AZ-204


ACID guarantees

- Atomicity: a transaction must execute exactly once and must be atomic; all of the work is done, or none of it is.
- Consistency: the data is in a consistent state before and after the transaction.
- Isolation: one transaction is not affected by another.
- Durability: the changes made by the transaction are permanently saved.

Topic filters can be specified as:

- Boolean filters: specify that all or none of the messages are selected.
- SQL filters: a SQL-like expression evaluated against message properties.
- Correlation filters: matched against properties in the message.

Azure Storage Client Library for .NET types

- CloudStorageAccount represents your Azure storage account.
- CloudQueueClient represents Azure Queue storage.
- CloudQueue represents a queue instance.
- CloudQueueMessage represents a message.
The library has both synchronous and asynchronous methods; use the async ones. Note that the Cloud* types listed above belong to the older Microsoft.Azure.Storage.Queue package; the newer Azure.Storage.Queues NuGet package exposes the same concepts as QueueServiceClient, QueueClient and QueueMessage.

Using the Core Tools to publish functions:

- Core Tools don't validate or test functions during publishing.
- Existing functions in the target app are stopped and deleted beforehand. You can't combine functions from multiple projects into one app.
- You can publish a single functions project to multiple function apps and also re-publish a project to the same app repeatedly.
- By default, HTTP functions created by the Core Tools are configured with an authorization level of function.

CosmosDB Stored procedures

- Stored procedures must be written in JavaScript.
- A stored procedure executes on a single partition and has access only to that partition.
- The partition key must be provided with the execution request.
- Execution is transactional: if the stored procedure throws or otherwise fails, all of its writes are rolled back.

Azure Queue Storage Use Cases

- Total storage for the queue needs to be over 80 GB.
- Logs are needed for all transactions executed against the queue.
- You need to track the progress of message processing.

Deciphering CRON expression

0 */5 * * * *
Azure Functions timer triggers use a six-field (NCRONTAB) expression. The first field is seconds (0-59) and the second is minutes (0-59). Here the minutes field holds "*/5": the asterisk means "select every value within the field" and the slash represents an increment, so together they mean "of all values 0-59, select every fifth value", or "every five minutes". The remaining four fields are hour, day of month, month and day of week; an asterisk in each of them selects every possible value, or "every hour of every day of every month". Read as a whole, the expression fires at second 0 of every fifth minute of every hour, of every day, of every month.
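The walk-through above is easier to check against real timestamps with a matcher in hand. The following is an added example written for this page, not code from the page or from the Azure Functions runtime; it assumes the six-field order given above (second, minute, hour, day, month, day-of-week, with Sunday = 0) and deliberately leaves out the named values (MON, JAN) and the L/W/# modifiers that NCRONTAB also accepts.

```python
from datetime import datetime

# Added example: a minimal matcher for the six-field NCRONTAB expressions that
# Azure Functions timer triggers use: {second} {minute} {hour} {day} {month} {day-of-week}.
# Supports "*", "*/n", "a-b", "a-b/n", "n/step", single values and comma lists.
# Assumption for brevity: no named values (MON, JAN) and no L/W/# modifiers.

FIELD_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]  # day-of-week: 0 = Sunday


def expand_field(field, lo, hi):
    """Return the set of integers one cron field selects; raise ValueError on bad input."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError("step must be >= 1")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start  # "5/10" means 5, 15, 25, ...; plain "5" means just 5
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_ncrontab(expression):
    """Expand all six fields; rejects the 5-field (no seconds) form that classic cron uses."""
    fields = expression.split()
    if len(fields) != 6:
        raise ValueError("expected 6 fields: second minute hour day month day-of-week")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def matches(expression, when):
    """True if the expression fires at the given datetime (second resolution)."""
    seconds, minutes, hours, days, months, weekdays = parse_ncrontab(expression)
    cron_weekday = (when.weekday() + 1) % 7  # Python: Monday=0 ... Sunday=6; cron: Sunday=0
    return (when.second in seconds and when.minute in minutes and when.hour in hours
            and when.day in days and when.month in months and cron_weekday in weekdays)


def fires_at(expression, year, month, day, hour, minute, second):
    """Convenience wrapper taking plain integers instead of a datetime."""
    return matches(expression, datetime(year, month, day, hour, minute, second))


if __name__ == "__main__":
    for t in (datetime(2024, 1, 1, 10, 5, 0), datetime(2024, 1, 1, 10, 7, 0)):
        print(t.isoformat(), matches("0 */5 * * * *", t))
```

Feeding "0 */5 * * * *" and a few timestamps through matches() confirms the reading above: 10:05:00 fires, 10:05:01 and 10:07:00 do not. The six-field check also catches the common mistake of pasting a five-field Linux cron string into a timer trigger, where "*/5 * * * *" would otherwise be rejected by the runtime at startup.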

Data Classifications have two metadata attributes:

1. Labels: the main classification attributes used to define the sensitivity level of the data stored in the column.
2. Information Types: provide additional granularity into the type of data stored in the column.
SQL data discovery and classification comes with a built-in set of sensitivity labels, information types and discovery logic. You can customize this taxonomy and define a set and ranking of classification constructs specifically for your environment.

a user, group, or application

1. Security principal (who) - consists of ___.

Azure Storage supports three types of shared access signatures:

1. User delegation SAS: secured with Azure AD credentials and by the permissions specified for the SAS. Applies to Blob storage only.
2. Service SAS: secured with the storage account key. Delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.
3. Account SAS: secured with the storage account key. Delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.
A SAS signed with an account key cannot be revoked on its own: it stops working only when its expiry passes, when that account key is regenerated (which invalidates every SAS signed with it), or, for a service SAS bound to a stored access policy, when the policy is deleted. Keep lifetimes short and prefer a user delegation SAS where the service supports it.

Azure currently provides three versions of the runtime environment required to run Azure Functions.

1. Version 1 (v1) uses the .NET Framework 4.7 and runs only on Windows.
2. Version 2 (v2.x) runs on .NET Core 2 and is cross-platform.
3. Version 3 (v3.x) runs on .NET Core 3.1 and contains JavaScript and .NET changes.
Using v2 or later lets you develop and host functions in different environments; version 1 functions can only be created on Windows. Use v2 or later wherever possible.

binding expression

A ___ is specialized text in function.json, function parameters, or code that is evaluated when the function is invoked to yield a value. For example, if you have a Service Bus Queue binding, you could use a ___ to get the name of the queue from App Settings.

tags

A resource can have up to 50 ___. The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. The tag value is limited to 256 characters for all types of resources. Tags aren't inherited from parent resources. Not all resource types support tags, and tags can't be applied to classic resources.

App service autoscale

Autoscale only available on standard, premium, and isolated pricing tiers.

X.509 based certificates

Azure Key Vault manages ___ that can come from several sources.
1. Create self-signed certificates directly in the Azure portal. This creates a public/private key pair and signs the certificate with its own key. These certificates can be used for testing and development.
2. Create an X.509 certificate signing request (CSR). This creates a public/private key pair in Key Vault along with a CSR you can pass to your certification authority (CA). The signed X.509 certificate can then be merged with the held key pair to finalize the certificate in Key Vault.

strong and bounded staleness

Both ___ reads will consume twice the normal amount of request units for a request, as Cosmos DB will need to query two replicas to meet the criteria of the consistency level.

all blobs require authentication to access.

By default, all blobs require authentication to access. Individual containers can be configured to allow public downloading without authentication. This is useful for hosting static website assets and sharing files. Enabling public access also helps scalability because data downloaded directly from Blob storage doesn't generate any traffic in your server-side app. Use separate containers for data you want publicly available. Anonymous read is gated at two levels: the storage account must allow blob public access, and the container's access level must be set to Blob or Container. Leave the account-level setting disabled unless you actually need anonymous reads, so a misconfigured container cannot expose data by itself.

Integration account

Create a ___ when you want to define and store B2B artifacts for use in a workflow. After you link this account to your logic app, your workflows can use these B2B artifacts and exchange messages that comply with Electronic Data Interchange (EDI) and Enterprise Application Integration (EAI) standards.

Standard, Premium, or Isolated tier

Deployment slots are available only when your web app uses an App Service plan in the ___. The maximum number of slots you can create: Free 0, Shared 0, Basic 0, Standard 5, Premium 20, Isolated 20

Azure Client SDK

Even though the REST API is platform and language agnostic, the ___ encapsulates the Azure REST API and makes it much easier for developers to interact with Azure.

Sending messages to an Event Hub, provide the following information, to create connection credentials:

- Event Hub namespace name
- Event Hub name
- Shared access policy name
- Primary shared access key
For a producer, use a policy that carries only the Send claim rather than the namespace's RootManageSharedAccessKey policy, and keep the key out of source control.

4

Event Hubs default to ____ partitions. Partitions are the buckets within an Event Hub. Each publication will go into only one partition. Each consumer group may read from one or more than one partition.

Serverless

For SignalR Service to work properly with Azure Functions, you need to set its service mode to ___.

WebSockets API

For clients that support HTML 5, the ___ transport is used by default. If the client doesn't support ___, then SignalR falls back to Server Sent Events (also known as EventSource). For older clients, Ajax long polling or Forever Frame (IE only) is used to mimic a two-way connection.

Azure Queue Storage

Fully-managed service that is a part of the Azure Storage suite that enables you to create durable and configurable message queues to enable application modularity and fault tolerance.

Reasons to regenerate your storage account keys:

- If the storage account keys are compromised, change the key values in the Azure portal.
- For security reasons, regenerate keys periodically.
- Someone hacks an application and gets the key that was hard-coded or saved in a config file.
- Your team is using a Storage Explorer application that keeps the storage account key, and one of the team members leaves.
Regenerate one key at a time: move applications to the secondary key, regenerate the primary, then move them back, so clients never lose access during the rotation.

identity and access management

In the Azure portal, you'll see a pane named Access control (IAM), also known as ___. On this pane, you can see who has access to that area and their role. Using this same pane, you can grant or remove access.

Visibility Timeout

Message are delivered to consumers, but are not immediately deleted from the queue. However, messages will not be visible in the queue again until a period of time has passed from the initial delivery. This period of time is the ___, and it enables fault tolerance for your applications.

datagrams

Messages and events are both ___: packages of data sent from one component to another. They are different in ways that at first seem subtle, but can make significant differences in how you architect your application.

durable, secure, scalable, and managed

Microsoft Azure Storage is a managed service that provides ___ storage in the cloud. A single Azure subscription can host up to 200 storage accounts, each of which can hold 500 TB of data.

Tasks and Streams for Moving Data

Moving data to and from a blob is a network operation that takes time. In the Azure Storage SDK for .NET Core, all methods that require network activity return Tasks. A recommendation when working with large data objects is to use streams instead of in-memory structures like byte arrays or strings. This avoids buffering the full content in memory before sending it to the target.

Use Event Grid when you need these features:

- Simplicity
- Advanced filtering
- Fan-out: you can subscribe an unlimited number of endpoints to the same events and topics.
- Reliability: Event Grid retries event delivery for up to 24 hours for each subscription.
- Pay-per-event: pay only for the number of events that you transmit.
Event Grid is a simple but versatile event distribution system. Use it to deliver discrete events to subscribers.

Azure CLI

The ___ is a command-line program to connect to Azure and execute administrative commands on Azure resources. It runs on Linux, macOS, and Windows and allows administrators and developers to execute their commands through a terminal or command-line prompt (or script!) instead of a web browser.

Azure Queue service

The ___ is used to store and retrieve messages. Queue messages can be up to 64 KB in size, and a queue can contain millions of messages. Queues are used to store lists of messages to be processed asynchronously. Use queues to loosely connect different parts of your application together.

XML, JSON, YAML

Three common serialization languages you're likely to encounter: ___

Queue storage

Use ___ if you: need an audit trail of all messages that pass through the queue; expect the queue to exceed 80 GB in size; want to track progress for processing a message inside of the queue.

currentUtcDateTime

In a Durable Functions orchestrator written in JavaScript, you should always use context.df.___ to obtain the current date and time, instead of Date.now or Date.UTC. Orchestrator code is replayed to rebuild state, so it must be deterministic; ___ returns the same value on every replay, whereas Date.now would not.

SQL Information Protection (SQL IP)

___ brings a set of advanced services and SQL capabilities, forming a new information protection paradigm in SQL aimed at protecting the data, not just the database: Azure SQL Auditing, Data Discovery & Classifications, Dynamic data masking, Security Center, Transparent data encryption.

Azure API Management (APIM)

___ is a fully managed cloud service that you use to publish, secure, transform, maintain, and monitor APIs. You can publish APIs to external, partner, and internal developers. ___ handles all the tasks involved in mediating API calls, including request authentication and authorization, rate limit and quota enforcement, request and response transformation, logging and tracing, and API version management. ___ enables you to create and manage modern API gateways for existing backend services.

Azure Database Migration Service

___ is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime (online migrations).

Service Bus

___ is a message broker system for enterprise applications that utilize multiple communication protocols, have different data contracts, higher security requirements, and can include both cloud and on-premises services. ___ is built on top of a dedicated messaging infrastructure designed for exactly these scenarios.

Workflow

___: A series of steps in a Logic App that defines a task or process, starting with a single trigger and followed by one or multiple actions.

Cost sensitivity

___: A storage account itself has no cost. The settings for the account influence the cost of services in the account. Geo-redundant storage costs more than locally-redundant storage. Premium performance and the Hot access tier increase the cost of blobs. You could partition your data into critical and non-critical categories. You could place your critical data into a storage account with GRS and put your non-critical data in a different storage account with LRS.

Process Automation

___: Assume you have a VM that is monitored for a specific error event. Process automation enables you to set up watcher tasks that can respond to events that may occur in your datacenter.

Data diversity

___:
1. Do you have data that is specific to a country or region? You might want to locate it in a data center in that country for performance or compliance reasons. You will need one storage account for each location.
2. Do you have some data that is proprietary and some for public consumption? You could enable virtual networks for the proprietary data and not for the public data. This will also require separate storage accounts.

Tolerance for management overhead

___: Each storage account requires some time and attention from an administrator to create and maintain. It also increases complexity for anyone who adds data to your cloud storage; everyone in this role needs to understand the purpose of each storage account so they add new data to the correct account.

Action

___: Each subsequent step in a Logic App that follows after the trigger and runs some operation in a workflow.

Function chaining

___: In this pattern, the workflow executes a sequence of functions in a specified order. The output of one function is applied to the input of the next function in the sequence. The output of the final function is used to generate a result.

Azure Blob Storage

___: Massively scalable and secure object storage for cloud-native workloads, archives, data lakes, high-performance computing, and machine learning.

Activity functions

___: These durable function types are the basic units of work in a durable function orchestration. An ___ contains the actual work performed by the tasks being orchestrated.

Orchestrator functions

___: These durable function types describe how actions are executed, and the order in which they are run. You write the orchestration logic in code (C# or JavaScript).

Two kinds of WebJobs

• Continuous: runs in a continuous loop. For example, you could use a continuous WebJob to check a shared folder for a new photo.
• Triggered: runs when you manually start it or on a schedule.

2 ways to test an Azure function

• Manual execution: start a function by manually firing its trigger. For an HTTP trigger, use Postman or cURL to send an HTTP request to the function endpoint URL (in the HTTP trigger definition, choose "Get function URL").
• From the Azure portal: on the right side of the code window there is a tabbed flyout menu containing a Test item that executes the function and shows the result. When you select Run in this test window, the results appear in the output window along with a status code.

Azure provides several pre-made function templates for common scenarios:

• Quickstart: the Quickstart screen lets you choose the trigger for a function. Azure generates the function code and configuration, with some sample code that writes the received input data to the log.
• Custom functions: over 30 additional templates. Select them from the template list screen when creating functions, or via the Custom function option on the Quickstart screen.

Steps for Creating a CosmosDB

# create a SQL API Cosmos DB account
az cosmosdb create --name pluralsight --resource-group pluralsight
# create a SQL database (this command also requires --resource-group)
az cosmosdb sql database create --account-name pluralsight --resource-group pluralsight --name sampledb
# create a container in that database, partitioned on /employeeid
az cosmosdb sql container create --resource-group pluralsight --account-name pluralsight --database-name sampledb --name samplecontainer --partition-key-path "/employeeid"

Tag limitations

- Always check that the Azure resource supports tags; for example, you can't set tags on generalized VMs.
- You can apply tags on resource groups, but tags aren't automatically inherited by resources from their resource group. If you want all the resources in a resource group to have a tag, you must apply it to each resource.
- You can apply a maximum of 50 tags to a single resource or resource group in Azure.

Azure Backup Features

- Automatic storage management: automatically allocates and manages backup storage, on a pay-as-you-use model.
- Unlimited scaling: high availability.
- Multiple storage options: locally redundant storage (all copies exist within the same region) and geo-redundant storage (replicated to a secondary region).
- Unlimited data transfer: no limit on inbound or outbound data, and no charge for data that is transferred.
- Data encryption: secure transmission and storage.
- Application-consistent backup: a recovery point has all the data required to restore the backup copy.
- Long-term retention: no limit on the length of time you keep the backup data.

Azure supports automated deployment directly from the following

- Azure DevOps: push code to Azure DevOps, build it in the cloud, run tests, generate a release, and push the code to an Azure Web App.
- GitHub: Azure supports automated deployment directly from GitHub. When you connect your GitHub repository to Azure for automated deployment, any changes you push to your production branch on GitHub are automatically deployed for you.
- Bitbucket: you can configure an automated deployment with Bitbucket.
- OneDrive: Microsoft's cloud-based storage. You must have a Microsoft Account linked to a OneDrive account to deploy to Azure.
- Dropbox: Azure supports deployment from Dropbox, a popular cloud-based storage system similar to OneDrive.

Tools that create a storage account.

- Azure Portal
- Azure CLI (command-line interface)
- Azure PowerShell
- Management client libraries
The portal provides a GUI. The other tools all support automation: the Azure CLI and Azure PowerShell let you write scripts, while the management libraries let you incorporate the creation into a client app.

Azure supports triggers for these services

- Blob storage: when a new or updated blob is detected.
- Azure Cosmos DB: when inserts and updates are detected.
- Event Grid: when an event is received from Event Grid.
- HTTP: starts a function with an HTTP request.
- Microsoft Graph Events: a response to an incoming webhook from the Microsoft Graph.
- Queue storage: when a new item is received on a queue. The message is provided as input.
- Service Bus: a response to messages from a Service Bus queue.
- Timer: starts a function on a schedule.

How to choose messages or events

- Events: more likely for broadcasts, often ephemeral.
- Messages: used when the app requires a guarantee that the communication will be processed.
Does the sending component expect the communication to be processed in a particular way by the destination component? If the answer is yes, use a message. If the answer is no, you may be able to use events.

Drawbacks of a serverless compute solution

- Execution time: in the Consumption plan, functions have a default timeout of 5 minutes, configurable up to a maximum of 10 minutes. Functions that need more than 10 minutes to execute should be hosted on a VM. If a function is started by an HTTP request and the caller expects an HTTP response, the timeout is restricted to about 2.5 minutes (230 seconds). Durable Functions lets you orchestrate the execution of multiple functions: the orchestration itself is not subject to this timeout, although each activity function it calls still is.
- Execution frequency: if the function is executed continuously by multiple clients, it might be cheaper to host it on a VM. While scaling, only one function app instance can be created every 10 seconds, up to 200 instances in total. Each instance can service multiple concurrent executions, so there is no set limit on how much traffic a single instance can handle.

VM workload options are classified as:

- General purpose: balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
- Compute optimized: high CPU-to-memory ratio. Suitable for medium traffic web servers, network appliances, batch processes, and app servers.
- Memory optimized: high memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
- Storage optimized: high disk throughput and IO. Ideal for VMs running databases.
- GPU: heavy graphics rendering and video editing. Ideal for model training and inferencing with deep learning.
- High performance compute: the fastest and most powerful CPU VMs, with optional high-throughput network interfaces.

Manual deployment. Options to manually push code to Azure:

- Git: App Service web apps feature a Git URL that you can add as a remote repository. Pushing to the remote repository deploys your app.
- az webapp up: a feature of the az command-line interface that packages your app and deploys it. Unlike other deployment methods, az webapp up can create a new App Service web app.
- ZIP deploy: use az webapp deployment source config-zip to send a ZIP of your application files to App Service. ZIP deploy can also be driven with basic HTTP utilities such as curl.
- WAR deploy: an App Service deployment mechanism specifically designed for deploying Java web applications using WAR packages.
- Visual Studio: features an App Service deployment wizard.
- FTP/S: FTP or FTPS is a traditional way of pushing your code to many hosting environments, including App Service.

Virtual machines have their own limitations for moving

- If you want to move a virtual machine, all of its dependents must go with it.
- You can't move virtual machines with certificates in Azure Key Vault between subscriptions.
- You can't move virtual machine scale sets with standard load balancers or a standard public IP.
- You can't move any managed disks that are in availability zones to different subscriptions.

Azure Service Bus Use Cases

- You need to receive messages without polling (with AMQP 1.0).
- You need to guarantee message processing order (FIFO).
- You need to detect duplicate messages.
- You need to support messages up to 256 KB (the Standard tier limit; the Premium tier allows larger messages).
- You may need topic-based notifications (one to many).
- You need to publish and consume in batches.

Settings for queues in queue storage

- Queues are only available with general-purpose storage accounts (v1 or v2), not Blob storage accounts.
- The Access tier setting for StorageV2 accounts applies only to Blob storage and doesn't affect queues.
- Choose a location close to the source or destination components.
- Choice of replication strategies: Locally Redundant Storage (LRS) is low-cost but vulnerable to disasters that affect an entire data center, while Geo-Redundant Storage (GRS) replicates data to other Azure data centers.
- The performance tier determines the storage media: Standard uses magnetic drives, Premium uses solid-state drives. Choose Standard if you expect peaks in demand to be short, Premium if the queue can become long and you need to minimize the time to access messages.
- Require secure transfer if sensitive information may pass through the queue. This rejects plain HTTP so that every connection to the queue is encrypted with TLS (HTTPS).

Integration Service Environment (ISE) Benefits

- Reduces the impact of other Azure tenants on app performance (the "noisy neighbors" effect).
- Static IPs, separate from the static IPs shared by the logic apps in the multi-tenant service.
- Increased limits on run duration, storage retention, throughput, HTTP request and response timeouts, message sizes, and custom connector requests.
- With an ISE, Azure injects (deploys) that ISE into your Azure virtual network. Use this ISE as the location for the logic apps and integration accounts that need access to the network.

App service plan pricing levels

- Shared compute: Free and Shared, the two base tiers, run an app on the same Azure VM as other App Service apps, including other customers' apps. These tiers allocate CPU quotas to each app, and the resources cannot scale out. Best for small-scale personal projects with limited traffic demands; there is a set limit of 165 MB of outbound data every 24 hours.
- Dedicated compute: the Basic, Standard, Premium, and Premium V2 tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources.
  -- The Standard service plan is best suited for live production workloads.
  -- Premium service plans support high-capacity web apps where you do not want the additional costs of a dedicated (isolated) plan.
- Isolated: runs dedicated Azure VMs on dedicated Azure virtual networks, which provide network isolation on top of compute isolation for your apps. It provides the maximum scale-out capabilities. Use it when you have a specific requirement for the highest levels of security and performance.

File shares can be used for many common scenarios:

- Storing shared configuration files for VMs, tools, or utilities so that everyone is using the same version.
- Log files such as diagnostics, metrics, and crash dumps.
- Sharing data between on-premises applications and Azure VMs to allow migration of apps to the cloud over a period of time.

CosmosDB Consistency Levels

- Strong consistency guarantees that reads get the most recent version of an item.
- Bounded staleness guarantees that a read has a maximum lag (either in versions or in time).
- Session consistency guarantees that a client session will read its own writes.
- Consistent prefix consistency guarantees that updates are returned in order.
- Eventual consistency provides no guarantee of order.

Resources that must exist (and be selected during VM creation), or they will be created with the VM:

- The VM itself, which provides CPU and memory
- An Azure Storage account for the virtual hard disks
- Virtual disks to hold the OS, applications, and data
- A virtual network (VNet)
- A network interface to communicate with the VNet
- An optional public IP address

Benefits of using Durable Functions

- Write event-driven code. Durable functions can wait asynchronously for external events and perform tasks in response.
- Chain functions together. Implement patterns such as fan-out/fan-in, which uses one function to invoke others in parallel and then accumulates the results.
- Orchestrate and coordinate functions, specifying the order in which they execute.
- The state is managed for you.

.deployment file

Deployment configuration files let you override the default heuristics of deployment by allowing you to specify a project or folder to be deployed. The file has to be at the root of the repository and is in .ini format.
Deploying with a custom script: you can specify a custom deployment script to build and deploy your application. For example:
[config]
command = deploy.cmd

Message delivery guarantees

1. At-Least-Once Delivery: each message is guaranteed to be delivered to at least one of the components; the same message may be delivered more than once.
2. At-Most-Once Delivery: delivery is not guaranteed, and there is a small chance that a message may not arrive. Unlike At-Least-Once delivery, there is no chance that the message will be delivered twice. Sometimes referred to as automatic duplicate detection.
3. First-In-First-Out (FIFO): if your distributed application requires that messages are processed in precisely the correct order, choose a queue system that includes a FIFO guarantee.
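The visibility timeout described under "Visibility Timeout" and the at-least-once guarantee listed above are two sides of the same mechanism: a delivered message is hidden rather than deleted, and if the consumer does not delete it before the timeout it reappears for another delivery. The following is an added example, an in-memory model written for this page and not the Azure Queue Storage SDK; the pop receipt, dequeue count and poison-message threshold are modelled on how Queue storage behaves, and the clock is simulated so the run is deterministic.

```python
import uuid
from dataclasses import dataclass
from typing import List, Optional

# Added example: an in-memory model of a queue with visibility-timeout semantics.
# It is a constructed model for this page, not the Azure Queue Storage SDK.


@dataclass
class Message:
    id: str
    body: str
    visible_at: float = 0.0   # simulated clock time at which the message reappears
    dequeue_count: int = 0    # how many times it has been delivered
    pop_receipt: str = ""     # changes on every delivery; a delete must present the current one


class QueueModel:
    def __init__(self, visibility_timeout=30.0, max_dequeue=3):
        self.now = 0.0                       # simulated clock, advanced with tick()
        self.visibility_timeout = visibility_timeout
        self.max_dequeue = max_dequeue       # deliveries allowed before a message is treated as poison
        self._messages: List[Message] = []
        self.poison: List[Message] = []      # quarantined messages that kept coming back

    def tick(self, seconds):
        self.now += seconds

    def put(self, body):
        m = Message(id=str(uuid.uuid4()), body=body)
        self._messages.append(m)
        return m.id

    def get(self) -> Optional[Message]:
        """Deliver the oldest visible message and hide it for the visibility timeout."""
        for m in list(self._messages):       # iterate over a copy; we may remove while scanning
            if m.visible_at > self.now:
                continue                     # still hidden by an earlier delivery
            m.dequeue_count += 1
            if m.dequeue_count > self.max_dequeue:
                # Delivered repeatedly without ever being deleted: quarantine instead of looping forever.
                self._messages.remove(m)
                self.poison.append(m)
                continue
            m.visible_at = self.now + self.visibility_timeout
            m.pop_receipt = uuid.uuid4().hex
            return m
        return None

    def delete(self, msg_id, pop_receipt):
        """Delete only if the receipt is current and the message is still hidden."""
        for m in self._messages:
            if m.id != msg_id:
                continue
            # A stale receipt means the timeout expired and the message may already be in
            # another consumer's hands; refuse rather than delete work that is being redone.
            if m.pop_receipt != pop_receipt or m.visible_at <= self.now:
                return False
            self._messages.remove(m)
            return True
        return False

    def approximate_count(self):
        return len(self._messages)


def demo():
    """Walk through at-least-once redelivery, stale receipts and poison handling."""
    q = QueueModel(visibility_timeout=30.0, max_dequeue=3)
    q.put("order-1")
    first = q.get()                         # delivered and now invisible
    receipt1 = first.pop_receipt
    hidden = q.get() is None                # nothing else is visible inside the timeout
    q.tick(31)                              # consumer crashed; the timeout elapses
    second = q.get()                        # same message again: at-least-once delivery
    stale_delete = q.delete(first.id, receipt1)            # old receipt is refused
    good_delete = q.delete(second.id, second.pop_receipt)  # current receipt succeeds
    q.put("bad-payload")                    # a message whose consumer always fails
    for _ in range(3):
        q.get()
        q.tick(31)
    poisoned = q.get() is None and len(q.poison) == 1
    return {
        "hidden_after_first_get": hidden,
        "redelivered_same_message": first.id == second.id and second.dequeue_count == 2,
        "stale_receipt_refused": not stale_delete,
        "current_receipt_deleted": good_delete,
        "poison_quarantined": poisoned,
        "remaining": q.approximate_count(),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is in delete(): a consumer that overruns its visibility timeout loses the right to delete the message, because by then a second consumer may be processing it. That is exactly why queue consumers must be idempotent under at-least-once delivery, and why a dequeue-count cap (poison handling) is needed so a message that can never be processed does not cycle forever.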

characteristics of messages

1. A message contains raw data, produced by one component, to be consumed by another component.
2. A message contains the data itself, not just a reference to the data.
3. The sender expects the message content to be processed in a certain way by the destination. The integrity of the system may depend on both doing a specific job.

Azure Container Instances three restart policies

1. Always: containers in the container group are always restarted. This is the default setting.
2. Never: containers in the container group are never restarted. The containers run at most once.
3. OnFailure: containers in the container group are restarted only when the process executed in the container fails (terminates with a nonzero exit code). The containers run at least once.

Event characteristics

1. An event is a lightweight notification that indicates that something happened.
2. Events are often intended to "fan out", or have a large number of subscribers for each publisher. Events may have multiple receivers, or none.
3. The publisher of the event has no expectation about the action a receiving component takes.
4. Some events are discrete units and unrelated to other events.
5. Some events are part of a related and ordered series.

An Azure Function triggered by an HTTP request supports three levels of access rights:

1. Anonymous: no authentication is required, and any caller can trigger the function.
2. Function: the HTTP request must carry a function key, passed in the code query parameter or the x-functions-key header, which the Azure Functions runtime uses to authorize the request. Keys are created and maintained in the Azure portal (or through the management API).
3. Admin: similar to Function, but the caller must present a host-level key; the default one is the _master key, which can invoke any function in the function app. Treat it as a credential for the whole app and never embed it in clients.

Queue access authorization

1. Azure AD: use RBAC and identify specific clients based on their Azure AD credentials.
2. Shared Key (aka account key): a 512-bit key associated with the storage account; every account has two (key1 and key2) so that one can be rotated while the other stays in use. Requests are authorized with an HMAC-SHA256 signature computed over the request with the key. This approach grants full access to the entire storage account.
3. Shared access signature (SAS): a generated URI that grants clients limited access to objects in your storage account. You can restrict it to specific resources, permissions, and a date range.
* Use shared access signatures (SAS) or Azure Active Directory (AAD) in production apps; never hand the account key to a client.
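The SAS-type list under "Azure Storage supports three types of shared access signatures" and the authorization options above both rest on the same mechanic: the service signs a small set of claims (resource, permissions, validity window, optional IP) with the account key, and the client presents those claims plus the signature. The block below is an added example written for this page, not Azure's own string-to-sign or SDK; it borrows Azure's query-parameter names (sr, sp, st, se, sip, sig) but signs a shorter, hypothetical string, so it shows the verification logic and its consequences (tamper detection, permission scoping, expiry, and why regenerating a key revokes every SAS signed with it) without reproducing the real wire format.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Added example: a simplified SAS-style token. The string-to-sign below is a hypothetical
# layout for this page, NOT Azure's real one; only the query-parameter names are borrowed.
SIGNED_FIELDS = ("sr", "sp", "st", "se", "sip")   # resource, permissions, start, expiry, ip range
TS = "%Y-%m-%dT%H:%M:%SZ"


def new_account_key():
    """Azure account keys are 512-bit values presented as base64; generate one the same way."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


def _string_to_sign(fields):
    return "\n".join(fields.get(k, "") for k in SIGNED_FIELDS)


def _sign(account_key_b64, string_to_sign):
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def mint_sas(account_key_b64, resource, permissions, start, expiry, ip_range=""):
    """Issuer side: build the query string a client would append to the resource URL."""
    fields = {"sr": resource, "sp": permissions, "st": start.strftime(TS), "se": expiry.strftime(TS)}
    if ip_range:
        fields["sip"] = ip_range
    fields["sig"] = _sign(account_key_b64, _string_to_sign(fields))
    return urlencode(fields)


def verify_sas(account_keys_b64, token, resource, permission, now, client_ip=""):
    """Service side: returns (ok, reason). Accepts any current key so key1/key2 rotation works."""
    q = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    presented = q.pop("sig", "")
    expected = [_sign(k, _string_to_sign(q)) for k in account_keys_b64]
    if not any(hmac.compare_digest(presented, e) for e in expected):   # constant-time compare
        return False, "bad signature (forged, tampered, or signing key regenerated)"
    if q.get("sr") != resource:
        return False, "token not issued for this resource"
    if permission not in q.get("sp", ""):
        return False, "permission not granted"
    start = datetime.strptime(q["st"], TS).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(q["se"], TS).replace(tzinfo=timezone.utc)
    if not (start <= now < expiry):
        return False, "outside validity window"
    if q.get("sip") and client_ip != q["sip"]:
        return False, "client IP not allowed"
    return True, "ok"


def demo():
    """Constructed scenario: read-only token on one queue, then the signing key is regenerated."""
    key1, key2 = new_account_key(), new_account_key()
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = mint_sas(key1, "queue/orders", "rp", now - timedelta(minutes=5), now + timedelta(hours=1))
    token2 = mint_sas(key2, "queue/orders", "r", now - timedelta(minutes=5), now + timedelta(hours=1))
    keys = [key1, key2]
    results = {
        "read_ok": verify_sas(keys, token, "queue/orders", "r", now)[0],
        "write_denied": verify_sas(keys, token, "queue/orders", "w", now)[0],
        "other_resource_denied": verify_sas(keys, token, "queue/payments", "r", now)[0],
        "expired_denied": verify_sas(keys, token, "queue/orders", "r", now + timedelta(hours=2))[0],
        "tampered_denied": verify_sas(keys, token.replace("sp=rp", "sp=rpw"), "queue/orders", "w", now)[0],
    }
    # Regenerate key1 (the key that signed `token`): that token dies everywhere at once,
    # while `token2`, signed with the untouched key2, keeps working. Rotate one key at a time.
    keys = [new_account_key(), key2]
    results["after_key_regeneration"] = verify_sas(keys, token, "queue/orders", "r", now)[0]
    results["other_key_still_valid"] = verify_sas(keys, token2, "queue/orders", "r", now)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two details carry over directly to real SAS handling. The signature is compared with hmac.compare_digest so a forger cannot learn it byte by byte from timing, and verification tries every current key, which is what lets you regenerate key1 while clients still hold tokens signed with key2. The flip side is the last two results: there is no per-token revocation, so a leaked SAS lives until it expires or its key is regenerated, which is the reason to keep expiry short and to scope permissions to exactly what the client needs.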

Three types of Topic Filters

1. Boolean filters: TrueFilter ensures all messages sent to the topic are delivered; FalseFilter ensures none of the messages are delivered (this effectively blocks or switches off the subscription).
2. SQL filters: specify a condition using the same syntax as a WHERE clause. They are the most flexible, but also the most computationally expensive.
3. Correlation filters: hold a set of conditions that are matched against the properties of each message.

Two steps when creating Azure Event Hubs

1. Define the Event Hubs namespace. A namespace is a containing entity for managing Event Hubs (namespace.servicebus.windows.net). Namespace capacity (throughput units), pricing tier, and performance metrics are defined at the namespace level, and these settings apply to all the Event Hubs within that namespace.
2. Create an Event Hub in that namespace.

Options for publishing an Azure Function

1. Deploy from Visual Studio: The Publish wizard. Requires that you have access to the Azure Functions app or an Azure subscription.
2. Continuous deployment: Configure from the Azure portal, using the Deployment Center feature of an Azure Functions app. Deployment is configured on a per-function app basis.
3. Zip deployment: from a zip file using the push deployment technique, using the Azure CLI or REST interface.

Parameters required to create an Event Hub:

1. Event Hub name - Unique within the subscription. 1 to 50 chars. Only letters, numbers, periods, hyphens, and underscores. Starts/ends with a letter or number.
2. Partition Count - Number of partitions required (between 2 and 32). Directly related to the expected number of concurrent consumers. Can't be changed after the hub is created. Separates the message stream so that consumer or receiver apps only need to read a specific subset of the data stream. Defaults to 4.
3. Message Retention - Number of days (1 to 7) messages will remain if the data stream needs to be replayed. Defaults to 7.
4. You can also optionally configure an Event Hub to stream data to an Azure Blob storage or Azure Data Lake Store account.

Programmatic methods subscribers use to receive and process events from an Event Hub

1. EventHubReceiver - A simple method that provides limited management options.
2. EventProcessorHost - An efficient method.

Azure Storage provides three distinct account options:

1. General-purpose v2 (GPv2): storage accounts that support all the latest features for blobs, files, queues, and tables. Pricing is designed to deliver the lowest per-gigabyte prices.
2. General-purpose v1 (GPv1): provide access to all Azure Storage services but may not have the latest features or the lowest per-gigabyte pricing. Pricing is lower for GPv1 transactions, so workloads with high churn or high read rates may benefit from this account type.
3. Blob storage accounts: A legacy account type that supports all the same block blob features as GPv2, but is limited to supporting only block and append blobs.

Event Hub publishers

1. HTTPS: the better option for intermittent publishing. No session initialization overhead.
2. Advanced Message Queuing Protocol (AMQP) 1.0: When sending data frequently, AMQP has better performance, but a higher initial session overhead, because a persistent bidirectional socket and transport-level security (SSL/TLS) have to be set up first.
3. Kafka-based clients, using Apache Kafka 1.0 and newer client versions.

Benefits of queues

1. Increased reliability: At times of high demand, messages can wait until a destination component is ready to process them.
2. Message delivery guarantees: At-Least-Once Delivery, At-Most-Once Delivery, First-In-First-Out (FIFO).
3. Transactional support: You can group messages into a transaction. Message transactions succeed or fail as a single unit.

Three properties required in all bindings.

1. Name - Defines the function parameter through which you access the data.
2. Type - The type of binding.
3. Direction - The direction data is flowing, e.g. is it an input or output binding?
Most binding types also need a fourth property:
4. Connection - The name of an app setting key that contains the connection string. Bindings use connection strings stored in app settings to keep secrets out of the function code.

two virtual hard disks (VHDs) will be created for your Linux VM:

1. Operating system disk: Primary drive, max capacity of 2048 GB. Labeled as /dev/sda by default.
2. Temporary disk: Temporary storage for the OS or any apps. On Linux VMs, the disk is /dev/sdb and is formatted and mounted to /mnt by the Azure Linux Agent. Sized based on the VM size and is used to store the swap file. The temporary disk is not persistent. Only write data to this disk that is not critical to the system.

Two payment options for compute costs.

1. Pay as you go: pay for compute capacity by the second. No long-term commitment or upfront payments. Increase or decrease capacity on demand. Start or stop at any time. Use this if you run applications with short-term or unpredictable workloads that cannot be interrupted.
2. Reserved Virtual Machine Instances (RI): An advance purchase of a virtual machine for one or three years in a specified region. Get up to 72% price savings compared to pay-as-you-go pricing. RIs are flexible and can be exchanged or returned for an early termination fee. Use if the VM has to run continuously, or you need budget predictability, and you can commit to using the VM for at least a year.

2 ways to Access queues

1. REST API: a URL that combines the storage account name with the domain queue.core.windows.net and the path to the queue, e.g. http://<storage account>.queue.core.windows.net/<queue name>. Include an Authorization header with every request, using any of the three authorization styles.
2. Azure Storage Client Library for .NET: formulates REST requests and parses REST responses. Requires the same information (storage account name, queue name, and account key).

Event Topics are divided into system topics, and custom topics.

1. System topics: built-in topics provided by Azure services. You don't see system topics in your Azure subscription because the publisher owns the topics, but you can subscribe to them. To subscribe, you provide information about the resource you want to receive events from. As long as you have access to the resource, you can subscribe to its events.
2. Custom topics: application and third-party topics. When you create or are assigned access to a custom topic, you see that custom topic in your subscription.

The two components which make up Azure PowerShell.

1. The base PowerShell product. This comes in two variants: PowerShell on Windows, and PowerShell Core on macOS and Linux.
2. The Azure PowerShell module. This extra module must be installed to add the Azure-specific commands to PowerShell.

Two pieces of information to connect to a queue in a Service Bus namespace:

1. The location of the Service Bus namespace, aka endpoint. This is a fully qualified domain name (FQDN) within the servicebus.windows.net domain, e.g. pizzaService.servicebus.windows.net.
2. An access key. Service Bus restricts access to queues, topics, and relays by requiring an access key.
Both are provided to the QueueClient object in the form of a connection string.

Two options for managing the relationship between the storage account and each VHD.

1. Unmanaged disks: you are responsible for the storage accounts. You pay the storage account rates for the amount of space you use. A single storage account has a fixed-rate limit of 20,000 I/O operations/sec. A storage account is capable of supporting 40 standard virtual hard disks at full utilization. If you need to scale, then you'll need more storage accounts.
2. Managed disks: the newer and recommended disk storage model. You specify the size of the disk, up to 4 TB, and Azure creates and manages both the disk and the storage. You don't have to worry about storage account limits, which makes managed disks easier to scale out.

Choosing WebJobs over Functions

1. You want the code to be a part of an existing App Service application and to be managed as part of that application, for example in the same Azure DevOps environment.
2. You have specific customizations that you want to make to the JobHost that are not supported by Azure Functions. JobHost listens for events that trigger the code, and you have more flexibility to modify its behavior in WebJobs.
WebJobs only supports C# on Microsoft Windows.

username and password, or an SSH key pair

Two ways to authenticate an SSH connection: ___. Using passwords with SSH connections leaves the VM vulnerable to brute-force attacks. A more secure method of connecting to a Linux VM with SSH is a public-private key pair, also known as SSH keys.

Role definition

2. Role definition (what you can do) - A collection of permissions (aka a role). Lists the permissions that can be performed, like read, write, and delete. You can create your own custom roles. Azure also includes built-in roles that you can use. Four fundamental built-in roles:
- Owner - Full access to all resources, including the right to delegate access to others.
- Contributor - Can create and manage all types of Azure resources, but can't grant access to others.
- Reader - Can view existing Azure resources.
- User Access Administrator - Can manage user access to Azure resources.

Scope

3. Scope (where) - You can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship. When you grant access at a parent scope, those permissions are inherited by the child scopes.

cmdlet

A PowerShell command is called a ___. A ___ is a command that manipulates a single feature. By convention, ___ authors are encouraged to keep them simple and single-purpose. The base PowerShell product ships with ___ that work with features such as sessions and background jobs. You add modules to your PowerShell installation to get ___ that manipulate other features.

workload

A Visual Studio ___ is a pre-configured bundle of tools within Visual Studio that are grouped to enable developers to build certain types of applications, use certain development languages, or develop for specific platforms.

data retention policy

A ___ defines the principles for data recovery and disposal and is enforced in the same manner as data reclassification. A ___ should address the required regulatory and compliance requirements and corporate legal retention requirements. Properly classified data should influence decisions made about retention duration. Data classification rules that pertain to data retention must be addressed when moving to the cloud.

Queue

A ___ holds sent messages until the target is ready to receive them.

key

A ___ in a key vault is a cryptographic asset. Microsoft and your apps don't have access to the stored keys directly once a key is created or added to a key vault. Applications use keys by calling cryptography methods on the Key Vault service. The Key Vault service performs the requested operation within its hardened boundary.

binding

A ___ is a connection to data within your function. ___ are optional and come in the form of input and output ___. An input ___ is the data that your function receives. An output ___ is the data that your function sends. Unlike a trigger, a function can have multiple input and output bindings. There are also triggers, which are special types of input bindings that cause a function to run.

database account

A ___ is a container for managing one or more databases. Before we can create a database, we need to create a ___.

storage account

A ___ is a container that groups a set of Azure Storage services together. Only data services from Azure Storage can be included in a ___ (Azure Blobs, Azure Files, Azure Queues, and Azure Tables). A ___ lets you manage them as a group. The settings in the account are applied to everything in the account. Deleting the ___ deletes all of the data stored inside it. A ___ is an Azure resource and is included in a resource group. A subscription can contain multiple resource groups, where each group contains one or more ___. Other Azure data services like Azure SQL and Azure Cosmos DB are managed as independent Azure resources and cannot be included in a ___.

transaction

A ___ is a logical group of database operations that execute together. ___ are often defined by a set of four requirements, referred to as ACID guarantees (Atomicity, Consistency, Isolation, and Durability). Will a change to one piece of data in your dataset impact another? If the answer is yes, you'll need support for ___ in your database service.

fault domain

A ___ is a logical group of hardware in Azure that shares a common set of hardware components, and that shares a single point of failure, like a rack within an on-premises datacenter. The first two VMs in an availability set will be provisioned into two different racks so that if the network or the power failed in a rack, only one VM would be affected. ___ are also defined for managed disks attached to VMs.

queue

A ___ is a simple temporary storage location for messages. A sending component adds messages. A destination component picks up messages. ___ decouple the components to insulate destination components from high demand. Destination components remove messages as they are able to handle them. When demand drops, destination components can catch up and the ___ shortens.

CRON expression

A ___ is a string that consists of six fields that represent a set of times. The order of the six fields in Azure is: {second} {minute} {hour} {day} {month} {day of the week}. For example, a CRON expression to create a trigger that executes every five minutes looks like: 0 */5 * * * *

timer trigger

A ___ is a trigger that executes a function at a consistent interval. Supply two pieces of information. 1. A Timestamp parameter name, which is an identifier to access the trigger in code. 2. A Schedule. A CRON expression that sets the interval for the timer.

blob trigger

A ___ is a trigger that executes a function when a file is uploaded or updated in Azure Blob storage. To create a ___, you create an Azure Storage account and provide a location that the trigger monitors. The Path tells the ___ where to monitor to see if a blob is uploaded or updated. By default, the Path value is: samples-workitems/{name}

Log Analytics workspace

A ___ is a unique environment for Azure Monitor log data. Each workspace has its own data repository and configuration, and data sources and solutions are configured to store their data in a particular workspace. You require a ___ if you intend on collecting data from the following sources:
- Azure resources in your subscription
- On-premises computers monitored by System Center Operations Manager
- Device collections from Configuration Manager
- Diagnostics or log data from Azure storage

relay

A ___ is an object that performs synchronous, two-way communication between applications. Unlike queues and topics, it is not a temporary storage location for messages. Instead, it provides bidirectional, unbuffered connections across network boundaries such as firewalls. Use a ___ when you want direct communications between components as if they were located on the same network segment but separated by network security devices. Note: Although relays are part of Azure Service Bus, they do not implement loosely coupled messaging workflows.

topic

A ___ is similar to a queue but can have multiple subscriptions. Multiple destination components can subscribe to a single ___, each message is delivered to multiple receivers. Subscriptions can also filter the messages in the topic. Use a ___ if you want messages delivered to multiple destination components. ___ are not supported in the Basic pricing tier.

role assignment

A ___ is the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment. To revoke access, you remove a role assignment.

deployment model

A ___ is the system Azure uses to organize your resources. It defines the API that you use to create, configure, and manage resources. Azure provides 2:
1. Resource Manager: the current model that uses the Azure Resource Manager API
2. Classic: a legacy offering that uses the Azure Service Management API
Most Azure resources only work with Resource Manager. Storage accounts, virtual machines, and virtual networks support both, so you must choose one or the other when you create your storage account. The key feature difference between the two models is their support for grouping. The Resource Manager model adds the concept of a resource group, not available in the classic model. Use Resource Manager for all new resources.

publisher

A ___ to Event Hub is the user or organization that decides to send events to Event Grid. eg, Microsoft publishes events for several Azure services. You can publish events from your own application. Organizations that host services outside of Azure can publish events through Event Grid. The event source is the publisher and the specific service generating the event for that publisher.

data diversity, cost sensitivity, and tolerance for management overhead

A storage account represents a collection of settings like location, replication strategy, and subscription owner. You need one storage account for every group of settings that you want to apply to your data. The number of storage accounts you need is typically determined by your ___.

Always on

A web app can time out after 20 minutes of inactivity, and only requests to the actual web app can reset the timer. If you set your web app to run continuous or scheduled (timer-trigger) WebJobs, enable the ___ setting on your web app's Azure Configuration page to ensure that the WebJobs run reliably. This feature is available only in the Basic, Standard, and Premium pricing tiers.

App Service plan

A web app running in Azure typically uses Azure App Service to provide the hosting environment. App Service can arrange for multiple instances of the web app to run and will load balance incoming requests across these instances. Each instance runs on a virtual machine. The resources available to each instance are defined by an ___. The ___ specifies the operating system (Windows or Linux), the hardware (memory, CPU processing capacity, disk storage, and so on), and the availability of services like automatic backup and restore.

Protect data in transit

- Access from multiple workstations located on-premises to an Azure virtual network: Use site-to-site VPN.
- Access from an individual workstation located on-premises to an Azure virtual network: Use point-to-site VPN.
- Move large data sets over a dedicated high-speed WAN link: Use Azure ExpressRoute. With ExpressRoute, you can also encrypt the data at the application level by using SSL/TLS or other protocols for added protection.
- Interact with Azure Storage through the Azure portal: All transactions occur via HTTPS. You can also use the Storage REST API over HTTPS to interact with Azure Storage and Azure SQL Database.
Fail to protect data in transit and you are susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking.

subnets

After deciding the virtual network address space(s), you can create one or more ___ for your virtual network. You do this to break up your network into more manageable sections. For example, you might assign 10.1.0.0 to VMs, 10.2.0.0 to back-end services, and 10.3.0.0 to SQL Server VMs. Note: Azure reserves the first four addresses and the last address in each subnet for its use.

ICloudBlob

After you have a reference to a blob, you can upload and download data. ___ objects have Upload and Download methods that support byte arrays, streams, and files as sources and targets. Specific types have additional methods for convenience, eg, CloudBlockBlob supports uploading and downloading strings with UploadTextAsync and DownloadTextAsync.

Storage Service Encryption (SSE)

All data written to Azure Storage is automatically encrypted by ___ with a 256-bit Advanced Encryption Standard (AES) cipher, and is FIPS 140-2 compliant. SSE automatically encrypts data when writing it to Azure Storage. When you read data from Azure Storage, Azure Storage decrypts the data before returning it. This process incurs no additional charges and doesn't degrade performance. It can't be disabled.

access control lists (ACLs)

Along with role-based access control (RBAC), Azure Data Lake Storage Gen2 provides ___ that are POSIX-compliant, and that restrict access to only authorized users, groups, or service principals.

new slots

Although you can clone settings to a new slot, you can't clone content. New slots always begin with no content. You must deploy content by using git or another deployment strategy. The clone operation copies the configuration to the new slot. After you clone the settings, the configuration of the two slots can be changed independently.

When do I need to validate input?

Always. You must validate every input for your application. This includes parameters in the URL, input from the user, data from the database, data from an API and anything that is passed in the clear that a user could potentially manipulate.

Azure Storage account

An Azure Function App stores management information, code, and logs in Azure Storage. Create a ___ to hold this data. The ___ must support Azure Blob, Queue, Files, and Table storage; use a general ___ for this purpose.

Azure Function metadata

An Azure Function contains metadata to specify trigger type and security requirements. eg the HttpTrigger, BlobTrigger, or other trigger attributes. The FunctionName attribute that precedes the function is an identifier for the function used by the function app. This name doesn't have to be the same as the name of the function.

Run

An Azure Function is implemented as a static class. The class provides a static, async method named ___. The parameters passed to Run provide the context. The attributes applied to this function specify the authorization, and the HTTP operations to which it responds (GET and POST).

ILogger

An Azure Function is passed an ___ parameter. The function can use this parameter to write log messages, which the function app will write to storage for later analysis.

Azure Functions app

An Azure Function runs in the cloud in the context of an ___. A ___ is a container that specifies the operating system for running an Azure Function, together with the resources available, such as the memory, computing power, and disk space. The ___ also provides the public URL for running your functions. Behind the scenes, an ___ is a collection of one or more virtual machines (VMs), running a web server. When you publish an Azure Function, you deploy it to these VMs.

consumer group

An Event Hub ___ represents a specific view of an Event Hub data stream. By using separate ___, multiple subscriber apps can process an event stream independently, and without affecting other apps. The use of many ___s isn't a requirement. For many apps, the single default ___ is sufficient.

event handler

An ___ (aka an event "subscriber") is any component (application or resource) that can receive events from Event Grid. Subscribers can decide which events to handle and Event Grid will notify each subscriber when a new event is available - no polling required.

availability set

An ___ ensures that a group of related VMs are deployed so that they aren't all subject to a single point of failure and not all upgraded at the same time. VMs placed in an ___ should perform an identical set of functionalities and have the same software installed. Microsoft offers a 99.95% external connectivity SLA for multiple-instance VMs deployed in an ___. There must be at least two instances of the VM deployed within an availability set.

Azure Function App

An ___ hosts Azure Functions. Functions are hosted in an execution context called a ___ that provides the environment and runtime. Define a ___ to logically group and structure functions and a compute resource in Azure. Choose a service plan and select a compatible storage account when creating one. A ___ supports a single language runtime.

update domain

An ___ is a logical group of hardware that can undergo maintenance, or be rebooted at the same time. Azure will automatically place availability sets into ___ to minimize the impact when the Azure platform introduces host operating system changes. Azure then processes each ___ one at a time.

event

An ___ is a small packet of information (a datagram) that contains a notification. Events can be published individually, or in batches, but a single publication (individual or batch) can't exceed 1 MB.

Azure SQL Database Auditing

An important aspect of the SQL IP paradigm is the ability to monitor access to sensitive data. ___ has been enhanced to include a new field in the audit log. The data_sensitivity_information field logs the sensitivity classifications (labels) of the actual data that was returned by the query.

Cross-Site Scripting (XSS)

Any output you present either visually or within a document should always be encoded and escaped. This design principle will make sure that everything is displayed as output and not inadvertently interpreted as something that should be executed, which is another common attack technique that is referred to as ___.

Types of binding expressions

App settings, Trigger filename, Trigger metadata, JSON payloads, New GUID, Current date and time.
Most expressions are wrapped in curly braces. However, app setting binding expressions are wrapped in percent signs, e.g. the blob output binding path %Environment%/newblob.txt. You can use binding expressions in the function.json file, function parameters, or code.

structured, semi-structured, and unstructured

Application data can be classified in one of three ways: ___.

Advanced Message Queuing Protocol (AMQP)

Applications that publish messages to Azure Event Hub usually get the best performance using ___ because it establishes a persistent socket. Publishers can use either HTTPS or AMQP. AMQP opens a socket and can send multiple messages over that socket.

Partitions

As Event Hubs receives communications, it divides them into ___. ___ are buffers into which the communications are saved. Because of the event buffers, events are not completely ephemeral, and an event isn't missed just because a subscriber is busy or even offline. The subscriber can use the buffer to "catch up." By default, events stay in the buffer for 24 hours before they automatically expire. The buffers are called ___ because the data is divided amongst them. Every event hub has at least two ___, and each ___ has a separate set of subscribers.

Azure Integration Services

As a member of ___, Logic Apps simplifies the way that you connect legacy, modern, and cutting-edge systems across cloud, on premises, and hybrid environments.

Storage Analytics service

Audit Azure Storage access using the built-in ___. ___ logs every operation in real time, and you can search the logs for specific requests. Filter based on the authentication mechanism, the success of the operation, or the resource that was accessed.

Azure PowerShell

Automate repetitive tasks after a script has been verified so it will run consistently. ___ is ideal for one-off interactive tasks and/or the automation of repeated tasks. PowerShell is a cross-platform shell. ___ is an optional add-on package that adds the Azure-specific commands (referred to as cmdlets). You can use the New-AzVM cmdlet to create a new Azure VM.

webhooks

Azure App Service supports continuous deployment using ___, a service offered by Azure Container Registry. Services and applications can subscribe to the webhook to receive notifications about updates to images in the registry. A web app that uses App Service can subscribe to an ACR webhook to receive notifications about updates to the image that contains the web app. When the image is updated, and App Service receives a notification, your app automatically restarts the site and pulls the latest version of the image.

deployment slots

Azure App Service web app can have multiple ___. Each slot is a separate instance of that web app, with a separate hostname. Deploy a different version of your web app into each slot. One slot is production slot. Use additional slots to host new versions of the web app. You can run tests on the slot. Deploy by swapping the slot with the production slot. A slot swap is instantaneous, the slot hostnames are exchanged, immediately sending production traffic to the new version. With slot swap deployment, the app is never exposed in a partially deployed state. If the new version has a problem, you can roll back the version by swapping the slots back.

process automation, configuration management, and update management

Azure Automation enables you to integrate services that allow you to automate tasks. These services include ___.

Azure Active Directory OAuth 2.0 bearer tokens

Azure Data Lake Storage Gen2 authenticates through ___. This allows for flexible authentication schemes, including federation with Azure AD Connect and multifactor authentication. These auth schemes are integrated into the main analytics services that use the data, including Azure Databricks, HDInsight, and Azure Synapse Analytics, and into management tools such as Azure Storage Explorer.

Event Hub resilience

Azure Event Hubs keeps received messages from your sender application, even when the hub is unavailable. Messages received after the hub becomes unavailable are successfully transmitted to your application as soon as the hub becomes available.

Object types in Azure that can receive and handle events from Event Grid

- Azure Functions: Use an Azure function as an event handler when you want to code a custom response to the event.
- Webhooks: A webhook is a web API that implements a push architecture.
- Azure Logic Apps: An Azure logic app hosts a business process as a workflow.
- Microsoft Power Automate: Flow also hosts workflows.

Azure Active Directory (Azure AD)

Azure Key Vault uses ___ to authenticate users and apps. Authentication is performed by associating the Azure AD tenant of the subscription that the Key Vault is part of, and every user or app making a request to Azure AD. No support for anonymous access to a Key Vault.

NotActions

Azure RBAC uses ___ permissions. Use ___ to create a set of not allowed permissions. The access granted by a role, the effective permissions, is computed by subtracting the ___ operations from the Actions operations.

allow model

Azure RBAC uses an ___. When you are assigned a role, Azure RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you will have read and write permissions on that resource group.

Transport Layer Security (TLS)

Azure SQL Database enforces ___ encryption at all times for all connections, which ensures all data is encrypted "in transit". ___ encryption is a standard of securing traffic over the internet, and in this case ensures your network traffic to and from your Azure SQL database is secure by default.

Azure SQL Database built-in firewall

Azure SQL Database has a built-in firewall to allow and deny network access to the DB server itself and individual databases. Initially, all public access to the Azure SQL DB is blocked by the SQL Database firewall. You must specify one or more server-level IP firewall rules that enable access to your DB. Use the IP firewall rules to specify IP address ranges and whether Azure applications can connect. Rules are configured at the server and/or db level. The rules you can apply:
1. Server-level firewall rules: Allow access to Azure services, IP address rules, Virtual network rules
2. Database-level firewall rules: IP address rules
Whenever possible use database-level IP firewall rules. Use server-level IP firewall rules for administrators and when you have several databases with the same access requirements.

transparent data encryption (TDE)

Azure SQL Database protects data at rest using ___. ___ performs real-time encryption and decryption of the database, backups, and transaction log files at rest without requiring changes to the application. Using a database encryption key, transparent data encryption performs real-time I/O encryption and decryption of the data at the page level. Each page is decrypted when it's read into memory and then encrypted before being written to disk. ___ is enabled for all newly deployed Azure SQL databases. Azure Security Center will flag any databases that don't have TDE enabled on them.

Free and Standard

Azure Security Center provides unified security management and advanced threat protection for hybrid cloud workloads and is offered in two tiers: ___. The free tier provides security policies, assessments, and recommendations while the Standard tier provides a robust set of features, including threat intelligence.

queues, topics, and relays

Azure Service Bus can exchange messages in three different ways: ___.

shared key

Azure Storage accounts can create authorized apps in Active Directory to control access to the data in blobs and queues. For other storage models, clients can use a ___, or shared secret. This authentication option is one of the easiest to use, and it supports blobs, files, queues, and tables. The client embeds the ___ in the HTTP Authorization header of every request, and the Storage account validates the key.

Azure Active Directory and role-based access control (RBAC)

Azure Storage supports both ___ for resource management and data operations. For security principals, you can assign RBAC roles that are scoped to the storage account. Use Active Directory to authorize resource management operations. AD is supported for data operations on Blob and Queue storage. To a security principal or a managed identity for Azure resources, you can assign RBAC roles that are scoped to a subscription, a resource group, a storage account, or an individual container or queue.

cross-origin resource sharing (CORS)

Azure Storage supports cross-domain access through ___. ___ uses HTTP headers so a web app at one domain can access resources from a different domain. By using ___, web apps ensure that they load only authorized content from authorized sources. ___ support is an optional flag you can enable on Storage accounts. The flag adds the appropriate headers when you use HTTP GET requests to retrieve resources from the Storage account.

Block, Page, Append

Azure Storage supports three kinds of blobs: ___

Events can be generated by the following Azure resource types:

- Azure Subscriptions and Resource Groups
- Container registry
- Event Hub
- Service Bus
- Storage accounts
- Azure IoT Hub
- Custom events: can be generated using the REST API, or Azure SDK on Java, GO, .NET, Node, Python, and Ruby.

Azure Blobs, Azure Files, Azure Queues, and Azure Tables

Azure has four main data services, placed together under the name Azure Storage. The four services are ___. These four were given special treatment because they are all primitive, cloud-based storage services and are often used together in the same application.

Autoscale

Azure offers many other services that scale automatically. For example, the ___ feature is available on Azure virtual machine scale sets, cloud services, Azure App Service plans, and App Service environments.

Azure Region

Azure operates in multiple geographies around the world. Azure geography is a defined area of the world that contains at least one ___. An Azure region is an area containing one or more data centers. Each Azure region is paired with another region within the same geography, forming a region pair (exception is Brazil South). Across the region pairs, Azure serializes platform updates so that only one region is updated at a time. If an outage affecting multiple regions occurs, one region in each pair will be prioritized for recovery. It's recommended that you configure business continuity and disaster recovery (BCDR) across regional pairs to benefit from Azure's isolation and VM policies.

Methods to create VMs in Azure

- Azure portal
- In code
- Azure CLI
- Azure PowerShell (AZ Module)
- Azure ARM Templates

Continuous integration/deployment CI/CD

Azure portal provides continuous integration and deployment with Azure DevOps, GitHub, Bitbucket, FTP, or a local Git repository on your development machine. With Azure DevOps, you can define your own build and release process that compiles, runs the tests, builds a release, and finally deploys the release into your web app every time you commit the code. You can use the tight integration with Visual Studio to publish your web app to Azure via Web Deploy technology. App Service also supports FTP-based publishing for more traditional workflows.

The Azure portal, The Azure CLI, Azure PowerShell

Azure provides three administration tools to choose from: ___. The portal does not provide any way to automate repetitive tasks.

Three pricing tiers for Azure Event Hubs:

Basic, Standard, and Dedicated. They differ in terms of supported connections, the number of available Consumer groups, and throughput. When using Azure CLI to create an Event Hubs namespace, if you don't specify a pricing tier, the default of Standard (20 Consumer groups, 1000 Brokered connections) is assigned.

Azure Cache for Redis tiers:

- Basic: An OSS Redis cache running on a single VM. No SLA and is ideal for dev/test.
- Standard: An OSS Redis cache running on two VMs in a replicated configuration.
- Premium: High-performance OSS Redis caches. Offers higher throughput, lower latency, better availability, and more features. Premium caches are deployed on more powerful VMs compared to the VMs for Basic or Standard caches.
- Enterprise: High-performance caches powered by Redis Labs' Redis Enterprise software. Supports Redis modules including RediSearch, RedisBloom, and RedisTimeSeries. Offers higher availability than the Premium tier.
- Enterprise Flash: Cost-effective large caches powered by Redis Labs' Redis Enterprise software. Extends Redis data storage to non-volatile memory, which is cheaper than DRAM, on a VM. It reduces the overall per-GB memory cost.

Tabs when Creating a Function App

- Basics
- Hosting
- Monitoring
- Tags
- Review + create

API Management

Because you can publish Azure Functions through ___, you can use them to implement a microservices architecture; each function implements a microservice. By adding several functions to a single API Management product, you can build those microservices into an integrated distributed application. Once the application is built, you can use API Management policies to implement caching or ensure security requirements.

Can Core Tools create a function app?

Before Core Tools can publish a project, you need to create a function app in Azure. This is not a capability of the Core Tools: creating function apps is one of the responsibilities of the Azure management tools, which include the Azure portal, Azure CLI and Azure PowerShell.

validate move

Before attempting to move a resource, you can test whether it will be successful by calling the ___ operation from the Azure REST API. The operation only tests whether your move operation would succeed, based on the options you provide. The Azure portal does an automatic validation before allowing you to move resources.

Binding definition

Bindings are defined in JSON. A binding is configured in your function's configuration file, which is named function.json and lives in the same folder as your function code.

The following deployment sources are currently supported for Continuous deployment for Function apps :

- Bitbucket
- Dropbox
- External repository (Git or Mercurial)
- Git local repository
- GitHub
- OneDrive
- Azure DevOps

unstructured

Blobs give you file storage in the cloud and a REST API to access the data. Azure Blob storage is ___: there are no restrictions on the kinds of data it can hold, and it is not limited to common file formats. Blobs are usually not appropriate for structured data that is queried frequently. Apps use GUIDs as blob names and reference them in DB records. Apps use the DB to determine where blobs are stored and the kind of data they contain.

Azure storage includes four types of data:

- Blobs: Massively scalable object store for text and binary data. Can include support for Azure Data Lake Storage Gen2.
- Files: Managed file shares for cloud or on-premises deployments.
- Queues: Messaging store for reliable messaging between application components.
- Table Storage: NoSQL store for schema-less storage of structured data.
All are accessible from anywhere over HTTP or HTTPS. Microsoft provides SDKs for Azure Storage and a REST API. You can also visually explore data in the Azure portal.

VM Security

By default, new VMs are locked down. Apps can make outgoing requests, but the only inbound traffic allowed is from the virtual network and from Azure Load Balancer. When you create a new VM, you can open ports (RDP, HTTP, HTTPS, and SSH). If you require other changes to the firewall, you will need to adjust them manually. The process for this involves two steps:
1. Create a network security group.
2. Create an inbound rule allowing traffic on the ports you need.

IP addresses, ranges, or virtual networks

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. You can restrict access to specific ___. If you set the default network rule to deny, you'll block all access to the data unless specific network rules grant access.

Network Security Groups (NSGs)

By default, there is no security boundary between subnets, so services in each can communicate. You can set up ___, which allow you to control the traffic flow to and from subnets and to and from VMs. ___ act as software firewalls, applying custom rules to each inbound or outbound request at the network interface and subnet level. This allows you to fully control every network request coming in or out of the VM.

Consumption service plan

Choose the ___ plan when using the Azure serverless application platform. ___ provides automatic scaling and bills you only when your functions are running. ___ has a configurable timeout period for the execution of a function. By default it is 5 minutes, but it may be configured up to 10 minutes.

PowerShell Module

Cmdlets are shipped in modules. A ___ is a DLL that includes the code to process each available cmdlet. You load cmdlets into PowerShell by loading the module they are contained in. You can get a list of loaded modules using the Get-Module command:

Function left side menu

- Code + Test
- Integration
- Monitor
- Function Keys

groups and subgroups

Commands in the CLI are structured in ___. Each group represents a service provided by Azure, and the subgroups divide commands for these services into logical groupings. E.g., the storage group contains subgroups including account, blob, and queue.

VM Compute Costs

Compute costs - Priced on a per-hour basis, billed on a per-minute basis. Not charged for compute capacity if you stop and deallocate the VM. Price varies based on the VM size and OS. The cost includes the charge for the Windows OS. Linux-based instances are cheaper because there is no OS license charge. Tip: save money by reusing existing licenses for Windows with the Azure Hybrid benefit.

az acr task create

Container Registry tasks must be created from the command line. The "___" command creates and registers a long-lived task. Before running this command, you need to create a GitHub personal access token with permissions to create a webhook in your repository.

the native Core (SQL) API, API for MongoDB, Cassandra API, Gremlin API, and Table API.

CosmosDB API Types: ___

Microsoft Azure Disk Encryption

Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. Use ___ to encrypt both Windows IaaS and Linux IaaS VM disks. Disk encryption combines the Windows BitLocker feature and the Linux dm-crypt feature to provide volume encryption for the OS and the data disks. Azure Storage and Azure SQL Database encrypt data at rest by default, and many services offer encryption as an option. You can use Azure Key Vault to maintain control of the keys that access and encrypt your data. Encrypt your drives before you write sensitive data to them.

at rest, in process, and in transit

Data exists in one of three states: ___. Data classified as confidential needs to stay confidential in each state. Data can also be either structured or unstructured. Typical classification processes for structured data found in databases and spreadsheets are less complex and time-consuming to manage than those for unstructured data such as documents, source code, and email. Generally, organizations will have more unstructured data than structured data.

data sovereignty

Digital information is always subject to the laws of the country or region where it's stored. This concept is known as ___. Many of the concerns that surround data sovereignty relate to enforcing privacy regulations and preventing data that are stored in a foreign country from being subpoenaed by the host country or region's government. Microsoft does not control or limit the locations from which customers or their end users might access their data.

Event Types

- Discrete: report state changes and are actionable. (Event Grid)
- Series: report a condition, time-ordered, and analyzable. (Event Hub)
- User notification: prompt user or their device for attention. (Notification Hub)

Dockerfile

Docker can build images automatically by reading the instructions from a ___. A ___ is a text document that contains all the commands a user could call on the command line to assemble an image. Using docker build, users can create an automated build that executes several command-line instructions in succession.

Selecting an Event-based Service

- Does your solution have an expectation of how data is handled or does it contain app data? If so, select a Messaging service.
- Do you need a solution to send events to mobile devices as push notifications? Select Azure Notification Hub.
- Does your solution produce discrete events, that report state changes that a system can act on? Select Azure Event Grid.
- Does your solution report state over time for analysis by another system, such as in a data pipeline? Select Azure Event Hub.

- Function chaining
- Fan-out/fan-in
- Async HTTP APIs
- Monitoring
- Human interaction
- Aggregator (stateful entities)

Durable Functions can implement many common workflow patterns. These patterns include: ___

timers

Durable Functions provides ___ for use in the orchestrator functions, which you can use to implement delays or set up timeouts for asynchronous actions. You should use durable ___ in orchestrator functions instead of the setTimeout() and setInterval() functions. You create a durable ___ by calling the createTimer() method of the DurableOrchestrationContext. This method returns a task that resumes on a specified date and time.

Azure Subscriptions

Each Azure subscription is associated with a single Azure AD directory. Users, groups, and applications in that directory can manage resources in the Azure subscription. Subscriptions use Azure AD for SSO and access management. Extend on-premises Active Directory to the cloud by using Azure AD Connect. This feature allows your employees to manage their Azure subscriptions by using their existing work identities. When you disable an on-premises Active Directory account, it automatically loses access to all Azure subscriptions connected with Azure AD.

Logic Apps Pricing

Each logic app type, which differs by capabilities and where they run (multi-tenant, single-tenant, integration service environment), has a different pricing model. For example, multi-tenant logic apps use consumption pricing, while logic apps in an integration service environment use fixed pricing.

Storage Account Name

Each storage account has a name. The name must be globally unique within Azure, use only lowercase letters and digits, and be between 3 and 24 characters long.

Rotating keys for storage account

Each storage account has two access keys. Keys can be rotated (regenerated) periodically. This can be done from the Azure portal or the Azure CLI/PowerShell command line tool. Rotating a key will invalidate the original key value immediately.
- Update the connection strings in your application code to reference the secondary access key of the storage account.
- Regenerate the primary access key for your storage account using the Azure portal or command line tool.
- Update the connection strings in your code to reference the new primary access key.
- Regenerate the secondary access key in the same manner.

Change Feed

- Enables you to be notified for any insert and update on your data
- Deletes are not directly supported, but you can leverage a soft-delete flag
- A change will appear exactly once in the change feed
- Reading data from the database will consume throughput
- Partition updates will be in order, but between partitions there is no guarantee
- Is not supported for the Azure Table API

Azure SQL Database auditing

When auditing is enabled, operations that occur on the database are stored for inspection or for automated tools to analyze them. Auditing is also used for compliance management or understanding how your database is used. Auditing is also required if you wish to use Azure threat detection on your Azure SQL database. Audit logs are written to Append Blobs in an Azure Blob storage account that you designate. Audit policies can be applied at the server-level or database-level. Once enabled, you can use the Azure portal to view the logs, or send them to Log Analytics or Event Hub for further processing and analysis.

To receive messages from an Event Hub, provide the following information to create connection credentials:

- Event Hub namespace name
- Event Hub name
- Shared access policy name
- Primary shared access key
- Storage account name *
- Storage account connection string *
- Storage account container name *
* If you have a receiver application that stores messages in Azure Blob Storage, you'll also need to configure a storage account.

Azure Event Grid Concepts

Event sources send events to the Event Grid. Event Grid forwards relevant events to the subscribers. Event Grid uses topics to decide which events to send to which handlers. Event sources tag each event with one or more topics, and event handlers subscribe to the topics they are interested in.

Concepts in Azure Event Grid that connect a source to a subscriber:

- Events: What happened.
- Event sources: Where the event took place.
- Topics: The endpoint where publishers send events.
- Event subscriptions: The endpoint or built-in mechanism to route events, sometimes to multiple handlers. Subscriptions are also used by handlers to filter incoming events intelligently.
- Event handlers: The app or service reacting to the event.

blob container

Every blob lives inside a ___. You can store an unlimited number of blobs in a ___ and an unlimited number of containers in a storage account. ___ can only store blobs, not other ___. Blobs and containers support metadata in the form of name-value string pairs. Blob storage does not provide any mechanism for searching or sorting blobs by metadata.

function app

Every function published to Azure belongs to a ___: a collection of functions that are published together into the same environment. All functions in an app share a common set of configuration values, and must all be built for the same language runtime. Each ___ is an Azure resource that can be configured and managed independently.

EDIFACT, AS2, X12, and RosettaNet

Exchange messages using ___ protocols. Process XML messages and flat files. Using the enterprise integration capabilities supported by Logic Apps, create workflows that transform message formats. Logic Apps handles these exchanges securely with encryption and digital signatures.

True or false: an Azure Function can have multiple triggers associated with it?

False. Every Azure Function must have exactly one trigger associated with it. If you want to use multiple triggers, you must create multiple functions.

Some resources can't be moved, while it's OK to move others with certain restrictions.

For example, these resources can be moved:
- Azure Storage accounts
- Azure virtual machines
- Azure virtual networks
These resources can't be moved:
- Azure Active Directory domain services
- Azure Backup vaults
- Azure App Service gateways

How Azure uses network rules

For inbound traffic, Azure processes the security group associated to the subnet, then the security group applied to the network interface. Outbound traffic is handled in the opposite order (network interface, then subnet). Rules are evaluated in priority order, starting with the rule that has the lowest priority number. Deny rules always stop the evaluation. The last rule is always a Deny All rule. This is a default rule added to every security group for both inbound and outbound traffic with a priority of 65500. That means to have traffic pass through the security group, you must have an allow rule, or the final default rule will block it.

Azure Disk Encryption

For virtual machines (VMs), Azure lets you encrypt virtual hard disks (VHDs) by using ___. This encryption uses BitLocker for Windows images, and it uses dm-crypt for Linux.

Azure Service Bus

Fully-managed enterprise message broker service that enables multiple modes of messaging with integrations for common messaging systems including Java Message Service (JMS).

HTTP trigger Authorization levels

Function and Admin levels are "key" based. To send an HTTP request, you must supply a key for authentication. Two types of keys: function and host. The difference is scope. Function keys are specific to a function. Host keys apply to all functions inside the function app. If your Authorization level is set to Function, you can use either a function or a host key. If your Authorization level is set to Admin, you must supply a host key. Anonymous level means that there's no authentication required.

Serverless Workloads

Functions and Logic Apps are Azure services that enable ___. Azure Functions is a serverless compute service, whereas Azure Logic Apps provides serverless workflows.

Orchestrations

Functions and Logic Apps can create complex ___. An ___ is a collection of functions or steps, called actions in Logic Apps, that are executed to accomplish a complex task. You can mix and match services when you build ___, calling functions from logic apps and calling logic apps from functions.

event driven

Functions are ___. This means they run only in response to an event (called a "trigger"), such as receiving an HTTP request, or a message being added to a queue. You configure a trigger as part of the function definition. This allows you to declare where the data comes from (trigger/input binding) and where it goes (output binding). You don't need to write code to watch queues, blobs, hubs, etc.

functions host

Functions are hosted by ___, which powers everything outside of the function code: it loads configuration, listens for triggers and HTTP requests, starts the worker process for the function language, writes log output and more. To start the ___ locally, run func start from a functions project folder. The Core Tools will display local URLs you can use to call each of your functions.

ListBlobsSegmentedAsync

Get a list of the blobs in a container using CloudBlobContainer's ___ method. Segmented refers to the separate pages of results. A single call to ___ is never guaranteed to return all the results in a single page. You may need to call it repeatedly using the ContinuationToken it returns to work through the pages. Never assume that ListBlobsSegmentedAsync results will arrive in a single page. Always check for a continuation token and use it if it's present.

at-least-once delivery

Get and delete are separate operations. This handles failures in the receiver and implements a concept called ___. After the receiver gets a message, that message remains in the queue but is invisible for 30 seconds. If the receiver fails, it won't delete the message. After 30 seconds the message will reappear.

HTTP triggers and API keys

HTTP triggers can use API keys to block unknown callers by requiring the key to be present on each request. You select the authorization level when you create a function. By default, it's set to Function, which requires a function-specific API key. It can be set to Admin to use a global "master" key, or Anonymous so no key is required. You can change the authorization level through the function properties after creation.

az find

How do you find the particular commands you need? One way is to use ___, the AI robot that uses the Azure documentation to tell you more about commands, the CLI and more.

WebJobs source control

If you have source control configured with your application, the WebJobs should be deployed as part of the source control integration. Once source control is configured with your application, a WebJob cannot be added from the Azure Portal.

Topics

If you want every message sent to be delivered to all subscribing components, use ___. Use the Microsoft.Azure.ServiceBus NuGet package, configure connection strings, and use async programming patterns. You'll use the TopicClient class instead of the QueueClient class to send messages and the SubscriptionClient class to receive messages.

Azure VM extensions

If you want to configure and install additional software on your VM after the initial deployment, use ___. ___ are small applications that enable you to configure and automate tasks on Azure VMs after initial deployment. ___ can be run with the Azure CLI, PowerShell, ARM templates, and the Azure portal. You bundle extensions with a new VM deployment, or run them against an existing system.

multi-tenant logic app

If you're creating a ___, get started faster when you create a workflow from the templates gallery. These templates are available for common workflow patterns, which range from simple connectivity for Software-as-a-Service (SaaS) apps to advanced B2B solutions.

write once, read many (WORM)

Immutable storage for Azure Blob Storage enables users to store business-critical data in a ___ state. This state makes the data unerasable and unmodifiable for a user-specified interval. Blobs can be created and read, but not modified or deleted, for the duration of the retention interval. Immutable storage enables: Time-based retention policy support, Legal hold policy support, Support for all blob tiers, Container-level configuration, Audit logging support. The audit log is kept for the lifetime of the container, in accordance with the SEC 17a-4(f) regulatory guidelines.

time-based retention and legal holds

Immutable storage for Azure Blob storage supports two types of WORM or immutable policies: ___. When a time-based retention policy or a legal hold is applied on a container, all existing blobs move to the immutable (write-protected and delete-protected) state. All new blobs that are uploaded to the container will also move to the immutable state. When a time-based retention policy is applied on a container, all blobs in the container will stay in the immutable state for the duration of the effective retention period. The effective retention period for existing blobs is equal to the user-specified retention interval minus the time elapsed since the blob creation time. For new blobs, the effective retention period is equal to the user-specified retention interval. Because users can extend the retention interval, immutable storage uses the most recent value of the user-specified retention interval to calculate the effective retention period. For example, a user creates a time-based retention policy with a retention interval of five years. The existing blob in that container, testblob1, was created one year ago. The effective retention period for testblob1 is four years. A new blob, testblob2, is now uploaded to the container. The retention period for this new blob is five years.

X-ARR-ClientCert request header

In App Service, TLS termination of the request happens at the frontend load balancer. When forwarding the request to your app code with client certificates enabled, App Service injects an ___ with the client certificate. App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate.

container

In Azure Cosmos DB, a ___ holds arbitrary user-generated entities. Inside a ___, we store documents.

namespace

In Azure Service Bus, a ___ is a container, with a unique fully qualified domain name, for queues, topics, and relays. You must start by creating the ___. Each ___ has primary and secondary shared access signature encryption keys. To gain access to the objects within the ___, a component must provide these keys when it connects.

storage account keys

In Azure Storage accounts, shared keys are called ___. Azure creates two of these keys (primary and secondary) for each storage account. The keys give access to everything in the account. Find the ___ in the Azure portal view of the storage account under Settings > Access keys.

Azure Storage SDK

In the ___ for .NET Core, the standard pattern for using Blob storage consists of:
1. To get a CloudStorageAccount, call CloudStorageAccount.Parse (or TryParse) with your connection string.
2. To get a CloudBlobClient, call CreateCloudBlobClient on the CloudStorageAccount.
3. To get a CloudBlobContainer, call GetContainerReference on the CloudBlobClient.
To get a list of blobs and/or get references to individual blobs to upload and download data, use methods on the container. None of this initialization code makes calls over the network. Exceptions that occur because of incorrect information won't be thrown until later.

Disk Management

Initialize data disks. Any additional drives you create from scratch will need to be initialized and formatted. The process for doing this is identical to that for a physical drive. Launch the ___ tool from the Start Menu.

How to choose a communications technology

- Is the communication an event? If so, consider using Event Grid or Event Hubs.
- Should a single message be delivered to more than one destination? If so, use a Service Bus topic.
- Otherwise, use a queue.

CosmosDB create a synthetic partition key

It's a best practice to have a partition key with many distinct values, such as hundreds or thousands. The goal is to distribute your data and workload evenly across the items associated with these partition key values. If such a property doesn't exist in your data, you can construct a synthetic partition key.
- You can form a partition key by concatenating multiple property values into a single artificial partitionKey property. These keys are referred to as synthetic keys.
- Another strategy to distribute the workload more evenly is to append a random number at the end of the partition key value. When you distribute items in this way, you can perform parallel write operations across partitions.
- The pre-calculated (hash) suffixes strategy. Instead of using a random number to distribute the items among the partitions, use a number that is calculated based on something that you want to query. E.g., calculate a hash suffix based on the VIN and append it to the partition key date.

periodically rotate your access keys

It's recommended that you periodically rotate your access keys to ensure they remain private. You can use an Azure Key Vault to store the access key. Key Vaults include support to synchronize directly to the Storage Account and automatically rotate the keys periodically. Using a Key Vault provides an additional layer of security, so your app never has to work directly with an access key.

secure transfer

Keep data secure by enabling transport-level security between Azure and the client. Always use HTTPS to secure communication over the public internet. When you call the REST APIs to access objects in storage accounts, you can enforce the use of HTTPS by requiring ___ for the storage account. After you enable ___, connections that use HTTP will be refused. This flag will also enforce ___ over SMB by requiring SMB 3.0 for all file share mounts.

the management plane and the data plane

Key Vault access has two facets: the management of the Key Vault itself, and accessing the data contained in the Key Vault. ___. They are separated because the creation of the Key Vault is a different role than storing and retrieving a secret stored in the Key Vault.

Software-protected keys

Key Vault can also generate and protect keys using software-based RSA and ECC algorithms. In general, software-protected keys offer most of the features of HSM-protected keys except the FIPS 140-2 Level 2 assurance:
- Your key is still isolated from the application (and Microsoft) in a container that you manage
- It's stored at rest encrypted with HSMs
- You can monitor usage using Key Vault logs
The primary difference (besides price) with a software-protected key is where cryptographic operations are performed: they are done in software using Azure compute services, while for HSM-protected keys the cryptographic operations are performed within the HSM.

server applications

Key Vault is designed to store configuration secrets for ___. It's not intended for storing data belonging to your app's users, and it shouldn't be used in the client-side part of an app. User data should be stored elsewhere, such as in an Azure SQL database with Transparent Data Encryption, or a storage account with Storage Service Encryption. Secrets used by your application to access those data stores can be kept in Key Vault.

Hardware-protected keys

The Key Vault service supports hardware security modules (HSMs) that provide a hardened, tamper-resistant environment for cryptographic processing and key generation. Azure has dedicated HSMs validated to FIPS 140-2 Level 2 that Key Vault uses to generate or store keys. These HSM-backed keys are always locked to the boundary of the HSM. When you query the Key Vault service to decrypt or sign with a key, the operation is performed inside an HSM. You can import keys from your own HSMs and transfer them to Key Vault without leaving the HSM boundary (bring your own key, or BYOK). You can also use these Azure HSMs directly through the Microsoft Azure Dedicated Hardware Security Module (HSM) service if you need to migrate HSM-protected apps or maintain a high security compliance requirement.

single instanced or versioned keys

Keys can be ___. Versioned keys have an object with a primary (active) key, and a collection of zero, one or more secondary (archived) keys created when keys are rolled (renewed). Key Vault supports asymmetric keys (RSA 2048). Your applications may use these for encryption or digital signatures.

Azure App Service

Like Azure Functions, Azure App Service WebJobs with the WebJobs SDK is a code-first integration service. Both are built on ___ and support features such as source control integration, authentication, and monitoring with Application Insights integration.

How to install the Azure CLI

On Linux and macOS, use a package manager to install the Azure CLI. The package manager differs by OS and distribution:
- Linux: apt-get on Ubuntu, yum on Red Hat, and zypper on OpenSUSE
- Mac: Homebrew
The Azure CLI is available in the Microsoft repository; add that repository to your package manager. On Windows, install the Azure CLI by downloading and running an MSI file.

data redundancy options

- Locally Redundant Storage (LRS)
- Zone-redundant Storage (ZRS)
- Geo-redundant storage (GRS)
- Geo-zone-redundant Storage (GZRS)
- Read-access Geo-redundant Storage (RA-GRS)
- Read-access Geo-zone-redundant Storage (RA-GZRS)

multi-tenant, single-tenant (preview), or integration service environment (ISE)

Logic App: The Azure resource to create when you want to develop a workflow. You can create logic apps that run in these 3 environments ___.

Integration Service Environment (ISE)

Logic app workflows can access secured resources, like VMs and other systems or services, that are inside an Azure virtual network when you create an ___. An ___ is a dedicated instance of the Logic Apps service that uses dedicated resources and runs separately from the global multi-tenant Logic Apps service.

MongoDB, Express, AngularJS, and Node.js

MEAN is a development stack for building and hosting web applications. MEAN is an acronym for its component parts: ___. The main reason you might consider MEAN is if you're familiar with JavaScript. The components of the MEAN stack are reliable, well-understood, and open source. MEAN is well documented and runs almost anywhere.

Management operations (creating a new Azure Key Vault) use RBAC

Management operations (creating a new Azure Key Vault) use RBAC. There is a built-in role, Key Vault Contributor, that provides access to management features of key vaults but doesn't allow access to the key vault data. This is the recommended role to use. There's also a Contributor role that includes full administration rights, including the ability to grant access to the data plane. Reading and writing data in the Key Vault uses a separate Key Vault access policy. A Key Vault access policy is a permission set assigned to a user or managed identity to read, write, and/or delete secrets and keys.

cold start

Many of the technologies that developers use to create web apps require final compilation and other actions on the server before they deliver a page to a user. The initial delay is called a ___. You can avoid a ___ by using slot swaps to deploy to production. When you swap a slot into production, you "warm-up" the app because your action sends a request to the root of the site. The warm-up request ensures that all compilation and caching tasks finish.

Tools to verify if dependencies are vulnerable

Many tools exist to verify if dependencies are vulnerable. Run these tools against your codebase or add them to your CI/CD pipeline:
- OWASP Dependency Check, which has a Jenkins plugin
- OWASP SonarQube
- Snyk, which is free for open-source repositories in GitHub
- Black Duck, used by many enterprises
- RubySec, an advisory database just for Ruby
- Retire.js, a tool for verifying if JavaScript libraries are out of date; can be used as a plugin for various tools, including Burp Suite

2 Workloads to add to Visual Studio

Modify Visual Studio from the Installer. Under the Workloads tab, select:
1. ASP.NET and Web development
2. Azure development

Application Insights integration

Monitoring functions is critical during dev and in prod. Azure portal provides a monitoring dashboard if you turn on the ___. In the function app nav menu, after you expand the function node, you'll see a Monitor menu item. This monitor dashboard provides a quick way to view the history of function executions, and displays the timestamp, result code, duration, and operation ID populated by Application Insights.

rules

NSGs use ___ to allow or deny traffic. Each ___ identifies the source and destination address (or range), protocol, port (or range), direction (inbound or outbound), a numeric priority, and whether to allow or deny the traffic. Each security group has a set of default security rules to apply the default network rules. These default rules cannot be modified but can be overridden.

ssh-keygen

On Windows 10, Linux, and macOS, you can use the built-in ___ command to generate the SSH public and private key files. Windows 10 includes an SSH client. Earlier versions require additional software. Or you can install the Linux subsystem.

Event Grid

Otherwise, if you need a simple event publish-subscribe infrastructure, with trusted publishers (for instance, your own web server), you should choose ___.

Webhooks configuration options:

- Payload URL: The URL of the server that will receive the webhook POST requests.
- Content type: Webhooks can have two content types:
1. application/json: Delivers the JSON payload directly as the body of the POST request.
2. application/x-www-form-urlencoded: Sends the JSON payload as a form parameter, called payload.

Performance Setting for Storage Accounts

Performance:
1. Standard allows you to have any data service (Blob, File, Queue, Table) and uses magnetic disk drives.
2. Premium introduces additional services for storing data, e.g., storing unstructured object data as block blobs or append blobs, and specialized file storage used to store and create premium file shares. These storage accounts use solid-state drives (SSD) for storage.

To connect to the VM via SSH, you need the following items:

- Public IP address of the VM
- Username of the local account on the VM
- Public key configured in that account
- Access to the corresponding private key
- Port 22 open on the VM

3389 and 22

RDP port is ___. SSH is ___.

publish-subscribe

Receiving components "subscribe" to communications they are interested in. The subscription is managed by an intermediary, like Azure Event Grid or Azure Event Hubs. When publishers send an event, the intermediary will route that event to interested subscribers. This pattern is known as a ___ architecture.

Hybrid Runbook Worker

Runbooks in Azure Automation might not have access to resources in other clouds or in your on-premises environment because they run on the Azure cloud platform. You can use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the machine that's hosting the role and against resources in the environment to manage those local resources. Runbooks are stored and managed in Azure Automation and then delivered to one or more assigned machines.

func new

Running ___ in a functions project folder will create a new function and all the necessary files. It will prompt for the type of function trigger and a name. ___ will generate a complete, publish-ready starter implementation in the function project's language.

PowerShell

Running the Azure CLI from ___ has some advantages over running the Azure CLI from the Windows command prompt. PowerShell provides additional tab completion features over those available from the command prompt.

SQL authentication and Azure Active Directory (Azure AD) authentication.

SQL Database supports two types of authentication: ___

64-bit operating systems

Search the Azure Marketplace for more sophisticated install images; you can leverage a Marketplace image and install the entire stack all at once. You can also create your own disk image, upload it to Azure storage, and use it to create an Azure VM. Keep in mind that Azure only supports ___.

GitHub Secret

Setting a webhook secret allows you to ensure that POST requests sent to the payload URL are from GitHub. When you set a secret, you'll receive the x-hub-signature header in the webhook POST request. In GitHub, you can set the secret field by going to the repository where you have set up your webhook, and then editing the webhook.

transport

SignalR supports ___ fallbacks. A ___ is a method of communicating between the client and server. SignalR connections begin with a standard HTTP request. As the server evaluates the connection, the most appropriate communication method (___) is selected. ___ are chosen depending on the APIs available on the client.

Storage account creation

Storage account creation is an activity that takes place before deploying and running your app. Accounts are usually created by a deployment or environment setup script, an ARM template, or manually by an admin. Apps other than administrative tools generally should not have permissions to create storage accounts.

To access a queue, you need three pieces of information:

- Storage account name
- Queue name
- Authorization token
The queue name must be unique within your storage account but doesn't need to be globally unique (unlike the storage account name). The combination of your storage account name and your queue name uniquely identifies a queue.

shared access signatures

Storage accounts offer a separate authentication mechanism called ___ that support expiration and limited permissions for scenarios where you need to grant limited access. You should use this approach when you are allowing other users to read and write data to your storage account.

VM Storage costs

Storage costs - You are charged separately for the storage the VM uses. The status of the VM has no relation to the storage charges that will be incurred; even if the VM is stopped/deallocated and you aren't billed for the running VM, you will be charged for the storage used by the disks.

The settings that are defined by a storage account

- Subscription
- Location
- Performance: Standard or Premium
- Replication
- Access tier: Controls how quickly you will be able to access the blobs in this storage account. Hot gives quicker access than Cool, but at increased cost. This applies only to blobs, and serves as the default value for new blobs.
- Secure transfer required: A security feature that determines the supported protocols for access. Enabled requires HTTPS, while disabled allows HTTP.
- Virtual networks: A security feature that allows inbound access requests only from the virtual network(s) you specify.

Advantages of Service Bus queues:

- Supports larger message sizes of 256 KB (standard tier) or 1 MB (premium tier)
- Supports both at-most-once and at-least-once delivery
- Guarantees first-in-first-out (FIFO) order
- Can group multiple messages into a transaction
- Supports role-based security
- Does not require destination components to continuously poll the queue

Advantages of storage queues:

- Supports unlimited queue size (versus 80-GB limit for Service Bus queues)
- Maintains a log of all messages

Azure.Storage.Blobs

The Azure Storage Blobs client library for .NET is distributed with NuGet. You'll want to add the ___ package to your .NET or .NET Core applications.

Continuous Deployment

The Container settings page of an App Service resource in the Azure portal automates the setup of continuous integration. If you turn on ___, App Service configures a webhook in your container registry to notify an App Service endpoint. Notifications from the registry that reach this endpoint cause your app to restart and pull the latest version of the container image.

Initialize data disks for Linux VM

The Data drive (sdc) is present but not mounted into the file system. Azure added a VHD but didn't initialize it. Any additional drives you create from scratch need to be initialized and formatted. You can use fdisk to initialize the drive. Next, write a file system to the partition with the mkfs command. Finally, mount the drive to the file system.

Azure Functions extension

The Functions development tools, such as the Functions-related features in Visual Studio and the ___ for Visual Studio Code, are built on top of the Core Tools.

Blob trigger path and name

The Path tells the blob trigger where to monitor to see if a blob is uploaded or updated. By default, the Path value is: samples-workitems/{name}
- samples-workitems represents the blob container that the trigger monitors.
- {name} means that every type of file will cause the trigger to invoke the function. We could invoke the function only for PNG files by using syntax like: samples-workitems/{name}.png
The name parameter represents the name of the added file.

QueueClient.SendAsync()

The Service Bus client library makes async methods available for interacting with the queues to avoid problems with delays. Use these methods to avoid blocking a thread while waiting for calls to complete. When sending a message to a queue, for example, use the ___ method with the await keyword. Use a using statement too.

VM name

The VM name is used as the computer name. Up to 15 characters on a Windows VM and 64 characters on a Linux VM. Not trivial to change later. A good convention is to include the following information in the name: Environment, Location, Instance, Product or Service, Role

Azure Functions Core Tools

The ___ are command-line utilities to develop and run functions locally and publish them to Azure. Their primary purpose is to:
1. Generate the files and folders to develop functions on your local machine
2. Run functions locally to test and debug them
3. Publish functions to Azure
They are packaged as a single command-line utility named func.

Remove-AzVM

The ___ command just deletes the VM. It doesn't clean up any of the other resources.

dotnet

The ___ command-line tool that's part of the .NET SDK allows you to directly create the code for a new web application. In particular, the "dotnet new" command can be used to generate a new application from a template.

Dynamic data masking

The ___ feature of Azure SQL Database can limit the data that is displayed to the user. ___ is a policy-based security feature that hides sensitive data in the result set of a query over designated database fields. ___ rules consist of the column to apply the mask to, and how the data should be masked. You can create your own masking format, or use one of the standard masks.

Azure App Service Environment (ASE)

The ___ is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale.
- Fully isolated and dedicated environment for running web apps
- High scale, high memory utilization
- Isolation and secure network access
- Fine-grained control over network traffic
- Apps can connect over VPN to on-premises resources
- Dedicated to a single subscription and can host 100 App Service Plan instances
- Can create multiple ASEs within a single Azure region or across multiple Azure regions

consumption tier in API Management

The ___ is especially suited to microservice-based architectures and event-driven systems. The ___ aligns perfectly with serverless computing models; there is no infrastructure to manage, no idle capacity, high-availability, automatic scaling, and usage-based pricing, all of which make it an especially good choice for solutions that involve exposing serverless resources as APIs.

Azure REST API

The ___ provides operations categorized by resource as well as the ability to create and manage VMs. Operations are exposed as URIs with corresponding HTTP methods. The Azure Compute APIs give you programmatic access to virtual machines and their supporting resources.

Azure AD app manifest

The definition of an application object within the Microsoft identity platform which includes all configuration for allowed authentication and authorization integrations. The ___ contains a definition of all the attributes of an application object in the Microsoft identity platform. It also serves as a mechanism for updating the application object. Scenarios where you'll need to edit the ___ to configure an app's attributes:
- If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you can't change the supported Microsoft accounts in the UI. Instead, you must use the application manifest editor to change the supported account type.
- To define permissions and roles that your app supports, you must modify the application manifest.

WebJobs supported file types for scripts or programs

The following file types are supported:
- .cmd, .bat, .exe (using Windows cmd)
- .ps1 (using PowerShell)
- .sh (using Bash)
- .php (using PHP)
- .py (using Python)
- .js (using Node.js)
- .jar (using Java)

1 MB

The maximum size for a single publication (individual or batch) that is allowed by Azure Event Hub is ___.

Do all binding types support input and output?

There are multiple types of input. However, not all types support both input and output. You'll use them whenever you want to ingest data of that type.

virtual cores

There are quota limits on each subscription that can impact VM creation. By default, you cannot have more than 20 ___ across all VMs within a region. You can either split up VMs across regions or file an online request to increase your limits.

Authenticate with an Azure container registry (Admin account or Service Principal)

There are several ways to authenticate with an Azure container registry. Recommended ways include:
1. Authenticate to a registry directly via individual login
2. Applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) service principal
Admin account: Each container registry includes an admin user account, which is disabled by default. You can enable the admin user and manage its credentials in the Azure portal, or by using the Azure CLI, Azure PowerShell, or other Azure tools. The admin account has full permissions to the registry. The admin account is currently required for some scenarios to deploy an image from a container registry to certain Azure services. For example, the admin account is needed when you use the Azure portal to deploy a container image from a registry directly to Azure Container Instances or Azure Web Apps for Containers.
Service principal: If you assign a service principal to your registry, your application or service can use it for headless authentication. Service principals allow Azure role-based access control (Azure RBAC) to a registry, and you can assig

vaults, keys, and secrets

There are three primary concepts used in an Azure Key Vault: ___.

hardware-protected, and software-protected

There are two variations on keys in Key Vault: ___. For production use, it's recommended to use HSM-protected keys and use software-protected keys in only test/pilot scenarios. There is an additional charge for HSM-backed keys per-month if the key is used in that month.

Azure SQL DB Database-level firewall rules

These rules allow access to an individual database on a logical server and are stored in the database itself. Only IP address rules can be configured. They function the same as when applied at the server level, but are scoped to the database only. Their benefit is portability: when replicating a database to another server, the database-level rules will be replicated, since they are stored in the database itself. The downside is that you can only use IP address rules. This may limit the flexibility you have and can increase administrative overhead. They can be created and manipulated only through T-SQL.

Azure SQL DB Server-level firewall rules

These rules enable access to your entire Azure SQL server, i.e., all the databases within the same logical server. They can be created and manipulated through the portal, PowerShell, the CLI, and T-SQL. There are 3 types of server-level rules:
1. Allow access to Azure services rule
2. IP address rules
3. Virtual network rules

events or messages

This difference between events and messages is fundamental because communications platforms are generally designed to handle one or the other. Service Bus is designed to handle messages. If you want to send events, you would likely choose Event Grid. Azure also has Azure Event Hubs, but it is most often used for a specific type of high-flow stream of communications used for analytics.

Request parameter name

This setting in an HTTP trigger is a string that represents the name of the parameter that contains the information about an incoming HTTP request. By default, the name of the parameter is req.

Client, Orchestrator, and Activity

Three durable function types: ___.

SSH key

To apply the ___ while creating a new Linux VM, you will need to copy the contents of the public key and supply it to the Azure portal, or supply the public key file to the Azure CLI or Azure PowerShell command. If you have already created a VM, you can install the public key onto your Linux VM with the ssh-copy-id command. It grants access to the server without a password, though you will still be prompted for the passphrase on the key if you set one.

input binding

To connect to a data source, you have to configure an ___. The ___ makes it possible to write minimal code to create a message. You don't have to write code for tasks such as opening a storage connection. The Azure Functions runtime and binding take care of those tasks for you.

CreateIfNotExistsAsync

To create a container when your app starts or when it first tries to use it, call ___ on a CloudBlobContainer. ___ won't throw an exception if the container already exists, but it does make a network call to Azure Storage. Call it once during initialization, not every time you try to use a container.

Upload

To create a new blob, call one of the ___ methods on a reference to a blob that doesn't exist in storage. This does two things: creates the blob in storage, and uploads the data.

func init

To create a new functions project, run ___ on the command line. ___ will ask for a language runtime and tailor the project folder's contents appropriately. The files included in the project folder depend on the language runtime you select. Functions projects that ___ generates don't have any functions in them.

To get an ICloudBlob by name.

To get an object that includes methods and properties tailored for a specific blob type, use GetBlockBlobReference, GetAppendBlobReference, or GetPageBlobReference on a CloudBlobContainer. None of these methods make network calls or confirm whether the targeted blob exists. They only create a blob reference object locally, which can then be used to call methods that do operate over the network and interact with blobs in storage. GetBlobReferenceFromServerAsync does call the Blob storage API, and will throw an exception if the blob doesn't exist.

swap-with-preview

To help discover problems before the app goes live, Azure App Service offers a ___ feature. The swap proceeds in two phases:
- Phase 1: Slot settings from the target slot are applied to the web app in the source slot. Then Azure warms up the staging slot. At this point, the swap operation pauses so you can test the app in the source slot to make sure it works with the target slot configuration.
- Phase 2: The hostnames for the two sites are swapped. The version of the app now in the source slot receives its slot settings.

Invoke an HTTP trigger

To invoke an HTTP trigger, send an HTTP request to the function URL. The URL is on the code page at the Get function URL link. If the function receives data, you can use query string parameters or supply the data through the request body. An HTTP trigger invokes an Azure function when it receives an HTTP request to its function URL. HTTP triggers allow you to receive data and return data back to the caller.

func azure functionapp publish <app_name>

To publish a functions project to Azure, run ___ from the functions project folder. <app_name> is the name of the target function app in Azure. The Core Tools load your session information from the Azure CLI or Azure PowerShell, so you need an active session in one of those tools.

Receive messages from the queue

To receive messages, you must first register a message handler:
queueClient.RegisterMessageHandler(MessageHandler, messageHandlerOptions);
Do your processing work. Then call the QueueClient.CompleteAsync() method to remove the message from the queue.

Access control (IAM)

To view access permissions, use the ___ panel for the resource in the Azure portal. On this panel, you can see who can access an area and their assigned role. Using this same panel, you can also grant or remove access.

Access key and REST API endpoint

To work with data in a storage account, your app will need two pieces of data: ___

Microsoft.Azure.ServiceBus NuGet package

To write code that sends and receives messages through Service Bus, Microsoft provides a library of .NET classes to interact with a Service Bus queue, topic, or relay. Include this library in your application by adding the ___. The most important class in this library for queues is the QueueClient class. You start by instantiating this class both in sending and receiving components.

OLTP (Online Transaction Processing)

Transactional databases are often called ___ systems. ___ systems commonly support lots of users, have quick response times, and handle large volumes of data. They are also highly available (meaning they have very minimal downtime), and typically handle small or relatively simple transactions.

CosmosDB Triggers

- Triggers must be defined in JavaScript
- Triggers can be executed either before (pre) or after (post) data is written
- Pre triggers can handle data transformation and validation
- Post triggers can handle aggregation and change notifications
- Triggers are not guaranteed to execute, as they have to be specified in a request
- Errors in either the pre or post trigger will result in data being rolled back

Service Bus and Azure Storage accounts

Two Azure features that include message queues: ___. As a general guide, storage queues are simpler to use but are less sophisticated and flexible than Service Bus queues.

compute and storage

Two separate costs the subscription will be charged for every VM: ___

container creation

Unlike storage account creation, ___ is a lightweight activity that makes sense to perform from within an app. It's not uncommon for apps to create and delete containers as part of their work. For apps that rely on a known set of containers with hard-coded or preconfigured names, the typical practice is to let the app create the containers it needs on startup or first usage if they don't already exist. This eliminates the need for both your app and your deployment process to know the names of the containers.

Protect data in transit

Use SSL/TLS protocols to exchange data across different locations. You might want to isolate the entire communication channel between your on-premises and cloud infrastructures by using a VPN. For data moving between your on-premises infrastructure and Azure, consider appropriate safeguards such as HTTPS or VPN. When sending encrypted traffic between an Azure virtual network and an on-premises location over the public internet, use Azure VPN Gateway.

Azure Disk Storage

Use ___ for high-performance, durable block storage designed to be used with Azure Virtual Machines. Four disk storage options - Ultra Disk Storage, Premium SSD, Standard SSD, and Standard HDD. Achieve high performance with sub-millisecond latency for throughput and transaction-intensive workloads such as SAP HANA, SQL Server, and Oracle.

Service Bus topics

Use ___ if you need multiple receivers to handle each message. If you have multiple destinations for a single message, but need queue-like behavior.

Service Bus queues

Use ___ if you:
- Need an at-most-once delivery guarantee
- Need a FIFO guarantee
- Need to group messages into transactions
- Want to receive messages without polling the queue
- Need to provide a role-based access model to the queues
- Need to handle messages larger than 64 KB but less than 256 KB
- Know the queue size will not grow larger than 80 GB
- Want to publish and consume batches of messages

Azure Batch

Use ___ to run large-scale parallel and high-performance computing (HPC) batch jobs efficiently in Azure. ___ creates and manages a pool of compute nodes (virtual machines), installs the applications you want to run, and schedules jobs to run on the nodes. There's no cluster or job scheduler software to install, manage, or scale. Instead, you use Batch APIs and tools, command-line scripts, or the Azure portal to configure, manage, and monitor your jobs.

account-level SAS

Use an ___ to allow access to anything that a service-level SAS can allow, plus additional resources and abilities. For example, you can use an account-level SAS to allow the ability to create file systems.

parameterized SQL statements or stored procedures

Use parameterized SQL statements or stored procedures. With this method you can invoke the procedure from your code safely, passing it the userName string without worrying about it being treated as part of the SQL statement.

WebJobs SDK

Use the WebJobs feature of App Service to run a script or code in the context of an App Service web app. The ___ is a framework designed for WebJobs that simplifies the code you write to respond to events in Azure services. The ___ runs as a .NET console application, which you can deploy to a WebJob. Azure Functions is built on the ___, so it shares many of the same event triggers and connections to other Azure services.

Deployment slots

Using the Azure portal, you can add ___ to an App Service web app. E.g., you can create a staging deployment slot where you can push your code to test on Azure. You can swap the staging deployment slot with the production slot with a few simple mouse clicks in the Azure portal.

VM Resources

VMs have several associated resources: - The VM itself - Storage account for the disks - Virtual network (shared with other VMs and services) - Network interface to communicate on the network - NSG(s) to secure the network traffic - Public Internet address (optional) If Azure creates the resource, it will use the VM name to generate a resource name.

virtual hard disks (VHDs)

VMs should have at least two ___. One for the OS, the second for temporary storage. You can add additional disks, the max number is determined by the VM size (typically two per CPU). It's common to create one or more data disks. Separating out the data to different VHDs allows you to manage the security, reliability, and performance of the disk independently. The data for each VHD is held in Azure Storage as page blobs.

Azure Premium Storage

Virtual disks can be backed by either Standard or Premium Storage accounts. ___ leverages solid-state drives (SSDs) to enable high performance and low latency for VMs running I/O-intensive workloads. Use ___ for production workloads, especially those that are sensitive to performance variations or are I/O intensive. For development or testing, Standard storage is fine.

Network security groups (NSGs)

Virtual networks (VNets) are the foundation of the Azure networking model, and provide isolation and protection. ___ are the primary tool you use to enforce and control network traffic rules at the networking level. ___ are an optional security layer that provides a software firewall by filtering inbound and outbound traffic on the VNet. ___ can be associated to a network interface (for per host rules), a subnet in the virtual network (to apply to multiple resources), or both levels.

Visual Studio workloads

Visual Studio 2019 has 2 workloads with templates for ASP.NET Core sites to connect and deploy sites to Azure. 1. ASP.NET and web development 2. Azure development: installs the latest Azure SDK for .NET and tools for Visual Studio. View resources in Cloud Explorer, create resources using Azure Resource Manager tools, build applications for Azure web and Cloud Services, and perform big data operations using Azure Data Lake tools.

WebJobs and the WebJobs SDK

WebJobs and the WebJobs SDK work best together, but you can use WebJobs without the WebJobs SDK and vice versa. A WebJob can run any program or script that runs in the App Service sandbox. A WebJobs SDK console application can run anywhere console applications run, such as on-premises servers.

Consumption service plan and Azure App Service plan

What are the two types of service plans for Function apps?

Legal holds

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (ESI). This expectation often exists before the specifics of the case are known, and preservation is often broad. When you set a legal hold, all new and existing blobs stay in the immutable state until the legal hold is cleared. A container can have both a legal hold and a time-based retention policy simultaneously. All blobs in that container stay in the immutable state until all legal holds are cleared, even if their effective retention period has expired. Conversely, a blob stays in an immutable state until the effective retention period expires, even though all legal holds have been cleared.

storage account

When creating a function app, it must be linked to a ___. Use existing or create a new one. The function app uses this ___ for internal operations such as logging function executions and managing execution triggers. On the Consumption service plan, this is also where the function code and configuration file are stored.

Scaling out a web app

When creating a web app, you can create a new App Service plan or use an existing one. Using an existing plan, any other web apps that use the same plan will share resources with your web app. They scale together, so they need to have the same scaling requirements. If your apps have different requirements, use a separate App Service plan for each one. You scale out by adding more instances to an App Service plan, up to the limit available for your selected tier. If you're not using the Free tier, you're charged for each instance by the hour. You can perform this task in the Azure portal.

Creating a web app

When deploying your app as code, some runtime stacks are limited to one OS. If your application is packaged as a Docker image, choose the operating system on which your image is designed to run. Selecting Windows activates the Monitoring tab, where you have the option to enable Application Insights. Enabling this feature will configure your app to automatically send detailed performance telemetry to the Application Insights monitoring service without requiring any changes to your code. Application Insights can be used from Linux-hosted apps as well, but this turnkey, no-code option is only available on Windows.

Moving Resources

When starting a move operation, the resource group holding the resources and the new destination resource group are locked. You can't do write or delete operations on the resource groups until the move operation ends. You can't add, delete, or update any resources in these resource groups. Your moved resources don't change location. eg, if you have a storage account in the East US region, and you move it to another resource group, it keeps its East US region location. In most cases, a child resource can't be moved independently from its parent resource. Depending on the resource type, you can move your resources between subscriptions, or between resource groups within the same subscription.

az login

When working with your own machine and Azure subscription, you'll need to first sign in to Azure using the ___ command. Signing in is unnecessary when you are using the browser-based Cloud Shell environment. You create a resource group for all your related Azure resources with an az group create command.

Connect-AzAccount

When you are working with a local install of Azure PowerShell, you will need to authenticate before you can execute Azure commands. The ___ cmdlet prompts for your Azure credentials and then connects to your Azure subscription.

functions project

When you develop functions locally, you work within a ___: a folder that contains the code and configuration files that define your functions. A ___ on your computer is equivalent to a function app in Azure, and can contain multiple functions that use the same language runtime.

address spaces, subnets, and security

When you set up a virtual network, you specify the available ___. If the VNet will be connected to other VNets, you must select address ranges that are not overlapping. This is the range of private addresses that the VMs and services in your network can use. You can use unroutable IP addresses such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, or define your own range.

slot app configuration

When you swap slots, the app's configuration travels to the new slot along with the app. You can override this behavior for individual application settings and configuration strings by configuring them as slot settings. eg, you have two databases. You always want the app version in the staging slot to use the testing database. The app version in the production slot should always use the production database. To achieve this, you can configure the database connection string as a slot setting.

Slot resources

When you use more than one deployment slot for a web app, those slots are treated as separate instances of that web app. eg, they're listed separately on the All resources page in the Azure portal. They each have their own URL. However, each slot shares the resources of the App Service plan, including virtual machine memory and CPU and disk space.

Change Feed Processing

While all other server-side programming approaches enable execution on the Cosmos DB engine, ___ enables you to react to data changes using server-side code outside of the Cosmos DB engine.

ASC Standard Tier

While you can use a free Azure subscription tier with ASC, it is limited to assessments and recommendations of Azure resources only. To upgrade a subscription to the Standard tier, you must be assigned the role of Subscription Owner, Subscription Contributor, or Security Admin. After the 30-day trial period is over, ASC Standard is priced at $15/node per month and will be billed to your account.

Request Unit (RU)

With Cosmos DB, a ___ encapsulates many of the resources needed for the database into a single unit. As a baseline, one ___ is equal to a 1 KB item read operation from a Cosmos DB container.

Azure Function is PaaS

With Web Jobs, you pay for the entire VM or App Service Plan that hosts the job. Azure Function can run on a consumption plan, so you only pay when the function runs.

CosmosDB Autoscaling (Provisioned)

With ___ throughput, you can specify a maximum RU throughput amount, and Cosmos DB will ensure that your data is available up to that throughput amount. The minimum throughput is calculated as 10% of the maximum.

Auto swap

With ___, Azure automatically swaps it whenever you push code or content into that slot. You can't test the new app version in the staging slot before the swap. ___ mainly benefits users who want zero-downtime deployments and simple automated deployment pipelines. Auto swap is not available in App Service on Linux.

serverless architecture

With ___, the developers do not have to concern themselves with the supporting hardware, operating systems, underlying software, and other infrastructure. Instead, the code is run in stateless computing resources that are triggered by requests. Costs are only incurred when the services execute.

SSH key pair

With an ___, you can sign in to Linux-based Azure VMs without a password. This is a more secure approach if you only plan to sign in to the VM from a few computers. If you need access from a variety of locations, a username and password combination might be a better approach. An SSH key pair has two parts: a public key and a private key. 1. Public key: placed on the Linux VM. This can be shared with anyone. 2. Private key: what you present to verify your identity when you make an SSH connection. Protect this like you would a password. You can use the same single public-private key pair to access multiple Azure VMs and services.

ICloudBlob

Working with an individual blob in the Azure Storage SDK for .NET Core requires a blob reference — an instance of an ___ object. You can get an ___ by requesting it with the blob's name, or selecting it from a list of blobs in the container. Both require a CloudBlobContainer.

XML

XML allows you to express relationships and has standards for schema, transformation, and displaying on the web. XML uses tags, including elements and attributes. Elements can have child elements to express relationships. XML is flexible and can express complex data easily. It tends to be more verbose, making it larger to store, process, or pass over a network.

Get-AzContext

You can configure Azure PowerShell to execute commands against a particular subscription. You can only be in one subscription at a time. Use the ___ cmdlet to determine which subscription is active. If it's not the correct one, you can change it.

Gibibytes (GiB)

You can create and attach additional dedicated data disks to the Linux VM. Each disk can hold up to 32,767 gibibytes (GiB) of data. Azure virtual disk sizes are measured in ___, which are not the same as Gigabytes (GB); one GiB is approximately 1.074 GB.

NCRONTAB expression

You can enter a ___ in the portal or include a settings.job file at the root of your WebJob .zip file: { "schedule": "0 */15 * * * *" } The default time zone used to run CRON expressions is Coordinated Universal Time (UTC). To have your CRON expression run based on another time zone, create an app setting for your function app named WEBSITE_TIME_ZONE.

passphrase

You can provide a ___ while generating your private key. This is a password you must enter when you use the key. This ___ is used to access the private SSH key file and is not the user account password. When you add a ___ to your SSH key, it encrypts the private key using 128-bit AES so that the private key is useless without the ___ to decrypt it.

CORS rules

You can set ___ individually for each of the Azure Storage services, by calling Set Blob Service Properties, Set File Service Properties, Set Queue Service Properties, and Set Table Service Properties.

Secure Shell (SSH)

You can start/stop VMs and manage them from the Azure portal or the Azure CLI. You can also use ___ to connect directly to the running VM and execute commands. ___ is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH allows you to connect to a terminal shell from a remote location using a network connection.

Upgrade a VM

You can upgrade or downgrade a VM if your current hardware configuration is allowed in the new size. The VM size can be changed while the VM is running, as long as the new size is available in the current hardware cluster the VM is running on. Changing a running VM size will automatically reboot the machine to complete the request. If you stop and deallocate the VM, you can then select any size available in your region since this removes your VM from the cluster it was running on.

Durable functions orchestration function benefits

You can use Durable Functions to orchestrate a long-running workflow as a set of activities. You can map each step in the process to a function type, and each task to an activity. - Define the workflows in code. No need to write a JSON description or use a workflow design tool. - Can be called synchronously and asynchronously. Output from the called functions is saved locally in variables and used in subsequent function calls. - Azure checkpoints the progress when the function awaits. Azure may dehydrate the function and save its state while it waits, to preserve resources and reduce costs. When it starts running again, Azure will rehydrate it and restore its state.

Azure Container Registry

You can use ___ to hold Docker images, and you can construct web apps based on these images. By using a webhook, you can configure continuous deployment for a web app. This process monitors the image for the web app in Container Registry and causes the web app to be redeployed automatically if the image changes.

service-level SAS

You can use a ___ to allow access to specific resources in a storage account. You'd use this type of SAS, for example, to allow an app to retrieve a list of files in a file system, or to download a file.

You can deploy a web app to Azure App Service directly from Azure Container Registry.

You configure the following properties:
- Registry that contains the image: Docker Hub, Azure Container Registry, or a private registry.
- Image: name of the repository.
- Tag: indicates which version of the image to use from the repository.
- Startup file: name of an executable file or a command to be run when the image is loaded. If deploying a ready-to-run, containerized app that already has the ENTRYPOINT and/or COMMAND values configured, you don't need to fill this in.
After you've configured the web app, the Docker image is pulled, and runs as a cold start operation the first time a user attempts to visit the site.

a security principal, a role definition, and a scope

You control access to resources using Azure RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: ___ ("who", "what", and "where").

create a registry

You create a registry using the Azure portal or the Azure CLI "az acr create" command. You can also use Container Registry to build images. Instead of building an image yourself and pushing it to Container Registry, use the CLI to upload the Dockerfile and other files that make up your image. Container Registry will then build the image for you. Use the az acr build command to run a build. The ACR name needs to be globally unique.

virtual directories

You give your blobs hierarchical names that look like file paths. This enables you to navigate the list as if it was a hierarchical system of files and folders. This feature is often called ___. Some tools and client libraries use it to visualize and navigate Blob storage as if it was a file system. Each folder navigation triggers a separate call to list the blobs in that folder. Using names that are like filenames for blobs is a common technique for organizing and navigating complex blob data.

scope

You grant access by assigning the appropriate Azure role to users, groups, and applications at a certain ___. The ___ of a role assignment can be a subscription, a resource group, or a single resource. A role assigned at a parent scope also grants access to the child scopes contained within it.

NoSQL database

You might choose the MEAN stack if your data isn't highly structured. MongoDB is a ___. MongoDB stores its data in JSON-like documents. You can install MongoDB on Linux, macOS, and Windows. MongoDB provides two editions: MongoDB Community Server and MongoDB Enterprise Server.

Monitor a web app for scaling

You monitor the performance of a web app by using the metrics available for the App Service. The simplest way is to use the Azure portal. If you notice a steady increase in resource use, such as CPU utilization, memory occupancy, or disk queue length, you should consider scaling out. You should also monitor the average response time of requests and the number of failing requests. Allow the system to stabilize. If the metrics indicate that the app is still underpowered (or overpowered), add or remove instances as needed.

If you decide that you need a queue: Choose queue storage if:

- You need a simple queue with no particular additional requirements.
- You need an audit trail of all messages that pass through the queue.
- You expect the queue to exceed 80 GB in size.
- You want to track progress for processing a message inside of the queue.

If you decide that you need a queue: Choose Service Bus queues if:

- You need an at-most-once delivery guarantee.
- You need a FIFO guarantee.
- You need to group messages into transactions.
- You want to receive messages without polling the queue.
- You need to provide role-based access to the queues.
- You need to handle messages larger than 64 KB but smaller than 256 KB.
- Your queue size will not grow larger than 80 GB.
- You would like to be able to publish and consume batches of messages.

Choose Event Hubs if:

You need to support authenticating a large number of publishers. You need to save a stream of events to Data Lake or Blob storage. You need aggregation or analytics on your event stream. You need reliable messaging or resiliency.

Scale up a web app

You scale an App Service plan up and down by changing the pricing tier and hardware level that it runs on. You can scale down if you no longer need the resources associated with a particular tier. Scaling up can cause an interruption in service to client apps. New connections might be rejected until scaling finishes. Scaling up can cause the outgoing IP addresses to change. If your web app depends on other services that have firewalls restricting incoming traffic, you'll need to reconfigure these services.

shared access signature (SAS)

You shouldn't share storage account keys with external third-party applications. You'll need to secure their connections without using storage account keys. For untrusted clients, use a ___. A ___ is a string that contains a security token that can be attached to a URI. Use a ___ to delegate access to storage objects and specify constraints, such as the permissions and the time range of access.

ACR tasks

You use the ___ feature of Container Registry to rebuild your image whenever its source code changes automatically. You configure a Container Registry task to monitor the GitHub repository that contains your code and trigger a build each time it changes. If the build finishes successfully, Container Registry can store the image in the repository. If your web app is set up for continuous integration in App Service, it receives a notification via the webhook and updates the app.

dedicated account

Your application should use a ___ to authenticate, to limit the permissions granted to the application and reduce the risks of malicious activity in case the application code is vulnerable to a SQL injection attack. The recommended approach is to create a contained database user, which allows your app to authenticate directly to the database. Use Azure AD authentication to centrally manage identities of database users and as an alternative to SQL Server authentication.

AngularJS

___ (the A in MEAN) is a front-end JavaScript framework. ___ runs in the browser, not the web server. You don't really install ___. Instead, you add a reference to the JavaScript file in your HTML page. You can load AngularJS from a CDN. A CDN is a way to distribute images, video, and other content geographically to improve download speeds.

SQL authentication

___ - uses a username and password. User accounts can be created in the master database and can be granted permissions in all databases on the server, or they can be created in the database itself (called contained users) and given access to only that database.

Azure Container Instances

___ is a fast and simple way to run a container in Azure, with no management of virtual machines. ___ is great for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. If you need full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, use Azure Kubernetes Service (AKS).

Serverless compute

___ is akin to a function as a service (FaaS), or a microservice that is hosted on a cloud platform. Business logic runs as functions, and you do not manually provision or scale infrastructure. Apps are automatically scaled out or down depending on load. The two most common approaches are Azure Logic Apps and Azure Functions.

.gitignore and extensions.json

___ are configuration files that can be used by the Git version control tool and Visual Studio Code, respectively.

Stateless functions

___ are great candidates for serverless compute; function instances are created and destroyed on demand. If state is required, it can be stored in an associated storage service.

Events

___ are lighter weight than messages, and are most often used for broadcast communications. The components sending the ___ are known as publishers, and receivers are known as subscribers.

Azure Service Bus topics

___ are like queues, but can have multiple subscribers. A message sent to a ___ (vs a queue), can trigger multiple components. Internally, ___ use queues. When you post to a ___, the message is copied and dropped into the queue for each subscription. The queue ensures the message copy will remain to be processed by each subscription branch.

WebJobs

___ are part of Azure App Service that you can use to run a program or script automatically. ___ is a feature of Azure App Service that enables you to run a program or script in the same instance as a web app, API app, or mobile app. There is no additional cost to use ___. With a ___, you can create a custom retry policy for calls to external systems. This kind of policy can't be configured in an Azure Function.

Event sources

___ are responsible for sending events to Event Grid. Each ___ is related to one or more event types. eg, Azure Storage is the event source for blob created events. IoT Hub is the event source for device created events. Your application is the ___ for custom events that you define.

Vaults

___ are secure containers that help reduce the chances of accidental loss of security information by centralizing application secrets storage. Organizations will have several key vaults. Each key vault is a collection of cryptographic keys and cryptographically protected data ("secrets"). These key vaults represent the logical groups of keys and secrets for your organization. Key vaults also control and log the access to anything stored in them. You can create and manage vaults using command line tools such as Azure PowerShell or the Azure CLI, using the REST API, or through the Azure portal.

Secrets

___ are small (< 10K) data blobs protected by an HSM-generated key created with the Key Vault. ___ exist to simplify the process of persisting sensitive settings that almost every application has: storage account keys, .PFX files, SQL connection strings, data encryption keys, etc.

Events

___ are the data messages passing through Event Grid that describe what has taken place. Each ___ is self-contained, can be up to 64 KB, and contains several pieces of information based on a schema defined by Event Grid:

Virtual networks (VNets)

___ are used in Azure to provide private connectivity between Azure Virtual Machines and other Azure services. VMs and services that are part of the same ___ can access one another. By default, services outside the ___ cannot connect to services within the ___. You can, however, configure the network to allow access to the external service, including your on-premises servers.

Webhooks

___ are user-defined HTTP callbacks. They're triggered by some event. When the event occurs, the source site makes an HTTP request to the URL configured for the webhook. With Azure Functions, we can define logic in a function that can be run when a webhook message is received.

Resource locks

___ can be applied to any resource to block modification or deletion. ___ can be either Delete or Read-only. Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. ___ can be applied to subscriptions, resource groups, and individual resources, and are inherited when applied at higher levels. You must first remove the lock in order to perform the blocked activity. ___ apply regardless of RBAC permissions. Even if you are an owner of the resource, you must still remove the lock to perform the blocked activity.

Event topics

___ categorize events into groups. ___ are represented by a public endpoint and are where the event source sends events to. Larger solutions will create a custom topic for each category of related events, while smaller solutions might send all events to a single topic. Event subscribers can filter for the event types they want from a specific topic.

Event Subscriptions

___ define which events on a topic an event handler wants to receive. A ___ can also filter events by their type or subject, so you can ensure an event handler only receives relevant events.

Azure Defender for Storage

___ detects unusual and potentially harmful attempts to access or exploit storage accounts. Security alerts are integrated with Azure Security Center (ASC). Review and manage security alerts from the ASC Security alerts tile. You can turn on ___ in the Azure portal through the configuration page of the Azure Storage account, or in the advanced security section of the portal.

Azure Files

___ enables you to set up highly available network file shares that can be accessed using the standard Server Message Block (SMB) protocol. This means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries. You can also associate a unique URL to any file to allow fine-grained access to a private file for a set period of time.

Azure Container Registry

___ enables you to store Docker images in the cloud, in an Azure storage account. ___ is an Azure service that you can use to create your own private Docker registries. Like Docker Hub, ___ is organized around repositories that contain one or more images. ___ also lets you automate tasks such as redeploying an app when an image is rebuilt.

HTTP trigger

___ executes a function when it receives an HTTP request. - Provide authorized access by supplying keys. - Restrict which HTTP verbs are supported. - Return data back to the caller. - Receive data through query string parameters or through the request body. - Support URL route templates to modify the function URL.

Advanced Data Security (ADS)

___ for Azure SQL Database provides a set of advanced SQL security capabilities: 1. Data discovery & classification (preview): provides capabilities for discovering, classifying, labeling & protecting the sensitive data. Used to provide visibility into your database classification state, and track access to sensitive data. 2. Vulnerability assessment: a service that can discover, track, and help remediate potential database vulnerabilities. It provides visibility into your security state, and includes actionable steps to resolve security issues. 3. Advanced Threat Protection: detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your database. It continuously monitors your database for suspicious activities, and provides immediate security alerts on potential vulnerabilities, SQL injection attacks, and anomalous database access patterns. ATP alerts provide details of the suspicious activity and recommend action on how to investigate and mitigate the threat.

Azure Key Vault

___ helps safeguard cryptographic keys and secrets that cloud applications and services use. ___ streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.

Polly

___ is a .NET resilience and transient-fault-handling library that allows developers to express policies such as Retry, Circuit Breaker, Timeout, Bulkhead Isolation, and Fallback in a fluent and thread-safe manner.

package.json

___ is a JavaScript-specific file that keeps track of any packages you install and use within your code.

Connector

___ is a Logic Apps component that provides an interface to an external service. eg, Twitter and the Office 365 Outlook ___ (over 200 are available). You can also create your own ___ if your system exposes a REST API.

Azure Functions Tools

___ is a Visual Studio extension to create, test, and deploy Azure Functions on your local machine. The extension provides a template to quickly create a new Azure Function App. You can then deploy an Azure Function directly to Azure from Visual Studio. The Azure Functions and Web Jobs Tools extension is included in Visual Studio 2019.

Azure Backup

___ is a backup as a service offering that protects physical or virtual machines no matter where they reside: on-premises or in the cloud.

cURL

___ is a command line tool that can be used to send or receive files. It's included with Linux, macOS, and Windows 10, and can be downloaded for most other operating systems. ___ supports numerous protocols like HTTP, HTTPS, FTP, FTPS, SFTP, LDAP, TELNET, SMTP, POP3, and so on.

Azure Spot instance

___ is a cost-saving option to run a virtual machine in Azure. The VM runs when there is unused capacity on Azure infrastructure for a particular region. But if this capacity is no longer available the VM is deallocated. The price is not fixed like standard instances.

Azure CLI

___ is a cross-platform command-line program to connect to Azure and execute administrative commands on Azure resources. Available inside a browser via the Azure Cloud Shell or with a local install on Linux, Mac, or Windows. It can be used interactively or scripted. For interactive use, you first launch a shell such as cmd.exe on Windows or Bash on Linux or macOS and then issue the command at the shell prompt. To automate repetitive tasks, you assemble the commands into a shell script and then execute the script.

Azure Service Fabric

___ is a distributed systems platform to package, deploy, and manage scalable and reliable microservices and containers. ___ also addresses the challenges of developing and managing cloud-native applications. Its key differentiator is a strong focus on building stateful services: use the ___ programming model or run containerized stateful services. Create ___ clusters anywhere, including Windows Server and Linux on-premises and in other public clouds.

Azure Event Grid

___ is a fully-managed event routing service running on top of Azure Service Fabric. It distributes events from different sources to different handlers. ___ makes it easier to build event-based and serverless applications on Azure. ___ supports most Azure services as a publisher or subscriber and can be used with third-party services. It provides a dynamically scalable, low-cost, messaging system that allows publishers to notify subscribers about a status change.

Azure PowerShell

___ is a module that you add to Windows PowerShell or PowerShell Core to connect to an Azure subscription and manage resources. Requires PowerShell to function. PowerShell provides services like the shell window and command parsing. Azure PowerShell adds the Azure-specific commands. Available inside a browser via the Azure Cloud Shell or with a local install on Linux, Mac, or Windows. You can use it in interactive mode, in which you manually issue one command at a time, or in scripting mode, where you execute a script that consists of multiple commands.

Azure Security Center (ASC)

___ is a monitoring service that provides threat protection across all services, both in Azure and on-premises. It:
- provides security recommendations
- monitors security settings across on-premises and cloud workloads
- automatically applies required security to new services
- continuously monitors services and performs security assessments
- uses machine learning to detect and block malware
- analyzes and identifies potential inbound attacks
- helps investigate threats
- provides Just-In-Time access control for management ports
ASC is part of the Center for Internet Security (CIS) recommendations.

Azure Accelerated Networking

___ is a new option for Azure IaaS Virtual Machine on the NIC level providing several benefits by enabling single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. This high-performance path bypasses the host from the datapath, reducing latency, jitter, and CPU utilization, for use with the most demanding network workloads on supported VM types. You would typically use this feature with heavy workloads that need to send or receive data at high speed with reliable streaming and lower CPU utilization. It will enable speeds of up to 25Gbps per Virtual Machine. It's free.

Mitre

___ is a non-profit organization that maintains the Common Vulnerabilities and Exposures (CVE) list, a publicly searchable set of known cybersecurity vulnerabilities in apps, libraries, and frameworks. If a library or component you depend on appears in the CVE database, it has known vulnerabilities; check the affected version range and whether a fixed version exists.

Azure Event Hubs

___ is a scalable event processing service that ingests and processes large volumes of events and data, with low latency and high reliability. ___ lets you build a big data pipeline capable of processing millions of events per second. It can handle data from concurrent sources and route it to a variety of stream-processing infrastructures and analytics services. It enables real-time processing and supports repeated replay of stored raw data.

Mongoose

___ is a schema-based system for modeling data. Use ___ to simplify the process of transferring data in and out of MongoDB.

Azure Key Vault

___ is a secret store: a centralized cloud service for storing application secrets. It keeps application secrets in a single central location and provides secure access, permissions control, and access logging. Secrets are stored in individual vaults, each with their own configuration and security policies. Access the data through a REST API, or through a client SDK available for most languages.

Node.js

___ is a server-side host for web applications that handles inbound HTTP traffic. It also provides a way to communicate with MongoDB. Node.js is open source and runs on Windows, macOS, and Linux; it also supports Unix-based operating systems such as SunOS and AIX. Two release lines:
1. Long Term Support (LTS): more stable; recommended for most users and for production.
2. Current: for those who want to experiment with the latest features; not recommended for production.

Azure Functions

___ is a serverless application platform. It allows devs to host business logic that can be executed without provisioning infrastructure. ___ provides intrinsic scalability and you are charged only for the resources used. You can write function code in many languages, including C#, F#, JavaScript, Python, and PowerShell Core. Support for package managers like NuGet and NPM is also included.

Queue storage

___ is a service that uses Azure Storage to store large numbers of messages that can be securely accessed from anywhere using a REST-based interface. Queues can contain millions of messages, limited only by the capacity of the storage account that owns it.

Azure Policy

___ is a service to create, assign, and manage policies. Policies enforce rules that your resources need to follow. Policies can enforce rules when resources are created, and can be evaluated against existing resources to give visibility into compliance. eg, only allowing specific types of resources to be created, or only allowing resources in specific Azure regions, enforce naming conventions, enforce that specific tags are applied to resources.

Storage account kind

___ is a set of policies that determine which data services you can include in the account and the pricing of those services. Three kinds of storage accounts:
1. StorageV2 (general purpose v2): the current offering; supports all storage types and all of the latest features.
2. Storage (general purpose v1): a legacy kind that supports all storage types but may not support all features.
3. Blob storage: a legacy kind that allows only block blobs and append blobs.
Microsoft recommends General-purpose v2 for new storage accounts: choose the Resource Manager deployment model and the StorageV2 (general purpose v2) account kind for all your storage accounts.

Azure API Management (APIM)

___ is a way to create consistent and modern API gateways for existing back-end services. The ___ service enables you to construct an API from a set of disparate microservices.

Express

___ is a web server framework for Node.js. The main purpose of ___ is to handle request routing. Routing is how the application responds to a request to an endpoint. An endpoint is made up of a path, or URI, and a request method, such as GET or POST. Express can also work with HTTP cookies and process query strings. Express is a Node.js package. Use the npm utility, which comes with Node.js, to install and manage Node.js packages.

Unstructured data

___ is ambiguous and often delivered in files, like photos or videos. The video file itself may have an overall structure and come with semi-structured metadata, but the data that comprises the video itself is unstructured. Therefore, photos, videos, and other similar files are classified as ___. Examples:
- Media files, such as photos, videos, and audio files
- Office files, such as Word documents
- Text files
- Log files

Azure Queue storage

___ is an Azure service that implements cloud-based queues. It is a high-performance message buffer that can act as a broker between front-end producers and back-end consumers.
- A message is a byte array up to 64 KB (48 KB of raw content once Base64-encoded). Message contents are not interpreted by Azure components; you can structure messages with XML or JSON.
- A queue must be part of a storage account and can contain messages up to the capacity of that storage account.
- Each queue maintains a list of messages. Components access a queue using a REST API or client library.
- A queue can be up to 500 TB, or millions of messages. Throughput is up to 2,000 messages per second per queue.
- Pricing is based on queue size and number of operations. Larger queues cost more than smaller queues, and charges are incurred for each operation, like adding or deleting a message.
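The 64 KB / 48 KB figures above are worth checking in code before a message is enqueued, because the service rejects oversized messages only at send time. This is an added example in plain Python, not the Azure SDK; the payload shape (a dict with an orderId) and the sample data are constructed. It shows why Base64 content caps out at 48 KB: standard Base64 emits 4 bytes for every 3 input bytes, so exactly 48 KB of raw bytes becomes 64 KB of message text.

```python
"""Size-check an Azure Queue storage message against the 64 KB limit.
Added example; not the Azure SDK. Payload shape and sample data are constructed."""
import base64
import json

MAX_MESSAGE_BYTES = 64 * 1024   # Queue storage per-message limit


def base64_size(raw_len):
    """Encoded length of `raw_len` bytes after standard Base64 with padding."""
    return 4 * ((raw_len + 2) // 3)


def raw_budget(max_encoded=MAX_MESSAGE_BYTES):
    """Largest raw payload whose Base64 form still fits in `max_encoded` bytes (48 KB)."""
    return (max_encoded // 4) * 3


def encode_queue_message(payload):
    """Serialize `payload` as compact JSON and Base64-encode it (the client library's
    binary-safe encoding). Fail before the service does if the result is too large,
    so the caller can store the body elsewhere and queue only a reference to it."""
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    encoded_len = base64_size(len(raw))
    if encoded_len > MAX_MESSAGE_BYTES:
        raise ValueError(
            f"payload is {len(raw)} raw bytes, {encoded_len} after Base64; "
            f"limit is {MAX_MESSAGE_BYTES}, so at most {raw_budget()} raw bytes fit")
    return base64.b64encode(raw).decode("ascii")


def decode_queue_message(text):
    """Inverse of encode_queue_message. Queue contents are opaque to Azure, so the
    consumer validates the structure itself (here: the constructed orderId shape)."""
    payload = json.loads(base64.b64decode(text, validate=True))
    if not isinstance(payload, dict) or "orderId" not in payload:
        raise ValueError("unexpected message shape")
    return payload


def fits(payload):
    """True if `payload` can be enqueued as a single message."""
    try:
        encode_queue_message(payload)
        return True
    except ValueError:
        return False
```

A payload one byte over the raw budget already needs 65,540 encoded bytes, which is why the card quotes 48 KB rather than 64 KB for encoded content.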

CORS

___ is an HTTP feature that enables a web application in one domain to access resources in another domain. Browsers implement a security restriction, same-origin policy, that prevents a web page from calling APIs in a different domain; ___ provides a secure way to allow one domain (the origin domain) to call APIs in another domain.
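The "secure way" is an allow-list the server enforces, and the two mistakes that undo it are inexact origin matching and echoing an arbitrary Origin back while also allowing credentials. The following is an added example in plain Python, not from the page or any Azure service; ALLOWED_ORIGINS, ALLOWED_HEADERS and the request dictionaries are constructed. It shows the hardened decision next to the reflecting anti-pattern.

```python
"""Server-side CORS decision for a request's Origin header.
Added example; allow-lists and request headers are constructed."""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.contoso.example", "https://admin.contoso.example"}
ALLOWED_HEADERS = {"content-type", "authorization"}


def normalize_origin(origin):
    """An origin is exactly scheme://host[:port]. Anything else (a path, userinfo,
    the literal 'null', an odd scheme, a bad port) returns None so it never matches."""
    if not origin:
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port
    except ValueError:            # e.g. "https://host:notaport"
        return None
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS, allow_credentials=True):
    """Return the Access-Control-* headers for the response, or {} when the origin is
    not allowed (the browser then blocks the cross-origin read). Membership is exact,
    never prefix or substring, so 'https://app.contoso.example.evil.test' fails.
    A preflight (Access-Control-Request-Method present) also gets method and header
    grants, intersected with our allow-list rather than echoed back."""
    origin = normalize_origin(request_headers.get("Origin"))
    if origin is None or origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": origin,
               "Vary": "Origin"}          # caches must key on Origin once the value depends on it
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if request_headers.get("Access-Control-Request-Method"):
        requested = [h.strip() for h in
                     request_headers.get("Access-Control-Request-Headers", "").split(",") if h.strip()]
        granted = [h for h in requested if h.lower() in ALLOWED_HEADERS]
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        if granted:
            headers["Access-Control-Allow-Headers"] = ", ".join(granted)
        headers["Access-Control-Max-Age"] = "600"
    return headers


def reflecting_cors_headers(request_headers):
    """The anti-pattern: echo whatever Origin arrived and allow credentials. Any site can
    then make a victim's browser send its cookies and read the authenticated response."""
    return {"Access-Control-Allow-Origin": request_headers.get("Origin", "*"),
            "Access-Control-Allow-Credentials": "true"}
```

Note that the browser never sends a trailing slash or a path in Origin, so rejecting them costs nothing and closes the door on non-browser clients probing the allow-list.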

SignalR

___ is an abstraction for a series of technologies that allows your app to have two-way communication between the client and server. ___ handles connection management automatically, and lets you broadcast messages to all connected clients simultaneously. You can also send messages to specific clients. The connection between the client and server is persistent, unlike a classic HTTP connection, which is re-established for each communication.

Microservices

___ is an approach to the architecture of distributed applications. You create many different small services. Each service has a defined domain of responsibility, and is developed, deployed, and scaled independently. This modular architecture results in an application that is easier to understand, improve, and test. It makes continuous delivery easier, because you change only a small part of the whole application.

Azure role-based access control (Azure RBAC)

___ is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. With ___, you can grant the exact access that users need to do their jobs.

Durable Functions

___ is an extension of Azure Functions that enables you to implement complex stateful functions in a serverless-environment. Azure Functions operate in a stateless environment, ___ can retain state between function calls using an orchestration function. There are templates to help develop ___ using VS 2019, VS Code, and the Azure portal.

Event Hubs

___ is an intermediary for the publish-subscribe pattern. Unlike Event Grid, it is optimized for extremely high throughput, a large number of publishers, security, and resiliency. Whereas Event Grid fits perfectly into the pub/sub pattern in that it simply manages subscriptions and routes communications to those subscribers, ___ performs some additional services that make it look more like a service bus or message queue, than a simple event broadcaster.

Azure Blob storage

___ is an object storage solution optimized for storing massive amounts of unstructured data, such as text or binary data. Ideal for: - Serving images or documents directly to a browser, including full static websites. - Storing files for distributed access. - Streaming video and audio. - Storing data for backup and restoration, disaster recovery, and archiving. - Storing data for analysis by an on-premises or Azure-hosted service.

Azure Defender for Storage

___ is available for Blob storage, Azure Files, and Azure Data Lake Storage Gen2. Account types that support Azure Defender: general-purpose v2, block blob, and Blob storage accounts. ___ is available in all public clouds and US government clouds, but not in other sovereign or Azure Government cloud regions.

Authorization in Azure SQL Database

___ is controlled by permissions granted directly to the user account and/or by database role memberships. A database role groups permissions together to ease administration; a user added to a role is granted the permissions the role has. As a best practice, grant users the least privileges necessary. The process of granting authorization to SQL users and to Azure AD users is the same.

Semi-structured data

___ is less organized than structured data, and is not stored in a relational format, as the fields do not neatly fit into tables, rows, and columns. ___ contains tags that make the organization and hierarchy of the data apparent - eg, key/value pairs. ___ is also referred to as non-relational or NoSQL data. The expression and structure of the data in this style is defined by a serialization language.

Microsoft Graph

___ is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model. The ___ API offers a single endpoint, graph.microsoft.com, for access to people-centric data and insights in the Microsoft cloud, including Microsoft 365, Windows 10, and Enterprise Mobility + Security. ___ includes services to manage user and device identity, access, compliance, security, and help protect organizations from data leakage or loss. ___ connectors (preview) work in the incoming direction, delivering data external to the Microsoft cloud into Microsoft Graph services and applications. Connectors exist for many commonly used data sources such as Box, Google Drive, Jira, and Salesforce.

Az

___ is the name for the Azure PowerShell module containing cmdlets to work with Azure features. It contains hundreds of cmdlets to control most aspects of Azure resources. This module is an open source component available on GitHub.

HTTP trigger Authorization

___ level is a flag on an HTTP trigger that indicates whether an incoming HTTP request needs an API key. There are three authorization levels:
- Anonymous: no key required.
- Function: a function key (or a host key) must be supplied, in the x-functions-key header or the code query string parameter. This is the default for HTTP functions created by the Core Tools.
- Admin: the host master key is required.

Webhooks

___ offer a lightweight mechanism for apps to be notified by another service when something of interest happens via an HTTP endpoint. You can use a ___ to trigger an Azure function, and then analyze the message, to determine what happened and how to respond.

Azure Resource Manager

___ organizes resources into named resource groups that let you deploy, update, or delete all of the resources together. ___ also enables you to create templates, used to create and deploy specific configurations. ARM templates are JSON files that define the resources you need to deploy for your solution. Create resource templates from the Automation section for a specific VM by selecting Export template.

Blob soft delete

___ protects an individual blob, snapshot, or version from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time. During the retention period, you can restore a soft-deleted object to its state at the time it was deleted. After the retention period, the object is permanently deleted. You can use ___ to restore an individual blob, snapshot, directory (in a hierarchical namespace) or version. To restore a container and its contents, container soft delete must also be enabled for the storage account. ___ does not protect against deletion of the storage account itself; configure a lock on the storage account resource to prevent that. All soft-deleted data is billed at the same rate as active data.

Azure Data Lake Storage Gen2

___ provides a first-class data lake solution that enables enterprises to consolidate their data. It's built on Azure Blob storage, so it inherits all of Blob storage's security features.

Data discovery and classification (currently in preview)

___ provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling and protecting sensitive data in databases. ___ is part of the Advanced Data Security offering, which is a unified package for advanced Microsoft SQL Server security capabilities. You access and manage data discovery and classification via the central SQL Advanced Data Security portal.

RBAC

___ provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. ___ is considered a core service and is included with all subscription levels at no cost. ___ uses an allow model for access: when you are assigned a role, ___ allows you to perform the specific actions that role grants, such as read, write, or delete. Anything not granted by some assignment is not allowed.
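The allow model is easiest to see as code: a request is authorized if at least one role assignment at or above the resource's scope grants the action, and a role's NotActions only subtract from that same role's Actions rather than acting as a deny across roles. This is an added example in plain Python, not the Azure authorization service. The role definitions keep Azure's Actions / NotActions shape and wildcard semantics but are abbreviated (Contributor's real NotActions list is longer); the principals, scopes and assignments are constructed.

```python
"""Azure RBAC's allow model in miniature. Added example; not the Azure authorization
service. Role definitions abbreviated; principals, scopes and assignments constructed."""
import re

ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [   # may manage resources but may not hand out access
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
RG_DEMO = f"{SUB}/resourceGroups/rg-demo"
RG_OTHER = f"{SUB}/resourceGroups/rg-other"

ASSIGNMENTS = [   # constructed assignments: who has which role at which scope
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "bob", "role": "Contributor", "scope": RG_DEMO},
]


def action_matches(pattern, operation):
    """Azure wildcard rules: '*' matches any run of characters, including across '/'
    boundaries, and matching is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role, operation):
    """Effective permissions of one role = Actions minus NotActions."""
    definition = ROLE_DEFINITIONS[role]
    allowed = any(action_matches(p, operation) for p in definition["Actions"])
    excluded = any(action_matches(p, operation) for p in definition["NotActions"])
    return allowed and not excluded


def in_scope(assignment_scope, resource_scope):
    """Assignments inherit downwards: subscription -> resource group -> resource."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_authorized(principal, operation, resource_scope, assignments=ASSIGNMENTS):
    """Allow model: one granting assignment is enough; no grant anywhere means denied."""
    return any(
        a["principal"] == principal
        and in_scope(a["scope"], resource_scope)
        and role_permits(a["role"], operation)
        for a in assignments
    )
```

With these assignments alice can read any resource in the subscription but write nothing, while bob can write storage accounts in rg-demo but not in rg-other and cannot create role assignments even there, because Contributor's NotActions carve Microsoft.Authorization writes out of its "*".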

Remote Desktop (RDP)

___ provides remote connectivity to the UI of Windows-based computers. An ___ connection enables you to carry out most operations, with the exception of some power and hardware-related functions. An ___ connection requires an ___ client. Microsoft has clients for Windows (built-in), macOS, iOS, and Android; open-source Linux clients such as Remmina enable you to connect to a Windows PC from an Ubuntu distribution.

Azure Site Recovery

___ replicates workloads from a primary site to a secondary location. ___ is about replication of virtual or physical machines; it keeps your workloads available during an outage and is a key part of a BCDR strategy. Two business advantages:
1. Enables the use of Azure as a destination for recovery, eliminating the need to maintain a secondary physical datacenter.
2. Makes it simple to test failovers for recovery drills without impacting production environments, so planned and unplanned failovers can be rehearsed.

sudo

___ runs the command with administrative privileges.

LAMP

The ___ stack consists of Linux, Apache, MySQL, and PHP (sometimes with Perl or Python instead of PHP).

host.json

___ stores runtime configuration values for the function app. These settings are used locally and in Azure. local.settings.json stores configuration values that only apply locally.

Azure Key Vault

___ stores the keys automatically to help you control and manage the disk-encryption keys and secrets. So even if someone gets access to the VHD image and downloads it, they can't access the data on the VHD.

Azure Cosmos DB

___ supports semi-structured data, or NoSQL data. ___ supports SQL for queries and every property is indexed by default. Use for highly unstructured and variable data where you cannot predict what properties should be indexed. ___ is ACID-compliant. ___ enables you to replicate your data anywhere. You can choose from five consistency levels.

Azure Blob storage

___ supports storing files such as photos and videos. It works with Azure Content Delivery Network (CDN) by caching the most frequently used content and storing it on edge servers; Azure CDN reduces latency in serving up those images. You can move images from the hot storage tier to the cool or archive storage tier to reduce costs and focus throughput on the most frequently viewed images and videos.

OLAP (Online Analytical Processing)

___ systems commonly support fewer users, have longer response times, can be less available, and typically handle large and complex transactions.

Structured data

___, aka relational data, is data that adheres to a strict schema, so all of the data has the same fields or properties. The schema allows this type of data to be searched with query languages such as SQL. ___ is often stored in database tables with rows and columns with key columns to indicate how one row in a table relates to data in another row of another table.

JSON

___ has a lightweight specification and relies on curly braces to indicate data structure. It is less verbose and easier to read than XML, and is frequently used by web services to return data. Not as formal as XML; it's closer to a key/value pair model than a formal data expression. JavaScript has built-in support for this format. It tends to be more programmer-oriented, making it harder for non-technical people to read and modify.

YAML - or YAML Ain't Markup Language

___ is a relatively new data language growing quickly in popularity, in part due to its human-friendliness. The data structure is defined by line separation and indentation, which reduces the dependency on structural characters like parentheses, commas, and brackets. More readable than JSON and often used for configuration files written by people but parsed by programs. ___ is the newest of these data formats and doesn't have as much support in programming languages as JSON and XML.

Update Management

___ manages updates and patches for your VMs. You can assess the status of available updates, schedule installation, and review deployment results. ___ incorporates services that provide process and configuration management. You enable ___ for a VM directly from your Azure Automation account, or for a single virtual machine from the virtual machine pane in the portal.

Configuration Management

___ lets you track software updates that become available for the OS that runs on your VM and take action on them. You use Microsoft Endpoint Configuration Manager to manage your company's PCs, servers, and mobile devices, and you can extend this support to your Azure VMs with Configuration Manager.

Built-in trigger or action

___: A natively running Logic Apps operation that allows you to control the workflow schedule or structure, run your own code, manage or manipulate data, or complete other tasks. Most aren't associated with any service or system. Many also don't require that you authenticate your identity. Built-in operations are also available for some things, such as Azure Functions, Azure API Management, Azure App Service, and more.

Managed connector

___: A prebuilt proxy or wrapper around a REST API that provides prebuilt triggers and actions for a workflow to access a specific app, data, service, or system. Before you can use most ___, you must first create a connection from your workflow and authenticate your identity.

Azure CLI

___: Microsoft's cross-platform command-line tool for managing Azure resources from the command line. It's available for Windows, Linux and macOS, or in the browser using the Cloud Shell. Unlike Azure PowerShell, the ___ does not need PowerShell to function. You can create an Azure VM with the az vm create command.

Azure Files

___: Simple, secure, and serverless enterprise-grade cloud file shares. Accessible via SMB and NFS protocols. ___ shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Azure file shares can also be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

Trigger

___: The first step in a Logic App that starts every workflow and specifies the condition to meet before running any actions in the workflow. Each workflow always starts with a single ___. Many ___ include scheduling capabilities. Following the ___, one or more actions run operations that process, handle, or convert data, or that advance the workflow to the next step.

Client functions

___: These durable function types are the entry point for creating an instance of a Durable Functions orchestration. They can run in response to an event from many sources, such as a new HTTP request arriving, a message being posted to a message queue, an event arriving in an event stream. You can write them in any of the supported languages.

Async HTTP APIs

___: This pattern addresses the problem of coordinating state of long-running operations with external clients. An HTTP call can trigger the long-running action. Then, it can redirect the client to a status endpoint. The client can learn when the operation is finished by polling this endpoint.

Human interaction

___: This pattern combines automated processes that also involve some human interaction. A manual process within an automated process is tricky. People aren't as available and responsive. Human interaction can be incorporated using timeouts and compensation logic that runs if the human fails to interact correctly within a specified response time. eg, an approval process.

Monitor

___: This pattern implements a recurring process in a workflow, possibly looking for a change in state. For example, you could use this pattern to poll until specific conditions are met.

Fan out/fan in

___: This pattern runs multiple functions in parallel and then waits for all the functions to finish. The results of the parallel executions can be aggregated or used to compute a final result.

Azure App Service plan

___: This plan allows you to avoid timeout periods by having your function run continuously on a VM that you define. When using an ___, you are responsible for managing the app resources the function runs on, so this is technically not a serverless plan. It may be a better choice if your functions are used continuously or if your functions require more processing power or execution time than the Consumption plan can provide.

action group

___: a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor and Service Health alerts use ___ to notify users that an alert has been triggered. Various alerts may use the same action group or different ___ depending on the user's requirements.

Bindings

___: a declarative way to connect data and services to a function. Make it easier to integrate with data streams consistently in a function. You can have multiple ___ providing access to different data elements. Don't have to code specific connection logic (like DB connections or web API interfaces). Each ___ has a direction - your code reads from input bindings, and writes to output bindings. A function can have zero or more bindings. A trigger is a special input binding that also initiates execution.

Azure WebJobs SDK

___: a framework that simplifies the task of writing background processing code that runs in Azure WebJobs. It includes a declarative binding and trigger system that works with Azure Storage Blobs, Queues and Tables as well as Service Bus. The trigger system automatically invokes a function in your code whenever any new data is received in a queue or blob. The SDK also provides an integrated Dashboard experience in the Azure management portal, with monitoring and diagnostics information for your WebJob runs.

App Service plan

___: a set of virtual server resources that run App Service apps. A plan's size (aka SKU or pricing tier) determines the performance characteristics of the virtual servers that run the apps and the App Service features available. Every App Service web app you create must be assigned to a single ___ that runs it. A single ___ can host multiple App Service web apps; the number of apps you can run on a single plan is limited by the performance characteristics of the apps and the resource limits of the plan. ___ are the unit of billing for App Service. The size of each ___ in your subscription, plus the bandwidth used by the apps deployed to those plans, determines the price that you pay. The number of web apps deployed to your ___ has no effect on your bill.

Allow access to Azure services rule

___: allows services within Azure to connect to Azure SQL DB. This setting allows communications from all Azure public IP addresses. Can be configured through the ON/OFF option in the firewall pane in the portal, or by an IP rule that has 0.0.0.0 as the start and end IP addresses. Used when you have applications running on PaaS services. Many of these services don't have a static IP address, so this rule is needed to ensure they are able to connect to the database. This option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.

Zip deployment for Functions

___: deploy from a zip file using the push deployment technique, via the Azure CLI or the REST interface. The zip file contains the executable code for your functions; its contents are copied to the wwwroot folder in the function app. You can perform zip deployment with the az functionapp deployment source config-zip command in the Azure CLI.

Block blobs

___: hold text or binary files up to ~5 TB (50,000 blocks of 100 MB). Primarily used for files read from beginning to end, like media or image files. Named ___ because files larger than 100 MB are uploaded as small blocks. Blocks are then consolidated (or committed) into the final blob. Composed of blocks of different sizes that can be uploaded independently and in parallel. Writing to a ___ involves uploading data to blocks and committing them to the blob.

Transient faults

___: intermittent deviations from normal behavior in downstream services or underlying infrastructure. Such faults occur on any cloud platform. They may also occur in on-premises environments, although less frequently than in cloud-based infrastructure.
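The standard response to transient faults is the pair of policies named on the Polly card at the top of this section: retry with backoff for faults that clear quickly, and a circuit breaker so a dependency that is down stops being hammered. The following is an added example in plain Python serving both cards; it is not Polly, not an Azure SDK, and not code from the page. FlakyDependency is a constructed test double, and the sleep/clock/rng hooks exist so the behaviour can be checked without real waiting.

```python
"""Retry with capped exponential backoff plus a circuit breaker for transient faults.
Added example; not Polly or any Azure SDK. FlakyDependency is a constructed test double."""
import random
import time


class TransientError(Exception):
    """Stands in for a 503, a timeout or a 429 throttling response."""


class CircuitOpenError(Exception):
    """Raised while the breaker is open: fail fast instead of hammering the dependency."""


class FlakyDependency:
    """Constructed test double: fails transiently `fail_first` times, then succeeds."""

    def __init__(self, fail_first):
        self.fail_first, self.calls = fail_first, 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise TransientError(f"503 on call {self.calls}")
        return {"status": 200, "call": self.calls}


def retry(fn, *, attempts=4, base=0.1, cap=2.0, sleep=time.sleep, rng=random.random):
    """Retry TransientError only; anything else (a 400, an auth failure) propagates at
    once and is never retried. Full jitter keeps many recovering clients from retrying
    in lock-step. Returns (result, attempts_used) or re-raises the last fault."""
    for n in range(1, attempts + 1):
        try:
            return fn(), n
        except TransientError:
            if n == attempts:
                raise
            sleep(min(cap, base * 2 ** (n - 1)) * rng())


class CircuitBreaker:
    """closed -> open after `threshold` consecutive failures -> half-open once
    `reset_after` seconds have passed (one probe is let through) -> closed on success."""

    def __init__(self, threshold=3, reset_after=30.0, clock=time.monotonic):
        self.threshold, self.reset_after, self.clock = threshold, reset_after, clock
        self.failures, self.opened_at = 0, None

    @property
    def state(self):
        if self.opened_at is None:
            return "closed"
        return "half-open" if self.clock() - self.opened_at >= self.reset_after else "open"

    def call(self, fn):
        if self.state == "open":
            raise CircuitOpenError("dependency is cooling down")
        try:
            result = fn()
        except TransientError:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.clock()   # trip, or re-trip after a failed probe
            raise
        self.failures, self.opened_at = 0, None
        return result


def demo_retry_recovers():
    """Two transient failures, success on the third attempt -> (3, 3)."""
    result, used = retry(FlakyDependency(2), sleep=lambda _s: None, rng=lambda: 1.0)
    return result["call"], used


def demo_retry_gives_up():
    """A dependency that never recovers: the final TransientError is re-raised."""
    try:
        retry(FlakyDependency(10), attempts=3, sleep=lambda _s: None)
    except TransientError:
        return True
    return False


def demo_breaker_cycle():
    """Three failures trip the breaker; the fourth call is short-circuited without
    reaching the dependency; after reset_after a probe succeeds and closes it again."""
    now = [0.0]
    breaker = CircuitBreaker(threshold=3, reset_after=30.0, clock=lambda: now[0])
    dep, states = FlakyDependency(3), []
    for _ in range(3):
        try:
            breaker.call(dep)
        except TransientError:
            states.append(breaker.state)
    try:
        breaker.call(dep)
    except CircuitOpenError:
        states.append("short-circuited")
    now[0] += 31.0
    states.append(breaker.state)
    status = breaker.call(dep)["status"]   # the half-open probe
    states.append(breaker.state)
    return states, dep.calls, status
```

The two policies compose naturally: wrap the dependency call in the breaker and pass that wrapped callable to retry, so that once the breaker opens the retries fail fast with CircuitOpenError instead of queueing behind a dead service.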

Append blobs

___: specialized block blobs that support only appending new data (not updating or deleting existing data), which makes appends very efficient. Frequently used for logging from one or more sources into the same blob; eg, you might write all of the trace logging for an app running on multiple VMs to the same append blob. A single ___ can be up to 195 GB. ___ are great for scenarios like storing logs or writing streamed data.

IP address rules

___: rules that are based on specific public IP address ranges. IP addresses connecting from an allowed public IP range will be permitted to connect to the database. These rules can be used when you have a static public IP address that needs to access your database.

Azure Functions

___: run small pieces of code in the cloud, serverless. Use C#, Java, JavaScript, PowerShell, Python, et al. With the consumption plan option, you only pay for the time when the code runs. Azure automatically scales ___ in response to the demand from users.

Virtual network rules

___: rules that explicitly permit connections from specified subnets inside one or more Azure VNets. ___ provide tighter access control than IP rules: Azure VNet address spaces are private, so you can eliminate exposure to public IP addresses. ___ are used when you have Azure VMs that need to access your database.

Page blobs

___: used to hold random-access files up to 8 TB in size. Primarily used as the backing storage for the VHDs used to provide durable disks for Azure VMs. Named ___ because they provide random read/write access to 512-byte pages. Designed for scenarios that involve random-access reads and writes. Page blobs are used to store the virtual hard disk (VHD) files used by Azure Virtual Machines, but they're great for any scenario that involves random access.

Azure Active Directory authentication

___: uses identities managed by Azure AD, and is supported for managed and integrated domains. Use Azure AD authentication (integrated security) whenever possible, so the identities of database users and other Microsoft services are managed in one central location; central ID management provides a single place to manage database users and simplifies permission management. To use Azure AD authentication, you must create another server admin called the Azure AD admin, which is allowed to administer Azure AD users and groups. This admin can also perform all operations that a regular server admin can.

CosmosDB System Properties for record

- _rid: Resource ID. Unique identifier, hierarchical per the resource stack on the resource model. Used internally for placement and navigation of the item resource.
- _self: Unique addressable URI for the resource.
- _etag: Required for optimistic concurrency control.
- _attachments: Addressable path for the attachments resource.
- _ts: Timestamp of the last update.

JMESPath

az group list --query "[?name == '$RESOURCE_GROUP']"
The --query argument is written in ___, a standard query language for JSON.

cURL command to test function

curl --header "Content-Type: application/json" --header "x-functions-key: <your-function-key>" --request POST --data "{\"name\": \"Azure Function\"}" https://<your-url-here>
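The x-functions-key header in this cURL command is what the HTTP trigger authorization level above checks. The following added example models that check in plain Python; it is not the Azure Functions host, which generates and stores the real keys. The key values are constructed placeholders and the request dictionaries are constructed. The rules it mirrors: anonymous needs no key; function accepts a function key, a host key or the master key; admin accepts only the master key; the key arrives in the x-functions-key header or the code query string parameter.

```python
"""Model of how an HTTP trigger's authorization level gates a request.
Added example; not the Functions host. Keys and requests are constructed placeholders."""
import hmac
from urllib.parse import parse_qs, urlsplit

KEYS = {   # constructed placeholders, not real key material
    "master": "master-key-constructed",
    "host": {"default": "host-key-constructed"},
    "function": {"default": "function-key-constructed"},
}

# Which keys each level accepts; the master key works at every level that needs a key.
ACCEPTED = {
    "anonymous": lambda: [],
    "function": lambda: [KEYS["master"], *KEYS["host"].values(), *KEYS["function"].values()],
    "admin": lambda: [KEYS["master"]],
}


def presented_key(request):
    """Header first (what cURL's --header "x-functions-key: ..." sends), then ?code=.
    HTTP header names are case-insensitive, so normalize before the lookup."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if headers.get("x-functions-key"):
        return headers["x-functions-key"]
    return parse_qs(urlsplit(request["url"]).query).get("code", [None])[0]


def authorize(request, level):
    """True if the request may invoke a function configured at `level`. Key comparison
    uses hmac.compare_digest so a wrong key takes the same time as a nearly-right one;
    a plain == leaks key bytes through timing."""
    if level not in ACCEPTED:
        raise ValueError(f"unknown authorization level {level!r}")
    if level == "anonymous":
        return True
    key = presented_key(request)
    if not key:
        return False
    return any(hmac.compare_digest(key, accepted) for accepted in ACCEPTED[level]())
```

Passing the key in the query string works but lands it in proxy and server access logs; the header form used by the cURL card keeps it out of URL-based logging.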

Event properties

- topic: the full resource path to the event source.
- subject: publisher-defined path to the event subject.
- id: the unique identifier for the event.
- eventType: one of the registered event types for this event source.
- data: specific information relevant to the type of event (optional).
- dataVersion: schema version of the data object; the publisher defines the schema version.
- metadataVersion: schema version of the event metadata. Event Grid defines the schema of the top-level properties and provides this value.
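A handler should validate these properties before acting on an event, and the topic is the one worth checking hardest: an event whose topic is not the resource you subscribed to is mis-routed or forged. The following is an added example in plain Python, not Event Grid or an Azure SDK. The batch, the storage-account resource path and the dispatch table are constructed; Microsoft.Storage.BlobCreated is a real event type, the blob URLs are made up.

```python
"""Validate an Event Grid delivery and dispatch on eventType.
Added example; not Event Grid or an Azure SDK. Batch, topic and handlers are constructed."""
import json

REQUIRED_NONEMPTY = ("id", "topic", "subject", "eventType")
REQUIRED_PRESENT = ("dataVersion", "metadataVersion")   # may be "" for some publishers

SUBSCRIBED_TOPIC = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                    "rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo")   # constructed


def validate_event(event, subscribed_topic=SUBSCRIBED_TOPIC):
    """Return the list of problems; empty means well-formed and from the expected topic."""
    if not isinstance(event, dict):
        return ["event is not an object"]
    problems = []
    for field in REQUIRED_NONEMPTY:
        if not isinstance(event.get(field), str) or not event[field]:
            problems.append(f"missing or empty {field}")
    for field in REQUIRED_PRESENT:
        if not isinstance(event.get(field), str):
            problems.append(f"missing {field}")
    if "data" in event and not isinstance(event["data"], dict):
        problems.append("data must be an object when present")
    topic = event.get("topic")
    if isinstance(topic, str) and topic and topic.lower() != subscribed_topic.lower():
        problems.append("topic is not the subscribed resource")   # mis-routed or forged
    return problems


def handle_blob_created(event):
    """Constructed handler: in real code this is where the blob would be fetched."""
    return f"blob created: {event.get('data', {}).get('url', '<no url>')}"


HANDLERS = {"Microsoft.Storage.BlobCreated": handle_blob_created}   # constructed dispatch table


def process_batch(body):
    """Event Grid delivers a JSON array; decide per event so one bad event does not
    take the good ones down with it. Unknown eventTypes are ignored, not errors."""
    events = json.loads(body)
    if not isinstance(events, list):
        raise ValueError("expected a JSON array of events")
    outcome = {"handled": {}, "rejected": {}, "ignored": []}
    for event in events:
        event_id = event.get("id", "<no id>") if isinstance(event, dict) else "<no id>"
        problems = validate_event(event)
        if problems:
            outcome["rejected"][event_id] = problems
            continue
        handler = HANDLERS.get(event["eventType"])
        if handler is None:
            outcome["ignored"].append(event_id)
            continue
        outcome["handled"][event_id] = handler(event)
    return outcome


SAMPLE_BATCH = json.dumps([   # constructed delivery: one good, one malformed, one unknown type, one wrong topic
    {"topic": SUBSCRIBED_TOPIC, "subject": "/blobServices/default/containers/uploads/blobs/report.pdf",
     "id": "evt-0001", "eventType": "Microsoft.Storage.BlobCreated",
     "data": {"url": "https://stdemo.blob.core.windows.net/uploads/report.pdf"},
     "dataVersion": "", "metadataVersion": "1"},
    {"topic": SUBSCRIBED_TOPIC, "subject": "/blobServices/default/containers/uploads/blobs/x.bin",
     "id": "evt-0002", "eventType": "Microsoft.Storage.BlobCreated",
     "data": {"url": "https://stdemo.blob.core.windows.net/uploads/x.bin"},
     "dataVersion": ""},                                   # metadataVersion missing
    {"topic": SUBSCRIBED_TOPIC, "subject": "orders/1", "id": "evt-0003",
     "eventType": "Contoso.Orders.Placed", "dataVersion": "1", "metadataVersion": "1"},
    {"topic": SUBSCRIBED_TOPIC.replace("stdemo", "stother"),
     "subject": "/blobServices/default/containers/c/blobs/b", "id": "evt-0004",
     "eventType": "Microsoft.Storage.BlobCreated", "dataVersion": "", "metadataVersion": "1"},
])
```

Running process_batch(SAMPLE_BATCH) handles evt-0001, rejects evt-0002 (no metadataVersion) and evt-0004 (another storage account's topic), and ignores evt-0003, whose eventType has no handler.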

Azure Functions trigger and binding example

{
  "bindings": [
    {
      "type": "queueTrigger",
      "direction": "in",
      "name": "order",
      "queueName": "myqueue-items",
      "connection": "MY_STORAGE_ACCT_APP_SETTING"
    },
    {
      "type": "table",
      "direction": "out",
      "name": "$return",
      "tableName": "outTable",
      "connection": "MY_TABLE_STORAGE_ACCT_APP_SETTING"
    }
  ]
}
The first element is the Queue storage trigger. The name property identifies the function parameter that receives the queue message content. The name of the queue to monitor is in queueName, and the connection string is in the app setting identified by connection. The second element is the Azure Table Storage output binding. The name property specifies how the function provides the new table row, in this case by using the function return value. The name of the table is in tableName, and the connection string is in the app setting identified by connection. In both bindings, connection names an app setting rather than holding the connection string itself, so the secret stays out of function.json and out of source control.

