Security is a way of life.

Cloud technologies sat at the center of our lives as an undeniable truth. This has led cloud providers to create certificate programs. Currently, there are many certificate programs of the three cloud providers (AWS, Azure Google Cloud) that dominate the market. On this occasion, I wanted to prepare notes to help friends who want to get certificates for these three providers.

I'm starting the first of these notes with Azure. To obtain the Azure Security Engineer (AZ-500) certification, you must first obtain the AZ-900 Fundementals certificate, which is mandatory. If you want to take the AZ-900 exam, these preparation notes will be a great support for you.

Microsoft expects person who will have AZ-900 certification to learn about the four modules:

  • Module 1: Cloud Concepts
  • Module 2: Core Azure Services
  • Module 3: Security, Privace, Compliance and Trust
  • Module 4: Azure Pricing and Support

In this document, we will examine all modules in detail.

Module 1 - Cloud Concepts

Why Should We Prefer Cloud Services?

For of all, we must understand the concept called Cloud Computing. Cloud Computing is the provision of IT services (server, database, networking, software, analytics, intelligence, etc.) over the internet (cloud) with economy models that are faster, more flexible and can be scaled compared to standard methods. Generally, we only pay for what we use and reduce our operating costs while providing the quality of hardware we want.

The companies that provide these services are called Cloud Providers. Cloud Providers are responsible for operating the physical hardware you need so that you can run your business smoothly. Each project and job has its own dynamics and the needs of each project / job are unique. For these needs, cloud providers offer a wide variety of services. Some of these are those:

  • Compute Power: Linux, Windows servers or web applications etc.
  • Storage: Data storage, databases etc.
  • Networking: Secure connections between the Cloud Provider and the company or network services between your web applications.
  • Analytics: Telemetry and some services that visualize performance data, etc.

Cloud services generally provide the following benefits.

High Availability: Compared to traditional methods, service downtime decreases almost to maybe one in ten thousand.

Scalability: When starting a project, it can be difficult to predict how much it can grow. Therefore, it is possible to scale the needs starting with more minimal resources as time goes on. As the demand increases, you can expand your agreement with your cloud provider and scale your services.

Elasticity: You can increase or decrease your resources automatically when needed. The difference from Scalability is that this can be done automatically. If needed, you can access the most accurate resources and use the most efficient geographical location.

Agility: The cloud services you need can be allocated to you quickly. Maybe you can get resources that will be ready in days or weeks in just minutes.

Fault Tolerance: Since Redundancy is integrated into the cloud services architecture, if any component fails, it has a backup, so the work continues. Therefore, we can say that the fault tolerance (fault resistance) is high.

Disaster Recovery: In any disaster situation, cloud services perform the fastest reaction on recovery, automation and services being readily available to use.

Global Reach: Cloud providers have data centers in many regions of the world. In this way, you can reach audiences from anywhere in the world.

Customer Latency Capabilities: Traditional methods involve running software on the servers in your office. In this case, your customers who will connect to your server in Istanbul from Brazil may experience serious slowdowns. Cloud providers can reduce these delays by directing traffic to your customers.

Predictive Cost Considerations: Generally, prices are predetermined in cloud services. You know how much you will pay for which service and you can set your budget in a predictable way. You can also prepare your future growth scenarios according to these price policies.

Technical Skill Requirements and Considerations: If you want to create the services you will get from cloud providers with your own means, there will be a serious workload. You will need to employ staff with technical skills for maintenance and physical infrastructure execution. When you work with cloud services, cloud providers make them for you.

Increased Productivity: Data centers established on-site occupy space. It creates a serious cost with the staff who need to deal with them. At the same time, when very rapid growth occurs, hardware purchases will create serious costs. Cloud services save you from these burdens. You too can just focus on improving your business.

Security: Because cloud providers serve many customers, they allocate much more time and budget than any company can spend on security. Therefore, it is ensured that you are safe from threats to the infrastructure.

Economies of Scale:

The economy of scale concept is similar to the concept of cooperative. When a very small scale company benefits from the possibilities of a company that does very large-scale work, costs decrease.

Cloud providers are very large businesses and make their purchases with very large deals. In this way, they can obtain items with high expenses such as equipment in much more affordable ways. In this way, small and medium sized enterprises have their needs in a much more affordable way than usual.

To give an example, you need a total of 50 TB of storage space. When you try to buy a 50 TB storage hardware product alone, the unit cost will be quite high. However, the unit costs are much lower as the cloud provider purchases thousands, millions of TB worth of storage hardware. In this way, you can reach the 50 TB storage you need at much lower costs.

CapEx and OpEx Concepts

In the past years, when starting a startup life, a physical office, facility or infrastructure was needed to start the company business. Therefore, starting a new business was a capital demand. And even more investment would have to be made to grow.

Nowadays, a startup can start its business with a much lower investment by taking service from any cloud provider. There are two different models for these investments.

CapEx: CapEx, which stands for Capital Expenditure (Capital Expenditure), is used as the capital of the majority of the money in the establishment phase, as in the past. is spent on needs. This expense is deducted from tax over time. CapEx has a high initial cost structure but decreases over time. That means you spend your money up front.

OpEx: OpEx, which stands for Operational Expenditure, does not require an initial investment. You get the product or service you need against a monthly bill. With this, you can enter the market immediately and use the infrastructure you need by paying much less for the infrastructure. There is no upfront cost and there are also models that you can pay for as much as you use. At the same time, invoices are deducted from tax in the same tax period.

Consumption-based model

Cloud providers work with a model called Consumption-based model. This model is based on the end user paying only for the resources they use. So whatever you use you only pay for it. The benefits of this model are:

  • There is no upfront cost.
  • There is no need to purchase unused and idle infrastructure.
  • Only when you need it you can increase your resources immediately.
  • When you no longer need it, you can reduce your resources and get rid of unnecessary payment burden.

Types of Cloud Models

There are 3 types of cloud models. These are Public Cloud, Private Cloud and Hybrid Cloud.

Public Cloud

  • The most common is the cloud model.
  • It is based on sharing CPU and resources.
  • There are places where it is also called hosting.
  • Here, the resources belong to the cloud provider and these resources are shared by various customers.
  • Deep knowledge is not required to use such structures.

Private Cloud

  • It is the more expensive and less commonly used model. (On-Premises)
  • The ability to use the customer as dedicated data and resources are used only by the specified customer.
  • It requires deep technical knowledge for its management.

Hybrid Cloud

  • It is the combination of Public and Private.
  • Public at certain times includes Private use at certain times.
  • It is the most flexible and cost-effective variety.

Types of Cloud Services

Müşteri sorumluluğunda = You managed

Cloud Provider Sorumluluğunda = Cloud Provider Managed

Cloud models actually mean the delegation of certain responsibilities to Cloud Providers. It is very important to understand how and which responsibilities are delegated here. The parts marked in yellow in the table above are the parts you are responsible for. The parts marked with green are the parts under the responsibility of the Cloud Provider.

Apart from on-premises systems, the services we will focus on will be IaaS, PaaS and SaaS.


Infrastructure as a Service offers you infrastructure as a service. :) Cloud Providers take responsibility for the storage, networking and compute parts for you. You don't have to make any hardware investments. You can directly create your VMs, install the Operating Systems you want, and run the software you want on them.

  • There is no hardware or installation cost. We pay as much as the resource we use.
  • The user is responsible for purchasing, installation, configuration, and management of their own software operating systems, middleware, and applications.
  • The cloud provider is responsible for storage, networking and compute parts and is also responsible for infrastructure maintenance and repairs.
  • It is generally used in test and development processes. There are also situations where it can be cheaper to host websites than web hosting.
  • They are also used for storage, backup and recovery purposes.
  • Responsibilities are shared in IaaS. The Cloud Provider is responsible for ensuring that infrastructure and hardware are working properly, while the customer is responsible for configuration, updates and software.
  • IaaS is defined as the first step to the cloud.


Platform as a Service is the most used service by developers. It is often preferred for creating, testing, and distributing software applications. Cloud providers manage storage, networking, compute, virtual machine, operating system and runtime parts for you. The application and Data & Access part remains under your responsibility.

  • Its general purpose is to focus only on your application without taking any action on the infrastructure.
  • Let's say you are deploying a web application, you do not deal with parts such as operating system, server and system updates.
  • There is no hardware or installation cost. We pay as much as the resource we use.
  • The user is responsible for the development processes of their own applications.
  • The cloud provider is also responsible for operating system management and network / service configurations.
  • It is widely used for development processes, but also for Analytics and business intelligence.


As its name suggests, Software as a Service is a service to provide you with a service as software. The biggest example is Office 365. The cloud provider offers you a software / application directly as a service. You only have Data & Access, the usage part. The cloud provider manages the remaining storage, networking, compute, virtual machine, operating system, runtime and application parts for you.

  • Its general purpose is to enable you to use the software directly.
  • Usually there are monthly or annual license models.
  • The user is only obliged to use the application.
  • The cloud provider manages all processes.
  • If we need to give an example to this category, we can give software such as Office 365, Skype, and Microsoft Dynamics CRM Online.

In short, when you use Office 365, you actually use SaaS, when you create a VM in Azure and install an OS yourself, you use IaaS, and when you use Azure SQL Database, you use a PaaS.

We have come to the end of our first module. In the second module, we will examine Core Azure Services.