Az-104


Traffic Manager Route: Weighted

At times you might have multiple endpoints. Let's say you want to balance the load equally between two applications. If you set the weight to 50/50 for the two endpoints, the traffic will be distributed equally.

Azure AD Connect. What is it?

Azure AD Connect is a tool used to synchronize on-prem AD with Azure AD. You need to install Azure AD Connect on a server that has access to both the on-prem DC and Azure AD.

Subscription Types

- Free: Access to popular services for 12 months
- Pay-as-you-go: Charges you monthly for the subscriptions you use in that monthly pay period
- Enterprise Agreement: Allows purchase of cloud services and software licenses under one agreement
- Student: Similar to Free, gives $100 credit

Azure AD B2C (Business to Consumer)

A function of Azure AD that is targeted at developers.

What are the 3 types of storage accounts you can make in Azure?

General Purpose V1, General Purpose V2, BLOB storage

What is a Health Probe?

It allows the load balancer to monitor the status of the application on the web server. The health probe dynamically removes any unhealthy web servers from the backend, so it doesn't send traffic there. When a probe to the web server fails, the load balancer stops sending traffic to it. This could be because you are patching the server, it is down for maintenance, etc.

What is JSON?

JavaScript Object Notation. A JSON document is a collection of key-value pairs. Example: Vmname = webserver

What are Azure DNS Private Zones

Let's say you need name resolution to be private. This is where private zones come in handy (not accessible from the internet). These can be used where you need name resolution between multiple Vnets.

What is the default domain in Azure AD?

The default domain when you make a subscription is *domainname*.onmicrosoft.com.

Subscription Type Account Administrator

The person who creates the subscription.
- Does not have access to any other service in that subscription; they would need to be a service admin or co-admin for that
- Can only be changed by calling Azure support (whoever holds it)
- Must log in every 2 years to keep the account active; inactive accounts are cancelled
- Can add or remove subscriptions, can change billing, can assign service/co-administrators
- FULL CONTROL over the subscription and has control over billing

You have a virtual machine that has multiple network interfaces with private IP addressing. To which IP address in Azure-managed DNS is the hostname mapped? In other words, if you have 2 NICs, which one does DNS use?

The primary network interface

You need to ensure that Azure DNS can resolve names for your registered domain. What should you implement? Zone delegation? A CNAME record? An MX record? A secondary zone? A primary zone with an NS record?

Zone delegation.

Features of Az Cloud Shell

- Temporary
- Offers an integrated graphical text editor
- Authenticates automatically
- Runs on a temporary host
- Times out after 20 min of inactivity
- Requires a resource group and storage account
- Uses the same Azure file share for both Bash and PowerShell
- Is assigned one machine per user account
Meaning that Cloud Shell is basically like a little virtual machine; it needs storage to run and to store scripts and files, which is why it needs a storage account.

Joining your device to Azure AD gives you

- SSO
- Enterprise roaming (users use their corporate email instead of a Microsoft email, which saves settings)
- Access to Windows Store for Business
- Restriction of access to apps
- Gives cloud and on-prem access

What are Tables in Azure Storage?

- Azure Cosmos DB (service)
- A NoSQL key-value store for rapid development using massive semi-structured datasets
- Made for enterprise
- Low latency, high throughput

Services that can use Service Endpoints

- Azure Storage: this endpoint gives traffic an optimal route to Azure Storage services
- Azure SQL Database and SQL Data Warehouse
- PostgreSQL and MySQL
- Cosmos DB
- Azure Key Vault: allows you to restrict access to specific networks or IP address ranges
- Azure Service Bus

What are Queues in Azure Storage?

- The Azure ____ service is used to store and retrieve messages
- Queue messages can be up to 64KB in size, and a queue can contain millions of messages
- Generally used to store lists of messages to be processed asynchronously

Subscription Type Service Administrator

- First co-admin for a subscription; has management access to cloud resources by using the portal
- Can add or remove other co-admins
- Can change associations of subscriptions to Azure directories
- Authorized to access the management portal
- Most of the time this is also the account administrator

When you make a Storage account, you can choose between 3 different account types. What are they?

- General Purpose V2: Latest storage features. Lowest per-GB prices. Supports blobs and tables. Used for most scenarios. Has everything V1 has and more
- General Purpose V1: Has access to all services but not the best pricing and features. Not used much
- Blob Storage: Specialized storage for unstructured data as block blobs

What are Azure Fileshares?

- Highly available network file share (accessed by SMB). SMB means multiple VMs can share the same files, with both read and write access at the same time
- Access the files from anywhere in the world just by using the URL
- Migrating on-premises applications and data
- Store configuration files on the file share and access them from multiple VMs

What are the perks to Service Endpoints

- Improved security for your Azure service resources
- Optimal routing
- Internal traffic routing; keeps traffic on the Azure backbone
- Simple to set up with less management overhead
- You don't have to reserve a public IP
Storage accounts are an example of a service used with service endpoints.

What is Blob Storage?

- Is an object storage optimized to store massive amounts of data
- Serve images or documents via browser
- Storing files for distributed access
- Streaming video and audio
- Storing data for backup and restore, and archive
- Can be accessed from anywhere in the world by HTTP/HTTPS

What are the two types of load balancers?

- Public Load Balancer: Maps the public IP address and port number of the incoming traffic to the private IP and port of the VM. Public load balancers are exposed to the internet on a port you define. Used to access web applications and other external sources.
- Internal Load Balancer: Directs traffic only to the resources that are inside the Vnet. The front-end IP address and the virtual networks are never exposed to an internet endpoint. This can be done for:
  - Within a VM to another VM in the Vnet
  - Cross-premises Vnet: from an on-prem computer to a set of VMs that reside on the Vnet
  - Multi-tier applications: can help connect backend appliances to the internet
  - Line-of-business apps

Subscription Type Co-Administrator

- Same as service admin, but cannot change associations of subscriptions to Azure directories
- Cannot delete the service admin; only the account admin can do this

What are the two tiers of Storage Accounts in regards to performance?

- Standard: Magnetic drives (HDD). Lowest cost per GB. Best for applications that require bulk storage and where data is accessed infrequently
- Premium: Solid state drives (SSD). Offer consistent low-latency performance. Use with Azure virtual machine disks. Best for I/O-intensive applications, like databases
Note: you can't convert Premium to Standard or vice versa.

What are the 3 Azure Storage Categories?

- Storage for VMs: Disks
- Unstructured data: Blobs
- Structured data: Tables, SQL

What are the two ways of joining a device to Azure AD

1) Registering: Enables you to manage the device's identity, which is then used to authenticate it every time a user signs in to Azure AD.
2) An extension of registering a device. Provides all the benefits of registering a device, and also lets you change the local state of the device. Changing the local state allows users to sign in to the device using an org, work, or school account instead of a personal one.

Subscription User Types

- Account Administrator
- Service Administrator
- Co-Administrator

What is a Gateway Transit?

Adding this allows traffic beyond the Vnet peering. When enabled, one of the Vnets can act as a gateway to give the other Vnet access to resources it normally wouldn't have access to. For example: On prem ---> Vnet1 (Gateway Transit is enabled) ---> Vnet2. Vnet2 can access on-prem resources because Vnet1 has GT enabled.

What is Azure Traffic Manager?

Allows you to control the distribution of traffic to endpoints running in different datacenters around the world. Load balancers are bound to a region, but what if you have 2 regions? Traffic Manager uses DNS to direct the end user to the appropriate endpoint. The client connects directly to the endpoint, not through Traffic Manager.

What is CIDR?

A block of IP address information (basically a subnet). Categorized as class A, B, C, D, E.

Cloud Identity

A type of Azure AD user. Accounts that are created in Azure AD and are native to the cloud (not synced from on-premises).

Directory Sync Identities

A type of Azure AD user. Accounts that are in Azure AD and have been synced from on-premises AD.

Guest Identity

A type of Azure AD user. External accounts that can access internal resources without having to be created in Azure AD or on-prem AD.

What is a Vnet?

A virtual network, a representation of your own networking in the cloud.

What is IAM?

Access Control, where you can assign user roles in Azure AD like Owner, Contributor, or Reader.

Traffic Manager Route: Geographic

An example of geographic routing is when a user needs the content in a certain language. In this case, the client connects directly to the selected endpoint.

What is a resource lock

An option toggled on and off to prevent other users in your organization from accidentally deleting or modifying critical resources.

You are configuring the Azure Firewall. You need to allow Windows Update network traffic through the firewall. Which of the following should you use? Application rules, destination inbound rules, NAT rules, or network rules?

Application rules. These define fully qualified domain names (FQDNs) that can be accessed from the subnet. So this is the best option.

Membership Types: Direct Assignment

Assigning rights to a user by directly assigning them a role that has those access rights.

What are User Defined Routes (UDR)

Azure automatically handles traffic routing, but what if you want to do something different? For example, you have a VM that does routing or acts as a firewall. You might want certain subnet traffic to be sent there first, then elsewhere. You would configure a ______

What is Azure Cloud Shell?

Azure Cloud Shell is the Bash shell you can use from the Azure Portal to interact with resources.

What is Azure Storage?

Azure Storage is a service to store files, messages, and tables. It can be used for apps, websites, and desktop apps.

What are the 3 types of Blobs?

- Block blob: Consists of blocks of data that make up a blob. More of a "block storage". Good for binary data, images, videos
- Page blob: Can be up to 8TB in size. Good for frequent read/write operations. Azure VMs use this most
- Append blob: Similar to block blobs. Optimized for append operations, which happen when you are logging data one entry after another

What is a Backend Pool?

Contains the IP addresses of the virtual network cards that are connected to the load balancer (so when the load balancer gets a hit for the website, it knows all the possible VMs it can send the request to).

There is a new branch for a client, and they would like to enforce policies to that new branch. What should you do?

Create a policy initiative. A policy initiative would include all the policies of interest. Once your initiative is created, you can assign the definition to establish its scope. A scope determines what resources or grouping of resources the policy assignment gets enforced on.

What is an ARM template?

Templates that can deploy the same set of resources again and again.

Remember about Routing Tables

Each route table can be associated with multiple subnets, but a subnet can only be associated with 1 route table.

Point to Site VPN

Easiest way to connect to internal resources over the internet. Secure, encrypted connection. Good when only a small group of users need access. Not good for a large number of users.

What is Vnet Peering? What are the two types? Benefits?

Enables you to easily connect 2 Vnets. Once complete, they appear as one for connectivity purposes. There are 2 types of Vnet peering:
- Regional Vnet peering: if you have Azure Vnets in the same region and have completed a peering, it's this
- Global Vnet peering: connects Azure Vnets in different regions, e.g. East US and West US
Benefits:
- Traffic between peered Vnets is private (kept on the Microsoft backbone network)
- Low latency and high bandwidth
- Once peered, the resources from each Vnet will be able to talk
- No downtime in creation

What features come with Premium 1 that aren't available in Free versions of Azure

- Group management
- Self-service password resets

What is a Service Endpoint?

Helps our Vnet environment interact with other resources like SQL, rather than our Vnet accessing them over public means. The service endpoint makes it act as though SQL is a part of our Vnet.

What is Azure AD B2B (Business to Business) what is the use case?

Helps connect external users to internal Azure AD environments without creating an Azure AD account for them. Traditionally we would create an AD account for them and let them access the app. B2B adds another layer of security by making a guest account and assigning it access to specific resources.

What is Azure DNS?

Hosting service. Once you own the domain, you can manage its DNS records using Azure DNS, like a www record that points to your website.

What are the 3 Blob Performance Tiers?

- Hot tier: Optimized for frequent access. Most cost effective. Good for web apps or streaming (this is the default)
- Cool tier: Optimized for storing large amounts of data that isn't accessed frequently (stored for at least 30 days). More cost effective for storage, but accessing it is more expensive
- Archive: Optimized for data that can tolerate several hours of retrieval latency. Accessing data is more expensive than in the other two. When you put data here, you aren't going to touch it much

What is a Standard SKU in Vnetworking

- IP assignment: Static
- Security: Secure by default and closed to inbound traffic
- Resources: Network interfaces or public standard load balancers
- Redundancy: Zone redundant by default

What is a Basic SKU in VNetworking

- IP assignment: Static or dynamic
- Security: Open by default
- Resources: Network interfaces, VPN gateways, application gateways, and internet-facing load balancers
- Redundancy: Not zone redundant

What is Transitivity?

If A trusts B and B trusts C, C will trust A.

Traffic Manager Route: Performance

Used when you want to make sure users are directed to the closest endpoint for the best performance and least latency. This doesn't necessarily mean geographic closeness, but least latency.

Azure AD Health Connect

Important for hybrid identities. It tells us whether the sync has happened, or if there are errors. REQUIRES PREMIUM P1

What are the two kinds of Network Security Rules?

Inbound and Outbound rules.

What is not a part of the template schema?

Inputs are not a part of the template schema. Functions, outputs, and parameters are.

Membership Types: Group Assignment

Instead of assigning a role to a user, we create a group with rights, which the user then inherits after we add them to the group.

What are Management Groups for?

Managing access and policies for subscriptions.

What is Password Write Back in terms of Azure AD Connect?

Must be enabled when installing the AD Connect tool. Writes the password from Azure AD back to on-prem AD, instead of only from on-prem to Azure.

In the Azure Cloud Shell, can each user be assigned multiple machines?

No, Cloud Shell is assigned one machine per user account.

Membership Types: Rule-based Assignment (Dynamically assigned groups)

Users are automatically added to a group based on certain validation rules. Example: only allow users into the "Managers" group if their job title is "manager". If I created a user with "manager" in the job title, they would automatically be added to the "Managers" group.

Can Resource Group be Nested?

No, resource groups cannot be nested.

Group Memberships. Who can manage group membership requests in the access panel?

Only owners can; this requires Azure AD Premium.

Roles Within Azure AD

- Owner: Can manage everything, including access
- Contributor: Can manage everything except access
- Reader: Can view everything but can't make changes

Membership Types: Owners and Members

Owners can change who has access; members just get what they're given.

Verifying your Domain

When adding your company's domain, the most important part is verifying that domain. You'll have to sign in to your domain provider and add a TXT or MX record to prove ownership in Azure.

Blob pricing

- Performance tier: Cost is based on how many GB are used. The "hotter" the tier, the higher the price
- Data access costs: Access charges increase as the tier gets cooler
- Transaction costs: There is a per-transaction charge for each tier; this increases as the tier gets colder
- Geo-replication data transfer costs: Includes a per-GB charge for replicating data
- Outbound data transfer costs: Data that is transferred out of an Azure region. Billed for bandwidth usage on a per-GB basis

What port is windows RDP listening on?

Port 3389

What are the 4 Traffic Manager Routes?

- Priority
- Performance
- Geographic
- Weighted

Express Route

Private connection from on-prem to Vnet. Doesn't go through the public internet; kept private for faster speeds. Redundant connections to the network. High level of security. BEST SOLUTION. Most expensive solution for on-prem to Vnet connections.

What are Network Security Groups?

Protects our Vnet by:
- Controlling inbound and outbound access to the Vnet
- Allowing and denying specific ports/protocols
We can bind security groups to our subnet, and individually to resources within the subnet.

What services does Monitoring Azure AD provide?

- Risky users/sign-ins: With P1, you can view risky users within the environment. With P2 you can also see their location, their device, etc.
- Usage and insights: P1 or P2 required. Here you can get reports of usage of your apps, activities of federated applications, and any activities dealing with authentication

Site to Site VPN

Single private connection from the on-prem network to the Vnet over the public internet. Projects the on-prem LAN into the Vnet. You would need a hardware appliance to build this.

Azure AD Policies

Sort of work like GPOs. Help meet compliance and allow you to pull reports for specific devices. Can enforce all types of things, like naming conventions. In Azure you can create policies to restrict or allow certain actions. For example, you can make a rule to only allow VMs to be created in the West Europe region.

Point to Point VPN

A specific number of connections that have to be defined individually. Single sender, single receiver.

What is Azure Storage Explorer?

Standalone app from Microsoft that lets you work with Azure Storage data. Feature set: connect to multiple subscriptions using one single application. You can:
- Manage blobs
- Manage tables
- Manage Cosmos DB
- Manage queues
- Manage files

Can 2 Vnets communicate by default?

They cannot communicate by default. There are 2 ways of allowing them to.

Traffic Manager Route: Priority

Think about an org that has multiple endpoints and wants the traffic to go to one service endpoint, but in case that endpoint goes down, they want a backup. Sends traffic to the primary endpoint first. If it's down, Traffic Manager routes the traffic to the failover.

What is a Resource Provider? What two types of resources can they give access to?

Those who give us the resources we need, either Compute or Storage.
- Compute: Images, snapshots, VMs
- Storage: Files, blobs, storage accounts, tables

What is a Blob Container?

To create a blob, you need a container to put it in. It provides a grouping for the blobs. All blobs must be in a container. A storage account can have an unlimited number of containers, and a container an unlimited number of blobs. Container names are all lowercase and must begin with a letter or number. The name must be 3-63 characters long.

What is a UDR?

User defined route. If you want to change the way Azure routes traffic, you make your own route and assign it to the subnets.

What is a Parameter?

Values that are configurable when the template runs. For example, if I ran New-azaduser and the script asked for "Name?" or "Mailnickname?". Any value that we don't have to reuse in the template is this.

What is a Variable?

Values that are used throughout the template and passed through to all resources. For example, you might define a storage account name once, then use that variable throughout the script. If you needed to change the name, you would just update the variable. Example: Pancake=10.0.1.1/24, and now you can use Pancake as a ______

What are the 2 ways of allowing 2 Vnets to communicate?

- Vnet peering
- Virtual network gateway

What is a Load Balancer

We need to make sure users have 100% uptime to the applications they are accessing. If we have 1 web server and it goes down, users will have issues accessing the applications hosted on it.
Users --> Webserver (if the web server went down, users can't get to anything on it)
To fix this, companies put multiple web servers behind a load balancer.
Users --> Load Balancer --> Webserver1, Webserver2, Webserver3
The load balancer takes the traffic and evenly distributes it between the web servers using rules specified in the Azure portal. Azure provides this service as "Azure Load Balancer". It ensures that the applications hosted in your datacenter are highly available. Purpose: distribute traffic to the VMs.

Can users reset their own password with Azure AD?

Yes, as long as it's enabled in the "Password Reset" section of the portal.

Can a VM have multiple NICs?

Yes, they can have multiple. A VM must be shut down to add another NIC.

Can two subnets within 1 Vnet communicate?

Yes, VMs from different subnets are allowed to communicate by default as long as they are in the same Vnet. Both VMs must be in the same region.

Can users create security group of their own in Azure AD?

Yes, as long as the option "Users can create security groups in Azure portal" is enabled on the backend.

What are Tags?

You can create tags to help identify resources. You can then retrieve all resources with a certain tag. Resources can have a max of 15 tags.

What keeps track of communication between subnets and all front end communication to internet?

This is managed by Azure with default system routes. The information is kept in a route table.

