AZ 900 MS Learn
For a VPN gateway you need to deploy a subnet called "GatewaySubnet". Use at least a /27 address mask to make sure you have enough IP addresses in the subnet for future growth. You can't use this subnet for any other services.
To connect your datacenter to a VPN gateway, you'll need these on-premises resources:
- A VPN device that supports policy-based or route-based VPN gateways
- A public-facing (internet-routable) IPv4 address
With Azure Firewall, you can configure:
- Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
- Network rules that define source address, protocol, destination port, and destination address.
- Network Address Translation (NAT) rules that define destination IP addresses and ports to translate inbound requests.
Azure AD provides services such as:
- Authentication: verifying identity to access apps and resources, providing self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
- Single Sign-On (SSO): A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
- Application management: manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as Access Panel), and SaaS apps.
- Device management: Manage how your cloud or on-premises devices access your corporate data.
What services provide Azure AD Multi-Factor Authentication capabilities?
- Azure Active Directory: the free edition has MFA for global admins; premium allows MFA via Conditional Access
- Office 365: a subset of Azure AD MFA is part of your Office 365 subscription
Azure has two implementations of serverless compute:
- Azure Functions: Functions can execute code in almost any modern language.
- Azure Logic Apps: Logic apps are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.
Azure Firewall provides many features, including:
- Azure Monitor logging.
- Built-in high availability.
- Unrestricted cloud scalability.
- Inbound and outbound filtering rules.
- Inbound Destination Network Address Translation (DNAT) support.
Azure supports a broad range of technologies and services to provide big data and analytic solutions, including
- Azure Synapse Analytics
- Azure HDInsight
- Azure Databricks
- Azure Data Lake Analytics
Azure Database for PostgreSQL Single Server
- Built-in high availability (99.99 percent SLA) for no additional cost
- Predictable performance and inclusive, pay-as-you-go pricing.
- Vertical scale as needed, within seconds.
- Monitoring and alerting to assess your server.
- Enterprise-grade security and compliance.
- Ability to protect sensitive data at rest and in motion.
- Automatic backups and point-in-time restore for up to 35 days, at no extra cost and with no administrative overhead.
Azure Database for PostgreSQL delivers the following benefits:
- Built-in high availability (vs. on-premises) for no additional cost
- Simple and flexible pricing. You have predictable performance based on a selected pricing tier choice that includes software patching, automatic backups, monitoring, and security.
- Scale up or down as needed, within seconds. You can scale compute or storage independently as needed, to make sure you adapt your service to match usage.
- Adjustable automatic backups and point-in-time restore for up to 35 days.
- Enterprise-grade security and compliance to protect sensitive data at rest and in motion. This security covers data encryption on disk and SSL encryption between client and server communication.
Azure Database for MySQL delivers:
- Built-in high availability with no additional cost.
- Predictable performance and inclusive, pay-as-you-go pricing.
- Scale as needed, within seconds.
- Ability to protect sensitive data at rest and in motion.
- Automatic backups.
- Enterprise-grade security and compliance.
The benefits of using Key Vault include:
- Centralized application secrets: so you can control distribution, and reduce the chance that secrets are accidentally leaked.
- Securely stored secrets and keys: industry-standard algorithms, key lengths, and HSMs.
- Access monitoring and access control: monitor and control access to secrets.
- Simplified administration of application secrets: easy to enroll and renew certificates from public certificate authorities (CAs).
- Integration with other Azure services: integrate with storage accounts, container registries, event hubs, and more, to securely reference the secrets stored in Key Vault.
ExpressRoute supports three models that you can use to connect your on-premises network to the Microsoft cloud:
- CloudExchange colocation
- Point-to-point Ethernet connection
- Any-to-any connection
Azure Sentinel enables you to:
- Collect cloud data at scale (across users, devices, apps, and infrastructure) both on-premises and from multiple clouds.
- Detect previously undetected threats and minimize false positives by using Microsoft's comprehensive analytics and threat intelligence.
- Investigate threats with AI.
- Respond to incidents rapidly with built-in orchestration and automation of common tasks.
With Azure Machine Learning, you can:
- Create a process defining how to get data, handle missing/bad data, split data into a training set or test set, and deliver the data to the training process.
- Train and evaluate predictive models by using tools and programming languages familiar to data scientists.
- Create pipelines that define where and when to run the compute-intensive experiments that are required to score the algorithms based on the training and test data.
- Deploy the best-performing algorithm as an API to an endpoint so it can be consumed in real time by other applications.
There are three main ways to purchase services on Azure. They are:
- Enterprise Agreement: larger customers agree to spend a predetermined amount over 3 years, paid annually
- From the web: purchase services in the Azure Portal; billed monthly with credit cards or invoices
- Via a Cloud Solution Provider: your CSP bills you for Azure as they determine and answers support questions
Azure Government services handle data that is subject to certain government regulations and requirements such as
- Federal Risk and Authorization Management Program (FedRAMP)
- National Institute of Standards and Technology (NIST) 800.171 Defense Industrial Base (DIB)
- International Traffic in Arms Regulations (ITAR)
- Internal Revenue Service (IRS) 1075
- Department of Defense (DoD) L4
- Criminal Justice Information Service (CJIS)
Azure free account provides
- Free access to popular Azure products for 12 months.
- A credit to spend for the first 30 days.
- Access to more than 25 products that are always free.
benefits of Azure Dedicated Host
- Gives visibility and control of the server infrastructure that's running your Azure VMs.
- Helps address compliance requirements by deploying your workloads on an isolated server.
- Lets you choose the number of processors, server capabilities, VM series, and VM sizes within the same host.
Who uses Azure AD?
- IT admins: to control access to apps and resources
- Developers: to add single sign-on functionality to an app, etc.
- Users: to change their password without IT support
- Online service subscribers: Microsoft 365, Office, Azure, etc. all have Azure AD tenants
Microsoft's Trust Center provides:
- In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.
- Additional resources for each topic.
- Links to the security, privacy, and compliance blogs and upcoming events.
Azure virtual networks provide the following key networking capabilities:
- Isolation and segmentation between multiple VNets
- Internet communications
- Communicate between Azure resources
- Communicate with on-premises resources
- Route/filter network traffic across subnets and networks
- Connect virtual networks
- Set up secure endpoints and protect against SQL injection and cross-site scripting
- Allows private IPs
Azure Cognitive Services categories
- Language services: to process natural language with prebuilt scripts, evaluate sentiment, and learn how to recognize what users want.
- Speech services: Convert speech into text and text into natural-sounding speech. Translate from one language to another and enable speaker verification and recognition.
- Vision services: Add recognition and identification capabilities when you're analyzing pictures, videos, and other visual content.
- Decision services: Add personalized recommendations for each user that automatically improve each time they're used, moderate content to monitor and remove offensive or risky content, and detect abnormalities in your time series data.
Pros to using ExpressRoute
- Layer 3 (address level) connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider.
- Connectivity to Microsoft cloud services across all regions in the geopolitical region.
- Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on.
- Dynamic routing between your network and Microsoft via BGP.
- Built-in redundancy in every peering location for higher reliability.
- Connection uptime SLA.
- QoS support for Skype for Business.
How can you limit network connectivity across all of your resources to allow only what's required (network layer)?
- Limit communication between resources by segmenting your network and configuring access controls (deny by default)
- Restrict inbound internet access and limit outbound where appropriate
- Implement secure connectivity to on-premises networks
Benefits of Azure Resource Manager
- Manage infrastructure with templates rather than scripts: a JSON file that defines what you want to deploy to Azure.
- Deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
- Redeploy your solution throughout the development life cycle and have confidence your resources are deployed in a consistent state.
- Define the dependencies between resources so they're deployed in the correct order.
- Apply access control to all services because RBAC is natively integrated into the management platform.
- Apply tags to resources to logically organize all the resources in your subscription.
- Clarify your organization's billing by viewing costs for a group of resources that share the same tag.
Azure Key Vault can help you:
- Manage secrets: store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Manage encryption keys: create and control the encryption keys that are used to encrypt your data.
- Manage SSL/TLS certificates: provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.
- Store secrets backed by hardware security modules (HSMs): secrets and keys can be protected by software or by FIPS 140-2 Level 2 validated HSMs.
ExpressRoute enables direct access to the following services in all regions:
- Microsoft Office 365
- Microsoft Dynamics 365
- Azure compute services, such as Azure Virtual Machines
- Azure cloud services, such as Azure Cosmos DB and Azure Storage
Azure Security Center can
- Monitor security settings across on-premises and cloud workloads.
- Automatically apply required security settings to new resources as they come online.
- Provide security recommendations based on your current configurations, resources, and networks.
- Continuously monitor your resources and perform security assessments to identify potential vulnerabilities.
- Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources. You can also use adaptive application controls to define rules that list allowed applications, to ensure that only applications you allow can run.
- Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.
- Provide just-in-time access control for network ports to reduce your attack surface by ensuring that the network only allows traffic you require at the time that you need it.
Azure virtual networks enable you to filter traffic between subnets by using
- Network security groups
- Network virtual appliances
Advantages of IaaS
- No CapEx
- Agility. Applications can be made accessible quickly, and deprovisioned whenever needed.
- Management. The shared responsibility model applies; the user manages and maintains the services they have provisioned, and the cloud provider manages and maintains the cloud infrastructure.
- Consumption-based model. Organizations pay only for what they use and operate under an Operational Expenditure (OpEx) model.
- Skills. No deep technical skills are required to deploy, use, and gain the benefits of a public cloud. Organizations can use the skills and expertise of the cloud provider to ensure workloads are secure, safe, and highly available.
- Cloud benefits. Organizations can use the skills and expertise of the cloud provider to ensure workloads are made secure and highly available.
- Flexibility. IaaS is the most flexible cloud service because you have control to configure and manage the hardware running your application.
Advantages of PaaS
- No CapEx
- Agility. PaaS is more agile than IaaS, and users don't need to configure servers for running applications.
- Consumption-based model. Users pay only for what they use, and operate under an OpEx model.
- Skills. No deep technical skills are required to deploy, use, and gain the benefits of PaaS.
- Cloud benefits. Users can take advantage of the skills and expertise of the cloud provider to ensure that their workloads are made secure and highly available. In addition, users can gain access to more cutting-edge development tools. They can then apply these tools across an application's lifecycle.
- Productivity. Users can focus on application development only, because the cloud provider handles all platform management. Working with distributed teams as services is easier because the platform is accessed over the internet. You can make the platform available globally more easily.
Advantages of SaaS
- No CapEx
- Agility. Users can provide staff with access to the latest software quickly and easily.
- Pay-as-you-go pricing model. Users pay for the software they use on a subscription model, typically monthly or yearly, regardless of how much they use the software.
- Skills. No deep technical skills are required to deploy, use, and gain the benefits of SaaS.
- Flexibility. Users can access the same application data from anywhere.
A consumption-based model has many benefits, including:
- No upfront costs.
- No need to purchase and manage costly infrastructure that users might not use to its fullest.
- The ability to pay for additional resources when they are needed.
- The ability to stop paying for resources that are no longer needed.
Azure virtual networks enable you to link resources together to create a network that spans both your local and cloud environments. How can you do this?
- Point-to-site virtual private networks
- Site-to-site virtual private networks
- Azure ExpressRoute
Azure Advisor Recommendation types
- Reliability: to ensure and improve the continuity of your business-critical applications.
- Security: to detect threats and vulnerabilities that might lead to security breaches.
- Performance: to improve the speed of your applications.
- Cost: to optimize and reduce your overall Azure spending.
- Operational Excellence: to help achieve process and workflow efficiency, resource manageability, and deployment best practices.
Security Score helps you
- Report on the current state of your organization's security posture.
- Improve your security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).
Azure Cost Management + Billing features include:
- Reporting: Use historical data to generate reports and forecast future expenditure.
- Data enrichment: categorize resources with tags that correspond to real-world business and organizational units.
- Budgets: Create and manage cost and usage budgets by monitoring resource demand trends, consumption rates, and cost patterns.
- Alerting: Get alerts based on your cost and usage budgets.
- Recommendations: Receive recommendations to eliminate idle resources and to optimize the Azure resources you provision.
What is tag metadata useful for?
- Resource management: you can locate and act on resources associated with specific workloads, environments, business units, and owners.
- Cost management and optimization: you can group resources so you can report on costs, allocate internal cost centers, track budgets, and forecast estimated cost.
- Operations management: you can group resources according to how critical their availability is to your business. This grouping helps you formulate service-level agreements (SLAs).
- Security: you can classify data by its security level (e.g. public/confidential).
- Governance and regulatory compliance: you can identify resources that align with governance or regulatory compliance requirements, or your own requirements like owner and department name.
- Workload optimization and automation: you can visualize resources that participate in complex deployments, e.g. tag a resource with its app name and use DevOps to perform automated tasks on those resources.
Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:
- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups
Service Health helps you keep an eye on several event types:
- Service issues: problems in Azure (e.g. outages) that affect you right now.
- Planned maintenance: You can see how an event will affect you and what you need to do. Most occur without any impact to you and aren't shown here. If a reboot is required, Service Health allows you to choose when to perform the maintenance to minimize the downtime.
- Health advisories: issues that require you to act to avoid service interruption, including service retirements and breaking changes. Health advisories are announced far in advance to allow you to plan.
Blob Storage is ideal for:
- Serving images or documents directly to a browser.
- Storing files for distributed access.
- Streaming video and audio.
- Storing data for backup and restore, disaster recovery, and archiving.
- Storing data for analysis by an on-premises or Azure-hosted service.
- Storing up to 8 TB of data for virtual machines.
Key features of route-based VPN gateways in Azure include:
- Supports IKEv2
- Uses any-to-any (wildcard) traffic selectors
- Can use dynamic routing protocols, where routing/forwarding tables direct traffic to different IPsec tunnels. Data packets are encrypted based on network routing tables that are created dynamically using routing protocols such as Border Gateway Protocol (BGP).
VMs are an ideal choice when you need:
- Total control over the operating system (OS).
- The ability to run custom software.
- To use custom hosting configurations.
You'll want to enable Azure resources to communicate securely with each other. You can do that in one of two ways:
- Virtual networks to connect to VMs, App Services and other Azure resources
- Service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
What kinds of attacks can DDoS Protection Standard tier help prevent?
- Volumetric attacks: flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks: render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource-layer (application-layer) attacks (only with web application firewall): target web app packets to disrupt the transmission of data between hosts (layer 7).
With App Service, you can host most common app service styles like:
- Web apps: ASP.NET Core, Java, Ruby, PHP, Python, etc.
- API apps: REST-based web APIs with Swagger
- WebJobs: run programs or scripts, often by trigger
- Mobile apps: quickly build a backend with support for front-end apps
DDoS Protection service tiers
- Basic: automatically enabled and free. Traffic monitoring and mitigation of network-level attacks ensure Azure infrastructure is not affected; the Azure global network distributes and mitigates attack traffic across Azure regions.
- Standard: extra capabilities for Virtual Network resources. Protection is tuned via dedicated traffic monitoring and machine learning algorithms; policies are applied to resources in virtual networks like Azure Load Balancer and Application Gateway.
Why should you use Azure virtual desktop?
- Best user experience: use any device; have VMs near apps and services for faster loading; login is fast.
- Enhanced security: MFA and role-based access controls can be used; data is separated from the hardware, protecting confidential info; reverse connect technology doesn't use inbound ports, which is more secure.
There are three main aspects to consider when you create and manage subscriptions:
- Billing (maybe break up with subscriptions)
- Access control (maybe use subscriptions and RBAC)
- Subscription limits (spread resources across subscriptions if you hit limits)
How to start with machine learning
- Collect your data and analyze it to check for biases, accuracy, and validity
- Split the data into training data and evaluation data
- Choose a model for your data (text-based, visual, other data)
- Train the model on training data and let it create an algorithm
- Use evaluation data to test the model for accuracy
- Tweak the algorithm manually if needed and retest
- Deploy
STAR Certification demonstrates that the CSP (Cloud service provider):
- Conforms to the applicable requirements of ISO/IEC 27001
- Has addressed issues critical to cloud security as outlined in the CCM
- Has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas
To build a SLA for your app you should
- Determine the workload (what resources you must use to create your app)
- Combine SLAs to compute the composite SLA of those resources
- Consider customization options to meet your SLA goal, e.g. different tiers, backup storage, deploying 2+ instances in different availability zones, duplicate components (redundancy)
migration process flow
- Discover: the features you use/need
- Assess: which on-prem DBs can be migrated
- Migrate: move data
- Cutover: change connection strings
- Optimize: optimize
When to use VMs
- During testing and development
- When running apps in the cloud
- When extending your datacenter to the cloud
- During disaster recovery
How does the TCO Calculator work?
- Enter details of your on-prem workloads
- Review suggested industry average costs (adjust if needed) for OpEx (including electricity, network maintenance, IT labor)
- Review the side-by-side report to compare the on-premises cost breakdown with the Azure cost breakdown
key features of Azure Virtual Desktop
- Familiar to Azure admins because it uses Azure AD, RBAC (role-based access controls), Azure Monitor, etc.
- Load balancing uses VM host pools (collections of VMs with the same configuration assigned to multiple users)
- Windows 10 Enterprise multi-session can be used to allow multiple concurrent users on a single VM
Types of Azure subscriptions
- Free trial: 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free
- Pay-as-you-go: pay for what you use
- Member offers: certain Microsoft products may come with Azure credits or reduced rates in Azure (e.g. Visual Studio subscribers)
What four compliance categories does Azure support?
- Global (e.g. ISO standards)
- US Government (e.g. DoD standards; CJIS)
- Industry (e.g. PCI DSS, the Payment Card Industry Data Security Standard)
- Regional (e.g. Canada privacy laws)
What are three ways to organize related resources?
- Group them by subscription
- Group them by resource group
- Group them using tags
Three Azure storage tiers
- Hot: frequently accessed data
- Cool: infrequently accessed data, stored for at least 30 days
- Archive: rarely accessed data, stored for at least 180 days
What's in a typical SLA
- Intro: explains expectations like its scope, and how subscription renewals can affect terms
- General terms: defines words like downtime, and how to submit claims and get credits
- SLA details: guarantees of the service as a percentage; focuses on uptime and may address latency (speed); what happens if Azure fails to meet specifications (typically a credit)
Organize the four levels of Azure's management structure in a top-down hierarchy: subscriptions, resources, resource groups, management groups.
- Management groups
- Subscriptions
- Resource groups
- Resources
When to use Azure Files
- Migrate on-prem file shares to the cloud with few changes needed in the app
- Store config and other developer files to access from multiple VMs
- Write data to a file share and process/analyze it later, e.g. diagnostic logs, metrics, or crash dumps
Configurable settings for basic virtual network
- Network name (unique to subscription)
- Address space in CIDR (unique to subscription and any other networks you connect to)
- Subscription and location of the VNet
- Subnet to partition the VNet
- DDoS protection: basic or standard
- Service endpoints: select endpoints you want to enable, including Azure Cosmos DB, Service Bus, Key Vault, etc.
3 big benefits of serverless computing
- No infrastructure management
- Automatic scalability
- Only pay for what you use
If you explore the azure compliance document for a specific standards page you will see
- Overview of the standard
- Cloud services in scope
- Overview of the audit cycle and links to audit reports
- Answers to FAQs
- Additional resources
options that you can configure in the Pricing calculator can include
- Region
- Tier
- Billing options (like enterprise exceptions)
- Support options
- Programs and offers (like licensing)
- Azure Dev/Test pricing (for Dev/Test workloads)
Azure VPN Gateway instances are deployed in Azure Virtual Network instances and enable the following connectivity
- Site-to-site
- Point-to-site
- Network-to-network
Three categories of sign ons for MFA
- Something the user knows: email address and password
- Something the user has: code on a phone
- Something the user is: biometric property like a fingerprint
Azure resources you need to deploy an operational VPN gateway
- Virtual network
- Gateway subnet
- Public IP address
- Local network gateway
- Virtual network gateway
- Connection
advantages of region pairs:
- You can use them to provide reliable services and data redundancy.
- If an extensive Azure outage occurs, one region out of every pair is prioritized to make sure at least one is restored as quickly as possible for applications hosted in that region pair.
- Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
- Data continues to reside within the same geography as its pair (except for Brazil South) for tax and law-enforcement jurisdiction purposes.
How many datacenters do availability zones have?
1 or more
Azure Sphere comes in three parts:
1. Azure Sphere micro-controller unit (MCU): to process OS and sensor signals
2. Customized Linux OS: to communicate with the security service and run the vendor's software
3. Azure Sphere Security Service (AS3): ensures the device is not maliciously compromised by authenticating each device via certificates and checking for tampering
Implementing a policy in Azure Policy involves three tasks:
1. Create a policy definition
2. Assign the definition to resources
3. Review the evaluation results
Implementing a blueprint in Azure Blueprints involves these three steps:
1. Create an Azure blueprint.
2. Assign the blueprint.
3. Track the blueprint assignments.
Cloud Adoption Framework consists of tools, documentation, and proven practices. What are the 5 stages it includes?
1. Define your strategy
2. Make a plan
3. Ready your organization
4. Adopt the cloud
5. Govern and manage your cloud environments
Working with the TCO Calculator involves three steps:
1. Define your workload
2. Adjust assumptions
3. View the report
There are two basic approaches to AI:
1. Deep learning: a system that's modeled on the neural network of the human mind, enabling it to discover, learn, and grow through experience
2. Machine learning: a data science technique that uses existing data to train a model, test it, and then apply it to new data to forecast future behaviors, outcomes, and trends
What is included in most CI/CD pipelines
1. Get the most recent code from the source code management system and update dependencies/packages
2. Compile source code into a binary executable
3. Move the compiled binary to a location where it can be deployed to a test environment for further testing
4. The binary and other files get deployed to production
The maximum number of Azure ExpressRoute circuits per subscription is
10
How many management groups can be supported in a single directory?
10,000
99.9% availability means how much downtime per week?
10.1 minutes
If you reduce the VM's size from Standard_D4_v4 to Standard_D2_v4, which is the next size lower, you reduce your compute cost by
50%. Resizing a VM requires it to be stopped, resized, and then restarted, but it saves money if the VM is underutilized.
You have a current composite SLA of 99.78%, and you want to add 2 new services each with an SLA of 99.9%. What is your new composite SLA?
99.58%
SQL Database provides _______ percent availability.
99.99
Billing zones
A geographical grouping of Azure regions for billing purposes.
- Zone 1: Australia Central, West US, East US, Canada West, West Europe, France Central, and more
- Zone 2: Australia East, Japan West, Central India, Korea South, and more
- Zone 3: Brazil South, South Africa North, South Africa West, UAE Central, UAE North
- DE Zone 1: Germany Central, Germany Northeast
Hybrid cloud
A hybrid cloud is a computing environment that combines a public cloud and a private cloud by allowing data and applications to be shared between them.
Azure Machine Learning
A platform for making predictions. It consists of tools and services that allow you to connect to data to train and test models to find one that will most accurately predict a future result. After you've run experiments to test the model, you can deploy and use it in real time via a web API endpoint.
Private cloud
A private cloud consists of computing resources used exclusively by users from one business or organization. A private cloud can be physically located at your organization's on-site (on-premises) datacenter, or it can be hosted by a third-party service provider.
Site-to-site virtual private networks
A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
Subscriptions
A subscription groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources that you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
serverless computing
A type of cloud computing that allows companies to focus on building a business function using code without worrying about how to deploy it. It enables developers to build applications faster by eliminating the need for them to manage infrastructure (like PaaS). Azure executes your code based on triggers and handles the servers and running of the code for you; it can autoscale for demand; you don't need to worry about outages; you only pay for what you use.
you can use existing data to forecast future behaviors; build, use, and deploy machine learning models in the cloud using this service category
AI
What is the best infrastructure-as-code option for quickly and reliably setting up your entire cloud infrastructure declaratively?
ARM Templates
used when you need a highly reliable means of deploying a complex set of services that perform different roles in your app architecture
ARM Templates
What should you use to manage resources if you need to repeatedly set up one or more resources and ensure that all the dependencies are created in the proper order
ARM templates. PowerShell and Azure CLI could be used, but there'd be no validation, it would be hard to roll back if there's an error, and it is more difficult to save previous scripts.
The company needs a repeatable, reliable way to scale its operations during peak sales periods. It should be efficient and possibly parallel, create dependencies in the correct order, and not fail in the middle of deployment. What can you use?
ARM templates. We're basically deploying an entire cloud infrastructure and we want to repeat this during peak times. PowerShell or Azure CLI could be used, but they are less efficient and could fail in the middle of deployment.
Azure VPN Gateway
Accesses Azure Virtual Networks through high-performance VPN gateways.
Active Directory v. Azure AD
Active Directory = on-prem resource run on a Windows server to provide identity and access management that is managed by your org. Azure AD = cloud-based identity and access management; you control the accounts, but Microsoft ensures the service is globally available and can monitor and detect suspicious sign-in attempts (unexpected location/device, etc.).
Bing Search
Add Bing Search APIs to your apps and harness the ability to comb billions of webpages, images, videos, and news with a single API call.
Azure SignalR Service
Add real-time web functionalities easily.
Natural Language processing
Allow your apps to process natural language with prebuilt scripts, evaluate sentiment, and learn how to recognize what users want.
Web API
An API that's accessible from servers that accept requests via HTTP
Azure Functions
An event-driven, serverless compute service.
How can VMs be used when extending your datacenter to the cloud?
An organization can extend the capabilities of its own on-premises network by creating a virtual network in Azure and adding VMs to that virtual network, e.g. running SharePoint on an Azure VM instead of locally.
you can quickly build, deploy, and scale enterprise-grade web, mobile, and API apps running on any platform. You can meet rigorous performance, scalability, security, and compliance requirements while using a fully managed platform to perform infrastructure maintenance. What is this?
App Service
What is likely the best way for you to identify which billing department each Azure resource belongs to?
Apply a tag to each resource that includes the billing department (you could split by subscriptions too, but that is less effective)
Resources in the Dev and Test environments are each paid for by different departments. What's the best way to categorize costs by department?
Apply a tag to resources to identify the appropriate billing department
What's the best way to ensure that the development team doesn't provision too many virtual machines at the same time?
Apply spending limits to the team's Azure subscription
What blob storage tier should you use for long-term backups or disaster recovery
Archive access tier - for data that is rarely accessed and stored for at least 180 days
AuthN
Authentication
How can you connect Active Directory with Azure AD in order to provide a consistent identity experience to your users?
Azure AD Connect
synchronizes user identities between on-premises Active Directory and Azure AD so you can support SSO, MFA, and self-service password changes
Azure AD Connect
To monitor your actual costs and get recommendations around unused resources and ways to optimize services you can use
Azure Advisor
What dashboard in Portal displays personalized recommendations for all your subscriptions, and you can use filters to select recommendations for specific subscriptions, resource groups, or services
Azure Advisor
What should you use to get recommendation on how to optimize your cloud environment?
Azure Advisor
What should you use to get recommendations on how to cut costs?
Azure Advisor
You want to be alerted when new recommendations to improve your cloud environment are available. Which service will do this?
Azure Advisor
You need to analyze how you're using Azure to reduce costs, improve resilience, and harden your security. What should you use?
Azure Advisor - for an analysis of your deployed resources
This platform as a service (PaaS) environment allows you to focus on the website and API logic while Azure handles the infrastructure to run and scale your web applications.
Azure App Service
scalable hosting platform for web-based apps where you can easily deploy, operate, and scale apps
Azure App Services
service for sending telemetry information from application source code to Azure
Azure Application Insights
- Starts a pool of compute VMs for you. - Installs applications and staging data. - Runs jobs with as many tasks as you have. - Identifies failures. - Requeues work. - Scales down the pool as work completes. What am I?
Azure Batch
this type of storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.
Azure Blob Storage
Which Azure Storage option is better for storing data for backup and restore, disaster recovery, and archiving
Azure Blob Storage (Question asked for Azure Storage type, not access tier)
You need to create a human-computer interface that uses natural language to answer customer questions. Which product option should you select as a candidate?
Azure Bot Service
you need to create a virtual agent to interact with humans by using natural language which AI service should you use
Azure Bot Service
The Customer Service team has long asked for a virtual agent to handle the vast majority of questions it gets asked. No matter how prominent it makes the answers to the most frequently asked questions on the website, shoppers are impatient and perceive contact in a chat window as saving them time. The team wants shoppers to feel as though they're interacting with a real human. When it becomes clear that the virtual agent can't provide an answer, the chat session should be transferred to a human. Providing a virtual agent would decrease the amount of time it takes for all shoppers to receive answers. The virtual agent could answer most questions, which would free up human customer service agents to provide support for more difficult questions or thorny account-related issues. What service should you use?
Azure Bot Service. We want to chat with a person-like thing = bot. We have FAQs and other data to train it with = bot. We could also use QnA Maker or other tools alongside this solution.
As an administrator, you need to retrieve the IP address from a particular VM by using Bash, what tool should you use?
Azure CLI - Bash = Azure CLI
A team of Linux developers needs to check on the health of Azure resources and keep everything up and running via a variety of tasks, and Portal is too slow, what can they use?
Azure CLI - one-off tasks with a Linux background
Is PowerShell or Azure CLI better for people familiar with Linux?
Azure CLI for Linux people, PowerShell for Windows people, but either can be used on either OS - it's just preference.
You need to identify the content of product images to automatically create alt tags for images formatted properly. Which product option is the best candidate?
Azure Cognitive Service
Only 80 percent of potential customers speak English. In some neighborhoods, that number falls to 50 percent. The team sees the addition of multiple languages as a wonderful opportunity to serve non-English speakers with the same online e-commerce experience as English speakers. What service should you use?
Azure Cognitive Services. We want to translate and understand text = cognitive service.
You need a service that can understand the content and meaning of images, video, or audio, and translate text into a different language What should you use?
Azure Cognitive Services - speech to text, analyzing text, etc.
to solve general problems, such as analyzing text for emotional sentiment or analyzing images to recognize objects or faces, you can use
Azure Cognitive Services (via APIs to include in your code)
you need to predict user behavior and provide users with personalized recommendations in your app What should you use?
Azure Cognitive Services Personalizer watches your users' actions within an application. You can use Personalizer to predict their behavior and provide relevant experiences as it identifies usage patterns. Azure Machine Learning could also be used.
these two services allow you to deploy containerized apps with fully managed services
Azure Container Instances and Azure Kubernetes Service
Allows developers to create apps fast with their choice of APIs, such as MongoDB, Cassandra, Gremlin, and more.
Azure Cosmos DB
Your development team is interested in writing Graph-based applications that take advantage of the Gremlin API. Which db option would be ideal for that scenario?
Azure Cosmos DB
________ supports schema-less data, which lets you build highly responsive and "Always On" applications to support constantly changing data. You can use this feature to store data that's updated and maintained by users around the world.
Azure Cosmos DB
An attacker can bring down your website by sending a large volume of network traffic to your servers. Which Azure service can help protect your App Service instance from this kind of attack?
Azure DDoS Protection
You can migrate your existing SQL Server databases with minimal downtime by using
Azure Database Migration Service - it performs all of the required steps. You just change the connection string in your apps.
_____________ offers several service tiers, and each tier provides different performance and capabilities to support lightweight to heavyweight database workloads. Dynamic scalability enables your database to transparently respond to rapidly changing resource requirements. You only pay for the resources you need, and only when you need them.
Azure Database for MySQL
a company uses the LAMP (Linux, Apache, MySQL, and PHP) stack for several of its websites. Which option would be ideal for migration?
Azure Database for MySQL
a suite of services that address every stage of the software development lifecycle
Azure DevOps
Is DevOps or GitHub more sophisticated for project management and reporting?
Azure DevOps
The team needs to give project sponsors and managers executive-level reporting, including burndown charts, tracking progress against epics, and tracking custom information that's specific to the company in each work item and bug report. The upper management team wants to ensure that contractors only have access to the information they need to do their work. What should be used to do this?
Azure DevOps - it's not open source and needs robust permissions and project management = DevOps
Should you use Azure DevOps or GitHub for more complex permissions?
Azure DevOps, because GitHub works on a simple model of read/write permissions to every feature while DevOps has a much more granular set of permissions
Which service could help you manage the VMs that your developers and testers need to ensure that your new app works across various operating systems?
Azure DevTest Labs
provides an automated means of managing the process of building, setting up, and tearing down virtual machines (VMs) that contain builds of your software projects so developers and testers can perform tests across a variety of environments and builds
Azure DevTest Labs
Typical usage scenarios of this storage type would be to share files anywhere in the world, diagnostic data, or application data sharing.
Azure Files
You need to process messages from a queue, parse them by using some existing imperative logic written in Java, and then send them to a third-party API. Which serverless option should you choose?
Azure Functions
create event-driven serverless apps (with no coding required) using
Azure Functions
host a single method or function by using a popular programming language in the cloud that runs in response to an event. An example of an event might be an HTTP request, a new message on a queue, or a message on a timer. What service does this?
Azure Functions
ideal when you're concerned only about the code running your service and not the underlying platform or infrastructure. They're commonly used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less. What are these?
Azure Functions
If you need to build complex algorithms, or data lookup and parsing operations, then you should use this serverless compute option
Azure Functions. If you have a logic-intensive orchestration that requires a complex algorithm, implementing that algorithm might be more verbose and visually overwhelming in Logic Apps, so Functions is better.
Data about each product that's sold is packaged as a JSON message and sent to an event hub. The event hub distributes the JSON message to subscribers, which allows various systems to be notified. The company wants to upgrade its e-commerce site to include real-time inventory tracking, but currently does so once a day using a Windows service on a VM in Azure, written in C#, that retrieves messages, parses JSON, performs lookups of db info, and sends notifications as necessary. Which serverless option should be used?
Azure Functions. Port the Windows service code into an Azure Function, make the necessary changes, and bind the function to a trigger so it runs whenever a new message is on the queue.
Azure Functions v. Logic Apps pricing
Azure Functions pricing is based on the number of executions and the running time of each execution. Logic Apps pricing is based on the number of executions and the type of connectors that it utilizes.
With this IoT service, the visual user interface (UI) makes it easy to quickly connect new devices and watch as they begin sending telemetry or error messages. You can watch the overall performance across all devices in aggregate, and you can set up alerts that send notifications when a specific device needs maintenance. Finally, you can push firmware updates to the device.
Azure IoT Central
If you primarily want to send messages with your IoT devices and occasionally push updates, and don't need further reporting features, you should use
Azure IoT Hub
By using this service, devices that are equipped with sensors and that can connect to the internet could send their sensor readings to a specific endpoint in Azure via a message. The message's data is then collected and aggregated. Devices could also be updated with new firmware to fix issues or add functionality by sending software updates from this service to each device.
Azure IoT services
What is the best way for your company to safely store its certificates so that they're accessible to cloud VMs?
Azure Key Vault
You want to orchestrate a workflow by using APIs from several well-known services. Which is the best option for this scenario?
Azure Logic Apps
Your team has limited experience with writing custom code, but it sees tremendous value in automating several important business processes. Which of the following options is your team's best option?
Azure Logic Apps
A low-code/no-code development platform hosted as a cloud service. The service helps you automate and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. It simplifies how you design and build scalable solutions, whether in the cloud, on-premises, or both. This solution covers app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) integration.
Azure Logic Apps
A store sends out surveys for customer satisfaction. Ideally, negative customer satisfaction scores would trigger a customer retention workflow. First, a sentiment analysis would be generated based on the free-form comments, an email would be sent to the customer with an apology and a coupon code, and the message would be routed to the Dynamics 365 customer service team so that it could schedule a follow-up email. No developers are available to work on this, but IT staff are. What serverless solution should be used?
Azure Logic Apps. A cloud or IT professional could use existing connectors to perform a sentiment analysis by using the Azure Cognitive Services connector, send an email by using the Office 365 Outlook connector, and create a new record and follow-up email by using the Dynamics 365 customer service connector. Because Azure Logic Apps is a low-code/no-code service, no developers are needed. A cloud or IT professional should be able to build and support this workflow.
You need to build a model based on historical data. What AI service should you use?
Azure Machine Learning
when your data scientists need complete control over the design and training of an algorithm using your own data you should use
Azure Machine Learning
The Marketing team is convinced that it can increase sales dramatically by suggesting add-on products that complement the items in a shopper's cart at the point of checkout. The team could hard-code these suggestions, but it feels that a more organic approach would be to use its years' worth of sales data as well as new shopping trends to decide what products to display to the shopper. Additionally, the suggestions could be influenced by product availability, product profitability, and other factors. What service should you use?
Azure Machine Learning. Azure Cognitive Services Personalizer could play a role as it deals with predicting user behavior, but we need a more complex model built on historical data sets, so this leads us to something more flexible that can still predict future outcomes = machine learning.
You need to predict future behavior based on previous actions. Which product option should you select as a candidate?
Azure Machine Learning (potentially Azure Cognitive Service Personalizer if we were given more info)
You need to build a model by using your own data. What AI service should you use?
Azure Machine Learning, as it is maximally flexible
If you want to track how your Azure services are performing and diagnose issues, you should use
Azure Monitor
Which service is a platform that powers Application Insights, monitoring for VMs, containers, and Kubernetes?
Azure Monitor
You want to measure custom events alongside other usage metrics and telemetry. What should you use?
Azure Monitor
You want to keep track of the performance or issues related to your specific VM or container instances, databases, your applications, and so on. What should you use?
Azure Monitor - to create reports and notifications to help you understand how your services are performing or diagnose issues related to your Azure usage
Your e-commerce website is experiencing intermittent errors, and the team is unsure of the cause. Because of the nature of the errors, the team suspects that it's either a database or caching issue. What are the circumstances surrounding the errors? Does it happen only during peak usage times? What is the state of the team's Azure SQL instance? What is the state of its Redis caching server? How can it trace the issues to a root cause? What service should you use to answer these questions?
Azure Monitor - to gain insight on performance and specific issues. Additional information about the state of the web application can be sent to Application Insights to help locate the root cause of the issue as well.
Where can you create custom views by using Power BI and Kusto queries?
Azure Monitor Dashboard
What lets you use data to help you react to critical events in real time, through alerts delivered to teams via SMS, email, and so on, or use thresholds to trigger autoscaling functionality to scale up or down to meet demand?
Azure Monitor Dashboard
What can be used to automate CI/CD processes?
Azure Pipelines & GitHub Actions
If all resources in a certain resource group should be tagged with an AppName tag and a value of "SpecialOrders," and one is created without this tag under Azure Policies, what happens?
Azure Policies will automatically reapply the tag (or add it for the first time) if it is missing
CORS should not allow every resource to access your web apps - how can you enforce this?
Azure Policies
How can you make sure new resources use the same tags as existing resources?
Azure Policies
MFA should be enabled on accounts with write permissions on your subscription - how can you enforce this?
Azure Policies
You want to restrict which locations your organization can specify when it deploys a resource. How can you do this?
Azure Policies
Lets you create, configure, and control all your services and resources from a single, easy-to-use web-based interface
Azure Portal
Where can you manage your Azure subscription using a GUI?
Azure Portal
a web-based, unified console that provides an alternative to command-line tools
Azure Portal
You're a developer who needs to set up your first VM to host a process that runs nightly. Which of the following tools is your best choice?
Azure Portal - your first VM, and a one-off task = portal
Your financial officer wants to run custom reports in real time to see how resources are being used and what they cost. What should you use?
Azure Portal, because we are doing one-time tasks and the person is non-technical
If you're in a cloud management or administrative role, it's less efficient to rely solely on visual scanning and clicking, so you should use _______ for one-off resource management tasks
Azure PowerShell or Azure CLI
What can you use to perform one-off management, administrative, or reporting actions in Azure?
Azure PowerShell, Azure CLI, or Azure Portal
allows you to distribute your applications globally so you can locate your data and apps where they're needed most
Azure Regional Datacenters
ARM
Azure Resource Manager
Instead of defining the detailed access requirements for each individual, and then updating access requirements when new resources are created, Azure enables you to control access through
Azure Role Based Access Control (Azure RBAC)
a relational database based on the latest stable version of the Microsoft SQL Server database engine. This db is a high-performance, reliable, fully managed, highly available, and secure database. You can use it to build data-driven applications and websites in the programming language of your choice, without needing to manage infrastructure.
Azure SQL Database
a scalable cloud data service that provides the broadest SQL Server database engine compatibility with all the benefits of a fully managed PaaS.
Azure SQL Managed Instance
Provides recommendations on how to improve security posture based on your current configurations, resources, and networks
Azure Security Center
What can automatically detect potential inbound attacks like logins from malicious IPs, suspicious commands being run, etc.?
Azure Security Center
place to check security settings, identify potential security weaknesses, and analyze inbound attacks
Azure Security Center
provides visibility of your security posture across all of your services, both on Azure and on-premises
Azure Security Center
Where can you get a detailed analysis of different components and whether they comply with certain security regulations?
Azure Security Center (policy & compliance section)
aggregates security data from many different sources, and provides additional capabilities for threat detection and response
Azure Sentinel
After an outage, this service provides official incident reports, called root cause analyses (RCAs), which you can share with stakeholders.
Azure Service Health
Your cloud operations team wants to let stakeholders know about upcoming planned downtime in advance. When outages do happen, the team wants to quickly ascertain whether the issue is specific to their services or a service interruption that affects many Azure customers. The team also wants to provide key stakeholders with reports that explain how and why the incident occurred, and so on. What should they use?
Azure Service Health
You want to monitor Azure services and regions. What should you use?
Azure Service Health - for status of services and outages
If you want to stay on top of planned outages you should use
Azure Service Health
A company wants to build a new voting kiosk for sales to governments around the world. Which IoT technologies should the company choose to ensure the highest degree of security?
Azure Sphere
When security of IoT devices is of critical consideration, you'll want to use
Azure Sphere, because it ensures a secure channel of communication between the device and Azure by controlling everything from the hardware to the operating system and the authentication process
A company wants to implement a touchless point-of-sale solution for self-checkout. The self-checkout terminals should be, above all else, secure. Each terminal must be impervious to malicious code that could create fraudulent transactions, force the company to take the systems offline during a heavy shopping period, or send transactional data to a spying organization. The terminals should also report back vital information on the company's health and allow secure updates to their software remotely. The company also wants a way to push updates to its terminals and to make sense of all of the data that will be generated through analysis. What IoT service should be used, and why?
Azure Sphere with IoT Central. Security is important = Sphere. IoT Central can also provide the analytics the company is looking for, so building on top of both makes sense.
A company has millions of log entries that it wants to analyze. Which db option would be ideal for analysis?
Azure Synapse Analytics
Where can the IT department find reference blueprints that it can apply directly to its Azure subscriptions?
Azure compliance documentation
An on-demand computing service for running cloud-based applications. It provides computing resources such as disks, processors, memory, networking, and operating systems. The resources are available on-demand and can typically be made available in minutes or even seconds. You pay only for the resources you use, and only for as long as you're using them.
Azure compute
Meeting the European Union Model Clauses ensures
Azure customers can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of the world
Linking compute resources and providing access to applications is the key function of
Azure networking
How can you access previews?
Azure portal - create a resource and search "preview"
You can create and configure Azure Virtual Network instances using
Azure portal, Azure PowerShell on your local computer, or Azure Cloud Shell
How do you know when there's a service outage?
Azure status provides a global view of the health of Azure services and regions - a good starting place. You can subscribe to Azure Status for updates via RSS feed. You can access Azure Service Health from here too, for a personalized view of the health of the services and regions you are using.
Your company has a team of remote workers that need to use Windows-based software to develop your company's applications, but your team members are using various operating systems like macOS, Linux, and Windows. Which Azure compute service would help resolve this scenario?
Azure virtual desktop
empower developers and data scientists with a wide range of productive experiences for building, training, and deploying machine learning models faster
Azure's AI and ML services
Azure Load Balancer
Balances inbound and outbound connections to applications or service endpoints.
Azure Database for PostgreSQL Single Server pricing tiers
Basic, General Purpose, and Memory Optimized. Each tier offers different resource capabilities to support your database workloads. You can build your first app on a small database for a few dollars a month, and then adjust the scale to meet the needs of your solution. Dynamic scalability enables your database to transparently respond to rapidly changing resource requirements. You only pay for the resources you need, and only when you need them.
for large amounts of data, you can use open source cluster services to run analytics at a massive scale and make decisions based on complex queries using this service category
Big Data
BGP
Border Gateway Protocol; used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.
You might need a single invoice for your organization but want to organize charges by department, team, or project. How can you do this?
Break up your resources by subscriptions for separate departments, then create an invoice section for the subscriptions you want on a single invoice.
How can you improve your secure score?
By remediating all of the recommendations for a single resource within a control
Stages of CI pipeline and CD pipeline
CI: plan, code, build, test. CD: release, deploy, operate, monitor.
Security posture is your organization's ability to protect from and respond to security threats. The common principles used to define a security posture are
CIA: confidentiality, integrity, availability
What are the lock levels?
CanNotDelete - authorized people can modify/read but not delete. ReadOnly - authorized people cannot delete or change.
requires significant up-front financial costs
CapEx
View the report with TCO calculator
Choose a time frame between one and five years and TCO will generate a report for you based on the info you entered. View cost breakdowns for on-prem vs. Azure in the categories compute, datacenter, networking, storage, and IT labor.
Offers a collection of documents, implementation guidance, best practices, and tools for each of those things
Cloud Adoption Framework
Azure Machine Learning Service
Cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models. It can auto-generate a model and auto-tune it for you. It will let you start training on your local machine, and then scale out to the cloud.
Azure Kubernetes Service
Cluster management for VMs that run containerized services. A complete orchestration service for containers with distributed architectures and large volumes of containers. It controls placement of pods (one or more containers) on a cluster node, staggers update deployments and can roll back, scales horizontally automatically or manually, and handles networking and API extensions.
Azure ML Studio
Collaborative visual workspace where you can build, test, and deploy machine learning solutions by using prebuilt machine learning algorithms and data-handling modules.
What's the easiest way for a company to combine security data from all of its monitoring tools into a single report that it can take action on?
Collect security data in Azure Sentinel
Colocation at a cloud exchange for ExpressRoute
Colocation providers can normally offer both Layer 2 and Layer 3 connections between your infrastructure, which might be located in the colocation facility, and the Microsoft cloud, e.g. you can request a virtual cross-connection to the Microsoft cloud.
composite SLA
Combining SLAs across different service offerings: multiply the SLA of each individual service (per instance)
How can your IT department ensure that employees at the company's retail stores can access company applications only from approved tablet devices?
Conditional Access
Azure Virtual Network
Connects VMs to incoming virtual private network (VPN) connections.
Azure ExpressRoute
Connects to Azure over high-bandwidth dedicated secure connections. For environments where you need high bandwidth and security. ExpressRoute provides dedicated private connectivity to Azure that doesn't travel over the internet.
Azure compute resources that you can use to deploy and manage containers.
Container Instances and Azure Kubernetes Service
These are lightweight, virtualized application environments. They're designed to be quickly created, scaled out, and stopped dynamically. You can run multiple instances of these applications on a single host machine. What am I?
Containers e.g. Container Instances and Azure Kubernetes Service
Speech
Convert spoken audio into text, use voice for verification, or add speaker recognition to your app.
What blob storage tier should you use to access invoices for your customers
Cool access tier - for data that is infrequently accessed and stored for at least 30 days
Over the years, Tailwind Traders has acquired several smaller companies. Each of these companies had teams of developers who used different database services and various APIs to work with their data. You'd like to enable each of these teams to work with an environment where they can use their existing skills. What should you use?
Cosmos DB - which has the flexibility to use an API developers are comfortable with e.g. SQL, MongoDB, Cassandra, Tables, and Gremlin
How can your company most easily implement a deny by default policy so that VMs can't connect to each other?
Create a network security group rule that prevents access from another VM on the same network. NSGs allow you to filter traffic to and from resources by source and destination IP address, port, and protocol.
You want to enable Azure Security Center to recommend missing security system updates on your servers. How can you do this?
Create an Azure Policy (Enable Monitoring in Azure Security Center - which is actually an initiative with numerous policy defs in it to monitor different things in Security Center)
You want to specify a set of VM SKUs that your organization can deploy. How can you do this?
Create an Azure Policy specifying the allowed SKUs
Which is the best way for you to ensure that the team deploys only cost-effective virtual machine SKU sizes?
Create an Azure Policy that specifies the allowed SKU sizes
What is the first step that you would take in order to share an image file as a blob in Azure Storage?
Create an Azure Storage Account
How can a company enforce having only certain applications run on its VMs?
Create an application control rule in Azure Security Center
Web Apps feature of Azure App Service
Create and deploy mission-critical web apps at scale.
What's the best way for your company to limit all outbound traffic from VMs to known hosts?
Create application rules in Azure Firewall
How can you allow some users to control the virtual machines in each environment but prevent them from modifying networking and other resources in the same resource group or Azure subscription?
Create role assignments with Azure RBAC
Azure Virtual WAN
Creates a unified wide area network (WAN) that connects local and remote sites.
Azure Sphere
Creates an end-to-end, highly secure IoT solution that encompasses everything from the hardware and OS on the device to the secure method of sending messages from the device to the message hub. Built-in communication and security for internet-connected devices.
CORS
Cross-Origin Resource Sharing
Which is the most efficient way for a testing team to save costs on virtual machines on weekends, when testers are not at work?
Deallocate the VMs when they are not in use
Why deallocate a VM without deleting its storage?
Deallocating a VM when you don't plan on using it for some time is just one way to minimize costs (cut out compute time and public IP address usage)
Azure Content Delivery Network
Delivers high-bandwidth content to customers globally.
Adding a third virtual machine reduces your composite SLA. How can you offset this reduction?
Deploy extra instances of the same VM across different availability zones in the same region
Azure Cognitive Search
Deploy this fully managed search as a service.
bring together people, process, and technology by automating software delivery using this service category
DevOps
Azure Service Fabric
Distributed systems platform that runs in Azure or on-premises.
Azure Traffic Manager
Distributes network traffic across Azure regions worldwide.
Common characteristic shared by azure storage services (5)
Durable and highly available with redundancy and replication. Secure through automatic encryption and role-based access control. Scalable with virtually unlimited storage. Managed, handling maintenance and any critical problems for you. Accessible from anywhere in the world over HTTP or HTTPS.
What is a region pair?
Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources (such as VM storage) across a geography that helps reduce the likelihood of interruptions because of events such as natural disasters, civil unrest, power outages, or physical network outages that affect both regions at once. If a region in a pair was affected by a natural disaster, for instance, services would automatically failover to the other region in its region pair.
ExpressRoute Built-in redundancy
Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available. You can configure multiple circuits to complement this feature. All redundant connections are configured with Layer 3 connectivity to meet service-level agreements.
Layers of defense in depth
Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. - physical security - identity and access - perimeter - network - compute - application - data
What do the roles do in RBAC
Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all of the associated access permissions.
Which of the following options isn't a benefit of ExpressRoute? - Redundant connectivity - Consistent network throughput - Encrypted network communication - Access to Microsoft cloud services
Encrypted network communication is not provided. ExpressRoute does provide private connectivity, but it isn't encrypted.
Defense in depth: application
Ensure apps are secure and free of vulnerabilities. Store sensitive secrets in secure storage. Make security a design requirement by integrating security into the application development lifecycle.
CIA availability
Ensure that services are functioning and can be accessed only by authorized users. Denial-of-service attacks are designed to degrade the availability of a system, affecting its users.
Microsoft Privacy Statement
Explains what personal data Microsoft collects, how Microsoft uses it, and for what purposes.
T/F Every region has support for availability zones
False
T/F Network traffic is unrelated to costs in Azure
False
T/F You need an Azure Subscription to use the TCO calculator
False
T/F You need to purchase an Azure account before you can use any Azure resources.
False
T/F Azure DevOps is a lighter-weight tool than GitHub
False - GitHub is lighter weight and focused on individual developers and open source; Azure DevOps is focused on enterprise development with more tools and access control
T/F Subscriptions within a management group do not automatically inherit the conditions applied to the management group.
False - all subscriptions automatically inherit from their management group
T/F An Azure account can only have one subscription
False - could have multiple; maybe with different billing models
T/F Resources cannot be moved between resource groups
False - many resources can be moved although some have limitations
T/F Public cloud takes a lot of CapEx to scale up
False - no CapEx is needed in public cloud
T/F with OpEx you are responsible for purchasing and maintaining your computing resources
False - only maintaining
T/F A management group and subscription can have more than one parent.
False - only support one parent
T/F Organizations have to pay for unused resources when they use the public cloud
False - orgs only pay for what they use
T/F You must choose a region for any service that you create
False - some global Azure services don't require you to select a particular region, such as Azure Active Directory, Azure Traffic Manager, and Azure DNS.
T/F Azure Database for PostgreSQL Single Server is free
False - the benefits come at no additional cost, but to use the database you need a pricing tier (basic, general purpose, memory optimized)
T/F Organizations are not responsible for hardware maintenance and updates when they use a private cloud
False - they are responsible for maintenance in a private cloud
T/F Resource groups can be nested
False - they cannot
T/F ExpressRoute supports site-to-site virtual private networks
False - this is not an ExpressRoute model
T/F With CapEx you are only responsible for the computing resources you use
False - you pay an upfront cost no matter what you use
T/F Azure AD helps users access external resources while you manage the internal access rights
False; Azure AD can handle both external and internal resource access management
T/F You must bring your own training data to Azure Cognitive Services to train the model
False; Azure Cognitive Services has pre-trained models which can be used
T/F Azure Government provisions separate memory space for deployments to protect apps from the other non-government apps running on the same servers
False; Azure Government offers physical isolation from non-US government deployments and provides screened US personnel
T/F Azure Policies check resources on create to see if they are compliant and it is up to you to keep them compliant after that
False; Azure Policies do make sure resources are compliant on creation and can prevent noncompliant resources from being created, but they also evaluate resources and highlight ones that are not compliant when changes are made to the resources - and can sometimes fix non-compliant resources automatically
T/F Azure Firewall is stateless
False; Azure Firewall is stateful
T/F deallocating a VM means you don't need to pay for it anymore
False; Deallocating a VM means that the VM is no longer running, but the associated hard disks and data are still kept in Azure --> you cut compute time and public IP address time, but still pay for disk storage
T/F Virtual Network only allows you to create a single isolated virtual network
False; It can create multiple isolated virtual networks
T/F Security Center does not provide advanced cloud defense capabilities for VMs
False; It does provide this for VMs, and also network security and file integrity
T/F You can apply tags to a resource group, and they will automatically be applied to the resources within that resource group
False; They will not automatically apply to the resources within the resource group -- but you can accomplish this using Azure Policies
T/F You only pay for the VMs you deploy on a dedicated host
False; With dedicated hosts you pay for the host price (based on VM family, type, etc.) independent of how many VMs you deploy to it, because you're just buying a physical server in Microsoft's cloud datacenter
T/F You can not get any reports when using IoT Hub
False; You can create a customized set of management tools and reports by using the IoT Hub RESTful API
T/F You must create roles in order to use Azure RBAC
False; You can create custom roles, but there are also built-in roles
T/F Since policies are inherited from their parent scopes, you cannot exclude a subscope from the parent scope of an Azure Policy
False; You can exclude a subscope from the policy assignment if there are specific child resources you need to be exempt from the policy assignment
T/F Azure VMs use Azure Disk Storage to store virtual disks. And you can use Azure Disk Storage to store a disk outside of a virtual machine.
False; You cannot use Azure Disk Storage to store a disk outside a VM
T/F You can deploy more than one VPN gateway in each virtual network
False; You can only deploy ONE per virtual network, but it can connect to multiple locations including other vNets and on-prem datacenters
T/F Azure Government is only available in one location for security
False; currently has 8 geographies
T/F Resources are evaluated to see if they meet Azure Policy requirement on a daily basis
False; hourly
T/F When you grant access at a parent scope using RBAC, those permissions are inherited by all child scopes that you specify should inherit
False; inheritance is automatic
T/F Azure Service Health only displays the major issues that broadly affect Azure customers
False; it also provides localized issues that affect you
T/F With ExpressRoute, your data still travels over the public internet, so it is exposed to the potential risks associated with internet communications
False; it does not travel over the public internet and is therefore not exposed to risks associated with internet communications
T/F Azure Security Center monitors your cloud-based resources to ensure they retain the correct security settings
False; it does this for both cloud and on-prem resources
T/F Azure SQL Database is an IaaS database engine
False; it is PaaS
T/F you need machine learning or data science knowledge to use azure cognitive services
False; no knowledge required
T/F Previews have their own SLA and promise of data protection, security, compliance, privacy, etc.
False; often previews have little or no guarantees and are not recommended for production use or critical workloads
T/F All blueprint artifacts must be configured
False; some have no additional parameters/configurations to handle e.g. Deploy threat detection on SQL servers
T/F Azure Policy does not have built in support for HIPAA and ISO 27001
False; there are initiatives that support compliance with HIPAA and ISO 27001
T/F If you need to exceed the limit for resources in a subscription you can apply to increase the limit for a small fee
False; there's no flexibility to increase limits
T/F You lose your Azure services when your free trial ends
False; they are disabled
T/F Any customer claiming to be US Gov entity can use Azure Government
False; they must be validated
T/F You can elastically and independently scale throughput and storage across a single Azure region anywhere in the world using Cosmos DB
False; you can do this across any number of Azure regions worldwide, not just one
T/F To stay on top of outages and other incidents, you must regularly check the Azure Service Health dashboard
False; you can set up alerts to help you stay on top of incidents and downtime
T/F Conditional Access is provided to all users for free
False; you need an Azure AD Premium P1 or P2 license. If you have a Microsoft 365 Business Premium license, you also have access to Conditional Access features.
T/F all storage accounts cost the same
False; you specify a type (such as block blob storage or table storage), a performance tier (standard or premium), and an access tier (hot, cool, or archive). These selections present different costs.
Azure Database for MariaDB
Fully managed and scalable MariaDB relational database with high availability and security.
Azure Database for MySQL
Fully managed and scalable MySQL relational database with high availability and security.
Azure Database for PostgreSQL
Fully managed and scalable PostgreSQL relational database with high availability and security.
IoT Central
Fully managed global IoT software as a service (SaaS) solution that makes it easy to connect, monitor, and manage IoT assets at scale.
Azure SQL Database
Fully managed relational database with auto-scale, integral intelligence, and robust security. Allows you to build modern cloud apps with an always up-to-date relational database service that includes serverless compute, hyperscale storage, and automated features to optimize performance and durability.
Azure Cache for Redis
Fully managed service that caches frequently used and static data to reduce data and application latency. Create fast, scalable apps with an open-source compatible, in-memory data store.
IoT Edge
Fully managed service that allows data analysis models to be pushed directly onto IoT devices, which allows them to react quickly to state changes without needing to consult cloud-based AI models.
Azure Functions v. Logic Apps purpose
Functions = serverless compute service / programming; Logic Apps = serverless orchestration service / workflow (you could use Azure Functions to orchestrate a long-running business process that involves various connections, but this was not its primary use case when it was designed).
If you already have your orchestration or business logic expressed in C#, Java, Python, or another popular programming language should you use Functions or Logic Apps?
Functions, because you can port your code into the body of Azure Functions, which might be easier than recreating it with a Logic App
Your company hopes to publish an API that would allow third parties to integrate their own inventories of new and used items. Although the internal implementation of the API is closed source, the company wants to create a set of examples that call the API to perform various actions and get feedback, issues, and feature requests. What should be used to do this?
GitHub - it's open source, has simple permissions, and doesn't need intense project management
the preferred host for open-source software
GitHub. Although Azure DevOps can publish public code repositories, GitHub has the visibility and general acceptance of the open-source development community.
Azure Cosmos DB
Globally distributed, multi-model database service that supports NoSQL options. Developers can build apps with guaranteed low latency and high availability anywhere, at any scale. You can also migrate Cassandra, MongoDB, and other NoSQL workloads to the cloud.
How can you add, view, or delete locks in Azure portal?
Go to the Settings section of a resource's settings pane and then choose Locks
GitHub and GitHub Actions
Good for open source and widely accepted. Developers can publish code, accept contributions, and accept feedback and bug reports. GitHub has a long history with public repositories and is trusted by tens of thousands of open-source project owners.
You want to allow one user to manage VMs in a subscription and another to manage virtual networks. What can you do?
Grant RBAC at the resource and/or resource group level (depending on where the networks and VMs are deployed)
What allows Azure to provide a high guarantee of availability?
Having a broadly distributed set of datacenters
HIPAA
Health Insurance Portability and Accountability Act
What blob storage tier should you use to access images for your website
Hot access tier as this will be accessed frequently
An advantage of this cloud service model is rapid deployment of new compute devices. Setting up a new virtual machine is considerably faster than procuring, installing, and configuring a physical server. What cloud service model am I?
IaaS
Azure Virtual Networks are IaaS, PaaS, or SaaS?
IaaS
The most flexible cloud service model is
IaaS
This cloud service model is the closest to managing physical servers; a cloud provider will keep the hardware up-to-date, but operating system maintenance and network configuration is up to you as the cloud tenant. What cloud service am I?
IaaS
You configure and manage the hardware for your application in this cloud model
IaaS
the most flexible category of cloud services
IaaS - It aims to give you complete control over the hardware that runs your application. Instead of buying hardware, with IaaS, you rent it.
Multi-Tier Cloud Security Singapore granted Microsoft cloud services MTCS 584:2013 Certification for
IaaS, PaaS, and SaaS. Microsoft is the first global solution provider to receive this certification across all three.
How can VMs be used in disaster recovery?
If a primary datacenter fails, you can create VMs running on Azure to run your critical applications and then shut them down when the primary datacenter becomes operational again.
RBAC uses an allow model which means
If one role grants you read permissions and another grants you write for the same resource, you will have both read and write permissions (instead of neither)
How do you define an Azure Policy Initiative?
In the portal or via the command line. You can search for built-in initiatives or create your own.
Zone-redundant gateways
In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration. This configuration brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure availability zones physically and logically separates gateways within a region while protecting your on-premises network connectivity to Azure from zone-level failures. These gateways require different gateway SKUs and use Standard public IP addresses instead of Basic public IP addresses.
ISO
International Organization of Standards
enables devices to gather and then relay information for data analysis
IoT
you can connect, monitor, and manage all IoT assets; analyze data as it arrives from sensors and take action with it using this service category
IoT
A company wants to quickly manage its individual IoT devices by using a web-based user interface. Which IoT technology should it choose?
IoT Central
With this IoT Service you can control a single device or all devices at once, and you can set up alerts for certain conditions, such as a device failure.
IoT Central
if you want a pre-built customizable user interface with which you can view and control your devices remotely, you might prefer to start with
IoT Central
A company has a fleet of delivery vehicles with shipments of goods that have sensors to collect and monitor temperature, humidity, tilt, shock, light, and location. Their sensors will be from a third-party vendor. Goals of this system include: - Shipment monitoring with real-time tracing and tracking. - Shipment integrity with real-time ambient condition monitoring. - Security from theft, loss, or damage of shipments. - Geo-fencing, route optimization, fleet management, and vehicle analytics. - Forecasting for predictable departure and arrival of shipments. The company would prefer a pre-built solution to collect sensor and vehicle computer data and provide an interface that displays reports about shipments and vehicles. What IoT service should be used, and why?
IoT Central. We definitely want a UI, lots of report capabilities, and pre-built components, which leads us away from IoT Hub and toward IoT Central. Although security is mentioned, it is not of utmost importance, and the sensors the company has will be from a third-party vendor; therefore Azure Sphere is not the best option, because it can't provide its own hardware to take care of security, and the UI capabilities of IoT Central are more important.
You want to send messages from the IoT device to the cloud and vice versa. Which IoT technology can send and receive messages?
IoT Hub
A company has appliances that will send telemetry information to a centralized location, where the data can be analyzed and maintenance can be scheduled. The devices will not require remote control. They will merely be sending their telemetry data for analysis and pro-active maintenance. Because Tailwind Traders already has software in place for managing appliance maintenance requests, the company wants to integrate all functionality into this existing system. What IoT Service should be used + why?
IoT Hub. Because security is not the top priority we don't need Sphere, and because the data will be analyzed with their existing system we don't need the dashboard and other capabilities of IoT Central.
Costs with Azure Virtual Desktop
It is available to you at no additional cost if you have an eligible Microsoft 365 license. Just pay for the Azure resources used by Azure Virtual Desktop. (bring your own licenses)
How can your IT department use biometric properties, such as facial recognition, to enable delivery drivers to prove their identities?
MFA
Machine Learning
Machine learning is a data science technique that allows computers to use existing data to forecast future behaviors, outcomes, and trends. Using machine learning, computers learn without being explicitly programmed.
Defense in depth: compute
Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues. Secure access to VMs; implement endpoint protection on devices and keep systems patched and current.
Knowledge mapping
Map complex information and data to solve tasks such as intelligent recommendations and semantic search.
provides support for several popular No-SQL APIs
Microsoft Cosmos DB
The ___________________ can generate assessment reports that provide recommendations to help guide you through required changes prior to performing a migration.
Microsoft Data Migration Assistant
Where can the team access details about the personal data Microsoft processes and how the company processes it, including for Cortana?
Microsoft Privacy Statement
What's Azure AD Multi-Factor Authentication?
Microsoft service that provides multifactor authentication
Azure Sentinel
Microsoft's cloud-based SIEM system. It uses intelligent security analytics and threat analysis.
What does the Online Services Terms OST apply to
Microsoft's online services that you license through a subscription, including Azure, Dynamics 365, Office 365, and Bing Maps
MVP
Minimum Viable Product
Azure Network Watcher
Monitors and diagnoses network issues by using scenario-based analysis.
MFA
Multifactor authentication
NIST
National Institute of Standards and Technology
Why combine Network security groups and Azure Firewall
Network security groups provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as a service. It provides network-level and application-level protection across different subscriptions and virtual networks. Together they provide better defense-in-depth network security.
Azure table storage
NoSQL datastore for key-value pairs; cheap for semi-structured data
NoSQL means
Not only SQL - more than just a relational database
VM cons
Only runs one OS at a time (a con if multiple apps need different OSes). Starting a VM can be slow because it starts a whole computer.
a consumption-based model of expenses
OpEx
Azure Application Gateway
Optimizes app server farm delivery while increasing application security. Provides a web application firewall, which has centralized, inbound protection for your web apps against common exploits and vulnerabilities.
Azure App Services provides a managed hosting environment where developers can upload their web applications, without having to worry about the physical hardware and software requirements. This is an example of what cloud service model?
PaaS
The cloud service to focus on app dev
PaaS
This cloud service model is a managed hosting environment. The cloud provider manages the virtual machines and networking resources, and the cloud tenant deploys their applications into the managed hosting environment. What cloud service am I?
PaaS
Is Azure Container Instances IaaS, PaaS, or SaaS?
PaaS; allows you to upload your containers, which it runs for you
PCI DSS
Payment Card Industry Data Security Standard
Disadvantage of PaaS
Platform limitations. There can be some limitations to a cloud platform that might affect how an application runs.
Point-to-point Ethernet connection for ExpressRoute
Point-to-point connections provide Layer 2 and Layer 3 connectivity between your on-premises site and Azure. You can connect your offices or datacenters to Azure by using the point-to-point links.
CIA integrity
Prevent unauthorized changes to information - at rest (where it's stored) - in transit (during transfers, including local to cloud), e.g. using hashes
Azure DDoS Protection
Protects Azure-hosted applications from distributed denial of service (DDoS) attacks. Helps protect your Azure applications by analyzing and discarding DDoS traffic at the Azure network edge, before it can affect your service's availability.
Azure DNS
Provides ultra-fast DNS responses and ultra-high domain availability.
Azure API Management
Publish APIs to developers, partners, and employees securely and at scale.
Azure App Service
Quickly create powerful cloud web-based apps.
different geographical locations around the globe that contain Azure datacenters
Regions
Where can you see the health of resources from a security perspective categorized as low, medium, and high?
Resource security hygiene section of Azure Security Center
Resource groups
Resources are combined into resource groups, which act as a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed. A common approach is to group by resource type.
How do you protect your resources once they've been deployed?
Role-based access control to limit users' authorization; add locks to prevent deletion
Azure Synapse Analytics
Run limitless analytics at a massive scale by using a cloud-based enterprise data warehousing and big data analytics that takes advantage of massively parallel processing to run complex queries quickly across petabytes of data.
Which is the best first step a team should take to compare the cost of running environments on Azure versus in their datacenter?
Run the Total Cost of Ownership (TCO) Calculator
How can your company ensure that certain VM workloads are physically isolated from workloads being run by other Azure customers?
Run the VMs on an Azure Dedicated Host
How can your IT department reduce the number of times users must authenticate to access multiple applications?
SSO
In this cloud service model, the cloud provider manages all aspects of the application environment, such as virtual machines, networking resources, data storage, and applications. The cloud tenant only needs to provide their data to the application managed by the cloud provider. What cloud service am I?
SaaS
Is Azure DevOps IaaS, PaaS, or SaaS?
SaaS
Microsoft Office 365 provides a fully working version of Microsoft Office that runs in the cloud. All you need to do is create your content, and Office 365 takes care of everything else. This is an example of what cloud service?
SaaS
Users pay for the software they use on a subscription model with this cloud service model
SaaS
pay as you go pricing model is linked to which cloud service model
SaaS
software that's centrally hosted and managed for you and your users or customers. Usually one version of the application is used for all customers, and it's licensed through a monthly or annual subscription. What cloud service model is this?
SaaS
Azure Virtual Machine Scale Sets
Scaling for Windows or Linux VMs hosted in Azure.
Adaptive network hardening
Security Center can monitor the internet traffic patterns of the VMs, and compare those patterns with the company's current network security group (NSG) settings. From there, Security Center can make recommendations about whether the NSGs should be locked down further and provide remediation steps.
Azure Notification Hubs
Send push notifications to any platform from any back end.
The cloud service provider automatically provisions, scales, and manages the infrastructure required to run the code. Architectures are highly scalable and event-driven, only using resources when a specific function or trigger occurs. What is this called?
Serverless computing
Microsoft-covered cloud services are audited at least annually against the
Service Organization Controls (SOC) report framework by independent third-party auditors. This covers controls for data security, availability, processing integrity, and confidentiality as applicable to the in-scope trust principles for each service.
SQL Server on Azure Virtual Machines
Service that hosts enterprise SQL Server apps in the cloud.
Azure Database Migration Service
Service that migrates databases to the cloud with no application code changes; it lets you accelerate your transition to the cloud using a simple, self-guided migration process.
Public cloud
Services are offered over the public internet and available to anyone who wants to purchase them. Cloud resources, such as servers and storage, are owned and operated by a third-party cloud service provider, and delivered over the internet.
Conditional Access Flow
Signals: collect information about the sign-in (user location, device, identity, etc.). Decision: how much access to grant or deny and whether MFA is needed. Enforcement: carry out the decision by prompting for MFA, denying access, or granting access.
Azure Database for PostgreSQL is available in two deployment options:
Single Server and Hyperscale (Citus).
SSO
Single sign-on lets users remember only one ID and one password to access multiple applications. It reduces what users must remember, the work needed to provide access for multiple user identities, the IT help needed for forgotten passwords, and so on.
Disadvantage of SaaS
Software limitations. There can be some limitations to a software application that might affect how users work. Because you're using as-is software, you don't have direct control of features.
Your company experiences surges in e-commerce traffic that coincide with national holidays and weekends. In the past employees would come in to keep an eye on things, but the manager wishes they could do this from home. How can this be done?
The Azure mobile app: it handles management on the go, for tasks that aren't really repeatable.
Bandwidth
The amount of data that can be transmitted over a network in a given amount of time.
REST API
The design of the URL style that's used to expose the API's functionality. Typically GET, PUT, POST, DELETE requests over HTTP
Web API endpoint
The location of the code library
CIA confidentiality
Confidentiality is protected through the principle of least privilege: restricting access to information only to individuals explicitly granted access, at only the level they need to perform their work. Examples of such information are user passwords, email content, and access levels to applications and underlying infrastructure.
Point-to-site virtual private networks
The typical approach to a virtual private network (VPN) connection is from a computer outside your organization, back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect that computer to the Azure virtual network.
Management groups
These groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.
What does it means for Conditional Access to provide a more granular multifactor authentication experience for users
They need to authenticate with MFA only in certain cases. Conditional Access collects signals from the sign-in (location, device, etc.) and decides access rights and whether MFA is required from those signals. For example, a user at a known location may not be prompted for a second factor, but will be at an unexpected location or when the sign-in pattern is unusual.
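The signals, decision, enforcement flow from the two cards above, written out as a small policy engine. This is an added example and not Microsoft's implementation: the policy shape, the signal names, the named location "HQ", the group "GlobalAdmins" and the three policies are all constructed for illustration. It does show the two rules practitioners most often get wrong: a block from any matching policy wins, and a "require compliant device" control cannot be satisfied by a prompt, so an unmanaged device is denied rather than challenged.

```python
"""Conditional Access as signals -> decision -> enforcement (added example).

Policy shape, signal names, "HQ" and "GlobalAdmins" are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Signals:
    """What the service knows about one sign-in attempt."""
    user: str
    groups: frozenset
    app: str
    location: str            # named location such as "HQ", or "unknown"
    device_compliant: bool
    sign_in_risk: str = "none"


@dataclass(frozen=True)
class Policy:
    """Conditions (who / which app / from where / how risky) plus controls."""
    name: str
    groups: frozenset | None = None               # None: every user
    apps: frozenset | None = None                 # None: every app
    excluded_locations: frozenset = frozenset()   # trusted places the policy skips
    min_risk: str = "none"                        # apply only at this risk or above
    require_mfa: bool = False
    require_compliant_device: bool = False
    block: bool = False


def applies(policy: Policy, s: Signals) -> bool:
    if policy.groups is not None and not (policy.groups & s.groups):
        return False
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if s.location in policy.excluded_locations:
        return False
    return RISK_LEVEL[s.sign_in_risk] >= RISK_LEVEL[policy.min_risk]


def decide(policies: list[Policy], s: Signals) -> tuple[str, list[str]]:
    """Decision step: controls of every matching policy are combined.
    A block wins outright; otherwise every required grant control must be met."""
    matched = [p for p in policies if applies(p, s)]
    blockers = [p.name for p in matched if p.block]
    if blockers:
        return "block", blockers
    # A compliant device is something the user has or lacks; there is no prompt for it.
    needs_device = [p.name for p in matched if p.require_compliant_device]
    if needs_device and not s.device_compliant:
        return "block", needs_device
    needs_mfa = [p.name for p in matched if p.require_mfa]
    if needs_mfa:
        return "mfa", needs_mfa
    return "grant", [p.name for p in matched]


def enforce(decision: str) -> str:
    """Enforcement step: what the user actually experiences."""
    return {"block": "access denied",
            "mfa": "prompt for a second factor, then grant",
            "grant": "token issued"}[decision]


# Constructed policy set: MFA everywhere except the office, block risky
# sign-ins, admins only from managed devices.
POLICIES = [
    Policy("Require MFA outside trusted locations",
           excluded_locations=frozenset({"HQ"}), require_mfa=True),
    Policy("Block high-risk sign-ins", min_risk="high", block=True),
    Policy("Admins need a compliant device",
           groups=frozenset({"GlobalAdmins"}), require_compliant_device=True),
]


def evaluate(s: Signals) -> str:
    """Run the constructed policy set and return just the decision."""
    return decide(POLICIES, s)[0]


if __name__ == "__main__":
    for loc in ("HQ", "unknown"):
        s = Signals("alice", frozenset({"Staff"}), "mail", loc, True)
        d, why = decide(POLICIES, s)
        print(f"{loc}: {d} {why} -> {enforce(d)}")
```

The engine is deliberately order-independent: it evaluates every policy and merges the controls, which is also why adding a new policy can never loosen an existing one.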
for a VPN gateway you need to create a Public IP address, explain
This address provides a public-routable IP address as the target for your on-premises VPN device. This IP address is dynamic, but it won't change unless you delete and re-create the VPN gateway.
OSI layer 2
This layer is the Data Link Layer, which provides node-to-node communication between two nodes on the same network.
OSI Layer 3
This layer is the Network Layer, which provides addressing and routing between nodes on a multi-node network
TCO
Total Cost of Ownership
TCO Calculator
Total Cost of Ownership helps you estimate the cost savings of operating your solution on Azure over time, instead of in your on-premises datacenters
T/F A management group tree can support up to six levels of depth. This limit doesn't include the root level or the subscription level.
True
T/F A subscription is a deployment boundary for Azure resources
True
T/F All capabilities that are available in the Azure portal are also available through PowerShell, the Azure CLI, REST APIs, and client SDKs
True
T/F All resources must be in a resource group
True
T/F All subscriptions and management groups are within a single hierarchy in each directory
True
T/F All subscriptions within a single management group must trust the same Azure AD tenant.
True
T/F Any number of Azure virtual machines or roles can mount and access the file storage share in Azure Files simultaneously.
True
T/F App Service's built-in load balancing and Traffic Manager provide high availability.
True
T/F App Service is a platform as a service (PaaS) offering.
True
T/F Azure Cosmos DB provides comprehensive service level agreements for throughput, latency, availability, and consistency guarantees.
True
T/F Azure Database for MySQL is a relational database service in the cloud with 99.99 percent availability
True
T/F Azure Firewall provides a central location to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
True
T/F Azure Policy integrates with DevOps by applying CI/CD policies in pre-deployment and post-deployment
True
T/F Azure SQL Database handles most of the database management functions, such as upgrading, patching, backups, and monitoring, without user involvement
True
T/F Azure compliance documentation includes Audit reports
True
T/F Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security Policy, meeting the same requirements as law enforcement and public safety entities
True
T/F Azure management groups provide a level of scope above subscriptions.
True
T/F Azure supports SaaS, PaaS, and IaaS
True
T/F Both Logic Apps and Functions are trigger based
True
T/F By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure
True
T/F Free products typically don't have an SLA
True
T/F Hardware must be purchased for start-up and maintenance of private clouds
True
T/F If a policy is applied to a resource group, that policy is applied to all resources within that resource group
True
T/F Organizations control security, compliance, or legal requirements when they are hybrid cloud
True
T/F Organizations have complete control over resources and security when they are private cloud
True
T/F Policy assignments are inherited by all child resources within that scope
True
T/F Preview features for existing services are available to deploy, configure, and manage
True
T/F Role based access control can be applied to the resource group
True
T/F SQL Database can be the right choice for a variety of modern cloud applications because it enables you to process both relational data and non-relational structures, such as graphs, JSON, spatial, and XML.
True
T/F Some services or VM features are only available in certain regions
True
T/F The IoT Hub service supports communications both from the device to the cloud and from the cloud to the device
True
T/F There's a minimum of three zones within a single region.
True
T/F To build enterprise integration solutions with Azure Logic Apps, you can choose from a gallery of 200+ connectors. The gallery includes services such as Salesforce, SAP, Oracle DB, and file shares
True
T/F Unlike virtual machines, you don't manage the operating system for a container.
True
T/F When a user sends a request from any of the Azure tools, APIs, or SDKs, Azure Resource Manager receives the request, authenticates it, authorizes it, and send it to the Azure service
True
T/F You can call Azure Functions from Azure Logic Apps and vice versa
True
T/F You store blobs in containers, which helps you organize your blobs depending on your business needs.
True
T/F Your storage account will contain all of your Azure Storage data objects, such as blobs, files, and disks
True
T/F a hypervisor can run multiple VMs with different OSes at the same time
True
T/F a resource can only be a member of a single resource group
True
T/F both Azure DevOps and GitHub allow public and private code repositories
True
T/F plans with 99.99% availability have max 1 minute of downtime per week
True
T/F the newest capabilities of SQL Server are released first to SQL Database, and then to SQL Server itself so you get the newest SQL Server capabilities, with no overhead for updates or upgrades, tested across millions of databases
True
T/F you can automate the provisioning of new labs as part of a toolchain by using Azure Pipelines or GitHub Actions
True
T/F you can choose to create subscriptions to set up separate environments for development and testing, security, or to isolate data for compliance reasons
True
T/F VPN gateways use a pre-shared key as the only method of authentication
True. They also rely on Internet Key Exchange (IKE) to set up a security association between the endpoints, and on Internet Protocol Security (IPsec) to encrypt and decrypt the data packets in the VPN tunnel.
T/F Resource groups are a scope for applying role-based access control (RBAC) permissions
True - easing admin work and limiting access
T/F You can apply access-management policies at the subscription level
True; this is called an access control boundary. You can create separate subscriptions to reflect different organizational structures, such as departments.
T/F Cloud computing is a consumption-based model
True - you only pay for what you use
T/F If you delete a resource group, all resources contained within it are also deleted
True! Careful
T/F If you want to prevent users from gaining access to something you should use RBAC, but to audit resource use you should use Azure Policy
True; RBAC prevents access by controlling who can act on a resource, while Azure Policy evaluates and audits resource configuration and usage against rules.
T/F When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges
True; you can also divide that IP address space into subnets and allocate part of the defined address space to each named subnet.
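A small checker for a VNet address plan, added here as an example rather than anything Azure ships. It encodes the facts the cards rely on: a VPN gateway needs a subnet literally named GatewaySubnet of /27 or larger, Azure keeps five addresses out of every subnet (network address, default gateway, two for Azure DNS, broadcast), and /29 is the smallest subnet Azure accepts. The VNet range and subnet names are constructed; the warning about non-RFC 1918 ranges reflects that such public addresses become unreachable from inside the VNet.

```python
"""Sanity checks for an Azure virtual network address plan (added example).

Constructed VNet and subnet names; Azure facts: 5 reserved addresses per
subnet, /29 smallest subnet, GatewaySubnet of /27 or larger for a VPN gateway.
"""
import ipaddress

AZURE_RESERVED = 5       # addresses Azure keeps in every subnet
SMALLEST_SUBNET = 29     # longest prefix Azure accepts
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_addresses(cidr: str) -> int:
    """Addresses you can actually assign in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED


def validate_vnet(address_spaces, subnets, need_vpn_gateway=True):
    """Return a list of findings; an empty list means the plan is clean.

    address_spaces: CIDR strings the VNet owns.
    subnets: dict of subnet name -> CIDR.
    """
    spaces = [ipaddress.ip_network(s) for s in address_spaces]
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    findings = []

    for sp in spaces:
        if not any(sp.subnet_of(p) for p in RFC1918):
            # Allowed, but those public addresses are then unreachable from the VNet.
            findings.append(f"warning: {sp} is not an RFC 1918 range")

    for name, net in nets.items():
        if not any(net.subnet_of(sp) for sp in spaces):
            findings.append(f"{name} {net} lies outside the VNet address space")
        if net.prefixlen > SMALLEST_SUBNET:
            findings.append(f"{name} {net} is smaller than /{SMALLEST_SUBNET}")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    if need_vpn_gateway:
        gw = nets.get("GatewaySubnet")
        if gw is None:
            findings.append("no subnet named GatewaySubnet; a VPN gateway cannot be deployed")
        elif gw.prefixlen > 27:
            findings.append(f"GatewaySubnet {gw} is smaller than /27; use /27 or larger")
    return findings


if __name__ == "__main__":
    plan = {"web": "10.0.1.0/24", "data": "10.0.2.0/24", "GatewaySubnet": "10.0.255.0/27"}
    print(validate_vnet(["10.0.0.0/16"], plan) or "plan is clean")
    print("usable in GatewaySubnet:", usable_addresses(plan["GatewaySubnet"]))
```

Run it before creating the VNet rather than after: the GatewaySubnet size cannot be grown once a gateway is deployed into it.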
T/F You can buy one-year or three-year Azure Reserved Virtual Machine Instances to save you up to 72 percent versus pay-as-you-go pricing.
True; You can pay for a reservation up front or monthly. Reservations provide a billing discount and don't affect the runtime state of your resources.
T/F Azure Sentinel supports a number of data sources, which it can analyze for security events including connectors for AWS
True; as long as logs are in an open-standard logging format
T/F You need to configure, update, and maintain the software that runs on the VM in Azure VM
True; but don't need to buy and maintain the physical hardware
T/F ARM Templates can even execute PowerShell and Bash scripts before or after the resource has been set up.
True; gives you the ability to utilize scripts for tasks that may not be possible with the ARM template itself
T/F ExpressRoute connections don't go over the public Internet.
True; this allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.
T/F Blueprints are versioned
True; to track and comment on changes to a blueprint
T/F You can configure a VPN gateway as a secure failover path for ExpressRoute connections
True; ExpressRoute circuits have resiliency built in, but they aren't immune to physical problems that affect the cables delivering connectivity, or to outages that affect the complete ExpressRoute location. In high-availability scenarios, where there's risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN gateway that uses the internet as an alternative method of connectivity. In this way, you can ensure there's always a connection to the virtual networks.
T/F You can have multiple dashboards generated from IoT Central
True; you can also integrate with IoT Hub to create reports, and target dashboards at a variety of users.
T/F You can specify the relevant configuration parameters for a blueprint definition when you assign it to a scope
True; you can define them when the blueprint is created or when you assign it to a scope. This gives you the flexibility to specify the relevant parameters at each scope, e.g. different allowed locations for different resource groups.
Where can the legal team access information around how the Microsoft cloud helps them secure sensitive data and comply with applicable laws and regulations?
Trust Center
Where can you find whether Azure meets a security standard or not?
Trust Center
The Health Insurance Portability and Accountability Act (HIPAA) is a
US federal law that regulates patient Protected Health Information (PHI).
How can you protect your organization's resources from network-based attacks (perimeter layer)?
Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for users. Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
Your company wants to be more methodical and careful when it pushes new versions of its e-commerce website to production. The company will expand its quality assurance (QA) team, and it will use the cloud to create and host virtual machines (VMs). Through this approach, it will create testing environments that match the production environment. They don't want QA people having to configure environments all the time, and don't want a bunch of VMs sitting around unused. What should they do?
Use Azure DevTest Labs
Suppose you need to test a new feature on an old version of an operating system. What can you do?
Use Azure DevTest Labs which can set up everything automatically upon request. After the testing is complete, DevTest Labs can shut down and deprovision the VM, which saves money when it's not in use. To control costs, the management team can restrict how many labs can be created, how long they run, and so on.
Team of developers with Windows experience want to perform one-off testing, mgmt, and other tasks and find Azure Portal too slow, what can they do?
Use Azure PowerShell: suited to one-off tasks for people with a Windows background
You want to allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets. How can you do this?
Use RBAC at the resource group level
You need to allow a database administrator group to manage SQL databases in a subscription. How can you grant this access?
Use RBAC on the subscription (or resource group/resource level if there are things they should not have access to)
Vision
Use image-processing algorithms to smartly identify, caption, index, and moderate your pictures and videos.
Azure DevTest Labs
Used to manage VMs for testing including configuration, provisioning, and automatic deprovisioning Can quickly create on-demand Windows and Linux environments to test or demo applications directly from deployment pipelines.
What if you want to configure governance and other requirements for your resources across subscriptions? How can you do this?
Using Azure Blueprints, which ensures a dev team can build and deploy rapidly while staying compliant
How can you automatically apply security settings to new resources when they are created?
Using Azure Security Center
How can you automate responses to security alerts in Security Center?
Using workflow automation: an Azure Logic App with the Security Center connector is triggered by a threat-detection alert or by a Security Center recommendation. The logic app can then, for example, send an email and post a Teams message.
How do you manage Azure RBAC permissions?
Using the Access control (IAM) pane in the Azure portal. The pane shows who has access at which scope and which roles apply; you can also grant or remove access from this pane.
Choosing VM v. Container
A VM if you need complete control; a container for portability, performance and a more lightweight footprint.
VM virtualize the ____________ while containers virtualize the __________________
VM virtualize the hardware while containers virtualize the OS
To start using Azure Firewall, you should build
VMs on a virtual network
Why use VMs for testing and development?
VMs provide a quick and easy way to create different OS and application configurations. Test and development personnel can then easily delete the VMs when they no longer need them.
All transferred data is encrypted in a private tunnel as it crosses the internet via
VPN/VPN gateway
These are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet).
VPNs. Traffic is encrypted while travelling over the untrusted network to prevent eavesdropping or other attacks; a VPN uses an encrypted tunnel within another network.
Imagine you're running a website that enables scientists to upload astronomy images that need to be processed. If you duplicated the VM, you'd normally need to configure an additional service to route requests between multiple instances of the website. What can you use to have that work done for you?
Virtual Machine Scale Sets
These allow you to centrally manage, configure, and update a large number of VMs in minutes to provide highly available applications. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. What am I?
Virtual Machine Scale Sets
If you need complete control over your computing environment you should use
Virtual Machines
an Azure compute resource that you can use to deploy and manage a set of identical VMs. With all VMs configured the same, these are designed to support true autoscale. No pre-provisioning of VMs is required. What am I?
Virtual machine scale set
How can you stay updated the latest update to Azure products, services, features, products, and announcements?
Visit the Azure Updates page (azure.microsoft.com/updates): filter by available, in preview, and in development; browse or search updates; subscribe to an RSS feed to get notifications; and access Microsoft Connect to read product news and announcements.
you can build, deploy, manage, and scale web apps and APIS using this service category
Web
Why combine Azure Application Gateway web application firewall and Azure Firewall
Web application firewall (WAF) is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities. Azure Firewall provides: - Inbound protection for non-HTTP/S protocols (e.g. SSH) - Outbound network-level protection for all ports and protocols - Application-level protection for outbound HTTP/S. Combining them provides more layers of protection.
Policy evaluation
When a condition is evaluated against your existing resources, each resource is marked as compliant or noncompliant. You can review the noncompliant results and take any action that's needed. If you change a policy definition and create a policy assignment, that policy is evaluated over your resources within the hour; after that, resources are re-evaluated on Azure Policy's regular compliance cycle.
How can VMs be used during lift and shift?
When moving from a physical server to the cloud. You can create an image of the physical server and host it within a VM with little or no changes. Like a physical server, you must update the installed OS and the software it runs.
stateless v. stateful Azure functions
When they're stateless (the default), they behave as if they're restarted every time they respond to an event. When they're stateful (called Durable Functions), a context is passed through the function to track prior activity.
Azure costs by usage meters
When you provision a resource, Azure creates meters to track usage of that resource and determine billing e.g. CPU time, bandwidth, number of operations, size of resource, etc
How can DDoS (standard) Protection help manage cloud consumption
When you run on-premises, you have a fixed number of compute resources. But in the cloud, elastic computing means that you can automatically scale out your deployment to meet demand, so a cleverly designed DDoS attack can cause you to increase your resource allocation, which incurs unneeded expense. DDoS Protection Standard helps ensure that the network load you process reflects customer usage, and you can receive a credit for costs accrued from a DDoS attack.
Azure Virtual Machines
Windows or Linux virtual machines (VMs) hosted in Azure.
Azure PowerShell is available for
Windows, Linux, and Mac, and you can access it in a web browser via Azure Cloud Shell.
Difference between functions and logic apps
With Functions, you write code to complete each step; with Logic Apps, you use a GUI to define the actions and how they relate to one another. Functions are usually stateless; Logic Apps are always stateful. Functions can run locally or in the cloud; Logic Apps are cloud-only.
Any-to-any networks with ExpressRoute
With any-to-any connectivity, you can integrate your wide area network (WAN) with Azure by providing connections to your offices and datacenters. Azure integrates with your WAN connection to provide a layer 3 connection like you would have between your datacenter and any branch offices.
Micro-billing in serverless computing
With serverless computing, you pay only for the time your code runs. If no active function executions occur, you are not charged.
How can you handle different billing requirements for resources?
With subscriptions, used as a billing boundary: Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
Does Azure Government have level 5 DoD approval?
Yes; it also offers the most compliance certifications of any cloud provider.
Does Azure meet ISO 27001
Yes
Is there a difference in availability between 99% SLA and 99.9%?
Yes. 99% allows up to 7.2 hours of downtime per month (1.68 hours per week); 99.9% allows 43.2 minutes per month (about 10 minutes per week).
Does location of resources affect cost?
Yes. Different regions can have different prices, and the region you choose affects where your network traffic flows and therefore the data transfer costs between regions.
Should you deallocate virtual machines during off hours?
Yes; disks and data stay, deallocating saves the compute costs, and it can be automated.
Can the OS you choose affect costs?
Yes; so compare pricing if the OS doesn't matter to you
What approach might you take to add a preview service to your architecture?
You can create a new prototype version of the app that tests the preview service with a smaller group of users.
geo-distribution
You can deploy apps and data to regional datacenters around the globe, thereby ensuring that your customers always have the best performance in their region.
How can you prevent a lock from being removed?
You can specify it in your Azure Blueprints, then if the lock is removed it will be replaced
How can you use Azure Policy to manage tags?
You can use Azure Policy to ensure that a resource inherits the same tags as its parent resource group, or to enforce tagging rules and conventions, such as adding tags to new resources when they're created or reapplying tags that were removed.
How can you delete/change a locked resource?
You must remove the lock (whether you are an owner of the resource or not)
Abstraction of servers in Serverless computing
You never explicitly reserve server instances. The platform manages that for you. Each function execution can run on a different compute instance. This execution context is transparent to the code. With serverless architecture, you deploy your code, which then runs with high availability.
Why is cloud computing typically cheaper to use?
You're billed only for what you use. it uses a pay-as-you-go pricing model. You typically pay only for the cloud services you use, which helps you: - Lower your operating costs. - Run your infrastructure more efficiently. - Scale as your business needs change.
What happens after your free trial subscription
Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription
Azure services that support availability zones fall into three categories:
Zonal services: You pin the resource to a specific zone (for example, VMs, managed disks, IP addresses). Zone-redundant services: The platform replicates automatically across zones (for example, zone-redundant storage, SQL Database). Non-regional services: Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
Azure's SLAs are represented as
a percentage representing availability, also called uptime
Azure Pipelines
a CI/CD pipeline automation tool
You typically deploy Azure Firewall on
a central virtual network to control general network access
Azure Key Vault
a centralized cloud service for storing an application's secrets, such as passwords, encryption keys, and certificates, in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
toolchain
a combination of software tools that aid in the delivery, development, and management of software applications throughout a system's development lifecycle; the output of one tool is the input for the next tool in the chain, e.g. automated dependency updates, building software, delivering artifacts to their destinations
Containers are managed through
a container orchestrator, which can start, stop, and scale out application instances as needed.
Git
a decentralized source-code management tool
Azure Virtual Desktop
a desktop and application virtualization service that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location and works across Windows, Mac, iOS, Android, and Linux. Because the desktop is separated from the user's hardware, confidential information is less likely to end up on a personal device; it can be a full desktop or just certain apps.
workload
a distinct capability or task that's logically separated from other tasks, in terms of business logic and data storage requirements; it defines a set of requirements for availability, scalability, data consistency, and disaster recovery
service-level agreement (SLA)
a formal agreement between a service company and the customer. For Azure, this agreement defines the performance standards that Microsoft commits to for you, the customer.
Define region
a geographical area on the planet that contains at least one but potentially multiple datacenters that are nearby and networked together with a low-latency network
Payment Card Industry (PCI) Data Security Standard (DSS)
a global standard that seeks to prevent fraud through increased control of credit card data; it applies to any organization that stores, processes, or transmits payment and cardholder data
GitHub (+features)
a hosted version of Git that serves as - a shared source-code repository, including tools that enable developers to perform code reviews by adding comments and questions in a web view of the source code before it can be merged into the main code base. - facilitates project management, including Kanban boards. - supports issue reporting, discussion, and tracking. - features CI/CD pipeline automation tooling. - includes a wiki for collaborative documentation. - can be run from the cloud or on-premises
Online Services Terms OST
a legal agreement between Microsoft and the customer that defines the obligations of both parties with respect to the processing and security of customer data and personal data
Azure Firewall
a managed, cloud-based network security service that helps protect resources in your Azure virtual networks by implementing a high-security, high-availability firewall with unlimited scalability.
How can you manage resources across subscriptions?
a management group manages access, policies, and compliance across multiple Azure subscriptions
secure score
a measurement of an organization's security posture, which lets you see how that posture changes as you change your security configuration
Azure Security Center
a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises, and a centralized view of security alerts
A resource tag consists of
a name and value
firewall
a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules
Azure China 21Vianet
a physically separated instance of cloud services located in China and operated independently by 21Vianet
Policy assignment
a policy definition applied within a specific scope. This scope could be a management group (a collection of multiple subscriptions), a single subscription, or a resource group. This is how you assign definitions to resources.
ExpressRoute
a private connection from your on-premises infrastructure to your Azure infrastructure. It lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider; you can establish connections to Microsoft cloud services such as Microsoft Azure and Microsoft 365.
Azure Artifacts
a repository for hosting artifacts, such as compiled source code, which can be fed into testing or deployment pipeline steps
What are scopes in RBAC?
a resource or set of resources that an access assignment applies to. A scope can be - a management group (multiple subscriptions) - a single subscription - a resource group - a single resource
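Scopes only make sense together with inheritance: an assignment at a management group applies to every subscription, resource group and resource beneath it, and the same chain is what Azure Policy assignments follow. The example below, added here and not part of Azure's authorization service, walks that chain for RBAC: it builds a constructed management group tree with subscriptions under it, resolves a resource ID to its scope chain, and answers "can this principal perform this action here?" from a constructed subset of built-in role definitions (Actions/NotActions wildcards). It also checks the six-level management group depth limit from the T/F cards. Deny assignments and data-plane actions are not modelled.

```python
"""Scope inheritance for Azure RBAC and Policy assignments (added example).

Scope strings follow the real resource-ID layout; the tree, principals and
role subset are constructed. No deny assignments, no data-plane actions.
"""
import fnmatch

MG = "/providers/Microsoft.Management/managementGroups/"
MAX_MG_DEPTH = 6     # levels allowed below the root management group

# Constructed subset of built-in roles: (Actions, NotActions) wildcard patterns.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    "Reader": (["*/read"], []),
    "SQL DB Contributor": (["Microsoft.Sql/servers/databases/*",
                            "Microsoft.Resources/subscriptions/resourceGroups/read"], []),
}


class Tenant:
    def __init__(self, root="root"):
        self.root = root
        self.mg_parent = {}      # management group -> parent group
        self.sub_parent = {}     # subscription id -> management group
        self.assignments = []    # (principal, role, scope)

    def add_group(self, name, parent):
        self.mg_parent[name] = parent

    def add_subscription(self, sub_id, group):
        self.sub_parent[sub_id] = group

    def assign(self, principal, role, scope):
        self.assignments.append((principal, role, scope))

    def depth(self, group):
        d = 0
        while group != self.root:
            group, d = self.mg_parent[group], d + 1
        return d

    def too_deep(self):
        """Groups that violate the six-level limit (root and subscriptions don't count)."""
        return sorted(g for g in self.mg_parent if self.depth(g) > MAX_MG_DEPTH)

    def scope_chain(self, scope):
        """The scope itself followed by each parent, innermost first.
        An RBAC or Policy assignment at any of these applies to `scope`."""
        chain = []
        if scope.startswith("/subscriptions/"):
            parts = scope.strip("/").split("/")
            sub = parts[1]
            if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
                if len(parts) > 4:
                    chain.append(scope)                     # the resource
                chain.append("/" + "/".join(parts[:4]))     # its resource group
            chain.append(f"/subscriptions/{sub}")
            group = self.sub_parent.get(sub)
        elif scope.startswith(MG):
            group = scope[len(MG):]
        else:
            raise ValueError(f"unrecognised scope {scope}")
        while group is not None:
            chain.append(MG + group)
            group = self.mg_parent.get(group)               # the root has no parent
        return chain

    def effective_roles(self, principal, scope):
        chain = set(self.scope_chain(scope))
        return sorted({role for p, role, s in self.assignments if p == principal and s in chain})

    def allowed(self, principal, action, scope):
        """Some effective role lists the action and none of its NotActions excludes it."""
        action = action.lower()
        for role in self.effective_roles(principal, scope):
            actions, not_actions = ROLES[role]
            if (any(fnmatch.fnmatch(action, a.lower()) for a in actions)
                    and not any(fnmatch.fnmatch(action, n.lower()) for n in not_actions)):
                return True
        return False


def demo_tenant():
    """Constructed tenant: root > corp > {prod, dev}, one subscription under each."""
    t = Tenant()
    t.add_group("corp", "root")
    t.add_group("prod", "corp")
    t.add_group("dev", "corp")
    t.add_subscription("sub-prod", "prod")
    t.add_subscription("sub-dev", "dev")
    t.assign("auditors", "Reader", MG + "root")
    t.assign("dba-group", "SQL DB Contributor", "/subscriptions/sub-prod")
    t.assign("alice", "Contributor", "/subscriptions/sub-prod/resourceGroups/web-rg")
    return t
```

The two DBA cards map directly onto `demo_tenant()`: the DBA group is assigned at the subscription so every SQL database in it is covered, while alice's Contributor role at one resource group stops at that group's boundary and, because of the Contributor NotActions, never lets her hand out roles.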
Azure Government
a separate instance of the Microsoft Azure service addressing the security and compliance needs of US federal agencies, state and local governments, and their solution providers
Azure Policy
a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across all of your resource configurations so that those configurations stay compliant with corporate standards.
Azure Storage
a service that you can use to store files, messages, tables, and other types of information. Apps and clients can read and write data from Azure Storage, and it is also used by IaaS virtual machines and PaaS cloud services.
Network virtual appliances
a specialized VM that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.
ISO 27001
a standard that applies to the security of IT systems, published by the International Organization for Standardization
What is a VM image
a template used to create a VM; images include an OS and often other software, like development tools or web hosting environments
Conditional Access
a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Containers
a virtualization environment - you can run multiple containers on a single physical or virtual host. lightweight and designed to be created, scaled out, and stopped dynamically. While it's possible to create and deploy virtual machines as application demand increases, containers are designed to allow you to respond to changes on demand.
You create logic app workflows by using
a visual designer on the Azure portal or in Visual Studio. The workflows are persisted as a JSON file with a known workflow schema.
Azure Policy initiatives
a way of grouping related policies together; it contains all the policy definitions to help track compliance toward a larger goal
Azure Portal
a web-based user interface to view all the services you're using, create new services, configure your services, view reports, and pay for services; used for simple one-time mgmt tasks
STAR Certification is based on
achieving International Organization of Standards/International Electrotechnical Commission (ISO/IEC) 27001 certification and meeting criteria specified in the Cloud Controls Matrix (CCM); involves rigorous independent third-party assessment of a cloud provider's security posture
Any US state or local agency that wants access to the FBI's Criminal Justice Information Services (CJIS) databases is required to
adhere to the CJIS Security Policy (Supported under compliance category US Gov in Azure)
Azure offers customers a HIPAA Business Associate Agreement (BAA), which stipulates
adherence to certain security and privacy provisions in HIPAA and the HITECH Act. Microsoft offers a BAA to Azure customers as a contract addendum
Being able to deploy and configure cloud-based resources quickly as your app requirements change is called
agility
The Microsoft Privacy Statement covers
all of Microsoft's services, websites, apps, software, servers, and devices
Azure Database for PostgreSQL
allows developers to build scalable, secure, and fully managed enterprise-ready apps. You can scale out single nodes with high performance, or migrate PostgreSQL and Oracle workloads to the cloud.
Azure Hybrid Benefit
allows you to repurpose software licenses on Azure -- saving costs
To begin using Azure Storage, you first create
an Azure Storage account to store your data objects. (done with Azure portal, PowerShell, or the Azure CLI)
Network security groups
an Azure resource that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.
To create and use Azure services, you need
an Azure subscription
Azure Boards
an agile project management suite that includes Kanban boards, reporting, and tracking ideas and work from high-level epics to work items and issues.
why use VMs to run apps in the cloud?
an application might need to handle fluctuations in demand. Shutting down VMs when you don't need them or quickly starting them up to meet a sudden increase in demand means you pay only for the resources you use
Azure Test Plans
an automated test tool that can be used in a CI/CD pipeline to ensure quality before a software release.
landing zone
an environment in the cloud to begin hosting your workloads - includes cloud infrastructure as well as governance, accounting, and security capabilities
Azure account
an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts
Azure Data Lake Analytics
an on-demand analytics job service that simplifies big data: you write queries to transform your data and extract valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for how much power you need. You only pay for your job when it's running, making it more cost-effective.
After a blueprint is made for a management group, the artifacts are deployed to
any existing subscriptions in the blueprint's scope (the mgmt group in this case), and any new subscriptions as they're created and added to the scope
A storage account provides a unique namespace for your Azure Storage data, that's accessible from
anywhere in the world over HTTP or HTTPS. Data in this account is secure, highly available, durable, and massively scalable.
__________ storage stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data
archive
Azure queue storage
asynchronous message queuing for communication between apps
AuthZ
authorization
unique physical location within an Azure region
availability zone - one or more datacenters with independent power, cooling, networking, maintenance schedules, etc.
You want to ensure your services and data are redundant so you can protect your information in case of failure. Azure can help make your app highly available through
availability zones
China East, China North are regions that are
available through a unique partnership between Microsoft and 21Vianet, whereby Microsoft doesn't directly maintain the datacenters.
Which of the following services should be used when the primary concern is to perform work in response to an event (often via a REST command) that needs a response in a few seconds? - Azure functions - Azure app service - Azure container instances
azure functions
_________ can act as an extension of your own datacenter into the cloud
azure virtual networks
You can access SLAs from
azure.microsoft.com support, legal, sla
Just-in-time VM access
blocks traffic by default to specific network ports of VMs, but allows traffic for a specified time when an admin requests and approves it.
What kinds of policies can be created with Azure Policy
both individual policies and groups of related policies (initiatives)
How can you detect threats in Azure Sentinel
built-in analytics based on known threats and vectors using customizable templates, or build custom analytics with specific rules for your environment
Azure IoT Central
builds on top of IoT Hub by adding a prebuilt customizable dashboard that allows you to view, connect, monitor, and manage your IoT devices. You can also set up alerts to send messages when a certain device needs maintenance
A VM in Azure can connect to the internet by default, but how can you enable incoming connections?
by defining a public IP address or a public load balancer
How do you build a Logic App
by linking triggers to actions (a task or step that can execute) with connectors
Azure Repos
centralized source-code repository where software development, DevOps engineering, and documentation professionals can publish their code for review and collaboration.
How can you cutover from your on-premises SQL Server to your Azure SQL Managed Instance
changing the connection string in your applications
Store application or backup data safely and securely using
cloud-based storage in Azure
a way to rent compute power and storage from someone else's datacenter
cloud computing
The United Kingdom (UK) Government G-Cloud is a
cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK government.
You can use availability zones to run mission-critical applications and build high-availability into your application architecture by
co-locating your compute, storage, networking, and data resources within a zone and replicating in other zones
What are blueprint artifacts?
components in a blueprint definition
using this service category, you can scale computing capabilities on demand while paying only for what you use
compute services
File integrity monitoring
configure the monitoring of changes to important files on both Windows and Linux, registry settings, applications, and other aspects that might indicate a security attack.
What is Azure Marketplace?
connect users with Microsoft partners, independent software vendors, and startups that are offering their solutions and services, which are optimized and certified to run on Azure. Includes open-source container platforms, virtual machine images, databases, application build and deployment software, developer tools, threat detection, and blockchain
assume that you have a private datacenter in California connected to ExpressRoute in Silicon Valley. You have another private datacenter in Texas connected to ExpressRoute in Dallas. With ExpressRoute Global Reach, you can
connect your private datacenters through two ExpressRoute circuits. Your cross-datacenter traffic will travel through the Microsoft network.
Logic Apps excel at
connecting a large array of disparate services via their APIs to pass and process data through many steps in a workflow; you supply only a few details, and the details of calling the necessary APIs are abstracted away
Defining your strategy with the Cloud Adoption Framework
consider why you're migrating to the cloud, what business outcomes you expect, and what project to lead with. 1. define and document motivations by meeting with stakeholders and leadership; 2. document business outcomes (finance, marketing, sales, human resources) to write goals; 3. evaluate financial considerations by measuring objectives and identifying the return expected; 4. understand technical considerations for your first project
Microsoft offers customers European Union (EU) Standard Contractual Clauses that provide
contractual guarantees around transfers of personal data outside of the EU
Adaptive application controls
control which applications are allowed to run on VMs. Security Center uses machine learning to look at the processes running on a VM and creates rules for each resource group that holds the VMs and provides recommendations and alerts that inform the company about unauthorized applications that are running on its VMs.
Defense in depth: data
controls access to business and customer data that you need to protect; ensure the confidentiality, integrity, and availability of the data - follow regulatory requirements
Data in this access tier can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics. This has a slightly lower availability service-level agreement (SLA) and higher access costs than other options.
cool access tier
At any time, you can check the ______________ page in the Azure portal to get a summary of your current usage and review invoices from prior months
cost management and billing
Readying your organization with the Cloud Adoption Framework
create a landing zone environment in Azure to structure subscriptions, shared resources, tools, governance, and security. 1. Azure setup guide: review it; 2. Azure landing zone: build subscriptions; 3. Expand landing zone: ensure it meets operations, governance, and security needs; 4. best practices: follow recommended and proven practices to stay scalable and maintainable
Each time the Logic App trigger fires, the Logic Apps engine
creates a logic app instance that runs the actions in the workflow. These actions can also include data conversions and flow controls, such as conditional statements, switch statements, loops, and branching.
Azure agreements and contracts in China are signed by
customers and 21Vianet
security posture
cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.
Usage patterns
define when and how users access your application; consider whether availability changes during critical and non-critical periods
service lifecycle
defines how every Azure service is released for public use. 1. development phase -- collect and define requirements, then build it; 2. public preview phase -- the public can access and experiment with it and provide feedback; 3. general availability -- production-ready service after testing and validation
application SLA
defines the SLA requirements for a specific application - typically one you build on Azure
What is meant by cloud computing?
delivery of computing services over the internet
Azure Resource Manager
deployment and management service for Azure; use it to create, update, and delete resources, and to apply access control, locks, and tags to secure and organize your resources
Imperative code
details each individual step that should be performed to achieve a desired outcome
declarative code
details only a desired outcome, and it allows an interpreter to decide how to best achieve that outcome; possibly more robust for deploying hundreds of resources simultaneously and reliably
Azure Functions can perform orchestration tasks by using an extension called Durable Functions, which allow
developers to chain functions together while maintaining state.
IoT Hub monitoring helps you maintain the health of your solution by tracking events such as
device creation, device failures, and device connections.
By taking advantage of cloud-based backup services, data replication, and geo-distribution, you can deploy your apps with the confidence that comes from knowing that your data is safe in the event of disaster. This is called
disaster recovery
Disk Storage provides
disks for Azure virtual machines. Applications and other services can access and use these disks as needed, allowing data to be stored and accessed persistently
What are DDoS attacks?
a distributed denial of service attack attempts to overwhelm and exhaust an application's resources, making the application slow or unresponsive to legitimate users. It can target anything publicly reachable through the internet
One advantage of blob storage over disk storage is that it
does not require developers to think about or manage disks; data is uploaded as blobs, and Azure takes care of the physical storage needs.
Event-driven scale in Serverless computing
e.g. if you need to respond to events like timers, HTTP/API/webhooks, queues, etc. The platform automatically schedules the function to run and scales the number of compute instances based on the rate of incoming events. Triggers define how a function is invoked. Bindings provide a declarative way to connect to services from within the code.
Pros of microservices
each service can be created with a different tech stack, so each job can be completed with the best tools for that service; easier for new team members to ramp up and get started because each service has a small scope to pick up; can update and deploy a single service at a time, so bugs and features are more manageable and less risky; a service can go down without taking out the entire app; good for high release velocity; highly scalable; good if the app has many domains/subdomains; good for small development teams
Before you jump in to build a custom chat experience by using Bot Service, it might make sense to
search for prebuilt, no-code solutions that cover common scenarios, e.g. QnA Maker on Azure Marketplace, which uses FAQs, support content, manuals, etc. to build a bot
You can configure cloud-based apps to take advantage of autoscaling, so your apps always have the resources they need. This is considered
elasticity
Azure virtual networks
enable Azure resources, such as VMs, web apps, and databases, to securely communicate with each other, with users on the internet, and with your on-premises client computers. You can think of an Azure network as a set of resources that links other Azure resources.
Azure Database for MySQL and Azure Database for MariaDB
enable you to deliver highly-available, scalable apps with managed open-source database services. You can also migrate your existing MySQL and MariaDB workloads to the cloud.
Azure Batch
enables large-scale parallel and high-performance computing (HPC) batch jobs with the ability to scale to tens, hundreds, or thousands of VMs.
GitHub Actions
enables workflow automation with triggers for many lifecycle events, such as those in a CI/CD toolchain
App Service
enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers automatic scaling and high availability. Supports automated deployments for continuous deployment
Azure Blueprints
enables you to define a repeatable set of standard Azure resources that your organization requires, e.g. define that a certain resource lock must exist --> if the lock is removed it will be replaced
network security group
enables you to filter network traffic to and from Azure resources within an Azure virtual network, like an internal firewall; can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol
Azure SQL Managed Instance
enables you to migrate your SQL workloads to Azure while maintaining complete SQL server compatibility. With SQL Server on Azure VMs, you can also migrate your SQL workloads to Azure while maintaining OS-level access
for a VPN gateway you need to deploy a virtual network with
enough address space for the additional subnet that you'll need for the VPN gateway. The address space for this virtual network must not overlap with the on-premises network that you'll be connecting to. You can deploy only one VPN gateway within a virtual network.
Defense in depth: identity and access
ensuring that identities are secure, access is granted only to what's needed, and sign-in events and changes are logged; controls access to infrastructure and change control. Use single sign-on (SSO) and multifactor authentication (MFA); audit events and changes
Define your workloads with the TCO Calculator
enter the specifications of your on-premises infrastructure - servers: OS, virtualization, CPU cores, RAM memory - databases: types, hardware, Azure service replacement - storage: type and capacity, archive storage - networking: bandwidth you currently consume, etc.
Authentication
establishing the identity of a person or service that wants to access a resource - get legit creds, confirm user is who they say they are
Authorization
establishing what level of access an authenticated person or service has - what data they're allowed to access and what they can do with it
Azure Advisor
evaluates the configuration and usage of Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs; designed to help you save time on cloud optimization. The recommendation service includes suggested actions you can take right away, postpone, or dismiss
When you assign the Owner role to a user at the management group scope, that user can manage
everything in all subscriptions within the management group.
You can enable ExpressRoute Global Reach to
exchange data across your on-premises sites by connecting your ExpressRoute circuits
Azure CLI
executable program that can execute commands in Bash that call the Azure REST API to perform any mgmt task in Azure; used for routine setup, teardown, and maintenance of resources or the deployment
Policy definition
expresses what to evaluate and what action to take, e.g. prevent VMs from being deployed in certain Azure regions. Every policy definition has conditions under which it's enforced and an accompanying effect that takes place when the conditions are met
tags provide
extra info (metadata) about your resources
T/F A private cloud is always on prem
false - it can be hosted by a third party. Private just means only you can access and use it
Cloud computing offers
faster innovation, flexible resources, and economies of scale.
How can you request a service credit from Microsoft?
file a claim within the timeline your SLA states (typically 1-2 months: end of calendar month after the month the incident occurred in)
Defense in depth: physical security
first line of defense to protect computing hardware in the datacenter; covers access to buildings and computing hardware
99.99 percent uptime is called
four-nines
When can you use spending limits to prevent accidental overrun?
free or credit-based subscriptions. When you run out of credits, deployed resources are removed from production and VMs are stopped and deallocated - your data becomes read-only. For credit-based subscriptions, your subscription is suspended until the next billing period
Azure Cost Management + Billing
free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use
Azure file storage
fully managed file shares in the cloud, accessible with industry-standard network protocols (Server Message Block and Network File System (preview) protocols)
Azure db offerings include
fully managed relational and in-memory databases spanning proprietary and open source engines
Azure HDInsight
fully managed, open-source analytics service for enterprises that processes massive amounts of data with clusters types like Apache Spark, Hadoop, Kafka, HBase, and Storm in the cloud. also supports a broad range of scenarios such as extraction, transformation, and loading (ETL), data warehousing, machine learning, and IoT.
Data Protection Addendum DPA
further defines the data processing and security terms for online services including - Compliance with laws - Disclosure of data - Data Security practices and policies: data encryption, data access, customer responsibilities, compliance with auditing - Data transfer, retention, and deletion
Why are regions important?
give you the flexibility to bring applications closer to your users no matter where they are. Global regions provide better scalability and redundancy. They also preserve data residency for your services.
How can you access DPA (Data protection addendum)
go to licensing resources and documents on microsoft.com and search for DPA
security controls
groups of related security recommendations
Capital Expenditure (CapEx)
the up-front spending of money on physical infrastructure, and then deducting that up-front expense over time. The up-front cost from CapEx has a value that reduces over time.
Azure Pricing Calculator
helps determine which Azure services best fit your budget with estimates of resources and their configurations
Azure Databricks
helps unlock insights from all your data and build artificial intelligence solutions using an interactive Apache Spark-based analytics service with other big data services in Azure. supports Python, Scala, R, Java, and SQL, as well as data science frameworks and libraries including TensorFlow, PyTorch, and scikit-learn.
Cloud Adoption Framework for Azure
helps you create and implement the business and technology strategies needed to succeed in the cloud by providing you with proven guidance to help with your cloud adoption journey
Azure Blob Storage is unstructured, meaning that
there are no restrictions on the kinds of data it can hold
Depending on the service-level agreement (SLA) that you choose, your cloud-based apps can provide a continuous user experience with no apparent downtime, even when things go wrong. This is considered
high availability
Advantages of using cloud
high availability; scalability; elasticity; agility; geo-distribution; disaster recovery
Azure Database for PostgreSQL Hyperscale (Citus)
horizontally scales queries across multiple machines by using sharding. Its query engine parallelizes incoming SQL queries across these servers for faster responses on large datasets. It serves applications that require greater scale and performance, generally workloads that are approaching, or already exceed, 100 GB of data. It supports multi-tenant applications, real-time operational analytics, and high throughput transactional workloads. Apps for PostgreSQL can run distributed queries on Hyperscale (Citus) with standard connection libraries and minimal changes.
What access tiers for blob storage can be set at the blob level, during upload or after upload?
hot, cool, or archive
App Service plans determine
how much hardware is devoted to your host. For example, the plan determines whether it's dedicated or shared hardware and how much memory is reserved for it.
The main difference between policy-based and route-based VPNs is
how traffic to be encrypted is specified
Which cloud model (private, public, hybrid) is more flexible?
hybrid
This layer is now more often the target of attack than the network is.
identity layer
What happens if a pod crashed or is removed in kubernetes
if a pod crashed, a new instance can be created; if a pod is removed, the workload can be moved to a different pod in the cluster
When to use route based VPN gateways
if you need - Connections between virtual networks - Point-to-site connections - Multisite connections - Coexistence with an Azure ExpressRoute gateway
When is Conditional Access useful?
if you need to - require MFA - for certain users or networks, or all users/networks - require access only via approved apps (like only accessing outlook via the outlook app) - require access only via managed devices (a device meeting your standard for security and compliance) - block access from untrusted sources (like unknown/unexpected locations)
What does it mean for inbound data traffic to be free but outbound to cost money?
inbound = data going into Azure datacenters; outbound = data leaving Azure datacenters. Inbound data transfer is generally free; outbound data transfer pricing is based on billing zones
Who can you apply Azure RBAC to?
individuals, groups, service principals, and managed identities
code that performs setup and configuration can be stored, versioned, and maintained along with application source code in a source code-management tool such as Git. This approach to managing hardware and cloud resources, is referred to as
infrastructure as code
Why use initiatives even when you only have a single policy?
initiatives enable you to increase the number of policies that apply to a scope over time without having to change the policy assignment for your resources
Resources
instances of services that you create, like virtual machines, storage, or SQL databases
Why care about SLAs?
it affects your performance and the SLA you can make with your customers
What does it mean for a firewall to be stateful
it analyzes the complete context of a network connection, not just an individual packet of network traffic
Describe the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed)
it is preserved - Azure creates a record that associates a resource with the blueprint that defines it so you can track and audit deployment
How does Azure Firewall enable outside firewalls to identify traffic coming from your virtual network
it uses a static (unchanging) public IP address for your virtual network resources
combines container management automation with an extensible API to create a cloud native application management powerhouse
kubernetes
Virtual machine scale sets
let you create and manage a group of identical, load-balanced VMs
Conditional Access comes with a What If tool, which
lets you test your Conditional Access policies before you implement them by modeling your proposed Conditional Access policies across recent sign-in attempts from your users to see what the impact would have been if those policies had been enabled.
What is it called when you move from a physical server to the cloud
lift and shift
How do you assign Azure Policy Initiatives?
like policy assignment, just assign it a specific scope of a management group, subscription, or resource group
Which is not a feature of cloud computing? - faster innovation - limited pool of services - speech recognition and other cognitive services
limited pool of services is not a feature of cloud computing
Defense in depth: network
limits communication between resources through segmentation and access controls to allow only what is required; restrict inbound internet access and limit outbound where appropriate; implement secure connectivity to on-premises networks
resource quotas
limits on the number of similar resources you can provision in a subscription -- mostly so Microsoft can plan its datacenter capacity
Azure Logic Apps
low/no-code development platform using the Logic Apps Designer UI to help automate and orchestrate tasks based on event triggers. Build by linking triggers to actions using a library of connectors (or a custom connector)
Azure IoT Hub
managed service that's hosted in the cloud and that acts as a central message hub for bi-directional communication between your IoT application and the (maybe millions) devices it manages.
What can be used to manage governance across multiple Azure subscriptions
management groups
You organize subscriptions into containers called
management groups
Making a plan with the Cloud Adoption Framework
map goals to specific actions. 1. digital estate: identify existing workloads you want to migrate to the cloud; 2. initial organization alignment: who needs to be involved (tech + governance); 3. skills readiness plan: how to train them to operate in the cloud; 4. cloud adoption plan: bring together the development, operations, and business teams toward a shared goal
Containers are often used to break a solution into smaller, independent pieces. This is called
microservice architecture
you might split a website into a container hosting your front end, another hosting your back end, and a third for storage. This split allows you to separate portions of your app into logical sections that can be maintained, scaled, or updated independently. This is an example of?
microservice architecture
this is a way to simplify an application architecture by focusing on creating smaller, more manageable, autonomous, and independently deployed web services that address a single business domain or capability
microservice architectures
Adopting the cloud MIGRATION with the Cloud Adoption Framework
migrate your first workload using the migration guide, then innovate. 1. migrate your first workload; 2. migration scenarios: use additional in-depth guides to explore complex migrations; 3. best practices: check the Azure cloud migration best practice checklist to verify you've covered them; 4. process improvements: find ways to make the migration process scale with less effort, and innovate
Azure SQL Database and Azure SQL Managed Instance offer many of the same features; however, Azure SQL Managed Instance provides several options that might not be available to Azure SQL Database. These include
migrating dbs to the cloud that do not use SQL_Latin1_General_CP1_CI_AS server collation (the only one SQL Database supports)
using this service category, you can build and deploy cross-platform and native apps for any mobile device and use Xamarin services in Azure
mobile
As you move your workloads to the cloud, a natural evolution is to start with infrastructure as a service (IaaS) services because they map more directly to concepts and operations you're already familiar with. But to save costs you can
move from IaaS to PaaS which are less expensive and require less to manage but can still meet your requirements
UDR (user defined routing) is a significant update to Azure's Virtual Networks as this allows
network admins to control the routing tables between subnets within a VNet, as well as between VNets, thereby allowing for greater control over network traffic flow.
These have security rules that enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. After it is created, it is associated with a VNet. What is it?
network security group
What is like an internal firewall (firewall but within the same network)
network security group
Connect virtual networks to other virtual networks through a _____________ connection
network-to-network
for a VPN gateway you need to create a Virtual network gateway, explain
to route traffic between the virtual network and the on-premises datacenter or other virtual networks. The virtual network gateway can be either a VPN or ExpressRoute gateway
Azure blob storage
object storage solution for massive amounts of unstructured data like text and binary; good for serving images and documents directly to a browser, storing archive data, streaming video and audio, and disaster recovery
Azure Reservations
offers discounted prices on certain Azure services by reserving services and resources and paying in advance; saves you up to 72 percent as compared to pay-as-you-go prices
Azure Container Instances
offers the fastest and simplest way to run a container in Azure without having to manage any virtual machines or adopt any additional services. Containerized apps run on Azure without provisioning servers or VMs.
How is Azure RBAC enforced?
on any action that's initiated against an Azure resource that passes through Azure Resource Manager
Managing your cloud environments with the Cloud Adoption Framework
ongoing work for your cloud environment: 1. establish a management baseline: define the minimum set of tools that should be applied to every asset in the environment (your commitment to operations); 2. define business commitments: document supported workloads and operations and agree on cloud investments; 3. expand the management baseline: apply recommended best practices to iterate on your initial management baseline; 4. advanced operations and design principles: perform a deeper architecture review to deliver on your resiliency and reliability commitments
Governing your cloud environments with the Cloud Adoption Framework
ongoing work for your cloud environment: 1. methodology: consider the end goal and how you can get there in steps; 2. benchmark: use the governance benchmark tool to assess your current and future states and establish a vision; 3. initial governance foundation: create an MVP capturing the first steps of your governance plan; 4. improve the initial governance foundation: iteratively add governance controls that address tangible risks as you progress toward your final goal
What access tiers can be set at the account level?
only hot and cool (not archive)
Azure Government uses physically isolated datacenters and networks located
only in the US
The task of automating, managing, and interacting with a large number of containers is known as
orchestration
If you have multiple departments and need to do a "chargeback" of cloud costs by department you can
organize subscription by department or project or use tags
Bot Service solutions usually rely on
other AI services for such things as natural language understanding or even translation for localizing replies into a customer's preferred language
You can link virtual networks together by using virtual network
peering
DevOps is a concept that combines
philosophies and practices to facilitate technical teams as they work toward common goals by employing processes that automate the ongoing development, maintenance, and deployment of software systems to expedite the release of software changes, ensure the ongoing deploy-ability of the system, and ensure that all changes meet a high quality bar.
US DoD Central, US Gov Virginia, US Gov Iowa are regions that are
physical and logical network-isolated instances of Azure for U.S. government agencies and partners. These datacenters are operated by screened U.S. personnel and include additional compliance certifications.
Availability zone
physically separate datacenters within an Azure region
When done correctly, DevOps practices and processes touch nearly every aspect of a company and the software development lifecycle, including
planning, project management, and the collaboration of software developers and operations and quality assurance teams. Tooling automates and enforces most of the practices and processes, making it both difficult and unnecessary to work around.
Azure Bot Service & Bot Framework
platforms for creating virtual agents that understand and reply to questions much as a human would; the result is a virtual agent that can communicate intelligently with people. Examples include ordering food by text, simple Q&A, or a sophisticated conversation that provides access to services
Connect individual devices to virtual networks through a ____________ connection
point-to-site
compliance blueprints built on policy definitions, for common standards
Azure Blueprints samples that package policy definitions for common security and compliance standards; applying one to your Azure subscription helps make sure you meet that standard
resource lock
prevent resources from being accidently deleted or changed
What is Azure
private and public cloud platform with an ever-expanding set of services to help you build solutions to meet your business goals. Azure services range from simple web services for hosting your business presence in the cloud to running fully virtualized computers for you to run your custom software solutions. Azure provides a wealth of cloud-based services like remote storage, database hosting, and centralized account management. Azure also offers new capabilities like AI and Internet of Things (IoT).
Multifactor authentication
process where a user is prompted during sign-in for an additional form of identification. Examples include a code on their mobile phone or a fingerprint scan. An attacker who has stolen the password alone still can't fully authenticate, which makes stolen credentials much less useful
Defense in depth: perimeter
protecting your resources from network-based attacks. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure. Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users, and use perimeter firewalls to identify and alert on malicious attacks against your network.
Azure Dedicated Host
provides dedicated physical servers to host your Azure VMs for Windows and Linux (instead of shared hardware like normal VMs in Azure)
Azure Mobile App
provides iOS and Android access to your Azure resources when you're away from your computer. You can: - monitor the health and status of resources - check alerts, diagnose and fix issues, restart a web app or VM, etc. - run Azure CLI or PowerShell commands to manage resources
Azure Cognitive Services
provides prebuilt machine learning models that enable applications to see, hear, speak, understand, and even begin to reason.
Azure compliance documentation
provides you with detailed documentation about legal and regulatory standards and compliance on Azure.
How can you avoid defining role based access controls for multiple subscriptions that user should have access to?
put the subscriptions in a management group and apply the role based access control to the group
Regulatory compliance
refers to the discipline and process of ensuring that a company follows the laws that governing bodies enforce
tenant
representation of an organization (in Azure)
manageable item that's available through Azure. Virtual machines (VMs), storage accounts, web apps, databases, and virtual networks are examples of this
resource
A container that holds related resources for an Azure solution. This container includes resources that you want to manage as a group.
resource group
Before any resource can be provisioned, you need a
resource group for it to be placed in.
virtual network Peering enables
resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which allows you to create a global interconnected network through Azure.
When you assign the Contributor role to an application at the resource group scope, the application can manage
resources of all types within that resource group, but not other resource groups within the subscription.
ExpressRoute connectivity can be
from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility
Azure automatically creates one of these for each subnet within a VNet, populated with default system routes. You can add custom routes to it to modify how traffic flows between virtual networks. What is it?
route table
Azure Service Health
provides a personalized view of the health of the Azure services, regions, and resources you rely on, as well as incident history and root cause analysis
when you increase compute capacity by adding instances of resources, such as adding VMs to the configuration you are
scaling horizontally (scalability)
to increase compute capacity by adding RAM or CPUs to a single virtual machine you are
scaling vertically (scalability)
ARM Templates
declarative JSON files for deploying multiple resources that may need to connect to each other or be deployed in a certain order. They describe the resources you want to use rather than the steps to create them. The entire ARM template is validated before anything is deployed, to ensure that the resources will be created and connected correctly. You only define the desired state and configuration of each resource in the template, and Azure Resource Manager does the rest
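To make "validated before anything is deployed" concrete, here is an added example (not from Microsoft Learn, and not Resource Manager's own validator) that walks a constructed, heavily trimmed template skeleton: it checks that every dependsOn target exists, rejects cycles, produces a deployment order, and runs the kind of security check a practitioner bolts onto template validation, flagging NSG rules that open SSH or RDP to any source. The dependsOn entries are written as "type/name" rather than the resourceId() expressions a real template uses, to keep the parser short.

```python
# Added example (not from Microsoft Learn): what "verified before anything is
# deployed" looks like in practice. The template is a constructed, trimmed
# skeleton; dependsOn entries are "type/name" instead of resourceId() expressions.
from graphlib import CycleError, TopologicalSorter

TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
         "properties": {"securityRules": [
             {"name": "rdp-open", "properties": {
                 "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                 "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
             {"name": "https-in", "properties": {
                 "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                 "sourceAddressPrefix": "*", "destinationPortRange": "443"}}]}},
        {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-prod",
         "dependsOn": ["Microsoft.Network/networkSecurityGroups/nsg-web"]},
        {"type": "Microsoft.Network/networkInterfaces", "name": "nic-web1",
         "dependsOn": ["Microsoft.Network/virtualNetworks/vnet-prod"]},
        {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web1",
         "dependsOn": ["Microsoft.Network/networkInterfaces/nic-web1"]},
    ],
}


def resource_key(resource):
    return f"{resource['type']}/{resource['name']}"


def deployment_order(template):
    """Check that every dependsOn target exists and that there is no cycle, then
    return an order in which each resource follows everything it depends on."""
    keys = {resource_key(r) for r in template["resources"]}
    graph = {}
    for r in template["resources"]:
        deps = r.get("dependsOn", [])
        missing = sorted(d for d in deps if d not in keys)
        if missing:
            raise ValueError(f"{resource_key(r)} depends on unknown resource(s) {missing}")
        graph[resource_key(r)] = set(deps)
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"dependency cycle: {exc.args[1]}") from exc


def validate(template):
    """None if the template would deploy cleanly, else the validation message."""
    try:
        deployment_order(template)
        return None
    except ValueError as exc:
        return str(exc)


MANAGEMENT_PORTS = {"22", "3389"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def open_management_ports(template):
    """Flag NSG rules that allow SSH or RDP inbound from any source: the kind of
    check to run on a template before it ever reaches a subscription."""
    findings = []
    for r in template["resources"]:
        if r["type"] != "Microsoft.Network/networkSecurityGroups":
            continue
        for rule in r.get("properties", {}).get("securityRules", []):
            p = rule["properties"]
            if (p["access"] == "Allow" and p["direction"] == "Inbound"
                    and p["sourceAddressPrefix"] in ANY_SOURCE
                    and p["destinationPortRange"] in MANAGEMENT_PORTS):
                findings.append(f"{r['name']}/{rule['name']}")
    return findings


if __name__ == "__main__":
    print(deployment_order(TEMPLATE))     # nsg-web, vnet-prod, nic-web1, vm-web1
    print(open_management_ports(TEMPLATE))  # ['nsg-web/rdp-open']
```

Resource Manager performs the structural checks itself; the open-port check is the sort of thing you add in a pipeline (or express as an Azure Policy) so that a template with an internet-exposed RDP rule never gets as far as a deployment.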
What is your secure score based on?
security controls: the percentage of security controls that you satisfy
SIEM system
security information and event management aggregates security data from many different sources
define virtualization
separates the tight coupling between a computer's hardware and its OS with an abstraction layer called a hypervisor, which emulates the functioning of a real computer and its CPU inside a VM, making better use of the hardware's capacity
a term used to describe an execution environment that's set up and managed for you. You merely specify what you want to happen by writing code or connecting and configuring components in a visual editor, and then specify the actions that trigger your functionality. You never have to worry about an outage, your code can scale instantly to meet demand, and you pay based only on the actual usage of your code.
serverless computing
a cloud-hosted execution environment that runs your code but abstracts the underlying hosting environment so that you're not responsible for setting up or maintaining the server. You don't have to worry about scaling it when there's increased demand, and you don't have to worry about outages. It is responsible for sending messages from one system to another, or processing messages that were sent from other systems. It's not used for user-facing systems but, rather, it works in the background.
serverless computing (Azure Functions or Logic Apps)
Trust Center
showcases Microsoft's principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services providing support and resources for the legal and compliance community on microsoft.com -- not in Azure!
How fast are Cosmos DB data accesses?
single-digit-millisecond data access
Connect on-premises datacenters to virtual networks through a __________ connection
site-to-site
Firewall rules can
specify ranges of IP addresses to allow, or include specific network protocol and port information
Key features of policy-based VPN gateways in Azure include
- specify statically the IP addresses of packets that should be encrypted through each tunnel - support for IKEv1 only - use of static routing, where combinations of address prefixes from both networks control how traffic is encrypted and decrypted through the VPN tunnel - must be used in specific scenarios that require them, such as compatibility with legacy on-premises VPN devices
Adjust assumptions with TCO calculator
specify whether your current on-premises licenses are enrolled for Software Assurance, which can save you money by reusing those licenses on Azure; specify whether you need to replicate your storage to another Azure region for greater redundancy; review the key operating cost assumptions across several areas (electricity, IT admin costs, network maintenance, etc.), which are certified by Nucleus Research, and adjust them to match your current costs
Operational Expenditure (OpEx)
spending money on services or products now, and being billed for them now. You can deduct this expense in the same year you spend it. There is no up-front cost, as you pay for a service or product as you use it.
Are Azure Functions stateless or stateful?
stateless by default - behaves as if it's restarted every time it responds to an event
SKU
stock-keeping unit
Azure disk storage
stores disks for VMs and apps to access and use as needed: SSD (solid-state drives, for higher-performance workloads) or HDD (hard disk drives, for less critical workloads)
a logical unit of Azure services that links to an Azure account,
subscription
Teams often start their Azure governance strategy at what level
subscription level
What is a logical unit of Azure services that links to an Azure account?
subscriptions
Azure DevOps
suite of services addressing every stage of development, using tools like high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and cloud-based load testing. Formerly known as Visual Studio Team Services. Good for sophisticated project management and reporting.
What helps organize existing resources and groups?
tags
IoT Central provides starter templates, explain
templates for retail, energy, healthcare, and government are provided and can be customized in the UI, tailoring them to the specific data that's sent from your devices, the reports you want to see, and the alerts you want to send. Because of the templates, you can use the UI to update or modify a device with little code required to get started
Azure Cognitive Services is general purpose, meaning
that many different kinds of customers can benefit from the work that Microsoft has already done to train and test these models and offer them inexpensively at scale.
How can you estimate total cost of Azure resources?
the Azure Pricing calculator displays Azure products in categories for you to configure and add to your estimate; you then get a total estimate and a price breakdown
Serverless computing
the abstraction of servers, infrastructure, and operating systems Azure takes care of managing the server infrastructure and the allocation and deallocation of resources based on demand. Infrastructure isn't your responsibility. Scaling and performance are handled automatically. You're billed only for the exact resources you use.
How do you get billed for Azure Marketplace purchases?
the billing structures are set by the vendor of the thing you use
What is cloud computing
the delivery of computing services over the internet, which is otherwise known as the cloud. These services include servers, storage, databases, networking, software, analytics, and intelligence.
What if state is required in an Azure Function?
the function can be connected to an Azure storage account
what is responsible for handling everything that happens in Azure including responding to user requests
the orchestrator, a piece of software connected to a fabric controller. A fabric controller is software located on a server in each rack of an Azure datacenter. E.g. a user wants a new VM: the orchestrator gathers everything needed and sends the request to a fabric controller, which creates the VM and lets the user know when it's ready
An availability zone is set up to be an isolation boundary. If one zone goes down,
the other continues working. Availability zones are connected through high-speed, private fiber-optic networks.
service credit
the percentage of the fees you paid that are credited back to you according to the claim approval process.
Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, which covers
the processing of personal information by cloud service providers
When planned maintenance or unplanned disruption affects the active instance of a VPN Gateway
the standby instance automatically assumes responsibility for connections without any user intervention. Connections are restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions
The primary difference between Azure PowerShell and Azure CLI is
the syntax you use
Downtime
the time duration that the service is unavailable
Where can you apply locks?
to a subscription, resource group, or resource
for a VPN gateway you need to create a connection, explain
to create a logical connection between the VPN gateway and the local network gateway. The connection is made to the on-premises VPN device's IPv4 address as defined by the local network gateway. The connection is made from the virtual network gateway and its associated public IP address. You can create multiple connections.
for a VPN gateway you need to create a Local network gateway, explain
to define the on-premises network's configuration, such as where the VPN gateway will connect and what it will connect to. This configuration includes the on-premises VPN device's public IPv4 address and the on-premises routable networks. This information is used by the VPN gateway to route packets that are destined for on-premises networks through the IPSec tunnel.
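The four VPN gateway cards (gateway subnet, virtual network gateway, connection, local network gateway) describe a procedure whose most common mistakes are address-plan mistakes. The added example below (not from Microsoft Learn) checks a plan before any gateway is created: the GatewaySubnet exists under that exact name, is at least a /27 and inside the VNet, subnets don't overlap, and the on-premises prefixes you'd enter in the local network gateway don't overlap the VNet. The VNet and on-premises addresses are constructed; the /27 and reserved-name rules come from the page, the no-overlap rule is a general requirement for routed networks.

```python
# Added example (not from Microsoft Learn): sanity checks to run on a VPN plan
# before creating the gateway, local network gateway and connection. All
# addresses below are constructed.
from ipaddress import ip_network


def check_vpn_addressing(vnet_space, subnets, onprem_prefixes):
    """Return a list of problems; an empty list means the plan is sound.
    subnets: {name: cidr}; onprem_prefixes: the local network gateway's address space."""
    problems = []
    vnet = ip_network(vnet_space)
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}

    gw = nets.get("GatewaySubnet")           # the name is mandatory, not a convention
    if gw is None:
        problems.append("no subnet named GatewaySubnet")
    else:
        if gw.prefixlen > 27:
            problems.append(f"GatewaySubnet {gw} is smaller than /27; use /27 or larger")
        if not gw.subnet_of(vnet):
            problems.append(f"GatewaySubnet {gw} lies outside the VNet space {vnet}")

    names = list(nets)                       # subnets must not overlap one another
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} ({nets[a]}) and {b} ({nets[b]}) overlap")

    for prefix in onprem_prefixes:           # on-premises space vs. the VNet
        onprem = ip_network(prefix)
        if onprem.overlaps(vnet):
            problems.append(f"on-premises prefix {onprem} overlaps the VNet {vnet}; "
                            "traffic could not be routed unambiguously")
    return problems


# Constructed plans: one clean, one with the two most common mistakes.
GOOD_PLAN = dict(
    vnet_space="10.1.0.0/16",
    subnets={"web": "10.1.1.0/24", "db": "10.1.2.0/24", "GatewaySubnet": "10.1.255.0/27"},
    onprem_prefixes=["192.168.0.0/16", "172.20.0.0/22"],
)
BAD_PLAN = dict(
    vnet_space="10.1.0.0/16",
    subnets={"web": "10.1.1.0/24", "GatewaySubnet": "10.1.255.0/28"},
    onprem_prefixes=["10.0.0.0/8"],
)

if __name__ == "__main__":
    print(check_vpn_addressing(**GOOD_PLAN))   # []
    for problem in check_vpn_addressing(**BAD_PLAN):
        print("-", problem)
```

Run this against the values you intend to enter for the VNet, its subnets and the local network gateway's address space; an overlapping on-premises prefix is the one that tends to surface only after the tunnel is up and traffic silently goes the wrong way.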
The objective of defense in depth is
to protect information and prevent it from being stolen by those who aren't authorized to access it. A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.
T/F You pay for the Azure compute resources your app uses while it processes requests based on the App Service plan you choose.
true
UDR
user-defined Routing
Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet. How can you override this?
using route tables (custom rules that direct packets) and Border Gateway Protocol (BGP, which works with Azure VPN gateways or ExpressRoute to exchange routes with on-premises networks)
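The route-table card earlier on this page and the override card just above describe the same mechanism: Azure populates a system route table per subnet, and user-defined or BGP-learned routes can override it. The added example below (not from Microsoft Learn) models the selection rule that makes overrides work: the longest matching prefix wins, and on a tie a user-defined route beats a BGP route, which beats a system route. The system routes listed are the ones Azure creates for a 10.0.0.0/16 VNet; the firewall appliance address and the BGP-learned prefix are constructed.

```python
# Added example (not from Microsoft Learn): how Azure chooses the next hop for a
# packet leaving a subnet. Route entries are (prefix, next-hop type, next-hop IP, origin).
from ipaddress import ip_address, ip_network

ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}   # lower wins on a prefix-length tie

# System routes Azure creates for a VNet whose address space is 10.0.0.0/16.
SYSTEM_ROUTES = [
    ("10.0.0.0/16", "VirtualNetwork", None, "System"),
    ("0.0.0.0/0", "Internet", None, "System"),
    ("10.0.0.0/8", "None", None, "System"),          # next hop "None": traffic is dropped
    ("192.168.0.0/16", "None", None, "System"),
    ("100.64.0.0/10", "None", None, "System"),
]

# Constructed: a UDR that sends all internet-bound traffic through a firewall
# appliance at 10.0.1.4 ...
USER_ROUTES = [("0.0.0.0/0", "VirtualAppliance", "10.0.1.4", "User")]
# ... and a prefix learned over BGP from an on-premises VPN or ExpressRoute gateway.
BGP_ROUTES = [("172.16.0.0/12", "VirtualNetworkGateway", None, "BGP")]
ALL_ROUTES = SYSTEM_ROUTES + USER_ROUTES + BGP_ROUTES


def select_route(routes, destination):
    """Return the route entry Azure would use for `destination`."""
    dst = ip_address(destination)
    matches = [r for r in routes if dst in ip_network(r[0])]
    # Sort key: longest prefix first, then origin precedence (User < BGP < System).
    return min(matches, key=lambda r: (-ip_network(r[0]).prefixlen, ORIGIN_RANK[r[3]]))


def next_hop(destination, routes=ALL_ROUTES):
    """(next-hop type, next-hop address or None) for a destination."""
    _, kind, hop, _ = select_route(routes, destination)
    return kind, hop


if __name__ == "__main__":
    for dst in ("10.0.5.6", "203.0.113.9", "172.16.3.4", "10.1.2.3"):
        print(dst, "->", next_hop(dst))
```

The last destination is the one that surprises people: 10.1.2.3 is not in the VNet, and the 0.0.0.0/0 UDR to the firewall does not catch it because the system route for 10.0.0.0/8 (next hop None) is more specific, so the packet is dropped rather than inspected. If that private range must reach somewhere, it needs its own route or a peering/gateway that adds one.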
Azure PowerShell
uses the Azure management API to automate repetitive tasks such as updating VMs with a software patch. You execute cmdlets that call the Azure REST API to perform any management task in Azure. Cmdlets can be used for routine setup, teardown, and maintenance of resources, or for deploying an entire infrastructure from imperative code.
Azure Monitor
very comprehensive platform for collecting, analyzing, visualizing, and potentially taking action based on the metric and logging data from your entire Azure and on-premises environment helps identify and drill into the root cause of issues
How can you add, modify, or delete tags?
via PowerShell, Azure CLI, ARM templates, the REST API, or the Azure portal. You can also use Azure Policy
When you assign the Reader role to a group at the subscription scope, the members of that group can
view every resource group and resource within the subscription.
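Several cards on this page describe the same evaluation: a role assigned at a management group covers every subscription beneath it, Reader at subscription scope can view every resource group and resource in it, Contributor at resource group scope stops at that group's boundary, and a resource lock blocks deletes or changes regardless of who asks. The added example below (not from Microsoft Learn) puts those rules in one model. The role definitions are abbreviated copies of the built-in Reader, Contributor and Owner (Contributor's real NotActions list is longer); the principals, scopes, assignments and lock are constructed.

```python
# Added example (not from Microsoft Learn): Azure RBAC scope inheritance plus
# resource locks. Roles are abbreviated built-ins; everything else is constructed.
import fnmatch

MG_CORP = "/providers/Microsoft.Management/managementGroups/mg-corp"
MG_OF = {"/subscriptions/sub-prod": MG_CORP, "/subscriptions/sub-dev": MG_CORP}

ROLES = {  # abbreviated: the real Contributor NotActions also cover Blueprints and gallery sharing
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Owner": {"actions": ["*"], "notActions": []},
}
LOCK_BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"write", "delete", "action"}}


def scope_chain(scope):
    """[scope, parent, ...]: resource -> resource group -> subscription -> management group."""
    chain = [scope]
    if "/resourceGroups/" in scope and "/providers/" in scope:
        scope = scope.split("/providers/")[0]        # resource -> its resource group
        chain.append(scope)
    if "/resourceGroups/" in scope:
        scope = scope.split("/resourceGroups/")[0]   # resource group -> subscription
        chain.append(scope)
    if scope in MG_OF:
        chain.append(MG_OF[scope])                   # subscription -> management group
    return chain


def _matches(patterns, action):
    a = action.lower()                 # Azure action strings are case-insensitive
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def role_permits(role, action):
    d = ROLES[role]
    return _matches(d["actions"], action) and not _matches(d["notActions"], action)


def rbac_allows(assignments, identities, action, scope):
    """identities: the user plus every group it belongs to. An assignment
    counts when it was made at the target scope or at any scope above it."""
    chain = scope_chain(scope)
    return any(who in identities and at in chain and role_permits(role, action)
               for who, role, at in assignments)


def lock_blocks(locks, action, scope):
    """Locks apply to everything beneath their scope and override RBAC."""
    verb = action.rsplit("/", 1)[-1].lower()
    chain = scope_chain(scope)
    return any(at in chain and verb in LOCK_BLOCKS[level] for level, at in locks)


def authorize(assignments, locks, identities, action, scope):
    return rbac_allows(assignments, identities, action, scope) and not lock_blocks(locks, action, scope)


# Constructed environment.
RG_WEB = "/subscriptions/sub-prod/resourceGroups/rg-web"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web1"
VM_DB = "/subscriptions/sub-prod/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/vm-db1"
VM_DEV = "/subscriptions/sub-dev/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachines/vm-t1"

ASSIGNMENTS = [  # (principal, role, scope)
    ("grp-auditors", "Reader", "/subscriptions/sub-prod"),
    ("sp-deployer", "Contributor", RG_WEB),
    ("grp-platform", "Owner", MG_CORP),   # one assignment covers both subscriptions
]
LOCKS = [("CanNotDelete", RG_WEB)]        # (level, scope)

if __name__ == "__main__":
    deployer = {"sp-deployer"}
    print(authorize(ASSIGNMENTS, LOCKS, deployer, "Microsoft.Compute/virtualMachines/write", VM_WEB))   # True
    print(authorize(ASSIGNMENTS, LOCKS, deployer, "Microsoft.Compute/virtualMachines/write", VM_DB))    # False
    print(authorize(ASSIGNMENTS, LOCKS, deployer, "Microsoft.Compute/virtualMachines/delete", VM_WEB))  # False: lock
```

Two details worth noticing: Contributor cannot grant roles because of its NotActions, so a compromised deployment identity can't escalate itself to Owner; and the lock denies the delete even though RBAC would allow it, which is exactly why locks are the safety net against accidental or malicious deletion by otherwise-authorised principals.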
it's easier to build large-scale services targeting big compute, big data, and containerized workloads. As demand goes up, more VM instances can be added. As demand goes down, VM instances can be removed. The process can be manual, automated, or a combination of both. What am I?
virtual machine scale set
Which Azure compute resource can be deployed to manage a set of identical virtual machines?
virtual machine scale sets
What can you use to link virtual networks?
virtual network peering
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a
voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks
How does Azure Active Directory enforce MFA
w/ Microsoft Authenticator app; SMS code, or phone call
microservice (define and pros)
a web service with a small, well-defined scope that is loosely coupled from any other web service. You typically create several that work together, via APIs or a parent app, each providing a single piece of functionality; each service should be completely autonomous, with no dependencies on the other services
Adopting the cloud INNOVATION with the Cloud Adoption Framework
while migrating to the cloud, you may find ways to innovate: 1. business value consensus: verify your changes add value and meet customer needs; 2. Azure innovation guide: use this to accelerate development and build an MVP for your idea; 3. best practices: verify your progress maps to recommended practice before continuing; 4. feedback loops: check with customers often to verify you're meeting their needs
logic apps execute
workflows that are designed to automate business scenarios and are built from predefined logic blocks.
Examples of actions in Logic Apps include
working with variables, decision statements and loops, and tasks that parse and modify data
in an active/active configuration
you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address
One thing that distinguishes Azure Files from files on a corporate file share is that
you can access the files from anywhere in the world, by using a URL that points to the file. You can also use Shared Access Signature (SAS) tokens to allow access to a private asset for a specific amount of time.
After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft's cloud datacenter. What can you do for high availability?
you can provision multiple hosts in a host group (collection of dedicated hosts), and deploy your VMs across this group also take advantage of maintenance control to control when regular maintenance updates occur
ExpressRoute provides Layer 3 (address-level) connectivity between
your on-premises network and the Microsoft cloud through connectivity partners. These connections can be from a point-to-point or any-to-any network. They can also be virtual cross-connections through an exchange.