New104


Where should business data be stored?

It is structured data and should be stored in an Azure SQL Database.

How to apply an application file for kubernetes cluster (AKS) using command line?

kubectl apply -f app.yml

What az command do you use to deploy configurations to a kubernetes cluster?

kubectl client

What 4 levels of scope can you apply Azure RBAC roles at?

management groups, subscriptions, resource groups, and resources.

Command to verify the dns delegation?

nslookup -type=SOA wideworldimports.com

Steps to setup load balancer?

1. Create load balancer 2. add backend pools 3. add health probe 4. add load balancing rule 5. In scale set, add inbound port rule in the NSG for website that is being load balanced

What are the steps to configure private DNS zone?

1. Create private DNS zone 2. Identify virtual networks 3. Link your virtual network to a private DNS zone

What are the four steps needed to create file sync resources in Azure?

1. Create the storage account 2. Create the file share 3. Create the Storage Sync Service 4. Create a sync group

What is an Azure AD account?

An identity created in Azure AD or in services like Microsoft 365. These identities are stored in Azure AD. For example, internal staff members might use Azure AD accounts daily at work.

What is a managed identity?

An identity in Azure Active Directory that is automatically managed by Azure

Example of ARM template resource type?

"type": "Microsoft.Network/virtualNetworks"

PowerShell command to apply an Azure policy?

# Get a reference to the resource group that will be the scope of the assignment
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'
# Get a reference to the built-in policy definition that will be assigned
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }
# Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition

Command to add new security rule?

$RuleConfig = New-AzNetworkSecurityRuleConfig -Name RuleRDP -Protocol Tcp -Direction Inbound -Priority 300 -SourceAddressPrefix "2.49.112.48" -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow

Command to create new virtual network subnet configuration?

$demosubnetConfig = New-AzVirtualNetworkSubnetConfig -Name default -AddressPrefix 10.3.0.0/24

Create virtual network from PowerShell?

$virtualNetwork = New-AzVirtualNetwork -Name $VNETName -ResourceGroupName $rg -Location $location -AddressPrefix $VNETAddressSpace -Subnet $websubnet

How to resize a virtual machine using PowerShell?

$vm = Get-AzVM -ResourceGroupName demorg -VMName demovm
$vm.HardwareProfile.VmSize = "Standard_D4s_v3"
Update-AzVM -VM $vm -ResourceGroupName demorg

Command to create new virtual network?

$vnet = New-AzVirtualNetwork -ResourceGroupName eastgroup -Location EastUS -Name demonetworknew -AddressPrefix 10.3.0.0/16 -Subnet $demosubnetconfig

What is Azure Monitoring made up of (3 items)?

- Monitor & Visualize Metrics - Query and Analyze Logs - Setup & Alert Actions

What are the three ARS replication frequencies?

- 30 seconds - 5 minutes - 15 minutes

What resources can an Azure alias record point to?

- A Traffic Manager profile - Azure Content Delivery Network endpoints - A public IP resource - A front door profile

SSPR for administrator roles?

- A strong, two-method authentication policy is always applied to accounts with an administrator role, regardless of your configuration for other users. - The security questions method isn't available to accounts that are associated with an administrator role.

What Azure resources can't be moved?

- AD Domain Services, Container services
- Limitations for Virtual Machines:
  -- VMs with certificate stored in Key Vault can be moved to a new resource group in the same subscription, but not across subscriptions
  -- VMs configured with Azure backup

What are the limitations of tags?

- Always check whether your Azure resource supports tags. For example, you can't set tags on generalized VMs. - You can apply tags on resource groups, but tags aren't automatically inherited by resources from their resource group. If you want all the resources in a resource group to have a tag, you must do this manually. - You can apply a maximum of 50 tags to a single resource or resource group in Azure.

What are the key features of Log Analytics?

- Central Role in Monitoring - all data is funneled here - Data Sources - things you can connect log analytics to - Other Log analytic sources (security center and App insights) - Search Queries - Output options

What are the steps in Domain lookup requests?

- Checks to see if the domain name is stored in the short-term cache. If so, the DNS server resolves the domain request. - If the domain isn't in the cache, it contacts one or more DNS servers on the web to see if they have a match. When a match is found, the DNS server updates the local cache and resolves the request. - If the domain isn't found after a reasonable number of DNS checks, the DNS server responds with a domain cannot be found (404) error.

What is Azure Firewall?

- Cloud-based network security service to protect Azure Virtual Network resources

What are the 3 ExpressRoute Connectivity Models?

- CloudExchange Co-Location - Point-to-point Ethernet Connection - Any-to-any (IPVPN) connection

What is AzCopy Tool?

- Command-line utility that can be used to copy blobs or files to or from a storage account. - Works on Linux, MacOS and Windows

What are the Recommendations for SSPR?

- Enable two or more of the authentication reset request methods. - Use the mobile app notification or code as the primary method, but also enable the email or office phone methods to support users without mobile devices. - The mobile phone method isn't a recommended method because it's possible to send fraudulent SMS messages. - The security question option is the least recommended method because the answers to the security questions might be known to other people. Only use the security question method in combination with at least one other method.

What are the alert states in the resolution process?

- Every new alert has an alert state of New. This state means that the issue has been detected but not yet reviewed. - After an admin has reviewed the alert and is working on it, the alert state changes to Acknowledged. - When the issue is resolved, the alert state is set to Closed.

What reasons should you change your storage account keys?

- For security reasons, you might regenerate keys periodically. - If someone hacks into an application and gets the key that was hard-coded or saved in a configuration file, regenerate the key. The compromised key can give the hacker full access to your storage account. - If your team is using a Storage Explorer application that keeps the storage account key, and one of the team members leaves, regenerate the key. Otherwise, the application will continue to work, giving the former team member access to your storage account.

How to backup a Windows VM and create a recovery services vault?

- Go to Create a resource and enter backup and select Backup and recovery OMS. - Give it a name, subscription, resource group and location. - Go to resource. Under Overview you will see Backup and Replicate - Click on Backup. Under workload, select Azure or on Premises. Select Virtual machine and then click on Backup. - Choose backup policy - use default or create new - Select VM to backup and then enable backup

Where do you enable backups for VMs in azure?

- Go to the vm - Under Operations, click on Backup - Create new recovery service vault, resource group and choose a backup policy - Select Enable Backup

What are the key benefits for ExpressRoute?

- Layer 3 Connectivity - Connectivity in all Regions - Global Connectivity - Dynamic Routing - using BGP - Built-in Redundancy

What are the key features of the Azure Standard Load Balancer?

- Layer 4 - Supports up to 1000 instances - Any virtual machine in a single VNET (blended options supported) - Supports HTTPS (basic only supports HTTP) - Supports Availability Zones - Secure by default (basic one is open by default)

Key features of App Gateway?

- Layer 7 application load balancing - Cookie-based session affinity - SSL offload (encryption) - End-to-End SSL - Web application firewall - URL-based content routing - Requires its own subnet - Highly Available - Supported via probes

What are features of Azure Site Recovery ?

- On-premises to Azure Recovery - Azure to Azure recovery (primary region to secondary target region) - Automation and Orchestration (integration into Azure Automation) - RTO and RPO targets - Continuous replication for Azure and VMware and Hyper-V

What are the three common roles in RBAC?

- Owner, which has full access to all resources, including the right to delegate access to others. - Contributor, which can create and manage all types of Azure resources but can't grant access to others. - Reader, which can view existing Azure resources.

What are the 3 VPN gateway architectures?

- Point to site over the Internet - Site to site over the Internet - Site to site over a dedicated network, such as Azure ExpressRoute

Basic load balancers allow?

- Port forwarding - Automatic reconfiguration - Health probes - Outbound connections through source network address translation (SNAT) - Diagnostics through Azure Log Analytics for public-facing load balancers

What roles are required to use Azure Bastion?

- Reader role on the virtual machine - Reader role on the NIC with private IP of the virtual machine - Reader role on the Azure Bastion resource

What security features does Azure DNS provide?

- Role-based access control, which gives you fine-grained control over users' access to Azure resources. You can monitor their usage, and control the resources and services they have access to. - Activity logs, which let you track changes to a resource, and pinpoint where faults occurred. - Resource locking, which gives a greater level of control to restrict or remove access to resource groups, subscriptions, or any Azure resources.

What Site-to-Site features should you know?

- S2S VPN gateway connection is a connection over IPsec/IKE (IKEv1 or IKEv2) VPN tunnel - Requires a VPN device in enterprise datacenter that has a public IP address assigned to it - Must not be located behind a NAT - S2S connections can be used for cross-premises and hybrid configurations

How to set User-defined routes?

- Search for Route and that should bring up route tables. - Once in route tables, select Add - Enter name, subscription, resource group, location and create - Select your route table, under Settings, go to Routes, and then Add specific route (route name, address prefix and next hop) and click OK - Now route is added, you need to go to Settings -> Subnet and associate the route table with a subnet

What P2S features should you know for the exam?

- Secure connection from an individual computer. Great for remote worker situation. - No need for a VPN device or public IP. Connect wherever user has internet connection. - OS Supports (Windows 7,8,20, Windows Server 2008, 2012) - Throughput up to 100 Mbps - doesn't scale easily, so only a few workstations

How to restore a VM or files from VM backup?

- Select restore VM - Select your restore point - Select how you want to restore the VM (restore type, vm (new) name, resource group, etc) and click OK. - Click on Restore

How to configure the Microsoft Azure Recovery Services (MARS) Agent?

- Select your recovery vault - Select Backup - Select where your workload is running (on-premises) and select what you want to backup and then Prepare Infrastructure - Download and install recovery services agent - Once installed, click on schedule backup through the agent. Add any items and then select Backup Now.

What are the two backup policy tiers?

- Snapshot tier: All the snapshots are stored locally for a maximum period of five days. This is referred to as the snapshot tier. For all types of operation recoveries, it's recommended that you restore from the snapshots since it's much faster to do so. This capability is called Instant Restore. - Vault tier: All snapshots are additionally transferred to the vault for additional security and longer retention. At this point, the recovery point type changes to "snapshot and vault".

What is involved in App Service Plans?

- Subscription the plan belongs to - Location - Pricing tier - Instance - Scale count (1, 2, 3, instances) - Scale rules (auto scaling) - Scale up (increase resources)

When creating a DNS zone in Azure, what do you need to supply?

- Subscription: The subscription to be used. - Resource group: The name of the resource group to hold your domains. If one doesn't exist, create one to allow for better control and management. - Name: The name of your domain, which in this case is wideworldimports.com. - Resource group location: The location defaults to the location of the resource group.

Why use Resource Manager templates?

- Templates improve consistency - Templates help express complex deployments - Templates reduce manual, error-prone tasks - Templates are code - Templates promote reuse - Templates are linkable

Describe the key share used for SSH?

- The public key is placed on your Linux VM or any other service that you wish to use with public-key cryptography. This can be shared with anyone. - The private key is what you present to verify your identity to your Linux VM when you make an SSH connection. Consider this confidential information and protect this like you would a password or any other private data.

Name a few Azure Network Watcher use case scenarios?

- There are connectivity issues in a single-VM network - A VPN connection isn't working - No servers are listening on designated destination ports

How to perform a file recovery?

- select VM - click on file recovery - select the recovery point and download script to browse and recover files and it will mount the drive that will allow you to browse the files.

What are the benefits of private DNS zones?

- There's no need to invest in a DNS solution. DNS zones are supported as part of the Azure infrastructure. - All DNS record types are supported: A, CNAME, TXT, MX, SOA, AAAA, PTR, and SRV. - Host names for VMs in your virtual network are automatically maintained. - Split-horizon DNS support allows the same domain name to exist in both private and public zones. It resolves to the correct one based on the originating request location.

Where can you assign RBAC roles?

- To the resource itself and it only applies to that resource - To the resource group - and then it applies to all resources in the resource group - To the subscription - it will apply to all of the resource groups that are part of the subscription

How do you configure an internal load balancer?

- When you create the load balancer, for the Type value, select Internal. When you select this setting, the front-end IP address of the load balancer isn't exposed to the internet. - Assign a private IP address instead of a public IP address for the front end of the load balancer. - Place the load balancer in the protected virtual network that contains the virtual machines you want to handle the requests.

What are the rules for moving Azure resources for Virtual Networks?

- You have to move all resources within the network - If the network has been peered, you have to remove the peering first.

When would you use Azure Monitor?

- You need a single solution to help you collect, analyze, and act on log data from both cloud and on-premises. - You're using services such as Azure Application Insights and Azure Security Center. Those services store their collected data in workspaces for Azure Monitor. You can then use Azure Monitor Log Analytics to interactively query the data.

You would use Application Insights if?

- You want to analyze and address issues and problems that affect your application's health. - You want to improve your application's development lifecycle. - You want to analyze users' activities to help understand them better.

What are NSGs?

- a network filter - used to allow or restrict traffic to resources in your Azure network - inbound rules - outbound rules - associate a NSG to a subnet or nic

What are some features of Application Gateway service?

- can enable autoscaling - can enable web application firewall feature for the application gateway - can enable session affinity which allows a user session to be directed to the same server for processing. - request to frontend can be SSL terminated and then requests to backend pool can be unencrypted.

What are container groups?

- collection of containers - containers get scheduled on the same host machine and have the same lifecycle.

What are the User Administrator permissions?

- create and manage all aspects of users and groups - manage support tickets - monitor service health - change passwords for users, Helpdesk admins and other User admins

Key features of Azure Basic Load Balancer?

- layer 4 - supports up to 100 instances - service monitoring - automatic reconfiguration (scale up/down) - hash-based 5 tuple - internal and public options

What are the permissions of the Billing Administrator?

- make purchases - manage subscriptions - manage support tickets - monitors service health

What are some of the permissions for the Global administrator?

- manage access to all administrative features in Azure AD as well as services that federate to Azure AD - Assign administrator roles to others - Reset the password for any user and all other administrators

NSG's can be applied to what?

- network interface - subnet - subnet rules apply to ALL resources in a subnet

Use AzCopy tool to upload a blob to azure?

.\azcopy.exe copy Contents.txt "https://demostore.blob.core.net/new...."

What is Azure Blob storage?

- object storage for the cloud - can store massive amounts of unstructured data on the cloud - highly recommended when you want to store images, documents, video and audio files - within the blob service, you create a container that is used to store the blob objects.

What are the four types of disks for VMs?

- ultra ssd - premium ssd - standard ssd - standard hdd

In Device Settings (for Azure AD Join), what are the options?

- users may join devices to Azure AD (all, selected, none) - Additional local admins on Azure AD joined devices (selected, None) - Users may register their devices with Azure AD (all, none) - Require Multi-Factor Auth to join devices (yes/no) - Maximum number of devices per user (50 is default).

What is Azure AD Join?

- you can join and register devices with Azure AD join - good for BYOD - employees can register the devices in Azure AD and you can add work or school account - You can configure Azure AD registered devices for Windows 10, iOS, Android and macOS.

What are three ways you can assign access rights?

- Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights. - Group assignment: Assign a group the required access rights, and members of the group will inherit those rights. - Rule-based assignment: Use rules to determine a group membership based on user or device properties. For a user account or device's group membership to be valid, the user or device must meet the rules.

Each virtual network can have how many VPN connections?

1 Each virtual network can have only one VPN gateway. All connections to that VPN gateway share the available network bandwidth. Within each virtual network gateway there are two or more virtual machines (VMs). These VMs have been deployed to a special subnet that you specify, called the gateway subnet. They contain routing tables for connections to other networks, along with specific gateway services. These VMs and the gateway subnet are similar to a hardened network device. You don't need to configure these VMs directly and should not deploy any additional resources into the gateway subnet.

How many Account Administrators can you have per account?

1 - per account. The permissions are: - manage all subscriptions in an account - create new subscriptions - cancel subscriptions - change the billing for a subscription - change the service administrator

What are the number of methods required for SSPR and what are the available methods?

1 to 2 - mobile app notification - mobile app code - email - mobile phone - office phone - security questions

How to configure public Azure DNS zones?

1. Add a resource 2. Select DNS Zone and Create 3. Select Resource Group and Name and Create 4. Go to DNS Zone resource and you can see the 4 Azure name servers. 5. Create a new Record set, add type of record, TTL and IP address. 6. Now make change on name provider. In GoDaddy, change the default name servers and add Azure DNS servers.

Steps to create an Express Route circuit?

1. Add and search for ExpressRoute 2. Enter resource group, region, name, Port type (provider or direct), Select provider, SKU, billing model 3. Circuit status is enabled, but Provider status is not provisioned until you set up the provider.

Steps to create a storage account?

1. Add resource storage account. 2. Create and select resource group, account name, Location, Performance, Account Type (storagev2 is general purpose v2) and Replication. 3. Networking 4. Create 5. Now go to storage account and you can create container (blob), file share, tables or queues

How to configure private Azure DNS zones (dns routing within virtual network)?

1. Add resources -> private DNS Zone -> Create 2. Select resource group and name (cloud-internal.com for example - only routable internally) 3. Review and Create 4. Go to Resource 5. Click on Virtual Network Links and then Add 6. Create a name, select subscription and Virtual network and select Enable auto registration and click OK 7. Create a virtual machine in the virtual network and DNS will be auto configured.

Steps to configure Application Gateway? Web traffic

1. All services, Application gateway 2. Add -> name, tier, Instance count, SKU size, Subscription, Resource Group, Location. 3. Select virtual network, Frontend IP configuration (public or private), Listener configuration (http or https), Port, HTTP2, Firewall Status, Firewall Mode. 4. Review and create

What are the three places where permissions can be installed and what are the permissions?

1. Azure AD -> Roles 2. Subscription -> Account 3. Resources & Resource Groups -> RBAC

What are the three device registration options in Azure AD?

1. Azure AD registered: These devices fall into the Bring Your Own Device (BYOD) category. 2. Azure AD joined: These devices are owned by your organization. Users access your cloud-based Azure AD instance through their work account. Device identities exist only in the cloud. This option is available only to Windows 10 or Windows Server 2019 devices. 3. Hybrid Azure AD joined: This option is similar to Azure AD joined. The devices are owned by the organization, and they're signed in with an Azure AD account that belongs to that organization. Device identities exist in the cloud and on-premises. The hybrid option is better suited to organizations that need on-premises and cloud access. This option supports Windows 7, 8.1, and 10, and Windows Server 2008 or later.

What are the Azure Backup Components?

1. Azure Backup (MARS) agent - file level restore, system state restore. 2. System Center DPM - data protection manager 3. Azure Backup Server - can restore on premises or in Azure 4. Azure IaaS VM backup

Steps to create Application Gateway:

1. Create application gateway (name, region, tier, enable autoscaling). Need a new virtual subnet. 2. Configure frontend (public, private or both) 3. Backend pool(s) (add pool and specify VMs, IP, etc.) 4. Routing rules - to route from front to backend. Listener name, IP, Port. Configure backend target. Backend port. Map listener to backend target and HTTP settings, path-based routing.

What are the three load balancing technology services?

1. Azure Traffic Manager provides global DNS load balancing. You would consider using Traffic Manager to provide load balancing of DNS endpoints within or across Azure regions. 2. Azure Application Gateway provides Layer 7 load-balancing capabilities, such as round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and the ability to host multiple websites behind a single application gateway. 3. Azure Load Balancer is a layer 4 load balancer. You can configure public and internal load-balanced endpoints and define rules to map inbound connections to back-end pool destinations by using TCP and HTTP health-probing options to manage service availability.

What are the Azure Backup supported scenarios? 4 of them.

1. Azure VMs - Back up Windows or Linux Azure virtual machines 2. On-premises - Back up files, folders, and system state using the Microsoft Azure Recovery Services (MARS) agent 3. Azure Files shares - Azure Files - Snapshot management by Azure Backup 4. SQL Server in Azure VMs and SAP HANA databases in Azure VMs

What are the parts and functions of a load balancer?

1. Backend Pool - your virtual machines. link backend pool to load balancer 2. Frontend IP - public IP address that users hit (if public load balancer) 3. Health Probe - used by load balancer to understand if vms are healthy or not. A ping request or heartbeat on port number. 4. Load balancing rules - is used to tell load balancer to backend pool and port number. If traffic hits load balancer on port 80, then direct it to port 80 on the machines.

What are the three different types of blobs and what are they used for?

1. Block blobs - used for storing text and binary data 2. Append blobs- ideal for logging data 3. Page blobs - used to store virtual hard disk files for Azure virtual machines

What are the key features of Azure Firewall?

1. Built-in HA. HA is managed for you. 2. Availability Zone Support 3. Application FQDN Filtering Rules 4. Network Traffic Filtering Rules 5. FQDN tags (like windows update) 6. Service tags (microsoft managed grouping of services) 7. Threat Intelligence 8. SNAT/DNAT support

How to create a firewall?

1. Click on create a resource 2. Type in firewall and then create 3. Select Subscription, Resource group, Name, Region, Virtual Network name and address space, public IP space. 4. Add route by creating a resource and then Add Route Table

Steps to implement basic load balancer

1. Configure public IP (frontend IP configuration) 2. Configure Azure Load Balancer (select public and not internal) 3. Create backend pool (pool of VMs in availability set) 4. Add a health probe (name, protocol, port, interval, unhealthy threshold) 5. Load balancing rule - if request comes in on frontend IP, forward it to backend pool/port.

Three steps to create an Azure resource using Azure CLI?

1. Connect: az login 2. Create: az group create --name <name> --location <location> 3. Verify: az group list --output table

What are the tools available in Network Watcher?

1. Connection Monitor 2. IP Flow verify 3. Next Hop 4. Connection troubleshooter 5. VPN troubleshooter 6. Packet Capture 7. Network Security Group Logging 8. Traffic Analysis

What steps are involved in the ARS process?

1. Converts VM to VHD 2. Uploads to Azure 3. Migration completed from recovery vault

Steps to configure a public DNS zone?

1. Create a DNS zone in Azure 2. Get your Azure DNS name servers 3. Update the domain registrar setting 4. Verify delegation of domain name services 5. Configure your custom DNS settings

What are the steps to encrypt vm disks with Azure Disk Encryption?

1. Create a key vault. 2. Set the key vault up to support disk encryption. 3. Tell Azure to encrypt the VM disks using the key stored in the Key Vault.

Steps to create a public load balancer?

1. Create a new public IP address. 2. Create the load balancer. 3. To allow the load balancer to monitor the status of the healthcare portal, create a health probe. The health probe dynamically adds or removes virtual machines from the load balancer rotation based on their response to health checks. 4. Now you need a load balancer rule that's used to define how traffic is distributed to the virtual machines. You define the front-end IP configuration for the incoming traffic and the back-end IP pool to receive the traffic, along with the required source and destination port. To make sure only healthy virtual machines receive traffic, you also define the health probe to use. 5. Connect the virtual machines to the back-end pool by updating the network interfaces you created in the script to use the back-end pool information. 6. Run the following command to get the public IP address of the load balancer and the URL for your website

What are the two New user options in Azure AD?

1. Create a new user 2. Invite user (invite a new guest user to collaborate with your organization. The user will be emailed an invitation they can accept in order to begin collaborating).

What steps are required to create an Azure Policy?

1. Create a policy definition 2. Assign a definition to a scope of resources 3. View policy evaluation results

What are the steps to move a resource using the Azure CLI?

1. Create a resource group 2. Get the resource 3. Move the resource to another resource group by using the resource ID. 4. Return all the resources in your resource group to verify your resource moved. 5. Update the resource IDs in any tools and scripts that reference your resources.

How do you create a Log Analytics workspace?

1. Create a resource, in search box enter Log Analytics and then select Log Analytics and then Create. 2. Enter workspace name, select Subscription and Resource Group and Location and then OK. 3. Select your log analytics workspace 4. Then configure your data sources under Workspace Data Sources

What are the steps to setup a VPN gateway?

1. Create a virtual network 2. Add a gateway subnet 3. Specify a DNS server (optional) 4. Create a virtual network gateway 5. Generate certificates 6. Add the client address pool 7. Configure the tunnel type 8. Configure the authentication type 9. Upload the root certificate public certificate data 10. Install an exported client certificate 11. Generate and install the VPN client configuration package 12. Connect to Azure

What is Azure container registry?

A private container registry. Azure Kubernetes needs to authenticate itself with a service principal to pull the images from Azure Container Registry.

What steps are needed to setup Azure File Sync on your on premise Windows Server?

1. Disable IE Enhanced Security Configuration 2. Install the Azure File Sync agent 3. Register the Windows server. 4. Add a server endpoint

How to delete recovery services vault?

1. Ensure you have no backup items in place. 2. Disable soft delete (under security settings) 3. Stop the backup process 4. Delete the backup data 5. Go to recovery services vault and select delete

What are the two ways of connecting Express Route?

1. Express Route Direct - connect directly to Microsoft global network at different peering locations. 100Gbps speed. 2. Choose a connectivity provider - choose bandwidth options from 50Mbps, 100Mbps, etc.

How do you send logs to Log Analytics Workspace for a VM?

1. First create a Log Analytics Workspace 2. On the Log Analytics Workspace, under Workspace Data Sources, choose virtual machine. LAW is a global resource, so you can send logs from VMs in different locations to the Log Analytics Workspace. 3. Click on the VM and then Connect - this installs an extension, a Log Analytics agent.

Steps to set up Azure File Sync

1. From Dashboard, click on New and then search for Azure File Sync and click on Create. 2. Select resource group, subscription and give it a name. 3. Click on Create 4. On the VM install the file sync agent 5. Back at Azure File Sync service, add a Sync Group (group name, subscription, storage account and Azure File Share). Click Create (this creates the cloud endpoint). 6. From agent on VM, sign into Azure and select resource group and storage sync service and then register. 7. In Azure, you can now see the registered VMs. 8. Now you have to Add Server Endpoint which integrates a volume or folder from a registered server as a location to sync. 9. Choose the registered server and path and then create.

Steps to create a load balancer?

Front-end:
1. Create a resource, Networking, Load Balancer
2. Enter Name
3. Type: internal
4. Select virtual network
5. Select subnet
6. Select static or dynamic IP
7. Subscription
8. Resource group
9. Location

Backend (under Settings - Backend pools, Health probes and Load balancing rules):
1. Backend pools - give it a name, associate it via (virtual machine, availability set or VM set), add target network IP for each VM.
2. Health probe (monitors VM health) - Add, name, HTTP or TCP, Port, Path, Interval and unhealthy threshold
3. Load balancing rules - add, name, IP version, frontend IP address, Protocol, backend port, backend pool, Health probe, session persistence, idle timeout and floating IP (enable or disable)

What are the types of storage accounts in Azure?

1. General-purpose v2 accounts - recommended for most scenarios. Provides the blob, file, queue and table service. 2. General purpose v1. Same as 2 but older version and not as many features. 3. BlockBlobStorage accounts - premium performance for storing block or append blobs. 4. FileStorage account - when you want premium performance for file-only storage. 5. BlobStorage accounts - This is legacy storage account.

How do you create a file share?

1. Go onto the storage account. 2. Under File service, click on file shares and then + file share 3. Enter name, Quota, Tier and then create. 4. From the file share you can create a directory

How do you add a deployment slot?

1. Go to App Services 2. Under Deployment, select Deployment slots 3. Click on Add Slot 4. Enter a name and click on Add 5. Publish your app version 2 to the new slot. When production v2 is working, you can click on Swap in the deployment slots configuration and swap the two apps so the new version is in the production slot.

How to create Public DNS zone?

1. Go to all services 2. Enter DNS 3. Select DNS Zones 4. Click on Add 5. Choose subscription, resource group, name, resource group location 6. Review + Create 7. Create 8. Now you can see the Azure DNS servers. You could go into GoDaddy and add these name servers. You can also set Access control (IAM) for your DNS.

How do you create a service endpoint? This limits access to storage accounts from virtual networks.

1. Go to the virtual network
2. Click on Service endpoints
3. Add service endpoint
   - Select the service (Example Microsoft.Storage)
   - Select subnets you want to enable the service endpoint
   - Click on Add

Now go to the storage account.
   - Click on Firewalls and virtual networks
   - Change Allow access to selected networks
   - Select the subnet (you can only see the subnet you enabled the service endpoint on)
   - Select the virtual network or client IP
   - Click on Save

What are core capabilities of vnets?

1. Isolation - isolated from each other 2. All have Internet access by default 3. Allow us to connect multiple Azure resources 4. vnet connectivity - connect vnets to others 5. On premise connectivity 6. Traffic filters - NSGs 7. Routing (default, user defined)

What are the features and benefits of ExpressRoute?

1. Layer 3 connectivity 2. Built-in redundancy 3. Connectivity to Microsoft cloud services 4. Across on-premises connectivity with ExpressRoute Global Reach 5. Dynamic routing

How does SSPR work?

1. Localization: The portal checks the browser's locale setting and renders the SSPR page in the appropriate language. 2. Verification: The user enters their username and passes a captcha to ensure that it's a user and not a bot. 3. Authentication: The user enters the required data to authenticate their identity. They might, for example, enter a code or answer security questions. 4. Password reset: If the user passes the authentication tests, they can enter a new password and confirm it. 5. Notification: A message is usually sent to the user to confirm the reset.

Steps to create a virtual machine scale set?

1. Sign in to the Azure portal and open Azure Cloud Shell.
2. In Cloud Shell, start the code editor and create a file named cloud-init.yaml.
3. Add the following text to the file: This file contains configuration information to install nginx on the VMs in the scale set.
4. Press Ctrl+S to save the file. Then press Ctrl+Q to close the code editor.
5. Run the following command to create a new resource group named scalesetrg for your scale set:

    az group create \
      --location westus \
      --name scalesetrg

6. Run the following command to create the virtual machine scale set:

    az vmss create \
      --resource-group scalesetrg \
      --name webServerScaleSet \
      --image UbuntuLTS \
      --upgrade-policy-mode automatic \
      --custom-data cloud-init.yaml \
      --admin-username azureuser \
      --generate-ssh-keys

What are the different replication options?

1. Locally-redundant storage (LRS) - data is replicated synchronously three times within a physical location in the primary region (one data center) 2. Zone-redundant storage (ZRS) - replicated synchronously across 3 availability zones (3 data centers) in the primary region. 3. Geo-redundant storage (GRS) - replicated 3 times in the primary region, then replicated asynchronously in the secondary region (for disaster recovery) 4. Read access Geo-redundant storage (RA-GRS) - same as GRS, except data in the secondary region is also available for read-only purposes. 5. Geo-zone-redundant storage (GZRS) - replicated synchronously across 3 availability zones in the primary region and then replicated asynchronously to the secondary region. 6. Read Access Geo-zone-redundant storage (RA-GZRS) - same as GZRS except data in the secondary region is also available for read-only purposes.

How to create a NSG from Azure portal?

1. Log in 2. Create a Resource 3. Select Networking 4. Select Network Security Group 5. Name it, select subscription and location

How to create and configure a Log Analytics workspace?

1. Log into the portal and select Log Analytics workspaces 2. Select Add 3. Enter the Project instance and details 4. Select Review + Create > Create 5. After the resource deploys, select Go to resource 6. Under General, select Properties 7. Look for the access control mode and select Use resource or workspace permissions. 1. Set up your environment 1. Onboard virtual machines to Azure Monitor for CM by selecting VM and then under Monitoring, select Insights > Enable. Select the Log Analytics workspace you created and then enable.

Steps to import data to Azure Storage?

1. Prepare disks 2. Create a job 3. Ship your drives to the Azure datacenter 4. Check your job status 5. Receive disks 6. View data in Azure Storage

What are the 5 key points to Azure VNets?

1. Primary building block for Azure networking 2. Private network in Azure based on address space prefix 3. Create subnets in your Vnet with your IP ranges 4. Bring your own DNS or use Azure-provided DNS 5. Choose to connect the network to on-premises or the internet

What are the six properties of NSGs?

1. Protocol (TCP, UDP) 2. Source & Destination range (or all) 3. Source & Destination Address prefix 4. Direction (inbound or outbound) 5. Priority 6. Access (Allow/Deny)

What are the different sections of the Azure Resource Manager templates?

1. Resources - specify resources that need to be deployed 2. Variables - these values can be reused in the template 3. Parameters - can be used to provide values during the deployment phase 4. Outputs - returns values from the deployed resources.

What two ways can you control routing and override Azure route traffic?

1. Route tables - A route table allows you to define rules as to how traffic should be directed. You can create custom route tables that control how packets are routed between subnets. 2. Border Gateway Protocol - Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.

Steps to add an empty disk to your vm?

1. Run az vm create:

    az vm create \
      --name support-web-vm01 \
      --image UbuntuLTS \
      --size Standard_DS1_v2 \
      --admin-username azureuser \
      --generate-ssh-keys

2. Run the following az vm disk attach command to add a new empty disk to the VM.

    az vm disk attach \
      --vm-name support-web-vm01 \
      --name uploadDataDisk1 \
      --size-gb 64 \
      --sku Premium_LRS \
      --new

3. Initialize and format the disk.

What are the two types of scale sets?

1. Scheduled scaling: You can proactively schedule the scale set to deploy one or N number of additional instances to accommodate a spike in traffic and then scale back down when the spike ends. 2. Autoscaling: If the workload is variable and can't always be scheduled, you can use metric-based threshold scaling. Autoscaling horizontally scales out based on node usage. It then scales back in when the resources return to a baseline.

How to create an App Service?

1. Select New -> Web App 2. Fill in information including: App Service Plan and Sku & Size. By default it will select standard. This will create an Azure web app and an App Service plan.

How to configure Virtual Networking DNS in Azure portal?

1. Select Virtual Network in Azure 2. Select DNS Servers from the Settings section 3. Choose Default to stick with Azure DNS 4. Or choose Custom to input your own DNS servers 5. Add DNS servers 6. Save. Note - VMs will require restart to utilize updated settings!

Steps to add a new group?

1. Sign in to the Azure portal. 2. Select Azure Active Directory > Groups > New Group. 3. Enter the following information: - Group type: Security - Group name: Developer group - Group description: Developer team 4. Select Create. 5. The new group now appears in the list of Groups.

Steps in site to site recovery?

1. Site Recovery mobility service extension is installed on the source VM 2. Continuous replication then occurs via the cache storage account. 3. When the data is processed in the target region, crash-consistent recovery points are generated every 5 minutes.

What do Activity Logs do?

Activity Logs record when resources are created or modified

What are the Search Query Fundamentals?

1. Start with the source table (e.g. Event) 2. Follow on with a series of operators 3. Separate out additional operations by using pipe | 4. Join other tables and workspaces using "union"

How to expand a disk using the Azure portal?

1. Stop the VM using the Stop button in the toolbar on the Overview page for the VM. 2. Click Disks in the Settings section. 3. Select the data disk you want to resize. 4. In the disk details, type a size larger than the current size. You can also change from Premium to Standard (or vice-versa) here. 5. Click Save to save the changes. 6. Restart the VM

What are the three types of storage accounts?

1. StorageV2 (general purpose v2): the current offering that supports all storage types and all of the latest features 2. Storage (general purpose v1): a legacy kind that supports all storage types but may not support all features 3. Blob storage: a legacy kind that allows only block blobs and append blobs. Microsoft recommends that you use the General-purpose v2 option for new storage accounts.

Steps to deploy an Azure Firewall?

1. Under the virtual network, create an AzureFirewallSubnet 2. Go to Firewall and then Add 3. Give it a name, create a new public IP and Create 4. Go to resource and then Rules to create rules.

Steps to create a storage account and VM with boot diagnostics enabled?

1. Use Azure Cloud Shell on the right to create a storage account to store boot diagnostics.
2. Create your VM with boot diagnostics enabled.

    az vm create \
      --name monitored-linux-vm \
      --image UbuntuLTS \
      --size Standard_B1s \
      --location eastus2 \
      --admin-username azureuser \
      --boot-diagnostics-storage $STORAGE \
      --resource-group learn-20c00bb2-793d-4111-b9ba-bbca7417b4ee \
      --generate-ssh-keys

What else gets deployed when you deploy a virtual machine?

1. Virtual network - needs to reside 2. Private IP 3. Public IP 4. virtual Network interface 5. NSG - assigned to nic 6. Disks - os disk and you can add data disk

What two ways can you communicate between Azure resources?

1. Virtual networks 2. Service endpoints

What are some key points to moving Azure resources?

1. You can move resources across resource groups in a tenant 2. The resources will still remain in the same location. 3. Even if the resource group belongs to a different location, the resource will still remain in the same location

What are the two types of shared access signatures and when would you use them?

1. You can use a service-level shared access signature to allow access to specific resources in a storage account. You'd use this type of shared access signature, for example, to allow an app to retrieve a list of files in a file system or to download a file. 2. Use an account-level shared access signature to allow access to anything that a service-level shared access signature can allow, plus additional resources and abilities. For example, you can use an account-level shared access signature to allow the ability to create file systems. You'd typically use a shared access signature for a service where users read and write their data to your storage account.

What are steps involved in Azure Import/Export?

1. You need to download the WAImportExport tool to copy data to disk drives. The drives need to be encrypted with BitLocker. 2. You then create an import job in Azure. Associate the job with an Azure Storage account. You also need to upload the drive journal files to the job. 3. You need to mention the return address in the job. 4. Ship the drives to the Azure data center.

AZ commands to expand a vm disk drive?

1. Deallocate the VM:

    az vm deallocate \
      --resource-group <resource-group-name> \
      --name <vm-name>

2. Resize the disk:

    az disk update \
      --resource-group <resource-group-name> \
      --name <disk-name> \
      --size-gb 200

3. Start the VM:

    az vm start \
      --resource-group <resource-group-name> \
      --name <vm-name>

What are the different storage accounts that are available?

1. Blob storage - for objects like videos, also used for storing disk files for VMs (VHD). 2. Table - table-like data. 3. File - file shares in your storage account. SMB 4. Queue - receiving and sending messages

What are the different types of alerts in cost management?

1. budget 2. credit 3. department spending quota

What are the key ARM functions?

1. copy 2. copyIndex() 3. dependsOn

Steps to create a site-to-site vpn?

1. create gateway subnet 2. create local gateway 3. create virtual network gateway 4. establish site-to-site vpn connection

What are the steps to export data from Azure Blob storage?

1. create job 2. ship your disks 3. check job status 4. receive and unlock disks

What can you recover from a VM backup?

1. file recovery 2. VM recovery 3. Disk recovery

How to set up Private DNS in Azure portal?

1. Log into portal 2. Under all services, select Private DNS zones 3. Click Add to create private zone 4. Select resource group 5. Add instance name 6. Click Review and Create 7. Go to Private DNS Zone 8. Under Settings, click on Virtual network links 9. Click on Add to select virtual network to link it to.

What are advantages of Azure File Storage?

1. no need to maintain the physical server 2. No need to maintain storage 3. Save costs on other aspects like networking

What is a docker container?

1. standardized packaging for software and dependencies 2. a way to isolate apps from each other 3. Works with Linux and Windows Servers 4. Allows separate apps to share the same OS kernel

What are the benefits of a container?

1. A container is immutable - the unchanging nature of a container allows it to be deployed and run reliably with the same behavior from one compute environment to another. 2. A container is lightweight - you can think of a container as a VM image, but smaller. A VM image is normally installed on a physical host. The image contains both the OS and the application you want to run. In contrast, a container doesn't need an OS, only the application. The container always relies on the host installed OS for Kernel-specific services. Containers are less resource-intensive, and multiple containers can be installed on the same compute environment. 3. Container startup is fast - containers can start up in few seconds instead of minutes, like a VM.

How do you create a new AD group based on Dynamic User?

1. Go to New group 2. Under membership type, select Dynamic User 3. Add dynamic query and configure rule based on Property. Example: City contains "Miami" and then rule syntax looks like: (user.city -contains "Miami") 4. Save 5. Create. Note: it is not case sensitive.

What are the options for VPN gateways?

1. Network-to-network connections over IPsec/IKE VPN tunneling, linking VPN gateways to other VPN gateways. 2. Cross-premises IPsec/IKE VPN tunneling, for connecting on-premises networks to Azure through dedicated VPN devices to create site-to-site connections. 3. Point-to-site connections over IKEv2 or SSTP, to link client computers to resources in Azure.

What numbers are used for network id in 10.0.0.0/16?

10.0

What numbers are used for network id in 10.0.0.0/24?

10.0.0

What are the three ranges of non-routable IP addresses?

10.0.0.0 to 10.255.255.255; 172.16.0.0 to 172.31.255.255; 192.168.0.1 to 192.168.255.255

What is the default for soft delete of recovery services vault?

14 days

How many concurrent RDP connections does Bastion support?

25

You have to move an on-premises application onto an Azure subscription. The app is hosted on several Azure vms. You have to ensure that the application will always be running on at least 4 vms during a planned Azure maintenance period. How many update domains should you have?

5 update vms across 5 update domains.

How many concurrent SSH connections does Bastion support?

50

What SLA do availability sets provide?

99.95%

What SLA do availability zones provide?

99.99%

How does DNS work?

A DNS server carries out one of two primary functions: - Maintains a local cache of recently accessed or used domain names and their IP addresses. This cache provides a faster response to a local domain lookup request. If the DNS server can't find the requested domain, it passes the request to another DNS server. This process repeats at each DNS server until either a match is made, or the search times out. - Maintains the key-value pair database of IP addresses and any host or subdomain that the DNS server has authority over. This function is often associated with mail, web, and other internet domain services.

What is a Recovery Services vault?

A Recovery Services vault enables Site Recovery to complete disaster recovery replication. These vaults use storage accounts to store data backups, VM configuration settings, and workloads.

What are Resource Manager templates?

A Resource Manager template precisely defines all the Resource Manager resources in a deployment. You can deploy a Resource Manager template into a resource group as a single operation. A Resource Manager template is a JSON file, making it a form of declarative automation. Declarative automation means that you define what resources you need but not how to create them. Put another way, you define what you need and it is Resource Manager's responsibility to ensure that resources are deployed correctly.

What is a site-to-site VPN connection?

A Site-to-Site VPN connection is used to establish a secure connection between an on-premise network and an Azure network via the Internet.

What is a container?

A container for all blob objects - can be private or public. Then you can upload objects (files)

What is a container image?

A container image is a portable package that contains software. It's this image that, when run, becomes our container. The container is the in-memory instance of an image. A container image is immutable. Once you've built an image, the image can't be changed. The only way to change an image is to create a new image. This feature is our guarantee that the image we use in production is the same image used in development and QA.

What is a container?

A container is a loosely isolated environment that allows us to build and run software packages. These software packages include the code and all dependencies to run applications quickly and reliably on any computing environment. We call these packages container images.

What is a container - AKS?

A container is an atomic unit of software that packages up code, dependencies, and configuration for a specific application. Containers allow us to split up monolithic applications into individual services that make up the solution. This rearchitecting of our application will enable us to deploy these separate services via containers.

What is a policy definition?

A policy definition expresses what to evaluate and what action to take. For example, you could ensure all public websites are secured with HTTPS, prevent a particular storage type from being created, or force a specific version of SQL Server to be used.

What is a fault domain?

A fault domain is a logical group of hardware in Azure that shares a common power source and network switch. You can think of it as a rack within an on-premises datacenter. The first two VMs in an availability set will be provisioned into two different racks so that if the network or the power failed in a rack, only one VM would be affected. Fault domains are also defined for managed disks attached to VMs.

For Virtual Wan, in every region (chicago, seattle) that you want connectivity, what must you create?

A hub. All VNETs can take site-to-site, expressroute and vnet connections and connect to other hubs.

What is an A record?

A is the host record, and is the most common type of DNS record. It maps the domain or host name to the IP address.

What is Azure Bastion?

A managed service to log into your other VMs. The subnet must be named AzureBastionSubnet. From a client machine, you can connect via SSL to Bastion and then connect to your VMs.

What is a network security group?

A network security group is an Azure resource that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.

What is a network virtual appliance?

A network virtual appliance is a specialized VM that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing WAN optimization.

To use a custom domain name with Azure AD, what must you create with your domain name registrar?

A new TXT record with info from Microsoft to verify that the domain belongs to you.

What type of DNS record should you create to map one or more IP addresses against a single domain?

A or AAAA

What is hot storage good for?

Hot storage, which offers lower access costs but higher storage costs.

What are the limitations on tags?

A resource can have up to 50 tags. The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. The tag value is limited to 256 characters for all types of resources. Tags aren't inherited from parent resources. Not all resource types support tags, and tags can't be applied to classic resources.

What is a role definition?

A role definition is a collection of permissions. It's sometimes just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can't be performed or operations related to underlying data.

What is a role?

A role is a collection of permissions.

What is a security principal?

A security principal is just a fancy name for a user, group, or application that you want to grant access to.

What is a site-to-site Virtual Private Network?

A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the Internet.

What is a storage account?

A storage account is a container that groups a set of Azure Storage services together. Only data services from Azure Storage can be included in a storage account (Azure Blobs, Azure Files, Azure Queues, and Azure Tables). Combining data services into a storage account lets you manage them as a group. The settings you specify when you create the account, or any that you change after creation, are applied to everything in the account. Deleting the storage account deletes all of the data stored inside it.

What is an Azure virtual hard disk?

A virtual hard disk is conceptually similar to a physical hard disk. You can use a VHD to host the operating system and run a virtual machine. A VHD can also hold databases and other user-defined folders, files, and data. A VHD can hold anything that you can store on a physical hard disk.

A virtual network is scoped to______?

A virtual network is scoped to a single region.

What is an Azure virtual network?

A virtual network is your network in the cloud. You can divide your virtual network into multiple subnets. Each subnet has a portion of the IP address space that is assigned to your virtual network. You can add, remove, expand, or shrink a subnet if there are no VMs or services deployed in it.

How to add a load balancer?

Add resource and select Load balancer

Two commands to add a new data disk to vm?

Add-AzVMDataDisk and Update-AzVM

Root management group for each organization?

After you select Save on your first management group, a root management group is created in the Azure Active Directory (Azure AD) organization. By default, the root management group's display name is Tenant root group. The ID is the Azure AD ID. After this group is created, all existing subscriptions in the Azure AD organization are made children of the root management group. So there's only one management group hierarchy within an organization.

How do you move resources?

After you've identified the resources you want to move and verified they can be moved, you create a resource group and move the resources into that resource group. You can use the Azure portal, the Azure CLI, PowerShell, or Azure REST API to move your resources.

Is data encrypted when stored in Azure Storage?

All data written to Azure Storage is automatically encrypted by Storage Service Encryption (SSE) with a 256-bit Advanced Encryption Standard (AES) cipher. SSE automatically encrypts data when writing it to Azure Storage. When you read data from Azure Storage, Azure Storage decrypts the data before returning it. This process incurs no additional charges and doesn't degrade performance. It can't be disabled.

What are deployment slots?

Allows you to deploy in non-production slots.

What is an Azure custom script extension?

An Azure custom script extension downloads and runs a script on an Azure VM. It can automate the same tasks on all the VMs in a scale set.

What is a VPN Gateway?

An Azure virtual network gateway provides an endpoint for incoming connections from on-premises locations to Azure over the Internet. A VPN gateway is a specific type of virtual network gateway that can be an endpoint for encrypted connections. It can also send encrypted traffic between Azure virtual networks over Microsoft's dedicated network that links Azure datacenters in different regions. This configuration allows you to link virtual machines and services in different regions securely.

What are Express Route circuits?

An ExpressRoute circuit is the logical connection between your on-premises infrastructure and the Microsoft Cloud. A connectivity provider implements that connection, although some organizations use multiple connectivity providers for redundancy reasons. Each circuit has a fixed bandwidth of either 50, 100, 200 Mbps or 500 Mbps, or 1 Gbps or 10 Gbps, and each of those circuits map to a connectivity provider and a peering location. In addition, each ExpressRoute circuit has default quotas and limits.

What is RBAC?

An authorization system that is built on top of Azure Resource Manager that allows you to provide fine-grained access management of Azure resources.

What is an Availability Set?

An availability set is a logical feature used to ensure that a group of related VMs are deployed so that they aren't all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the datacenter. VMs placed in an availability set should perform an identical set of functionalities and have the same software installed.

What is an unmanaged disk?

An unmanaged disk, like a managed disk, is stored as a page blob in an Azure Storage account. The difference is that with unmanaged disks, you create and maintain this storage account manually. Because unmanaged disks don't support all of the scalability and management features that you've seen for managed disks, they're no longer widely used.

What is cloud init?

Another way to install packages in Linux. When you create a virtual machine, there is an option called Cloud Init that you can use to install packages and write files or to configure users and security.

What protocols are allowed in NSG rules?

Any, TCP, UDP, ICMP

What is HTTP load balancing?

App Gateway

What are App security groups?

App security groups let you configure network security for resources used by specific apps. You can group VMs logically, no matter what their IP address or subnet assignment.

Which load balancing strategy does Application Gateway implement?

Application Gateway follows a round-robin approach, distributing requests to each available server in a backend pool in turn.

What is Application Gateway?

Application Gateway manages the requests that client applications can send to a web app. Application Gateway routes traffic to a pool of web servers based on the URL of a request. This is known as application layer routing. The pool of web servers can be Azure virtual machines, Azure virtual machine scale sets, Azure App Service, and even on-premises servers.

___________________ is a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises.

Application Insights is a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises. It leverages the powerful data analysis platform in Log Analytics to provide you with deeper insights into your application's operations. Application Insights can diagnose errors without waiting for a user to report them.

What is Application Insights?

Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service for developers and DevOps professionals. It monitors live web applications and you can enable it for many Azure App Service web apps without modifying any of the app's code.

You want to add an extra layer of security to Azure Bastion. Where can you start?

Apply role-based access control (RBAC) and the least privilege to use and manage Azure Bastion

What is the benefit of applying a security group to a subnet instead of individual network interfaces?

Applying a network security group to a subnet instead of individual network interfaces can reduce administration and management efforts. This approach also ensures that all VMs within the specified subnet are secured with the same set of rules.

What is archive storage good for?

Archive-tier storage may be appropriate for secondary backups or backups of data with low expectations for recovery time. It's low in cost, but requires up to 15 hours of lead time to access.

Which access cost tier is the highest?

Archive. The storage cost is the least, but the access cost is the highest.

Define Fault Domain?

Are used to define the group of virtual machines that share a common source and network switch. You can have up to 3 fault domains.

When should you use network security groups?

As a best practice, you should always use network security groups to help protect your networked assets against unwanted traffic. Network security groups give you granular control access over the network layer, without the potential complexity of setting security rules for every VM or virtual network.

At any one time, only one subscription can _____ one directory.

At any one time, only one subscription can trust one directory.

What is Azure Advisor?

Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across each of these areas.

What is availability?

Availability is the percentage of time a service is available for use.

What are High Availability sets?

Availability sets are a way for you to inform Azure that VMs that belong to the same application workload should be distributed to prevent simultaneous impact from hardware failure and scheduled maintenance. Availability sets are made up of update domains and fault domains.

What are availability zones?

Availability zones are independent physical datacenter locations within a region that include their own power, cooling, and networking. By taking availability zones into account when deploying resources, you can protect workloads from datacenter outages while retaining presence in a particular region.

What is the Az module?

Az is the formal name for the Azure PowerShell module containing cmdlets to work with Azure features. It contains hundreds of cmdlets that let you control nearly every aspect of every Azure resource. You can work with resource groups, storage, virtual machines, Azure Active Directory, containers, machine learning, and so on. This module is an open source component available on GitHub. Note: In October 2018 we announced the replacement of the AzureRM module with the Az module.

What is Azure AD DS?

Azure AD DS lets you add virtual machines to a domain without needing domain controllers. Your internal staff users can access virtual machines by using their company Azure AD credentials. This feature is available for pay-as-you-go, based on the total number of objects in your domain that's managed by Azure AD DS. Objects can include users, groups, and domain-joined computers.

What is Azure AD Identity Protection?

Azure AD Identity Protection helps you to automatically detect, investigate, and remediate identity risks for users. Identity Protection uses risk policies to automatically detect and respond to threats. You configure a risk policy to set up how Identity Protection should respond to a particular type of risk.

What is Azure AD?

Azure AD is a cloud-based identity management solution. It helps your company's internal users to: - Access external resources, like Azure services, Microsoft 365, and third-party SaaS applications. - Access internal resources such as applications on your corporate network, and cloud-based applications that your company builds. Azure AD also helps you keep user identities and applications secure through features like conditional access and identity protection.

What is the difference between Azure AD and Active Directory?

Azure AD is a cloud-based identity solution that helps you manage users and applications. Active Directory manages objects, like devices and users, on your on-premises network.

What does Azure AD join use for mobile device management?

Azure AD join uses the mobile device management (MDM) platform to manage devices attached to Azure AD. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, software installations, and software updates.

What devices support Azure AD join?

Azure AD join works with Windows 10 or Windows Server 2019 devices. Windows Server 2019 Server Core installation isn't supported. If you're using an earlier Windows operating system, you'll need to upgrade to Windows 10 or Windows Server 2019.

What is Azure Automation State Configuration?

Azure Automation State Configuration is an Azure service built on PowerShell. It allows you to consistently deploy, reliably monitor, and automatically update the desired state of all your resources. Azure Automation provides tools to define configurations and apply them to real and virtual machines.

What is Azure Backup?

Azure Backup is a built-in Azure service that provides secure backup for all Azure-managed data assets. It uses zero-infrastructure solutions to enable self-service backups and restores, with at-scale management at a lower and predictable cost.

What is Recovery Services vault?

Azure Backup uses a Recovery Services vault to manage and store the backup data. A vault is a storage-management entity, which provides a simple experience to carry out and monitor backup and restore operations.

What is Azure Bastion?

Azure Bastion provides a secure remote connection from the Azure portal to Azure virtual machines (VMs) over Transport Layer Security (TLS). Provision Azure Bastion to the same Azure virtual network as your VMs or to a peered virtual network. Then connect to any VM on that virtual network or a peered virtual network directly from the Azure portal.

Azure Import/Export allows you to export data from ____?

Azure Blob Storage

Where are unmanaged disks stored?

Azure Blob storage

What is Azure Blueprints?

Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and deploy new environments with the trust they're building within organizational compliance using a set of built-in components, such as networking, to speed up development and delivery.

Where should product catalog data be stored?

Azure Cosmos DB. It supports semi-structured data.

What is Azure Cost Management?

Azure Cost Management is another free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas.

What is Azure DNS?

Azure DNS allows you to host and manage your domains by using a globally distributed name server infrastructure. It allows you to manage all of your domains by using your existing Azure credentials. Azure DNS acts as the SOA for the domain. You can't use Azure DNS to register a domain name. You use a third-party domain registrar to register your domain.

What is Azure DNS?

Azure DNS enables you to host your DNS records for your domains on Azure infrastructure. With Azure DNS, you can use the same credentials, APIs, tools, and billing as your other Azure services. Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.

What is Azure ExpressRoute?

Azure ExpressRoute lets you seamlessly extend your on-premises networks into the Microsoft cloud. This connection between your organization and Azure is dedicated and private. Establishing an ExpressRoute connection enables you to connect to Microsoft cloud services like Azure, Office 365, and Dynamics 365. Security is enhanced, connections are more reliable, latency is minimal, and throughput is greatly increased.

What is Azure File Sync?

Azure File Sync allows you to extend your on-premises file shares into Azure. It works with your existing on-premises file shares to expand your storage capacity and provide redundancy in the cloud. It requires Windows Server 2012 R2 or later. You can access your on-premises file share with any supported file sharing protocol that Windows Server supports, like SMB, NFS, or FTPS.

What is Azure Firewall?

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It can control traffic at Layer 3 and Layer 7 and has automatic threat intelligence.

What is Azure Import/Export?

Azure Import/Export provides a way for organizations to export data from Azure Storage to an on-premises location. The service offers a secure, reliable, and cost-effective method to export large amounts of data.

What is Azure Kubernetes Service?

Azure Kubernetes Service (AKS) manages your hosted Kubernetes environment and makes it simple to deploy and manage containerized applications in Azure. Your AKS environment is enabled with features such as automated updates, self-healing, and easy scaling. The Kubernetes cluster master is managed by Azure and is free. You manage the agent nodes in the cluster and only pay for the VMs on which your nodes run.

What is network load balancing?

Azure Load Balancer

What happens if a health probe isn't configured and a VM fails?

Azure Load Balancer won't notice the failure and continues to route traffic to the failed VM. This issue causes requests to time out.

What are Azure Management Groups?

Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.

What is Azure Mobility Service?

Azure Mobility Service needs to be installed on every VM that you replicate. This client is available for Windows and Linux VMs and will be installed and configured automatically by Site Recovery. If the automatic installation fails, you can install the service manually. The mobility service works in partnership with Site Recovery to keep an up-to-date cache of the VMs' data. The cache is replicated to the target environment's storage account. The replicated data will be used if Site Recovery fails over the environment.

What are the benefits of Azure Monitor?

Azure Monitor centralizes and combines your metrics and log data from different sources.

_______________________ is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes)

Azure Monitor for VMs is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes). Azure Monitor for VMs includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers.

____________________ is a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters, hosted on Azure Kubernetes Service (AKS).

Azure Monitor for containers is a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters, hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API. Container logs are also collected.

What is Azure Monitor logs?

Azure Monitor is a service for collecting and analyzing telemetry. It helps you get maximum performance and availability for your cloud applications, and for your on-premises resources and applications. It shows how your applications are performing and identifies any issues with them. Azure Monitor collects two fundamental types of data: metrics and logs. Metrics tell you how the resource is performing, and the other resources that it's consuming. Logs contain records that show when resources are created or modified.

What is Azure Monitor?

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

Why do the NSG rules need to be created against the private IP address of the VM?

Azure NATs the public IP address to the private IP address of the VM.

What is Network Watcher?

Azure Network Watcher includes several tools that you can use to monitor your virtual networks and virtual machines (VMs). Network Watcher is an Azure service that combines tools in a central place to diagnose the health of Azure networks. The Network Watcher tools are divided into two categories: monitoring tools and diagnostic tools. With tools to monitor for and diagnose problems, Network Watcher gives you a centralized hub for identifying network glitches, CPU spikes, connectivity problems, memory leaks, and other issues before they affect your business.

What is Azure Policy?

Azure Policy is an Azure service you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements.

What is Azure PowerShell?

Azure PowerShell is a module that you add to Windows PowerShell or PowerShell Core to let you connect to your Azure subscription and manage resources. Azure PowerShell requires PowerShell to function. PowerShell provides services like the shell window, command parsing, and so on. Azure PowerShell adds the Azure-specific commands.

What are Azure Quickstart templates?

Azure Quickstart templates are Resource Manager templates that are provided by the Azure community. Quickstart templates are available on GitHub.

What is Azure Resource Manager?

Azure Resource Manager is the interface for managing and organizing cloud resources. Think of Resource Manager as a way to deploy cloud resources. Resource Manager is what organizes the resource groups that let you deploy, manage, and delete all of the resources together in a single action.

What does Azure Resource Manager let you do?

Azure Resource Manager makes working with these related resources more efficient. It organizes resources into named resource groups that let you deploy, update, or delete all of the resources together. Resource Manager also allows you to create templates, which can be used to create and deploy specific configurations.

What is Azure Security Center?

Azure Security Center is a service that manages the security of your infrastructure from a centralized location. Use Security Center to monitor the security of your workloads, whether they're on-premises or in the cloud.

What is Azure Site Recovery?

Azure Site Recovery replicates your virtual machine workloads between Azure regions. You can also use Site Recovery to migrate VMs from other environments, such as on-premises infrastructure, to Azure. Y

What are Azure VM Extensions?

Azure VM extensions are small applications that allow you to configure and automate tasks on Azure VMs after initial deployment. Azure VM extensions can be run with the Azure CLI, PowerShell, Azure Resource Manager templates, and the Azure portal.

How are Azure VMs backed up?

Azure VMs are backed up by taking snapshots of the underlying disks at user-defined intervals and transferring those snapshots to the Recovery Services Vault as per the customer-defined policy.

What is Azure VPN Gateway?

Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

What are the four types of storage in Azure?

Azure blobs, Azure files, Azure Queues and Azure Tables

How do you configure and capture boot diagnostics?

Azure can collect these metrics by default for hosted VMs without requiring you to install more software. To capture the boot diagnostics, you need to create and associate a storage account. You associate the storage account at the time you create your VM. Or, for an existing VM, you associate one later.

What does Azure file sync do?

Azure file sync extends on-premises file servers into Azure providing cloud benefits while maintaining performance and compatibility.

Cost by location?

Azure has datacenters all over the world. Usage costs vary between locations that offer particular Azure products, services, and resources based on popularity, demand, and local infrastructure costs.

Azure management groups provide a level of scope above _____________________.

Azure management groups provide a level of scope above subscriptions.

Which peering configuration would you use for your ExpressRoute circuit where you need to allow direct connections to Azure compute resources?

Azure private peering

If name resolution is between role instances or virtual machines in the same virtual network, what is the recommended DNS to use?

Azure-provided DNS

Where can the custom scripts for custom script extensions be stored?

Azure storage account or GitHub. A time duration of 90 minutes is allowed for the script to run. The extension won't run after a reboot.

How do you see a list of all the tags that have been assigned?

Both users and custom code can use tags to find resources. In the portal, to see a list of all the tags that have been assigned, search on "Tags".

Azure ___________ help you organize access to Azure resources and determine how resource usage is reported, billed, and paid for.

Azure subscriptions help you organize access to Azure resources and determine how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and plans by office, department, project, and so on.

What is the difference between Azure tenant and Azure AD directory?

Azure tenant: a dedicated and trusted instance of Azure AD. Azure AD directory: each Azure tenant has a dedicated and trusted Azure AD directory. This includes the tenant's users, groups, and applications and is used for performing identity and access management on resources.

How are Azure virtual disk sizes measured?

Azure virtual disk sizes are measured in Gibibytes (GiB), which are not the same as Gigabytes (GB); one GiB is approximately 1.074 GB. Therefore, to obtain an approximate equivalent of your virtual disk size in GB, multiply the size in GiB by 1.074, and that will return a size in GB that is relatively close.

What is Azure virtual networking?

Azure virtual networks enable Azure resources, such as virtual machines, web apps, and databases, to communicate with: each other, users on the Internet, and on-premises client computers.

What security features does Azure DNS provide?

Role-based access control, activity logs, and resource locking

What do budget alerts notify you of?

Budget alerts notify you when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget.

What is used to schedule VM backup?

A backup policy. It defines when the VM is backed up and the retention policy. Recovery points are created.

What is the difference between Basic and Standard load balancer SKUs?

Basic Load Balancer: single VM, availability set, scale set. Standard Load Balancer: multiple VMs, availability set, scale set. SLA of 99.99% if using 2 or more VMs behind the load balancer.

____________ balancers can be used only with availability sets.

Basic load balancers can be used only with availability sets.

What encryption is used on Windows VMs and what is used on Linux VMs?

BitLocker on Windows and DM-Crypt on Linux

What does snapshot recovery utilize?

Blob snapshots taken of the VM page blob - can be copied into the same or different regions - VMs get created from the snapshot

What are blobs?

Blobs are files for the cloud. Apps work with blobs in much the same way as they would work with files on a disk, like reading and writing data. However, unlike a local file, blobs can be reached from anywhere with an internet connection.

Blobs in containers configured for public access?

Blobs in a container configured for public access can be downloaded without any kind of authentication or auditing by anyone who knows their storage URLs. Never put blob data in a public container that you don't intend to share publicly.

Storage account access tier?

Blobs inside the container will inherit the performance/access tier that the storage account is set at. Access tier can only be marked as cool or hot. You can go to the file and then click on change tier to change the tier.

Which protocol provides dynamic routing for Azure ExpressRoute?

Border Gateway Protocol (BGP)

What does the Border Gateway Protocol do?

Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.

By default, where do storage accounts accept connections from?

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. You can restrict access to specific IP addresses, ranges, or virtual networks.

What is a PowerShell Module?

Cmdlets are shipped in modules. A PowerShell Module is a DLL that includes the code to process each available cmdlet. You load cmdlets into PowerShell by loading the module they are contained in. You can get a list of loaded modules using Get-Module.

How many co-administrators can you have per subscription and what are the permissions?

Co-administrator - 200 per subscription - Same access privileges as the Service Administrator, but can't change the association of subscriptions to Azure directories. - Can assign users to the Co-administrator role, but cannot change the Service Administrator

What are Azure App Services?

Composed of Web Apps, Mobile Apps, Logic Apps and API apps.

What is DNS?

DNS, or the Domain Name System, is a protocol within the TCP/IP standard. DNS serves an essential role of translating the human-readable domain names, for example, www.wideworldimports.com, into a known IP address. IP addresses enable computers and network devices to identify and route requests between themselves.

What is a CNAME?

CNAME is the canonical name, or the alias for an A record. If you had different domain names that all accessed the same website, you would use CNAME.

What are metrics for Azure resources?

CPU usage, disk metrics, network stats. Can create alerts and also create alerts based on Activity logs. Part of Azure Monitor.

What does the Packet Capture tool do?

Can be used to capture traffic to and from a virtual machine.

What does the connection troubleshooter do?

Can be used to check the connectivity between virtual machines or from a virtual machine to a fully qualified domain name, URI or IPv4 address.

How do you add a metric to your dashboard?

Can click on VM and then go to monitor and select metric and then Pin to dashboard.

When you add "type": "securestring" to your arm template, what does that do?

Can't see password when you enter it.

What is Log Analytics Workspace?

Central Solution for all of your logs. Part of Azure Monitor.

What are the 3 types of roles that allows users to manage subscriptions?

Classic Roles: 1. Account Administrator - 1 per account 2. Service administrator - 1 per subscription 3. Co-Administrator - 200 per subscription

Steps to access Network Watcher?

Click on All services -> Type in Network Watcher and then select it. This will take you to the overview section.

Where can you view activity logs for RBAC changes?

Click on All services and then find Activity log

How to set up alerts?

1. Click on Monitor and then Setup Alert & Actions and then Create Alert. 2. Create a Rule by selecting a resource and then entering a condition (what do I want to alert on). 3. Set up Action Group (do you want to send out email alert or automate action?)

How can you reach Monitoring from a VM?

Click on VM and then from Monitoring click on Alerts or Metrics

Where do you change the App Service settings?

Click on the Application, under Settings, select Application settings

Where can you find how many virtual machines are already allocated to you?

Dashboard -> subscriptions -> Usage + quotas

What is conditional access?

Conditional access in Azure AD uses data from sources known as signals, validates them against a user-definable rule base, and chooses the best outcome to enforce your organization's security policies. Conditional access enables device identity management, but conditional access policies can be complex. At their simplest, these policies can be thought of as "if-then" statements.

What are Azure Premium P2 licenses needed for?

Conditional access, self-service password reset. $9/user/month

What does a point-to-site VPN do?

Connect individual workstations to a VNet

What is the ExpressRoute service?

Connect an on-premises network to a VNet with a dedicated WAN link

What does a site-to-site VPN connection do?

Connect an on-premises network to a VNet with a VPN

Point-to-Site (P2S)?

Connect your laptop directly into a virtual network.

Site-to-Site (S2S)?

Connecting your internal site to Azure using VPN. The on-premises datacenter is on one side and the Azure VPN gateway is on the other. Uses a VPN VIP with an IPsec/IKE S2S VPN tunnel.

What is Container Registry?

Container Registry is an Azure service that you can use to create your own private Docker registries. Like Docker Hub, Container Registry is organized around repositories that contain one or more images. Container Registry also lets you automate tasks such as redeploying an app when an image is rebuilt.

When not to use docker containers?

Containers provide a level of isolation. However, containers share a single host OS kernel, which can be a single point of attack. We also need to take into account configuration aspects such as storage and networking to make sure that we consider all security aspects.

What are Activity Logs?

Control plane activities. Shows when a VM is stopped or created. Part of Azure Monitor.

What is cool storage good for?

Cool storage offers the best cost-to-performance ratio for most backups

Costs are ________________, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.

Costs are resource-specific, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.

How to use your own DNS service?

Create VM with DNS installed. Go to the Windows VM and DNS Servers and change it from Default (Azure-provided) to Custom. Enter IP of DNS server.

How do you create a management group?

Create your first management group by entering a management group ID and display name. The management group ID is the directory unique identifier and isn't editable after the group is created. The management group display name is displayed within the Azure portal and can be changed at any time.

Creating a tenant is the same as?

Creating a directory

If name resolution is between role instances or virtual machines in different virtual networks, what DNS is recommended?

Customer managed DNS servers

ExpressRoute?

Dedicated circuit between us and Microsoft Azure. Need to choose a partner to work with. Customer's network -> partner edge -> ExpressRoute circuit -> Microsoft edge (peering to O365, Dynamics and public services, or Azure private peering for virtual networks)

How to start a VM with Azure CLI?

az vm start --name SampleVM --resource-group learn-40dac50a-a537-41c1-8e71-d48af2520849

You have 4 web apps, each running on a different runtime stack. What is the minimum number of App Service plans that you need to create for the web apps?

Depends on the runtime stack that is supported on the App Service plan OS. You would have to have 2 - one for the Windows stack and one for Linux.

What does the Next Hop tool do?

Detect virtual machine routing problems. Checks if traffic is sent to the destination based on the routes associated with the network interface.

What does IP Flow Verify do?

Detects traffic filtering problems. Checks if a packet has been denied or allowed access to a VM. Looks at the rules in the NSG and makes sure they are applied properly. Can be used to confirm whether a rule is blocking ingress or egress traffic.

What is device identity?

Device identity in Azure Active Directory (Azure AD) helps you control the devices that you add to your organization's Azure AD instance. It also helps you control the data, resources, and assets that those devices can access. It provides a framework to implement device-based conditional access. You can use a device-based conditional access policy to limit device access to your organization's assets.

What is a service tag?

Different services in Azure. Example could be Internet or client machine.

Purpose of load balancer?

Distribution of traffic onto your VMs.

What should you not do with storage account keys?

Do not place storage account keys in code or in unprotected configuration files. Storage account keys enable full access to your storage account. Leaking a key can result in unrecoverable damage and large bills.

What is Docker Hub?

Docker Hub is a Software-as-a-Service (SaaS) Docker container registry. Docker registries are repositories that we use to store and distribute the container images we create. Docker Hub is the default public registry Docker uses for image management.

What is Docker?

Docker is a containerization platform used to develop, ship, and run containers. Docker doesn't use a hypervisor, and you can run Docker on your desktop or laptop if you're developing and testing applications. The desktop version of Docker supports Linux, Windows, and macOS. For production systems, Docker is available for server environments, including many variants of Linux and Microsoft Windows Server 2016 and above. Many clouds, including Azure, support Docker.

How many VPN gateways can each virtual network have?

Each virtual network can have only one VPN gateway. All connections to that VPN gateway share the available network bandwidth.

What can you do with Connection Monitor?

Enables you to configure and track connection reachability, latency and network topology changes. If there is an issue, it tells you why it occurred and how to fix it. Click add and select the virtual machines.

What is Enterprise State Roaming?

Enterprise State Roaming enables users of Windows 10 devices to sync settings and application data with their organization's cloud service

What would the query look like if you were searching the event log for demovm2?

Event | search "demovm2"

What is Azure Express Route?

ExpressRoute is a service that enables you to create private connections between Azure datacenters and infrastructure that's on your premises or in a colocation environment. A dedicated connection circuit. All traffic flows over the Microsoft backbone network and makes it much faster. You can also connect to Microsoft SaaS accounts. Used by large companies.

ExpressRoute is supported across all regions and locations. To implement ExpressRoute, you need to work with an ________________.

ExpressRoute is supported across all regions and locations. To implement ExpressRoute, you need to work with an ExpressRoute partner. The partner provides the edge service: an authorized and authenticated connection that operates through a partner-controlled router. The edge service is responsible for extending your network to the Microsoft cloud.

Azure command to create a web app?

First create an App Service plan:
az appservice plan create --name webappplan7000 --resource-group azuredemo --sku B1
Then create the Azure web app:
az webapp create --name webapp9000 --plan webappplan7000 --resource-group azuredemo

How can you delete an availability set?

First we have to ensure no virtual machine is associated with the availability set. Delete VMs first and then delete availability set.

What is the default distribution type for traffic through a load balancer?

Five-tuple hash

What is an Application Gateway used for?

For balancing web traffic

What is Azure ExpressRoute?

For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. Azure ExpressRoute provides dedicated private connectivity to Azure that does not travel over the Internet.

When should you use Azure ExpressRoute?

For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. Azure ExpressRoute provides dedicated private connectivity to Azure that does not travel over the Internet.

For export jobs, the Import/Export Service uses _________ to encrypt the drive before it's shipped back to you

For export jobs, the Import/Export Service uses BitLocker to encrypt the drive before it's shipped back to you. Microsoft provides you with the encryption key. You then use the encryption key to access the data and transfer it to your on-premises location.

How does Azure use network rules?

For inbound traffic, Azure processes the security group associated with the subnet and then the security group applied to the network interface. Outbound traffic is handled in the opposite order (the network interface first, followed by the subnet). The rules are evaluated in priority order, starting with the rule that has the lowest priority number. Deny rules always stop the evaluation.

What are Web Apps?

- Formerly "websites"
- Build and host apps with various programming languages
- Auto-scalable
- Highly available
- DevOps features

What are the different Azure App Service Plans?

- Free
- Shared
- Basic - up to 3 instances, unlimited apps
- Standard - up to 10 instances, unlimited apps
- Premium - up to 30 instances, unlimited apps
- Isolated - up to 100 instances, unlimited apps
- App Service Linux - unlimited apps
SLAs on Basic through Isolated: 99.95%

What are the App Service Plan Pricing tier for shared compute resources?

Free and shared

What is Azure Storage Explorer?

Free tool to manage storage resources on Linux, Windows, and macOS. You can upload and download files, create a folder, and look at tables.

How to deploy from a template?

From Dashboard -> New -> search for Template Deployment. Click on Create. You can use a common template, find one on GitHub, or build your own and just add the JSON code.

Where do you view metrics in Azure?

From Monitoring and then Metrics

Where are VM backups configured and what two items are needed?

From VM -> Operations -> Backup. You will need a Recovery Services vault and you will need to select or create a backup policy.

How to enable Azure Bastion?

From VM, Connect, select Bastion. You will need to create a subnet called AzureBastionSubnet and you will need a public IP.

How to create an availability set?

From marketplace, select Availability Set. Configure subscription, resource group, availability set name, region, fault domains and update domains. Select whether to use managed disks. You can create an availability set when you create the VM too: Create a new VM and select availability set and create a new one or use existing one.

Where do you make changes to scale rules?

From virtual machine scale set, go to Settings -> Scaling

Example of Storage REST APIs to list all the blobs in a container?

GET https://[url-for-service-account]/?comp=list&include=metadata

For a point-to-site Azure VPN gateway, what are the key parameters that you must specify when you create it?

Gateway type is Vpn, vpn type is RouteBased, and you need to specify a gateway sku.

Which storage account type supports all storage services, all performance tiers and all replication options?

General-purpose v2.

Who can manage custom roles?

Generally, administrators with the Owner or User Access Administrator roles have permissions to create and manage custom roles. By default, those roles have the Microsoft.Authorization/roleDefinitions/write permission on all role assignment scopes. That permission is required to create, delete, or update custom roles.

We can find the VM restart action in the Azure Resource Manager resource provider operations list or by running the following command to return operations for VMs:

Get-AzProviderOperation */virtualMachines/*
Operation : Microsoft.Compute/virtualMachines/restart/action
OperationName : Restart Virtual Machine
ProviderNamespace : Microsoft Compute
ResourceName : Virtual Machines
Description : Restarts the virtual machine
IsDataAction : False

How can you view the role definition for a RBAC role?

Get-AzureRmRoleDefinition -Name Owner

What does Network Security Group Logging do?

Gives information on the ingress and egress IP traffic flowing via a Network Security Group. Logs are written in JSON format.

What is a Traffic Manager used for?

For globally distributed applications where you want DNS-based traffic management and load balancing to separate traffic across regions. For example, traffic from the UK is redirected to the service in the UK.

How do you assign a license?

Go into Azure AD Licenses and then Assign. Search for user and assign. Note - you need to go into the new user -> Profile -> Settings and assign the location otherwise you won't be able to assign the license.

How to add users in Azure AD?

Go to Azure AD (your identity provider) and then Manage -> Users.

Where do you go to create an App Service plan in azure portal?

Go to Create Resource and then select App Service Plan.

What are access keys on storage account?

Go to the storage account, then go to Access Keys. There are two keys so you can swap them. Copy the key and then, in Azure Storage Explorer, you can use the name and key to access the storage account. This gives you access to all services in that storage account from Storage Explorer.

How do you resize a VM?

Go to the VM. Under Settings -> Size, select the size you want and click on Resize. When you resize, the underlying VM will be restarted.

How do you create a shared access signature for a storage account?

Go to the storage account. Click on Shared Access Signature. Select allowed services (blob, file, queue, table) and resource type. Select allowed permissions (read, write, delete, list, add, create, update, process). Set start and expiry times. Select the signing key. Then click Generate SAS and connection string. Now you can use Storage Explorer with the shared access signature URI.

How do you create a shared access key for a file?

Go to the storage container, blob and then file. Click on Generate SAS. Then:
- Select the signing method (account key or user delegation)
- Select permissions
- Set start and expiry time
- Set allowed IP addresses
- Set allowed protocols (HTTPS or HTTP)
Then click on Generate SAS Token and URL. Copy the token and URL and share them with the user.

How do you install the Network Watcher Agent on a VM?

Go to VM and then Settings -> Extensions. Click Add. Scroll down and select Network Watcher Agent. You can also install it during provisioning. This allows monitoring and diagnostics to run inside the machine.

Where can you attach and detach a network interface for a VM?

Go to VM and then to Networking and select either detach or attach.

Where do you configure logging for Web App Service?

Go to the web app service and under Monitoring, select App Service logs and enable the logging you require.

Standard load balancers support:

- HTTPS health probes
- Availability zones
- Diagnostics through Azure Monitor, for multidimensional metrics
- High availability (HA) ports
- Outbound rules
- A guaranteed SLA (99.99% for two or more virtual machines)

What OS can you have for the App Service Plan?

Has to be Linux OR Windows. Not both.

Example of a log analytics query?

Heartbeat | where Computer == "WINDOWSVM01" | where TimeGenerated > ago(1d)

What is horizontal scaling?

Horizontal scaling is the process of adding or removing several VMs in a scale set.

What are the network Watcher diagnostic tools?

- IP flow verify
- Next hop
- Effective security rules
- Packet capture
- Connection troubleshoot
- VPN troubleshoot

If multiple routes are available in a route table, Azure uses the route with the _____________.

If multiple routes are available in a route table, Azure uses the route with the longest prefix match. For example, if a message is sent to the IP address 10.0.0.2, but two routes are available with the 10.0.0.0/16 and 10.0.0.0/24 prefixes, Azure selects the route with the 10.0.0.0/24 prefix because it's more specific.

You closed a port in a network security group used by a virtual network that hosts the VMs in the Load Balancer pool. How might this affect load balancing?

If the port is used to send traffic to the VMs in the pool, then this traffic is blocked. All requests time out and eventually fail. If this port was a probe port, the VM is removed from rotation.

Why might you want to redeploy your virtual machine?

If you can't connect to your virtual machine, redeploying it will migrate it to a new host. The VM will be restarted and you will lose any data on the temporary drive. Redeploy from Support + troubleshooting -> Redeploy.

Steps to delete a custom role?

If you decide you no longer need the custom role, you need to remove the role assignments before you can delete the role.

When can you change the IP range of a subnet?

If you don't have any virtual machines defined on the subnet.

What does Allow gateway transit mean in terms of Virtual Network Peering?

If you have a VPN connection from your on-premises data center to an Azure VNet, it allows data to be transferred over that connection from a peered virtual network.

When should you consider creating a BlockBlobStorage account?

If you have applications like AI or Machine Learning applications that require rapid responses to change in data, you can consider this type of storage account.

When will you be charged for a VM?

If you stop the VM from inside the VM, it will still be allocated and charged. If you stop it from Azure, it will be deallocated and won't be charged.

How to use tags to shutdown and startup virtual machines?

If you want to automate the shutdown and startup of virtual machines in development environments during off-hours to save costs, you can use tags to assist in this automation. Add a shutdown:6PM and startup:7AM tag to the virtual machines, then create an automation job that looks for these tags, and shuts them down or starts them up based on the tag value.

What is a service endpoint used for?

Use it when you want to connect to a public service such as Azure Storage accounts or Azure SQL Database. Establish a service endpoint from your virtual network to either of the services. The endpoint creates a secure connection over the Azure backbone network. Then you can link a service endpoint to a virtual network.

If you want to move a virtual machine, what must go with it?

If you want to move a virtual machine, all of its dependents must go with it.
- You can't move virtual machines with certificates in Azure Key Vault between subscriptions.
- You can't move virtual machine scale sets with standard load balancers or a standard public IP.
- You can't move any managed disks that are in availability zones to different subscriptions.

If you're trying to move resources through ________________, you don't need to validate the move before attempting it. The Azure portal does an automatic validation before allowing you to move resources.

If you're trying to move resources through the Azure portal, you don't need to validate the move before attempting it. The Azure portal does an automatic validation before allowing you to move resources.

If your user account has the _________ or ______ role, you can create a new user in Azure AD by using either the Azure portal, the Azure CLI, or PowerShell. In PowerShell, use the cmdlet New-AzureADUser.

If your user account has the User Administrator or Global Administrator role, you can create a new user in Azure AD by using either the Azure portal, the Azure CLI, or PowerShell. In PowerShell, use the cmdlet New-AzureADUser.

What are shared keys for storage accounts called?

In Azure Storage accounts, shared keys are called storage account keys. Azure creates two of these keys (primary and secondary) for each storage account you create. The keys give access to everything in the account. You'll find the storage account keys in the Azure portal view of the storage account. Just select Settings > Access keys.

In Azure, VHDs are stored in an Azure storage account as ___________.

In Azure, VHDs are stored in an Azure storage account as page blobs.

For scaling, what is the cool down?

In minutes. If it is 10 minutes, wait for 10 minutes before checking the trigger again to increase the instance count.

For ARM template, if you have a variable called: "networkname": "armnewnetwork", how would you access that variable?

In resources, it would look like: "name": "[variables('networkname')]",

How can you bring up Azure Monitor?

In search box enter Monitor

What authentication methods does Azure AD use?

Includes SAML, OAuth, WS-Federation

What are initiatives?

Initiatives work alongside policies in Azure Policy. An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time. Once defined, initiatives can be assigned just as policies can - and they apply all the associated policy definitions.

What is the main advantage of an availability set?

It allows virtual machines to be available across physical server failures.

What happens when you add a management group?

It becomes a child of "Tenant Root Group". You can add Access Control (IAM) at the group level or add Policies and add subscriptions to the management group.

What is an Application Gateway?

It is a web traffic load balancer service that can load balance at OSI layer 7 - application layer. Can route traffic based on the URL of the request. You can create different listeners and rules to route traffic from the front end to different endpoints like a VM, Azure App Service or an on-premises service (backend pool). Needs an empty subnet on your virtual network. Can also enable a web application firewall.

For Azure AD Join, what is Enterprise State Roaming?

It's with the Premium tier. Allows users the ability to securely synchronize their user settings and application settings data to the cloud.

What should you do with storage keys?

Key Vaults include support to synchronize directly to the Storage Account and automatically rotate the keys periodically. Using a Key Vault provides an additional layer of security, so your app never has to work directly with an access key.

What do you need to use azure disk encryption?

Key vault to store the encryption key

What is Kubernetes?

Kubernetes is a portable, extensible open-source platform for automating deployment, scaling, and the management of containerized workloads. Kubernetes abstracts away complex container management and provides us with declarative configuration to orchestrate containers in different compute environments. This orchestration platform gives us the same ease of use and flexibility as with Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings.

Which layer does the Azure Load Balancer look at?

Layer 4 - Transport Layer

Which layer does the Azure Application Gateway look at?

Layer 7 - Application Layer. Slightly slower in routing traffic than Azure Load Balancer.

What is load balancing?

Load balancers manage how network traffic is distributed across an application. Load balancers are essential in keeping your application resilient to individual component failures and to ensure your application is available to process requests. For applications that don't have service discovery built in, load balancing is required for both availability sets and availability zones.

What is locally redundant storage?

Locally redundant storage (LRS) copies your data three times across separate racks of hardware in a datacenter, inside one region. Even if there's a hardware failure, or if maintenance work is happening in the datacenter, this replication type ensures data is available for use. LRS doesn't protect you from a datacenter-wide outage. If the datacenter goes down, you could lose your data.

What do you need to have in place to enable backup reports?

Log Analytics workspace

When should you use log alerts?

Log alerts use log data to assess the rule logic and, if necessary, trigger an alert. This data can come from any Azure resource: server logs, application server logs, or application logs.

What can you send to Log Analytics Workspace?

Logs from Azure VMs, on-premises servers, audit logs from Azure SQL databases. Uses the Kusto query language.

What is the inheritance order for scope in Azure?

Management group, Subscription, Resource group, Resource

What is Microsoft peering?

Microsoft peering supports connections to cloud-based SaaS offerings, such as Microsoft 365 and Dynamics 365. This peering option provides bi-directional connectivity between your company's WAN and Microsoft cloud services.

Example of Read authorization for RBAC?

Microsoft.Authorization/*/read

What is Application Gateway multiple site hosting?

Multiple site hosting enables you to configure more than one web application on the same application gateway instance. In a multi-site configuration, you register multiple DNS names (CNAMEs) for the IP address of the Application Gateway, specifying the name of each site. Application Gateway uses separate listeners to wait for requests for each site.

How to create a daily export of your cost and usage data?

Navigate to Subscriptions, select a subscription from the list, and then select Cost analysis in the menu. At the top of the Cost analysis page, select Settings. On the Configuration page, select Exports and then choose an export option. For example, select Schedule export.

What is needed for a point-to-site VPN configuration?

You need to set up a gateway subnet. Once that is in place, you need to deploy a Virtual Network Gateway. Then you configure a Point-to-Site connection. From the client side, you need to have certificates in place. Generate your own or use a certificate provider. Export the public key and upload it to the point-to-site connection. The client machine must have the user certificate with the private key in place. Then download the VPN client from Azure to establish the point-to-site connection.

What service provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network?

Network Watcher. Not meant to monitor your PaaS solution or Web Analytics.

What are Network security groups?

Network security groups filter network traffic to and from Azure resources. Network security groups contain security rules that you configure to allow or deny inbound and outbound traffic. You can use network security groups to filter traffic between VMs or subnets, both within a virtual network and from the internet.

What is an NVA?

Network virtual appliances or NVAs are virtual machines that control the flow of network traffic by controlling routing. You typically use them to manage traffic flowing from a perimeter-network environment to other networks or subnets. An NVA often includes various protection layers like:
- a firewall
- a WAN optimizer
- application-delivery controllers
- routers
- load balancers
- proxies
- an SD-WAN edge

How to add container instances (ACI)?

New -> Container Instances. Fill out configuration, image source, image size, OS type. Makes sure VM image is in place and Docker is installed so you can run containers. Platform as a service.

How do you configure user defined routes?

New Resource -> Route table. Set name, subscription, RG, location, and virtual network gateway route propagation. For a custom route: Routes -> Add, then set name, address prefix and next hop type. Then associate the route with a subnet. Go to VM, network interface, IP configurations, and enable IP forwarding. Add routing role to VM.

Command to add new public IP address?

New-AzPublicIPAddress

The following command shows how to assign the Owner role to a user at the subscription scope by using Azure PowerShell:

New-AzRoleAssignment `
  -SignInName "<userSignInName>" `
  -RoleDefinitionName "Owner" `
  -Scope "/subscriptions/<subscriptionID>"

Create a VM using Azure PowerShell?

New-AzVm `
  -ResourceGroupName "TestResourceGroup" `
  -Name "test-wp1-eus-vm" `
  -Location "East US" `
  -VirtualNetworkName "test-wp1-eus-network" `
  -SubnetName "default" `
  -SecurityGroupName "test-wp1-eus-nsg" `
  -PublicIpAddressName "test-wp1-eus-pubip" `
  -OpenPorts 80,3389

PowerShell command to create a new user?

New-AzureADUser

What is Next Hop used for?

Next Hop provides the next hop from the target virtual machine to the destination IP address.

Can MFA be enabled for External (guest accounts)?

No

Can you move a resource in a resource group that has a read-only lock?

No

If you have an on-premises network connected to Azure network A via VPN and you have Azure network B connected to A and you want network B to access on-premises, what must be enabled?

On network A, enable Allow gateway transit. On network B, enable Use remote gateways. If you want on-premises to access network B, you need to create routing on network A.

Where do you configure VNET peering?

On the virtual machine, under settings, select Peerings and then Add. The wizard creates 2 peerings. One in one direction and the other in the other direction.

Where do you select proximity placement group when creating a VM?

Once the PPG is created, you can select it from Advanced -> Proximity placement group and select from the dropdown. This places VMs closer to each other.

Can you expand a disk while the vm is running?

Operations on VHDs cannot be performed with the VM running. The first step is to stop and deallocate the VM with az vm deallocate, supplying the VM name and resource group name.

What is Archive tier?

Optimized for storing data that is rarely accessed and stored for at least 180 days. This can only be set at the blob level. Note - when a blob is in the archive tier, you can't access the blob. You have to rehydrate the blob first before it can be accessed.

What are Management Groups?

Organize your subscription into groups called "management groups" to help you manage access, policy and compliance across your subscriptions.

RBAC - what is the key difference between the Contributor and Owner role?

Owner lets you manage everything, including access to resources. Contributor lets you manage everything except access to resources

What access does the RBAC owner role have?

Owner: Has full access to all resources, including the ability to delegate access to other users.

What are examples of PaaS HA capabilities?

PaaS services come with high availability built in. Services such as Azure SQL Database, Azure App Service, and Azure Service Bus include high availability features and ensure that failures of an individual component of the service will be seamless to your application.

Several of your peers are having trouble connecting to VMs by using Azure Bastion. What isn't likely to cause the problem?

Several of your peers are having trouble connecting to VMs by using Azure Bastion. What isn't likely to cause the problem?

What is Application Gateway path-based routing?

Path-based routing enables you to send requests with different paths in the URL to a different pool of back-end servers. For example, you could direct requests with the path /video/* to a back-end pool containing servers that are optimized to handle video streaming, and direct /images/* requests to a pool of servers that handle image retrieval.

Who can create shared views in cost analysis?

People with Cost Management Contributor (or greater) access can create shared views. You can create up to 50 shared views per scope. Anyone can save up to 50 private views, even if they only have read access. These views cannot be shared with others directly in cost analysis, but they can be pinned to a dashboard or shared via URL so others can save a copy.

If you change the replication strategy from LRS to ZRS or vice versa, what do you have to do?

Perform a manual or live migration. The manual migration could result in application downtime. You have to perform the migration by creating a new storage account and copying the data from the existing storage account to the new one. Or request a live migration; Microsoft will do it when you request it.

What is Application Insights?

Performance Management system for your live applications. Part of Azure Monitor.

What are the RBAC permissions for Storage Account Contributor?

Permits management of storage accounts. Does not provide access to data in the storage account.

What is Azure App Service (Azure Web Apps)?

Platform as a service, managed by Azure. Has features such as autoscaling and security. Also has DevOps capabilities, which include continuous deployment.

What is PowerShell DSC?

PowerShell DSC is a declarative management platform that Azure Automation State Configuration uses to configure, deploy, and control systems. A declarative programming language separates intent (what you want to do) from execution (how do you want to do it). You specify the desired state and let DSC do the work to get there. You don't have to know how to implement or deploy a feature when a DSC resource is available. Instead, you focus on the structure of your deployment.

What does the Connection Monitor do?

Provides unified end-to-end connection monitoring in Azure Network Watcher. Supports Azure and hybrid deployments and gives better visibility into network performance. Supports connectivity checks based on HTTP, TCP and ICMP.

What does Network Watcher Connection Troubleshoot do?

Provides the capability to check a direct TCP connection from a virtual machine (VM) to a VM, fully qualified domain name, URI or IPv4 address.

What does Traffic Analysis do?

Provides visibility into the user and application activity and analyzes flow logs.

What's the difference between Azure Policy and RBAC?

RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to anything in that resource group. Azure Policy focuses on resource properties during deployment and for already-existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default-allow-and-explicit-deny system.

What is the range of priorities and which ones have higher priority?

Range from 100 - 4096 and lower numbers have higher priority

When you take a backup of a virtual machine, where is the data stored?

Recovery Services vault - should be in same region as VM. Additional changes will be incremental.

Azure and PowerShell commands to delete user accounts?

Remove-AzureADUser and az ad user delete. When you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored.

What are Azure Resource Manager templates?

Resource Manager templates are JSON files used to define a set of resources to deploy to Azure. You can write them from scratch, and for some Azure resources, including VMs, you can use the Azure portal to generate them.

What are resource groups?

Resource groups are a fundamental element of the Azure platform. A resource group is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription like virtual machines, Application Gateways, and CosmosDB instances. All resources must be in a resource group and a resource can only be a member of a single resource group.

What are resource locks?

Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only. Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.

What's the composition of an alert rule?

Resource, condition, actions, alert details

Two types of Kubernetes authentication and authorization to control user access to the cluster?

Role-based access control or AKS-managed Azure Active Directory

Azure Task to complete: Set passwords to never expire for cloud-based user accounts.

Routine password resetting tempts users to increment their existing passwords. For example, they might change their password from R4ndom1Strong to R4ndom2Strong, and so on. In this case, because most of the password remains the same, it increases the risk of already exposed credentials being used to gain access to an account.

What is the Run command used for?

Run Command uses the VM agent to let you run a script inside a virtual machine. This can be helpful for troubleshooting and recovery, and for general machine and application maintenance.

Security Features of App Services

- Run on isolated VM
- Integrated with Azure AD
- Support custom domains, SSL/TLS
- Integrates with Web Application Firewall (WAF)

Where is network watcher located in Azure?

Search for Network Watcher. On the left-hand side under Network diagnostic tools, you can see the different diagnostics you can use. Or under monitoring, you can use connection monitor or network performance monitor.

What is Azure Import/Export service used for?

Securely import large amounts of data to the Azure Blob and Azure File service. Store the data on your own drives or use disk drives provided by Microsoft. Ship the drives to Azure datacenter. Data is then imported to Azure Blob or Azure File storage.

How to assign a role to a user?

Select user and then go to Directory role and then add role.

What provisioning options are available through Azure AD join?

Self-service by using the Windows out-of-box experience (OOBE), Windows Autopilot, or bulk enrollment

What is one purpose of storage accounts?

Separate data from application

What are the key benefits of using Enterprise State Roaming?

Separation of corporate and consumer data. Enhanced security, because all applicable device data is encrypted through Azure Rights Management before synchronizing with the cloud. All stored data remains encrypted. Better management and monitoring, so you decide who can sync their data and from which devices. Enterprise State Roaming requires a Premium Azure Active Directory subscription.

How many Service Administrators can you have per subscription and what are the permissions?

Service Administrator - 1 per subscription - manage services in the Azure portal - assign users to the Co-Administrator role

Cluster infrastructure authentication used by Azure Kubernetes Service to manage cloud resources attached to the cluster can be _______ or ____?

- Service principal
- System-assigned managed identity

What is the PowerShell command to write changes to the VNet?

Set-AzVirtualNetwork

True or False: By default, a Global Administrator for Azure AD doesn't have access to Azure resources.

True

What are the steps to create a budget?

1. Sign in to the Azure portal and enter your credentials.
2. Navigate to Budgets:
   - In the portal search box, type Subscriptions.
   - In the list of services, select Subscriptions.
   - In the list of subscriptions, select the subscription that you analyzed in the previous exercise. The subscription contains your most expensive resource.
   - In the Cost Management area, select Budgets.
3. Select +Add in the Budgets area, then select Add filter.
4. Select the Filter list item, select ResourceID.
5. Select the selection list and then select your most expensive resource that you identified in the previous exercise. A suggested budget is shown. The budget is associated with your selection.
6. Name your budget. For example, MyFirstBudget.
7. Set the Reset period to Monthly.
8. Examine the Budget amount recommendation based on your filter. Then, analyze the View of monthly cost data graph to determine if the threshold meets your needs. Optionally, change the budget amount to any value that you like.
9. When you've decided on a budget amount, select Next.

What are smart groups?

Smart groups are an automatic feature of Azure Monitor. By using machine learning algorithms, Azure Monitor joins alerts based on repeat occurrence or similarity. Smart groups enable you to address a group of alerts instead of each alert individually. The name of the smart group (its taxonomy), is assigned automatically, and is the name of the first alert in the group. It's important to assign meaningful names to each alert that you create, because the name of the smart group can't be changed or amended.

What is an Identity?

Something that has to be identified and authenticated. An identity is typically a user who has username and password credentials, but the term can also apply to applications or services.

What are Deployment Slots used for?

Staging Environments for webapps. Version 1 of your app will default to the production slot. Version 2 will then go to staging slot. You can then swap the staging slot with the production slot and eliminate the downtime for your application when new changes are deployed. You can also easily rollback the changes.

There are two SKUs for public IP addresses. Which SKU do you need if you want support for availability zones?

Standard SKU (zone redundant by default). The Basic SKU does not support availability zones.

What plans do you need to run deployment slots?

Standard or premium plans

What is Storage Explorer?

Storage Explorer is a GUI application developed by Microsoft to simplify access to, and the management of, data stored in Azure storage accounts. Storage Explorer is available on Windows, macOS, and Linux.

What are shared access signatures (SAS)?

Storage accounts offer a separate authentication mechanism called shared access signatures that support expiration and limited permissions for scenarios where you need to grant limited access. You should use this approach when you are allowing other users to read and write data to your storage account.

You decide to deploy Azure Bastion to an existing virtual network by using the Azure CLI. What resources do you need to create?

Subnet named AzureBastionSubnet, public IP, and Azure Bastion

What is a subscription?

Subscriptions in Azure are both a billing entity and a security boundary. Resources such as virtual machines, web sites, and databases are always associated to a single subscription. Each subscription also has a single account owner who is responsible for any charges incurred by resources in that subscription. If your organization wants the subscription to be billed to another account, you can transfer ownership of the subscription. A given subscription is also associated to a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory.

What is a TXT record?

TXT is the text record. It's used to associate text strings with a domain name. Azure and Microsoft 365 use TXT records to verify domain ownership.

What are tags?

Tags are name/value pairs of text data that you can apply to resources and resource groups. Tags allow you to associate custom details about your resource.

What is a temporary disk used for in a virtual machine?

Temporary disk. Each virtual machine contains a single temporary disk, which is used for short-term storage applications such as page files and swap files. The contents of temporary disks are lost during maintenance events, so don't use these disks for critical data. These disks are local to the server and aren't stored in a storage account.

What is the Azure pricing calculator?

The Azure pricing calculator is a free web-based tool that allows you to input Azure services and modify properties and options of the services. It outputs the costs per service and total cost for the full estimate.

What is the Network Watcher Connection monitor tool?

The Connection Monitor tool provides a way to check that connections work between Azure resources. To check that two VMs can communicate if you want them to, use this tool. This tool also measures the latency between resources.

What is the Custom Script Extension?

The Custom Script Extension is an easy way to download and run scripts on your Azure VMs. It's just one of the many ways you can configure a VM once it's up and running. You can store your scripts in Azure storage or in a public location such as GitHub. You can run scripts manually or as part of a more automated deployment.

What IP does the Azure local gateway get assigned in a site-to-site VPN?

The external IP address of your on-premises router or VM routing device. Then, in IP range, you add the on-premises IP range.

What does the IP flow verify tool do?

The IP flow verify tool tells you if packets are allowed or denied for a specific virtual machine. If a network security group denies a packet, the tool tells you the name of that group so that you can fix the problem.

How do you automatically install Log Analytics Agent on all virtual machines?

The Log Analytics Agent can be installed automatically on all virtual machines. You'll need to set automatic provisioning to On in Azure Security Center under Settings - Data Collection. From that point, your data will be stored in a Log Analytics workspace. A workspace is created for you, or you choose an existing one. A workspace can be used with multiple subscriptions. You can gather data from machines across multiple subscriptions, and analyze it together from one central location. You can analyze log data in workspaces by using Log Analytics. Log Analytics is an interactive tool in Azure that you use to write and test queries for your logs, and analyze results.

What is the Network Watcher Network Performance Monitor Tool?

The Network Performance Monitor tool enables you to track and alert on latency and packet drops over time. It gives you a centralized view of your network.

What is the network watcher extension?

The Network Watcher extension is used by features like Connection Monitor, Connection Monitor (preview), connection troubleshoot, and packet capture. It needs to be enabled on the VM under Extensions. Click Add and search for AzureNetworkWatcherExtension for Windows. It gives you the ability to send information to Network Watcher.

What does the PsPing command do?

The PsPing command tests ping connectivity through an endpoint. This command also measures the latency and bandwidth availability to a service.

What is the REST endpoint made up of - for example Blobs?

The REST endpoint is a combination of your storage account name, the data type, and a known domain. For example: https://[name].blob.core.windows.net/

What is the Storage Sync Service responsible for?

The Storage Sync Service is responsible for establishing trust between your company's server and Azure. This service is where you connect the file share in Azure with the file directory on your server.

What is throughput?

The amount of data that is being sent to the storage disk at a specified interval.

What is an apex domain?

The apex domain is the highest level of your domain. In our case, that's wideworldimports.com. Note that the apex domain is also sometimes referred to as the zone apex or root apex. It's often represented by the @ symbol in your DNS zone records.

What are typical symptoms and causes of failure with Load Balancer?

The application is unreachable. The VMs running the application are unreachable. Response times are slow. User requests are timing out.

In docker, what is the image?

The basis of a Docker container. The content is at rest.

What is a docker bridge network?

The bridge network is the default configuration applied to containers when launched without specifying any additional network configuration. This network is an internal, private network used by the container, and isolates the container network from the Docker host network.

What's the difference between a VHD and a physical hard disk?

The difference between a VHD and a physical hard disk is that a VHD is stored as a virtual file in Azure. It isn't a piece of physical hardware.

What is the effective security rules tool?

The effective security rules tool in Network Watcher displays all the effective NSG rules applied to a network interface.

In docker, what is the container?

The image when it is "running".

What is the difference between the deployment model for storage: classic and Resource Manager?

The key feature difference between the two models is their support for grouping. The Resource Manager model adds the concept of a resource group, which is not available in the classic model. A resource group lets you deploy and manage a collection of resources as a single unit.

For a site-to-site VPN, what is the local gateway?

The local gateway set in Azure is just a representation of your on-premises network environment. It uses the address space of your on-premises network and the external IP of your routing device. The local network gateway is a service from Azure.

What is the main difference between Azure RBAC roles and Azure AD roles?

The main difference between Azure RBAC roles and Azure AD roles is the areas they cover. Azure RBAC roles apply to Azure resources, and Azure AD roles apply to Azure AD resources (particularly users, groups, and domains). Also, Azure AD has only one scope, the directory. The Azure RBAC scope covers management groups, subscriptions, resource groups, and resources.

What are IOPS?

The number of input/output operations per second. Reads and writes to data. For databases, there will be a lot of read, write and update statements.

What is Azure AD Join?

With Azure AD join, you can join devices to your Azure Active Directory organization without needing to sync with an on-premises Active Directory instance. Azure AD join is best suited to organizations that are principally cloud based, although it can operate in a hybrid cloud and on-premises environment.

What happens if you move a resource to another resource group?

The resources will still remain in the same location. So even if the resource group belongs to a different location, the resource will still remain in the same location.

What does tcping do?

The tcping utility is similar to ping except that it operates over a TCP connection instead of ICMP, which Load Balancer doesn't route.

What are the tools for generalizing a Windows and Linux machine?

The tools for preparing a virtual machine for generalization vary according to the operating system that's being installed and configured. For Windows, use the Microsoft System Preparation (Sysprep) tool. For Linux, use the Windows Azure Linux Agent (waagent) tool.

What is the Network Watcher topology tool?

The topology tool generates a graphical display of your Azure virtual network, its resources, its interconnections, and their relationships with each other.

What are the quota limits on each subscription?

There are quota limits on each subscription that can impact VM creation. By default, you cannot have more than 20 virtual cores across all VMs within a region. You can either split up VMs across regions or file an online request to increase your limits.

Where should photos and videos be stored?

They are unstructured data and should be stored in Azure Blob storage.

What is a point-to-site virtual private network?

This approach is like a Virtual Private Network (VPN) connection that a computer outside your organization makes back into your corporate network, except that it's working in the opposite direction. In this case, the client computer initiates an encrypted VPN connection to Azure, connecting that computer to the Azure virtual network.

What does a tenant represent?

This default directory is sometimes referred to as a tenant. A tenant represents the organization and the default directory assigned to it.

What is Azure Data Factory?

This is a cloud service that can be used to perform ETL (extract-transform-load), ELT (extract-load-transform) and data integration projects.
Key components:
- Data set: the source of data (on-premises file server, SQL database server, Azure SQL database server).
- Define a linked service that is used to connect to the data source.
- Then define the activity (ingesting data, cleaning data).
- All these activities run as a pipeline.

What is Azure Data Box?

This is similar to the Azure Import/Export service, but here the device sent to you for storing the data is a Microsoft-provided appliance. Used to transfer LARGE amounts of data.
- Data Box: 100 TB
- Data Box Disk: 8 TB
- Data Box Heavy: 1 PB

How can policy be assigned and are they inherited?

This scope could range from a full subscription down to a resource group. Policy assignments are inherited by all child resources. This inheritance means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment.

What are Azure Dedicated Hosts?

This service provides physical servers to host virtual machines - no other virtual machines from any other customers would be placed on the physical server.

What does the VPN troubleshooter do?

This tool can be used to check the connectivity between on-premise resources and other virtual networks in Azure.

Why might you use virtual network peering?

To connect virtual networks together in the same region or across regions.

Why would you use a custom route in a virtual network?

To control the flow of traffic in your Azure virtual network.

How do you see who connected to your VMs through Bastion?

To generate these logs, you must configure diagnostic settings on Azure Bastion. It can take several hours for the logs to stream to a storage account.

How do you integrate Application Insights with your applications?

To integrate Application Insights with your applications, you set up an Application Insights resource in the Azure portal. You also install an instrumentation package in your application. The package will monitor your application and send log data to the Log Analytics workspace.

Where can NSG be assigned?

To just the NIC of one VM or to the entire subnet (thus affecting all VMs on that subnet).

When would you configure a private DNS zone?

To provide name resolution for virtual machines (VMs) within a virtual network and between virtual networks, create a private DNS zone.

To publish a private DNS zone to your virtual network, you specify the list of ____________ that are allowed to resolve records within the zone.

To publish a private DNS zone to your virtual network, you specify the list of virtual networks that are allowed to resolve records within the zone.

How do you analyze Azure Monitor logs?

To retrieve, consolidate, and analyze data, you specify a query to run in Azure Monitor logs. You write a log query with the Kusto query language, which is also used by Azure Data Explorer.

What are the Network Watcher monitoring tools?

- Topology
- Connection Monitor
- Network Performance Monitor

What is global, cross region load balancing?

Traffic Manager

By default, Azure Monitoring collects host-level metrics (CPU, disk) for all VMs without any additional software. For more insight, you can collect guest-level metrics, logs, and other diagnostic data by using the Azure Diagnostics agent. True or False?

True. To enable it, click on the VM, then under Monitoring select Diagnostics setting and enable guest-level monitoring. Note: you need to pick a storage account.

What are the types of disks for VMs?

Ultra disk, premium SSD, standard SSD and standard HDD

Where can you view costs of resources based on tags?

Under Cost Management + Billing -> Cost analysis -> filter by tag

Where do you add rules to firewall and what are the 3 types?

Under Firewall and Rules. Types are: NAT rule, Network rule and Application rule

From appcluster (Kubernetes service), where do you deploy the service file?

Under Kubernetes resources -> Services and ingresses. Select Add, paste the YAML file, and add. The service is a load balancer.

From appcluster (Kubernetes service), where do you deploy the app file?

Under Kubernetes resources -> Workloads. Select Add, copy the YAML content into the cluster, and add. The app is an nginx container from Docker Hub.

Where do you enable NSG flow logs?

Under Network Watcher, select your Subscription and Resource Group and then select the Network Security Group that you want to look at logs for. Turn on Flow Log. You need a storage account and must set the retention days. Logs are in JSON format. You can also enable Traffic Analytics from here.

How do you save a deployment as an ARM template?

Under Resource Group, click on Automation script and then Download the template.

Where can you find Cost Management?

Under the Subscription and resource group windows, or under the Cost Management + Billing window.

Where do you assign RBAC role in VM?

Under VM, select Access Control (IAM) and then click on Add Role Assignment

What are some diagnostics you can enable?

Under resource settings, you can enable Diagnostics:
- Enable guest-level monitoring
- Performance counters: collect performance data
- Event Logs: enable various event logs
- Crash Dumps: enable or disable
- Sinks: send your diagnostic data to other services for more analysis
- Agent: configure agent settings

Where do you view boot diagnostics?

Under the VM, under the Monitoring section, select Support + Troubleshooting and then select Boot diagnostics.

Where do you define the data type that is logged in Log Analytics Workspace?

Under the Workspace, go to Settings -> Advanced Settings. Click on Data. Under Data, you can decide what to collect (Windows event logs, Windows Performance Counters, Linux Performance Counters, IIS Logs, Custom Fields, Custom Logs).

When creating virtual machines with unmanaged disks, how do you change it to unmanaged?

Under the disks section, Advanced, Use managed disks needs to be set to no. This will create a storage account or you can use an existing one. Be aware of storage performance type for storage account.

What are Availability Zones?

Unique physical locations (in a region) that are equipped with independent power, cooling and networking. There are normally 3 availability zones in a region. This is availability across data centers. If you have 2 or more instances deployed in the same AZ, you will get an SLA of 99.99% for virtual machine connectivity to at least one instance.

What is an update domain?

Update domains are used to group virtual machines and physical hardware that can be rebooted at the same time. You can have up to 20 update domains.

What is Azure AD B2B?

Use Azure AD to invite external users to your tenant. Your organization can then collaborate with external healthcare partner staff members through Azure AD B2B Collaboration. This feature is available for all licensing tiers in Azure AD.

When should you use a virtual network gateway?

Use a virtual network gateway to send encrypted traffic between Azure and on-premises over the internet and to send encrypted traffic between Azure networks. A virtual network gateway contains routing tables and gateway services.

How can you understand the extent of data loss you might experience?

Use last sync time to understand the extent of data loss you might experience. This property shows the most recent point in time that data from your primary region was written to the secondary region. All data written to the primary before this point in time is guaranteed to be available on the secondary. Data written to the primary region after this last sync time might not be available in the secondary region, and might be lost.

Where do you configure disaster recovery?

VM -> Operations -> disaster recovery

What is needed for standard load balancer?

VMs don't have to be part of an availability set, but you can select VMs from the same virtual network.

What does VPN troubleshoot do?

VPN Troubleshoot diagnoses the health of the virtual network gateway or connection.

VPN gateways need a gateway subnet called __________________.

VPN gateways need a gateway subnet called GatewaySubnet

When you design your VPN gateways to connect virtual networks, VPN gateways need a gateway subnet called ____?

VPN gateways need a gateway subnet called GatewaySubnet

What is vertical scaling?

Vertical scaling is the process of adding resources such as memory, CPU power, or disk space to VMs.

When do you use virtual network service endpoints?

Virtual network endpoints extend your private address space in Azure by providing a direct connection to your Azure resources. This connection restricts the flow of traffic: your Azure virtual machines can access your storage account directly from the private address space and deny access from a public virtual machine. As you enable service endpoints, Azure creates routes in the route table to direct this traffic.

At what resource level or scope does an Azure Bastion connection apply to?

Virtual network or peered virtual networks

Azure ExpressRoute enables organizations to extend their on-premises networks into the Microsoft Cloud over a private connection implemented by a connectivity provider.

Virtual network peering

What is virtual network peering and service chaining?

Virtual network peering and service chaining let virtual networks within Azure be connected to one another. With this connection, virtual machines can communicate with each other within the same region or across regions. This communication in turn creates additional routes within the default route table. Service chaining lets you override these routes by creating user-defined routes between peered networks.

What is a network security group (NSG)?

Virtual networks (VNets) are the foundation of the Azure networking model and provide isolation and protection. Network security groups (NSGs) are the primary tool you use to enforce and control network traffic rules at the networking level. NSGs are an optional security layer that provides a software firewall by filtering inbound and outbound traffic on the VNet.

If you're importing data into Azure Storage, your data must be written to disk in a specific format. Use the _________ drive preparation tool to do this. This tool checks a drive and prepares a journal file that's then used by an import job when data is being imported into Azure.

WAImportExport
- Prepares disk drives to be shipped to the Azure datacenter.
- Formats the drive and checks it for errors before data is copied to the disks.
- Encrypts the data on the drive.
- Quickly scans the data and determines how many physical drives are required to hold the data being transferred.
- Creates the journal files that are used for import and export operations.
A journal file contains information about the drive serial number, encryption key, and storage account. Each drive you prepare with the Azure Import/Export tool has a single journal file.

What are guest level metrics?

What the operating system sees.

What is the next hop tool?

When a VM sends a packet to a destination, it might take multiple hops in its journey. For example, if the destination is a VM in a different virtual network, the next hop might be the virtual network gateway that routes the packet to the destination VM.

For a key vault used for disk encryption, what must you enable?

When creating the key vault, under access policy, select Azure Disk Encryption for volume encryption. The following permissions are required: Decrypt, Encrypt, Unwrap Key, Wrap Key, Verify, Sign

Will there be data loss on replication failover?

When you fail over your account, you'll have some data loss. This loss happens because your data is copied asynchronously. When data is copied in this way, there's always a delay before it's copied from the primary region and written to the secondary. It might be that your most recent writes haven't been copied to your secondary region yet, before your primary failed. Also, when you start a failover, data in your primary region is lost. Any data that wasn't written to the secondary before you started the failover is also lost.

Where do you create an ExpressRoute circuit and peering?

When you're using the Azure portal, select Create a resource > Networking > ExpressRoute. The Create ExpressRoute circuit page

While the Basic Load Balancer is scoped to an _____________, the Standard Load Balancer is scoped to the ________________?

While the Basic Load Balancer is scoped to an availability set, the Standard Load Balancer is scoped to the entire virtual network.

What would you use a Load Balancer for?

With Azure Load Balancer, you can spread user requests across multiple virtual machines or other services. That way, you can scale the app to larger sizes than a single virtual machine can support, and you ensure that users get service, even when a virtual machine fails. Azure Load Balancer is a service you can use to distribute traffic across multiple virtual machines. Use Load Balancer to scale applications and create high availability for your virtual machines and services. Load balancers use a hash-based distribution algorithm.

What is RA-GRS?

With GRS, your secondary region isn't available for read access until the primary region fails. If you want to read from the secondary region, even if the primary region hasn't failed, use RA-GRS for your replication type.

What is geographically redundant storage?

With geographically redundant storage (GRS), your data is copied three times within one region, and three times in a secondary region that's paired with it. This way, if your primary region is experiencing an outage, your secondary region is available for use.

Can you share disks?

Yes, you need to select the correct premium or ultra SSD that has the max shares option.

Is the Microsoft Monitoring agent the same as the Log Analytics agent?

Yes.

Can you use a policy to enforce naming conventions?

Yes. You could also use policy to enforce naming conventions. If your organization has standardized on specific naming conventions, using policy to enforce the conventions helps us to keep a consistent naming standard across your Azure resources.

What is a jump server?

You add a VM to your virtual network. Enable a public IP. From your client, RDP to the jump server and then RDP to other servers in the subnet by using their private IPs. You are managing it.

How do you install the Azure Diagnostics extension when you create a Linux or Windows VM?

You can add the extension for Linux or Windows when you create the VM in Azure. In the Monitoring section, you set OS guest diagnostics to On.

What is Azure AD B2C?

You can also use Azure AD B2C to manage your customers' identities and access. Your doctors' accounts should have protected access to resources and services. Use Azure AD B2C to securely authenticate the doctors through their preferred identity providers. This feature is available on a pay-as-you-go basis.

What can live migration be used for?

You can also use live migration to migrate your data to an account that uses ZRS, GZRS, or RA-GZRS. Use live migration to avoid downtime or data loss. The duration of your live migration generally depends on the amount of data in your account. Live migrations are done by creating an Azure support request in the Azure portal.

Can Azure Policy be used with Azure DevOps?

You can even integrate Azure Policy with Azure DevOps, by applying any continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications.

How do you connect virtual networks?

You can link virtual networks together using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, allowing you to create a global interconnected network through Azure.

What is a NSG default tag?

You can select Service Tag as a source rule and then select any of the source service tags that Azure has available, such as AzureLoadBalancer.

What is Azure Files?

You can think of Azure Files as a standard file share, hosted on Azure, that you can access with the industry standard SMB protocol. You can mount or connect to an Azure file share at the same time on all the main operating systems.

Azure CLI command to install IIS on a VM called BackendVM?

az vm extension set \
  --publisher Microsoft.Compute \
  --name CustomScriptExtension \
  --vm-name BackendVM \
  --resource-group $RG \
  --settings '{"commandToExecute":"powershell.exe Install-WindowsFeature -Name Web-Server"}' \
  --no-wait

How to access internal VM using Bastion.

You can use Azure Bastion to easily open an RDP or SSH session from the Azure portal to a VM that's not publicly exposed. Azure Bastion connects to your virtual machines over private IP. You don't have to expose RDP ports, SSH ports, or public IP addresses for your internal VMs. Because Azure Bastion is a fully managed platform as a service (PaaS) service, you don't need to apply any network security groups to the Azure Bastion subnet.

What are Service Endpoints?

You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks, thereby improving security and providing optimal routing between resources.

When would you use Azure ExpressRoute?

You can use the Azure ExpressRoute service to extend your on-premises networks into the Microsoft cloud. Connections are made over a private high-bandwidth connection. The ExpressRoute service provides a secure and reliable way to connect your on-premises network directly to Azure.

What is the VPN troubleshoot tool?

You can use the VPN troubleshoot tool to diagnose problems with virtual network gateway connections. This tool runs diagnostics on a virtual network gateway connection and returns a health diagnosis.

To create an RBAC role assignment, you need these three elements:

You control access to resources using RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as "who", "what", and "where".

What is generalization?

You must reset these items back to a default state before you use the image to create more virtual machines. Otherwise, you might end up with multiple virtual machines that have the same identities. The process of resetting this data is called generalization, and the result is a generalized image.

What are Dynamic Groups?

You need Azure AD Premium licenses. Dynamic groups allow users to be allocated to a group automatically based on attributes of the user or attributes of a device. The two have to be separate, though: you can't use user and device attributes together.

What do you need for site to site recovery?

You need a cache storage account where the continuous replication occurs and then is sent to disk storage in the target region.

How to connect storage explorer to Azure?

You need two permissions to access your Azure storage account: management and data. However, you can use Storage Explorer with only the data-layer permission. The data layer requires the user to be granted, at a minimum, a read data role. The nature of the read/write role should be specific to the type of data stored in the storage account. The data layer is used to access blobs, containers, and other data resources. The management role grants access to see lists of your various storage accounts, containers, and service endpoints.

What is Azure Application Insights?

You use Azure Application Insights to monitor and manage the performance of your applications. Application Insights automatically gathers information related to performance, errors, and exceptions in applications. You also use Application Insights to diagnose what has caused the problems that affect an application.

What is Azure Sentinel?

You use Azure Sentinel to collect data on the devices, users, infrastructure, and applications across your enterprise. Built-in threat intelligence for detection and investigation can help reduce false positives. Use Sentinel to proactively hunt for threats and anomalies, and respond by using orchestration and automation.

What is the connection troubleshoot tool?

You use the connection troubleshoot tool to check TCP connectivity between a source and destination VM. You can specify the destination VM by using an FQDN, a URI, or an IP address.

What is the packet capture tool?

You use the packet capture tool to record all of the packets sent to and from a VM. You'll then review the captured packets to gather statistics about network traffic or diagnose anomalies, such as unexpected network traffic on a private virtual network.

In order to ensure that Microsoft Azure DNS can resolve names for your registered domain, you should use:

Zone delegation

Using Azure CLI, how would you list VM images?

az vm image list --output table

How to use the Azure CLI to resize a VM?

az vm resize \
  --resource-group learn-40dac50a-a537-41c1-8e71-d48af2520849 \
  --name SampleVM \
  --size Standard_D2s_v3

Azure CLI command to add a new user?

az ad user create

How do you create a new Kubernetes cluster via command line?

az aks create --resource-group kubernetes --name companycluster --node-count 1 --enable-addons monitoring --generate-ssh-keys

Azure CLI: how to enable backups?

az backup protection enable-for-vm \
  --resource-group vmbackups \
  --vault-name azure-backup \
  --vm NW-APP01 \
  --policy-name DefaultPolicy

Azure CLI command to validate and deploy a template?

az deployment group validate \
  --resource-group $RESOURCEGROUP \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json" \
  --parameters adminUsername=$USERNAME \
  --parameters adminPassword=$PASSWORD \
  --parameters dnsLabelPrefix=$DNS_LABEL_PREFIX
and then az deployment group create

Azure CLI - find the most popular commands related to the word blob?

az find blob

What's the command to create an application gateway?

az network application-gateway create \
  --resource-group $RG \
  --name vehicleAppGateway \
  --sku WAF_v2 \
  --capacity 2 \
  --vnet-name vehicleAppVnet \
  --subnet appGatewaySubnet \
  --public-ip-address appGatewayPublicIp \
  --http-settings-protocol Http \
  --http-settings-port 8080 \
  --private-ip-address 10.0.0.4 \
  --frontend-port 8080

Command to add an App Service application gateway probe.

az network application-gateway probe create \
  --resource-group $RG \
  --gateway-name vehicleAppGateway \
  --name customProbe \
  --path / \
  --interval 15 \
  --threshold 3 \
  --timeout 10 \
  --protocol Http \
  --host-name-from-http-settings true

Azure CLI command to create a route table?

az network route-table create \
  --name publictable \
  --resource-group learn-bdeebc18-3812-4ff4-999b-fca039afe778 \
  --disable-bgp-route-propagation false

What is the command to confirm the virtual network configuration?

az network vnet list --output table

Azure CLI command to show all subnets in the vnet virtual network?

az network vnet subnet list \
  --resource-group learn-bdeebc18-3812-4ff4-999b-fca039afe778 \
  --vnet-name vnet \
  --output table

CLI command to associate the route table with the public subnet?

az network vnet subnet update \
  --name publicsubnet \
  --vnet-name vnet \
  --resource-group learn-bdeebc18-3812-4ff4-999b-fca039afe778 \
  --route-table publictable

Azure CLI command to create a virtual network gateway?

az network vnet-gateway create \
  --resource-group learn-ea1d15bf-ff95-4ec1-8802-3ba06e09a440 \
  --name VNG-Azure-VNet-1 \
  --public-ip-address PIP-VNG-Azure-VNet-1 \
  --vnet Azure-VNet-1 \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1 \
  --no-wait

How do you call a specific Azure REST method using Azure CLI?

az rest --method post --uri <enter the correct REST operation URI here>

The following command allows you to see who's assigned to the custom role you've created in Azure CLI:

az role assignment list --role "Virtual Machine Operator"

Azure CLI command to create a custom role from your JSON file?

az role definition create --role-definition vm-operator-role.json

The following command returns the permissions for the built-in role Virtual Machine Contributor.

az role definition list --name "Virtual Machine Contributor" --output json | jq '.[] | .permissions[0].actions'

az command to create a storage account?

az storage account create \
  --name <name> \
  --resource-group <learn-resource-group> \
  --location eastus \
  --sku Standard_LRS

How to upload a blob to an azure storage container via command line?

az storage blob upload

Create a VM using Azure CLI?

az vm create \
  --resource-group TestResourceGroup \
  --name test-wp1-eus-vm \
  --image win2016datacenter \
  --admin-username jonc \
  --admin-password aReallyGoodPasswordHere

What is Azure CLI command to deploy the network virtual appliance?

az vm create \
  --resource-group learn-bdeebc18-3812-4ff4-999b-fca039afe778 \
  --name nva \
  --vnet-name vnet \
  --subnet dmzsubnet \
  --image UbuntuLTS \
  --admin-username azureuser \
  --admin-password <password>

What is the az command to enable encryption on a VM called keyvm with a key vault of demovault9080?

az vm encryption enable -g azuredemo --name keyvm --disk-encryption-keyvault demovault9080
This encrypts the C drive and also the temp drive. You can selectively encrypt drives as well.

How to stop your VM with Azure CLI?

az vm stop \
  --name SampleVM \
  --resource-group learn-40dac50a-a537-41c1-8e71-d48af2520849
Then to check status:
az vm get-instance-view \
  --name SampleVM \
  --resource-group learn-40dac50a-a537-41c1-8e71-d48af2520849 \
  --query "instanceView.statuses[?starts_with(code, 'PowerState/')].displayStatus" -o tsv

AZ command to create a scale set?

az vmss create

What command would you run to copy all blobs, directories, and containers in your storage account to another one?

azcopy copy 'https://<source-storage-account-name>.blob.core.windows.net/?<your-SAS-token>' 'https://<destination-storage-account-name>.blob.core.windows.net/' --recursive

What are the App Service Plan Pricing Tiers for the dedicated computer resources?

Basic, Standard, Premium, Isolated

What port is required for the network performance monitoring agent to be opened on the NSG?

Port 8404. You also need to run the EnableRules.ps1 file. It opens the firewall ports on the computers so that the network performance monitor agents on them are able to talk to each other.

What's a scenario where you would use management groups?

provide user access to multiple subscriptions. By moving many subscriptions under that management group, you can create one role-based access control (RBAC) assignment on the management group that will allow that access to all the subscriptions. One assignment on the management group can enable users to have access to everything they need instead of scripting RBAC rules over different subscriptions.

Azure Web App is a _____ service.

public

What are Azure role-based access control (RBAC) roles used for?

roles are used to manage access to virtual machines, storage, and other Azure resources.

What is SSPR?

Self-service password reset. With SSPR, users can reset their passwords in a web browser or from a Windows sign-in screen to regain access to Azure, Microsoft 365, and any other application that uses Azure AD for authentication.

What is the five-tuple composed of?

source IP, source port, destination IP, destination port, and protocol type.

What are the docker container benefits?

speed, portability, efficiency

What are the two types of load balancers?

standard and basic

To get a full set of metrics, what two tools do you need to install on a VM?

The Azure Diagnostics extension and the Log Analytics agent. Both tools are available for Windows and Linux. The tools need a storage account to save the data that they collect. After you've installed the tools, you can access near real-time metric alerts.

What are Azure AD roles used for?

to manage access to Azure AD resources, such as user accounts and passwords.

What does IP Flow Verify do?

IP flow verify checks if a packet is allowed or denied to or from a virtual machine based on 5-tuple information. The security group decision and the name of the rule that denied the packet are returned.

How are Azure File Storage shares accessed?

via the Server Message Block (SMB) protocol

Resource Manager template can contain the following sections:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "",
  "parameters": { },
  "variables": { },
  "functions": [ ],
  "resources": [ ],
  "outputs": { }
}

