AZ-900 Overview
What is a Security Principal?
aka IDENTITY. An Azure object that can be assigned to a role (ex: users, groups, or apps). In a Role Assignment it is: "Who can do it".
Fault Tolerance is ___
the ability to maintain system uptime, despite any physical component failures or service component failures.
Agility is ___
the ability to react (scale) quickly.
Scalability is ___
the ability to scale (adding or removing resources). Note: scaling up vs scaling out.
Elasticity is ___
the ability to scale dynamically (Automatic Scaling, basically).
What is DevOps? (the term, not the service)
the combination of Development & Operations. It aims to make development FASTER and higher QUALITY. CI/CD is the "faster" part: it shortens the development life cycle. CI/CD = Continuous Integration / Continuous Delivery (aka Continuous Deployment).
Define Composite SLA
the combined SLA of all components in your App.
Disaster Recovery is ___ . Give an Example.
the design principle that allows a system to recover from disasters. ex: Creating two copies of the same application in 2 separate Azure regions, then setting up replication between them. DNS routing is then set up to re-route in the event of a disaster.
Azure Policy
They ARE inherited. Designed to help with RESOURCE governance, security, compliance, cost management, etc. An INITIATIVE is a group of policies. A Policy DEFINITION defines what should happen (a simple if/else: condition -> effect). A Policy Exclusion also exists, to exclude a resource from a Policy Assignment. Focuses on RESOURCE PROPERTIES.
Resource Tags (details)
They are NOT inherited (a tag placed on a Resource Group will NOT be applied to the Resources within). They are a simple Name & Value pair. In addition to being used for resource governance, organization, security, etc., they can also be used for automation (shutdown scheduling, script running, etc.). They are used for: Resources, Resource Groups, and Subscriptions. They are unique within a scope, meaning you can have exactly 1 VALUE per NAME per resource/scope.
Regions are described as ___
"A set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network." A geographical area with ONE OR MORE data centers. ALL Regions have exactly ONE Region Pair. Government regions = USA. Partnered regions = China. Data centers are connected with a low-latency network (<2 milliseconds) between them.
What controls Access and Management of Resources & Resource Groups? (centralized management layer)
Azure Resource Manager (ARM) is a centralized Management Layer for all Resources & Resource Groups. Same unified language. Also checks & stores Azure AD privileges.
What is Security and Governance? (and manageability by extension)
(The same hierarchy applies when considering Scope:) Management Group > Subscription > Resource Groups > Resources. Security and Governance is the consideration of how that hierarchy is managed by these 4 things: Policy (Rules and Actions), RBAC (Roles and Assignments), Inheritance (of policy, roles, etc.), Budget (Actual use vs Forecast). * PRIB = acronym
What is Azure File Sync? What is Cloud Tiering?
(One of the Data Movement and Migration services, ONLINE.) An 'Azure Files' service for moving and synchronizing files across multiple SMB file shares using endpoints. Can use CLOUD TIERING to OFFLOAD responsibility for certain files to other SMB file shares.
What is Azure Storage Explorer?
(One of the Data Movement and Migration services, ONLINE.) A visual 'Explorer' interface for interacting with BLOB storage (other storage too, though).
What is Azure Migrate?
(One of the Data Movement and Migration services, ONLINE.) Assesses & recommends a file migration solution (VMs / DBs).
What is Azure Copy? (Az Copy)
(One of the Data Movement and Migration services, ONLINE.) Used for AUTOMATION of file transfers/copying/syncing. Also useful for transferring files from other cloud services (AWS, etc.).
What are examples of Reliability?
- Auto healing from failures. - Redundancy with duplicate storage. - Auto scaling. - SLA guarantees. - Design for failure (multi-region, etc). - Monitoring (Monitor, Insights, etc).
DEFINE the LAST 2 Stages of Cloud Adoption Framework
- Govern - ensure the environment will be compliant, controlled, and secure. - Manage - manage ongoing operations & optimization of the environment. *These "supporting" stages technically begin at stage 1, encompassing the entire Cloud Adoption Framework.
DEFINE the 3 MAIN Stages of Cloud Adoption Framework (the 3 key stages)
- Plan - Create an actionable plan based on current digital assets (Five R's of Rationalization). - Ready - Prepare the Azure environment (Azure Landing Zone is the provided starting point). - Adopt - Implement the plan by either Migrating, Innovating, or both.
What are examples of Predictability?
- Predefined SKUs, behavior. - Using Templates. - Using Automation. - Using DevOps. Automation is key.
What are the Stages of Cloud Adoption Framework?
- Strategy - Plan* - Ready* - Adopt* - Govern - Manage. Mnemonic: Stupid People Really Anger GM's. *3 main/key stages
DEFINE the FIRST Stage of Cloud Adoption Framework
- Strategy - Business justifications & outcomes (ROI)
Service Lifecycle
1. Public Preview - (no SLA, not for production). 2. General Availability (GA) - something is "GA'd" when it gets a 'production' release.
What are the 4 Data Movement and Migration services that are considered ONLINE?
1. Azure File Sync - SMB synchronizing. 2. Azure Storage Explorer - visual Blob interface. 3. Az Copy - automation + cross-cloud (AWS). 4. Azure Migrate - assess/recommend migration advice. Mnemonic: FileSync StorageExplorer Copy Migrate
Describe Zero Trust (3 rules) plus solution?
1. Verify Explicitly - (always verify access). 2. Least Privilege - (only JUST enough permissions given). 3. Assume Breach - (minimize blast radius; assume anything you connect with could be compromised). Solution: Conditional Access. Mnemonic: VeLpAb / VELPAB
How can you connect multiple Virtual Networks?
2 options: VNet Peering or VPN Gateway (the latter is typically for tunneling to on-prem, though).
Types of Data
3 types: Structured - tables defined by a Schema (SQL/Relational). Semi-Structured - tables defined by Keys (NoSQL/Non-relational). Unstructured - (png, exe, txt, mov) aka BLOBs.
What are the IoT Services and what do they do?
Azure IoT Hub - A managed service that connects IoT devices and lets you BUILD IoT Apps. (PaaS) Azure IoT Central - A managed service that connects IoT devices and provides already-built Apps (Templates). (SaaS) Azure Sphere - An IoT Security solution. Provides a central hub for updates pushed by devs & Microsoft. (Sphere is just software, not an IaaS/PaaS/SaaS service.) Additionally, there is IoT Edge, which is a solution for reducing data sent to the cloud and speeding up event responses.
What Azure service correlates Events from multiple resources into a centralized repository?
Azure Log Analytics
Describe Azure Monitor. What are Log Analytics, Alerts, and Application Insights?
Azure Monitor is a central hub for managing logs and alert rules across multiple subscriptions. Log Analytics - correlates Events from multiple resources into a centralized repository. Alerts - alert rules can trigger Action rules, which can send SMS/email/etc. alerts (action groups). App Insights - gives CURATED views about things you should care about.
What is ARM?
Azure Resource Manager - The centralized management layer for controlling access and management of all resources.
Where does Azure Advisor get its security recommendations from?
Azure Security Center / Microsoft Defender. ALSO CALLED MICROSOFT DEFENDER. THEY ARE THE SAME THING (rebranded 2022).
What service is an example of on-prem site/disaster recovery?
Azure Site Recovery.
What is Azure Storage Account? List all 5 storage data types.
Azure Storage Account contains all of your Azure Storage data objects, including: blobs, queues, file shares, tables, and disks. Blob Storage (container), Queue Storage (asynchronous / FIFO), File Storage (on-prem or Lift & Shift) [IS PaaS] !!!, Table Storage (semi-structured), Disk Storage (emulated disk). Mnemonic: BQFTD = Bob Queued For The Disco. EXTREMELY scalable, durable (11 to 16 nines), and cheap. Storage Accounts are IaaS. Data automatically has 3 copies in an Azure Storage Account.
What are the main Azure Management tools?
Azure Portal - (it's the generic website for managing everything) the simplest management tool, easiest to learn. Azure PowerShell - CLI access, good for AUTOMATION. *It is also CROSS-PLATFORM, so macOS can even run this... Azure CLI - Linux terminal (Bash) alternative to PowerShell, good for AUTOMATION, based on Python. CANNOT USE POWERSHELL. Azure Cloud Shell - a VIRTUAL/cloud-based environment alternative for accessing Azure PowerShell and Azure CLI (aka you can use both PowerShell AND Bash through Cloud Shell).
What is Blob storage
Binary Large OBject - any kind of file. aka unstructured data, but any file can technically be considered a Blob.
Azure DevOps main (5) services include:
Boards - track work/development. Repos - version history with Git. Artifacts - manage deliverables. Pipelines - build CI/CD workflows. Test Plans - testing service. BRAPT = acronym
Describe Azure VMs VS VM Scale Sets
Both are IaaS. VM Scale Sets are a set of identical VMs that work together and automatically scale. VMs are best for custom software or Lift-and-Shift scenarios. VM Scale Sets are best for processing web services, batch processing, etc.
Azure Table Storage VS Azure Cosmos DB
Both are: NoSQL, Non-relational, Semi-Structured. Main difference: - Cosmos DB replicates across many Geographies. - Azure Table Storage is for High Capacity in a single region. Cosmos DB is better at everything else (speed, latency, etc.).
CapEx vs OpEx
Capital Expenditure is the upfront, high-maintenance acquisition of infrastructure (on-prem). Operational Expenditure has no upfront cost, has low maintenance, and its cost is based on usage (cloud).
What is Serverless computing?
Cloud-hosted execution environment that allows you to run your apps in the cloud via their infrastructure (which they manage/scale/etc.), not yours. In other words, management of servers is ABSTRACTED from the customer.
Define Hybrid Cloud
Combines both public & private cloud. Flexible. Can use existing infrastructure and meet security compliance requirements. Can run legacy software (like private). Most flexible option. Can be expensive. Is more complicated for IT personnel to manage than even Private cloud.
What is the primary service Azure AD uses for Authentication & Authorizations rules?
Conditional Access -- OR Microsoft Entra. (This is part of Entra now, is all.)
What IS a container? (concept to understand)
Containers are a way to distribute an immutable (unchangeable) image of your app to a repository, which distributes it out to the world. This is a lightweight and stable solution for making sure your apps deploy the same way every time.
Azure DevTest Labs
PaaS. A sandbox environment for devs/testers allowing quick setups of VMs with templates for testing via automation. Does NOT provide "continuous deployment" aka CI/CD; instead it provides Quality through testing.
Describe AKS (Azure Kubernetes Service)
PaaS. An open-source container orchestration platform for running MULTIPLE CONTAINERS. Uses a Load Balancer.
What is Azure App Service?
PaaS. An enterprise-grade service for creating WEB APPLICATIONS that supports many languages.
What are Azure Container Instances?
PaaS. Easiest way to run a container in Azure. It is a service for running Serverless Containers in Azure.
Azure Key Vault, what 3 things are stored.
PaaS. For securing sensitive information (3 types): Encryption Keys - for encrypting / decrypting drives in Azure (which are encrypted by default). Secrets - store credentials for apps, so that they can access SQL (for example). Certificates - used to encrypt traffic from your app to users over the web; can also be used for authentication, and many other uses. Highly integrated, centralized, and has monitoring & logging.
What is Azure Functions (Function Apps)?
PaaS. Great for tiny services (only a few lines of code). Serverless Function as a Service.
What are Logic Apps?
PaaS. Serverless. A No-Code, visual-interface solution for automating business processes and integrating workflows for apps, data, services, etc. 200+ connectors (triggers) for popular services.
Azure Firewall
PaaS, or Firewall as a Service. Supports FQDN (Fully Qualified Domain Name - microsoft.com, etc.). High Availability, High Scalability. Azure Monitor integration for logging & analytics. Blocks ALL traffic by default.
If you are migrating a web app to azure, but want minimal administrative effort, which type of service should you use to do this? (IaaS, PaaS, SaaS, or DBaaS)
PaaS. It is not SaaS, because SaaS is not for WEB apps; it is for regular Apps. Additionally, the keyword here is MIGRATION, which would not be suited to SaaS either.
Azure SQL Database is an example of? (IaaS VS PaaS VS SaaS)
PaaS. Microsoft manages the SQL platform, but you still manage the database. Explanation: Azure SQL or SQL Managed Instances are usually referred to as PaaS, i.e. Platform as a Service, somewhere between IaaS (where you have access to the OS) and SaaS (where you only have access to the front-end). PaaS gives you access to the DB platform, without access to the underlying OS.
What IS Conditional Access?
Part of Azure AD. Setting conditions via Policies to (Authorize) Block or Grant access to Apps. ex: require MFA, require password change, etc. Can set the requirement to meet one or ALL conditions.
What are the different types of VPN gateways and their use-cases?
Point-to-Site - REMOTE access to vNet. Site-to-Site - on-prem access to vNet, but encrypted over the internet. ExpressRoute - PRIVATE connection between your on-prem environment and Azure datacenters (not over the internet).
Azure Policy VS RBAC
Policies focus on RESOURCE PROPERTIES. RBAC focuses on USER ACTIONS (user roles).
What 4 things manage Security and Governance within the Hierarchy of a Management Group?
Policy - (Rules and Actions). RBAC - (Roles and Assignments). Inheritance - (of policy, roles, etc.). Budget - (Actual use vs Forecast). * PRIB = acronym
Enabling Azure Policy on an entire Azure Subscription is done by creating a new _____.
Policy Assignment
What are these examples of? - Predefined SKUs, behavior. - Using Templates. - Using Automation. - Using DevOps.
Predictability. * "Automation is key."
What are Spot VMs?
Super cheap capacity for stop & resume projects. Takes advantage of spare capacity on Azure. [COST REDUCTION]
What characteristics of data would make it Big Data?
ANY one of 3 characteristics: Velocity - how fast the data is arriving (batches vs real time). Volume - how much data (MB vs TB). Variety - how structured the data is (tables = easy vs videos = hard).
What is the preferred way for provisioning Resources through ARM?
ARM JSON Templates - they are declarative (say what you want and you get it). Bicep is a more user-friendly means of creating an ARM JSON Template, however.
ASG - Application Security Groups
ASGs logically GROUP resources in a vNet, allowing policy to be applied to them without manually managing explicit IP addresses.
What are the 5 key benefits of the cloud? Plus the new ones for 2023?
Agility, High Availability, Disaster Recovery, Scalability, Elasticity, Reliability, Predictability, Security & Governance, Manageability.
Region pairs are described as ___
A pair of (two) regions at least 300 miles apart, within the same Geography (except Brazil), which cannot be chosen (static). Updates roll out across pairs one at a time. ALL Regions have exactly ONE Region Pair.
Data Centers are described as ____
A physical facility that hosts groups of networked servers, with their own power, cooling, and networking infrastructure.
What is (the concept of) Cloud Adoption Framework? What is the Acronym?
A set of tools, best practices, guidelines, and documentation for helping companies adopt the Cloud. Acronym mnemonic: Stupid People Really Anger GM's
What are the 3 Big-Data Services and their features? Plus a bonus one...
All are PaaS. Azure Synapse Analytics - uses MPP (Massively Parallel Processing). Data analytics platform with Apache Spark (data transformation), Synapse SQL (DB), and Pipelines (visual workflows). Azure HDInsight - FLEXIBLE platform that provides OPEN-SOURCE analytic services. Uses CLUSTERS. Azure Databricks - Apache Spark based workspace. Data Lake - is also a thing... can do massively parallel too...
What are the Basic features [FREE] provided for Microsoft Defender?
All resources get CSPM (Cloud Security Posture Management), which is a package containing: secure score, security policy and basic recommendations, and network security assessment.
What is Time Series Insights?
An analytics, storage, and visualization Service for exploring and analyzing billions of IoT events simultaneously.
What are compute services?
Any service used to run a cloud-based Application.
What is Azure Arc?
Arc extends the control plane of Azure (ARM) to services outside of Azure (to on-prem, or other clouds). Must be an Arc-enabled server to allow this extension of ARM. Can also be used for extending Arc-enabled: Kubernetes, Logic Apps, Machine Learning, etc. Think of it as a Hybrid Cloud solution for extending Azure capabilities.
What are Artifacts?
Artifacts are anything you want to distribute. As they relate to Blueprints, they are pre-configured Azure components that will deploy the same way every time. For Blueprints, these are: - Resource Groups - ARM Templates - Policy Assignments - Role Assignments
What is Economies of Scale?
As a company (or cloud) grows, it becomes more efficient & competitive in its pricing (cheaper).
At what level of a virtual network is an NSG applied?
At both the Subnet level and the vNIC level. NOT the entire vNet level.
How is Multi-Factor Authentication described?
Authentication using MORE THAN ONE factor (evidence) to prove IDENTITY. Knowledge - "something you know" (password, PIN). Possession - "something you have" (phone, etc.). Physical characteristic - "something you are" (fingerprint). Location - "someWHERE you are" (GPS). Azure AD supports all of these. Something you Know, Have, Are, and ...Where?
Azure Marketplace
Azure "Shop" or "Store". First- and third-party products. IaaS, PaaS, SaaS services. Templates available (unlike AppSource, which doesn't have TEMPLATES for Azure). Commercial marketplace for devs and IT pros, so not the same as Microsoft AppSource, which has EVERYTHING, not just targeted items.
What is AAD Identity Protection?
Azure Active Directory Identity Protection - identifies risks (such as unfamiliar IP addresses/sign-in properties, etc.) and prompts users (to change their password automatically, for example). Also allows for conditional MFA requirements.
Azure Blueprints
Azure Blueprints itself (the service) is a centralized repository of blueprints. A blueprint is a reusable package containing Azure components (Artifacts) that are pre-configured, allowing you to DEPLOY APPS using a consistent environment. The package contains (these Artifacts): - Resource Groups - ARM Templates - Policy Assignments - Role Assignments
What are the OFFLINE data movement & migration options for Azure?
Azure Data Box - for SHIPPING physical storage to the cloud (3 sub-options): Disk - encrypted disks shipped to you & you send them back to Azure. Box - a box is shipped to you (80 TB). Box Heavy - a box is shipped to you (770 TB).
What is an example of a CDN? (Content Delivery Network) / Global Load Balancer.
Azure Front Door (HTTP, global LOAD BALANCER); also Azure Traffic Manager (the non-HTTP version of Front Door).
What are the 3 main Serverless services to remember?
Azure Functions - nano code. Azure Logic Apps - No-Code visual automation. Azure Event Grid - event-driven message routing.
What are External Identities & Guest Access in Azure?
External Identities - uses B2B to invite outside people (Guests) to your AAD environment. Additionally, allows for inviting Guests to AAD B2C (a separate environment from your AAD). Uses self-service signups.
Azure Cosmos DB
FAST and GLOBAL NoSQL table storage using replication! Semi-Structured (NoSQL) (Schema-less) aka Non-relational. Cosmos DB's main benefit is being able to replicate across many Geographies. Read AND Write globally with low latency (under 10 ms). Tables are called "Collections". Can also be offered as a SERVERLESS version too.
What is NSG? What are the 5 Rules NSG(Network Security Group)s filter by? What do NSG NOT offer (that Azure Firewall does)?
NSGs FILTER traffic to/from Resources in a vNet using Rules. Rules are created by specifying: Source/Destination (IP, etc.), Protocol (TCP, UDP, etc.), Port (or port ranges), Direction (inbound or outbound), Priority (order of rule priority). S/D PPDP = acronym. Does not offer FQDN*; use Azure Firewall for that. *Fully Qualified Domain Name
Can Subnets be nested on a VNet?
No, Virtual Subnets can't be nested.
Do all Azure regions have Availability Zones?
No, only certain Azure Regions have Availability Zones.
Can an Azure Subscription have multiple Account Administrators?
No, only one.
Service Trust Portal -VS- Azure Service Health
Service Trust Portal is the public website that provides compliance documentation and audit reports. Azure Service Health is a portal for displaying known service issues, planned maintenance, and advice + updates on health & security. Includes detailed logs. Allows for enabling alerts for these features.
What are SKUs in azure?
Stock Keeping Units (SKUs) are the various forms a service can come in: Basic, Standard, etc.
What is Azure Queue Storage?
Storage for small pieces of data ("messages"), for scalable asynchronous processing. When building apps, you can offload small tasks (messages) onto Azure Queue, to allow them to be processed asynchronously (one at a time) by other services. This frees up your front-end app, while letting you pick optimal background services for each task (message).
Azure SQL Database
Structured (Schemas + Relational). PaaS or DBaaS. Main benefit: rich query capabilities (SQL), but also fast, reliable, fully managed, secure.
What is Access Management? What is an example of an Access Management service?
The management of how Authorization is accomplished. "The process of controlling, verifying, tracking, and managing access to authorized users and apps." ex: Azure AD - manages this for all Azure services.
What is Authorization?
The process of requesting & granting ACCESS to services.
What are the Blob Storage Tiers?
There are 3: Hot - frequently accessed data. Cool - infrequently accessed data. Archive - rarely (if ever) accessed data. They are priced from high frequency to low.
What happens to the resources inside a Resource Group after you've deleted it?
They also get deleted.
What are public & private Endpoints?
They are a NIC (Network Interface) that connects you directly to an Azure PaaS SERVICE (powered by Azure Private Link). Public - from outside the network. Private - from inside the network only. Service Endpoints are made for authorizing a Service, allowing traffic to an Endpoint.
What is the purpose of Tags?
To provide metadata, for supplying additional identification to resources.
Tiers of DDoS Protection in Azure:
Two tiers: Basic - automatically enabled for the entire Azure platform (BY DEFAULT, all Azure services are already protected) (for free). Standard - additional mitigation & monitoring capabilities for Azure VNet resources. Also uses machine learning. (Not free; obtained from the marketplace.)
Factors that influence (increase) cost. (lots, but generally think of as many as possible)
Type (of resource: VM/disk/etc.), SKU (standard/premium/etc.), Tier (hot/cool/archive/etc.), Size, Location (some regions are cheaper), Metered (aka accrued) costs such as: - Exist (is it provisioned) - Running (or is it off) - Instance (how many) - Work - Serverless (only paying for work) - Storage (how much used vs how much provisioned) - Interactions - Licensing
UDR - User-Defined Routes
UDRs allow for the creation of custom routes (across VNet subnets WITHIN a single VNet), complete with a ROUTE TABLE (resource for management). These can override Azure default routing (which is set up automatically) OR be added on top of it. This is useful if, for example, you want all traffic to route first through a specific firewall-enabled server before rerouting elsewhere in the network.
Containers vs VM
VMs are about virtualizing hardware; Containers are about virtualizing software. (Emulation) Containers virtualize the Host's OS across multiple containers, whereas VMs emulate hardware and must install an additional OS onto each. (Lightweight) Containers are lightweight (no OS), less maintenance, fewer requirements. PaaS vs IaaS.
What is a vNIC?
Virtual Network Interface. A virtual connection between a VM and a vNet. Required for VMs to establish connectivity.
What is Local Network gateway?
When connecting on-prem to an Azure vNet, the Local Network Gateway is used to tell the VPN gateway about its connection, including what the peer IP address ranges will be.
What is Identity?
Who you are. Azure AD - manages this for all Azure services
What platforms must you be on to join an AAD? How many managed domains does a single AAD support?
Windows 10 or 11. No mobile, no Mac, etc. Nada... Only ONE managed domain can exist in a single AAD.
Can you enable Azure AD DS in an Azure Resource Manager vNet?
Yes. Azure vNets are no longer available after you create a managed domain, however.
Describe the consumption-based model
You only pay for resources as you use them. aka the Pay-As-You-Go rate.
What are the two service categories of Availability Zones?
Zonal & Zone-redundant. Zonal - SPECIFY multiple availability zones to work together. Zone-redundant - multiple availability zones replicate data and work based on failure/redundancy.
What does the Paid [Enhanced Security ON] Microsoft Defender option offer?
[Paid] Everything in Free plus: JIT (Just-in-Time) VM access, Adaptive application controls & network hardening, Regulatory compliance dashboard and reports, Threat protection for VMs and PaaS services.
Describe Application Gateway
A WEB TRAFFIC Load Balancer. Reminder - Load Balancers evenly distribute traffic across multiple VMs within a vNet.
What services handles Security Tokens?
AAD. Security tokens (aka access tokens) are not "keys, secrets, or certificates". They are generated and live for a short time only, so there is no reason to store them. That is why the answer is NOT Key Vault.
AI vs Machine Learning
AI is simulating human intelligence & capabilities via computer software. Machine learning is the use of AI to actively "teach" a machine to draw conclusions & make predictions from data. The process of teaching a machine to do that is called BUILDING A MODEL or DATA MODELING.
Azure Security Center / Microsoft Defender
ALSO CALLED MICROSOFT DEFENDER. THEY ARE THE SAME THING (rebranded 2022). Centralized Security Management Service for Azure. Integrated with Azure Advisor. Natively in all Azure Services. Two tiers: Free [Enhanced Security OFF] and Paid. The Paid tier is PER resource, so you only pay for the resources you want Defender on.
What is Azure Backup? is it IaaS, PaaS, or SaaS?
A PaaS service for providing backups to protect against ransomware.
You need to ensure no one (including admins) can create additional resources in an Azure Resource Group. What should you implement?
A Resource Lock (Read-Only).
Describe the relationship between Location and Resources (also, Resource Groups). Can Resource groups be nested?
A Resource must be in EXACTLY one resource group. Resource groups have their own Location. Resources can have different locations (even inside the same group). Resources can be moved between Resource Groups, Subscriptions, and Regions. They CANNOT be COPIED though, which is different. Resource groups CANNOT be nested.
What is Azure Virtual Desktop?
A VM, accessible from ANY platform (mobile, Mac, etc.), that provides a stateful/persistent experience for users even after multiple sessions (saves profiles after closing). TONS of customization/scalability options and Zero Trust controls, load balancing for multiple users on a single VM, etc...
What is Azure Reservations?
A billing mechanism to commit to yearly terms for HUGE discounts. [COST REDUCTION]
What is a Resource Group?
A grouping of resources, used to hold and manage LOGICALLY RELATED resources. Can be grouped by: Lifecycle, Billing, Resource Type, etc... Groups are free.
What is an Availability Set?
A logical grouping of VMs for providing REDUNDANCY and AVAILABILITY.
What is Azure Notifications Hub?
A massive push-notification engine that's easy to use and that scales out.
Describe Azure Service Health
A portal for displaying known Service issues, Planned Maintenance, and Health & Security advice & updates. You can view health history with detailed logs regarding how problems occurred & how they were solved. You can create alerts to be automatically informed about these features.
What is a Resource in Azure?
A representation of a Service, manageable within Azure. They are saved as a JSON file containing: (Type, API Version, Name, and Location). Resources must be in exactly ONE Resource Group. ex: VMs, vNets, storage accounts, etc...
What is Azure Sentinel?
A security service that uses Machine Learning. Automates responses (such as calling Logic Apps to respond). SIEM & SOAR service (Security Information & Event Management, and Security Orchestration, Automation & Response).
What is Azure ExpressRoute?
A service for creating a private connection between your on-prem environment and Azure datacenters. It DOES NOT go over the public internet. It is a PRIVATE connection that is better than the typical internet (speed/reliability/latency/etc.). PRIVATE PEERING is required to let an ExpressRoute reach a vNet.
What is Azure Disk Storage?
A service for disk emulation in the cloud, for attaching persistent storage to VMs (C, D, E, etc.). 2 types: Managed - you are responsible for drive data. Unmanaged - Azure manages drive data.
What is a Role?
A set of ACTIONS that the assigned IDENTITY will be able to perform. In a Role Assignment it is: "What can be done".
What is Azure Active Directory Domain Service? (Azure AD DS)
A version of AAD where Azure MANAGES a pair of two Domain Controllers for you, called a Replica set (but you can pay to scale up).
What is VPN Gateway?
A virtual gateway for on-prem to Azure traffic, encrypted & sent over the public internet. The Local Network Gateway is used to tell the VPN gateway who you want to connect to and what the peer IP address ranges are.
What is used to synchronize users from an on-prem AD with Azure AD?
AAD Connect (Azure Active Directory Connect), + SSO (Seamless Sign-On, to make integration smooth).
What are the security layers? aka describe DEFENSE IN DEPTH, and how each layer adds protection.
Data - encryption, etc. Application - attacks (SQL injection), etc. Compute - patching, anti-virus, etc. Network - NSG, implicit deny, etc. Perimeter - firewalls, DDoS, etc. Identity/Access - passwords, MFA, etc. Physical - datacenter. * PIPNCAD (from bottom up) = acronym
Describe the shared responsibility model by listing ALL responsibilities for IaaS vs PaaS vs SaaS
Data/Access; Application >-- SaaS; Runtime; OS >-- PaaS; VMs; Storage; Networking >-- IaaS; Compute. *compute = servers/datacenters
Geographies are described as ___
Discrete markets. Typically contain two or more regions. Regions can only belong to ONE Geography.
Describe Content Delivery Network (CDN)
Distributes and caches specified web content all over the world to MINIMIZE LATENCY. More scalability + less workload. POPs (points of presence) in many locations.
What can Azure Information Protection encrypt?
Documents and Email messages
What is/are Edge computing, and Edge locations?
Edge computing allows you to run VMs, containers, and data services at edge locations. Edge locations (or edge sites) are local data-access points meant to alleviate cloud latency caused by commercial internet.
Define Public Cloud
Everything runs on the cloud provider's hardware. No local hardware. No CapEx (pay-as-you-go OpEx instead). Fast, reliable, less in-house skill required to maintain. Most agile option.
Define Private Cloud
Everything runs in your own datacenter. You buy and maintain the hardware. Total control over security and infrastructure. Can run legacy software (like hybrid). Requires CapEx. Limited agility. Requires more skilled IT expertise than public.
Describe the Resources required for Virtual Machines
Exists in: Subscription > Resource Group > the VM. Requires 6 resources: Virtual Machine (its own resource), OS Disk, Data Disk, vNIC (virtual network interface), Public IP Address, NSG (plus a vNet/subnet for the vNIC to attach to). * VDD VPN = acronym for the 6 (VM, Disk, Data disk, vNIC, Public IP, NSG). Best practice: keep all 6 in the same Resource Group for management; the NSG is the usual exception, since one NSG is often shared across several VMs or applied to a subnet.
What are the layers of the Geography model?
Geography (outer layer) > Region Pairs > Regions > Availability Zones > Data Centers (inner layer)
How does guest access work with AAD DS? Can you pause AAD DS?
B2B guest users invited to your AAD are NOT synchronized into an AAD Domain Services managed domain (their credentials live in their home tenant), so they cannot sign in to the managed domain. No, you cannot pause AAD DS: a managed domain runs (and bills) until you delete it.
Sort by Scalability: App Service Functions Kubernetes Service VMs VM Scale Sets Container Instances
HIGH --> LOW:
1. VM Scale Sets
2. Functions
3. Kubernetes Service (AKS)
4. App Service
5. Container Instances
6. VMs
Sort by Control / Maintenance: Container Instances App Service VMs Functions Kubernetes Service VM Scale Sets
HIGH --> LOW:
1. VMs
2. VM Scale Sets
3. Kubernetes Service (AKS)
4. Container Instances
5. App Service
6. Functions
If you want to build a CUSTOM application, that requires multiple PREREQUISITE APPS to be installed/integrated into or ontop of it, would you use IaaS, PaaS, or SaaS?
IaaS. PaaS is an acceptable answer, but only IaaS gives you OS-level access, which is what guarantees you can install and integrate arbitrary pre-existing applications.
SQL Server installed on a VM is an example of? (IaaS VS PaaS VS SaaS)
IaaS. SQL Server installed on a VM is still a VM: you manage the OS, patching and the SQL Server install. VMs are only managed by the customer in an IaaS model. (Azure SQL Database is the PaaS equivalent.)
What are the 4 terms to remember for accessing services & verifying who users are?
- Identity - who you are (managed by Azure AD)
- Authentication - verifying that identity
- Authorization - requesting & granting access to something
- Access Management - the management of Authorization (Azure AD)
What is RACI matrix?
In the Cloud Adoption Framework, a RACI matrix (Responsible, Accountable, Consulted, Informed) is a way to ORGANIZE roles so everyone knows what to do and when to do it.
IoT
Internet of Things - a network of internet connected devices, enabling sending & receiving data (settings and telemetry).
Main uses for Azure File Storage?
Fully managed file shares accessed via SMB (NFS is also supported). Designed for extending on-premises file servers (with Azure File Sync) and for Lift-and-Shift scenarios where an app expects a file share. Data is persisted and replicated according to the storage account's redundancy option. Treated as a PaaS offering even though the underlying storage account is usually classed as IaaS, because Azure manages the file-server layer on top of the account for you.
What is Azure Table Storage?
It is table storage for NoSQL, Non-relational, semi-structured data.
High Availability is ___
The measure of system uptime, expressed as a percentage. High availability = a low downtime percentage. Availability = uptime / (uptime + downtime)
What is in Microsoft Entra? (& what is it?)
Microsoft Entra is the (2023) product family and web portal that groups Microsoft's identity services: Azure AD (renamed Microsoft Entra ID, including Domain Services), Verified ID, Permissions Management, and ID Governance. ID Governance also handles employee lifecycle management (think Joiners --> Leavers; e.g. automatically emailing a new hire a welcome message).
What are the 4 Storage Redundancy options/tiers ?
- LRS - Locally Redundant Storage: 3 copies in one datacenter. Lowest cost, for non-critical data.
- ZRS - Zone Redundant Storage: copies spread across availability zones in the region. Intermediate option, protects against a datacenter failure, for High Availability scenarios.
- GRS - Geo Redundant Storage: LRS in the primary region plus a copy in the paired secondary region. Intermediate option, for backup / regional-disaster scenarios.
- GZRS - Geo-Zone Redundant Storage: ZRS in the primary region plus a copy in the secondary region. Optimal protection, includes everything above, for critical data.
* LGZ GZ Redundant Storage = acronym
Describe Azure Load Balancer
Load Balancers evenly distribute NON-WEB (layer 4: TCP & UDP) traffic across multiple VMs within a vNet, both inbound & outbound. Application Gateway is the WEB TRAFFIC (layer 7, HTTP/HTTPS) equivalent. Enables High Availability (SLA) scenarios and high scalability.
How many subscriptions can trust how many Azure AD directories?
MULTIPLE subscriptions can trust a SINGLE Azure AD directory. Each subscription can ONLY trust one Azure AD directory.
What is the general hierarchy to remember when considering Scopes?
Management Groups > Subscriptions > Resource Groups > Resources
What Service would be used to identify unsanctioned (SaaS)apps that may be compromised (Shadow IT)?
Microsoft Defender for Cloud Apps
What happens if you pay for the Standard DDoS Protection plan in Azure?
Cost protection: Microsoft credits you (service credits) for the resource scale-out and data-transfer charges your infrastructure incurs while absorbing a documented DDoS attack that the service mitigated.
NSG vs ASG
NSG (NETWORK security group) - FILTERS traffic to/from resources in a vNet using rules.
ASG (APPLICATION security group) - logically GROUPS resources in a vNet so NSG rules can reference the group instead of manually managing explicit IP addresses.
NSG rules are built from:
- Source/Destination - IP, CIDR, service tag or ASG
- Protocol - TCP, UDP, etc.
- Port - single port or range (RDP 3389, FTP 21, etc.)
- Direction - inbound or outbound
- Priority - lower number = evaluated first; first matching rule wins
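Added example (not from the original notes): a small Python model of how an NSG evaluates its rules, including rules that reference an ASG rather than explicit IPs. Rules are checked in ascending priority, the first matching rule decides, and if nothing matches the built-in default rules apply (DenyAllInBound and DenyAllOutBound at priority 65500). The ASG membership, the custom rules and the sample flows are constructed for illustration, and service tags such as VirtualNetwork/Internet are simplified to "*".

```python
"""Model of Azure NSG rule evaluation (illustrative, not Azure's code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # custom rules use 100-4096; default rules sit at 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or "asg:<name>"
    destination: str   # CIDR, "*" or "asg:<name>"
    dest_ports: str    # "22", "80-443" or "*"


# Subset of the default rules every NSG carries (service tags simplified to "*").
DEFAULT_RULES = [
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed ASG membership: private IPs of the NICs in each group.
ASGS = {
    "web": {"10.0.2.4", "10.0.2.5"},
    "bastion": {"10.0.1.10"},
}


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("asg:"):                      # ASG reference
        return addr in ASGS.get(pattern[4:], set())
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")                  # "80-443" or "22"
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name) for one flow, the way the NSG decides it."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_addr_match(r.source, src) and _addr_match(r.destination, dst)):
            continue
        if not _port_match(r.dest_ports, dst_port):
            continue
        return r.access, r.name                          # first match wins
    raise AssertionError("the default rules guarantee a match")


# Constructed custom rules: SSH only from the bastion ASG to the web ASG,
# any other SSH explicitly denied, HTTP/HTTPS open to the world.
RULES = [
    NsgRule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "asg:bastion", "asg:web", "22"),
    NsgRule("DenySshFromAnywhere", 200, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    NsgRule("AllowWebInbound", 300, "Inbound", "Allow", "Tcp", "*", "asg:web", "80-443"),
]

if __name__ == "__main__":
    for flow in [("Inbound", "Tcp", "10.0.1.10", "10.0.2.4", 22),
                 ("Inbound", "Tcp", "203.0.113.7", "10.0.2.4", 22),
                 ("Inbound", "Tcp", "203.0.113.7", "10.0.2.5", 443),
                 ("Inbound", "Udp", "203.0.113.7", "10.0.2.4", 53),
                 ("Outbound", "Tcp", "10.0.2.4", "203.0.113.7", 443)]:
        print(flow, "->", evaluate(RULES, *flow))
```

The order of the custom rules is the security-relevant part: the Allow at priority 100 is narrower than the Deny at 200, so SSH from the bastion gets through while everything else hitting port 22 is dropped, and UDP 53 (which no custom rule mentions) falls through to DenyAllInBound. If the two SSH rules swapped priorities, the bastion would be locked out too.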
What protects against "Region-Wide disasters" ?
Region Pairs and Geographies. They are the two outer layers of the model and protect against the failure of a single whole Region (Availability Zones only protect against datacenter failures within a region).
Structured vs Semi-Structured
Structured: relational, SQL, fixed schema. Semi-structured: non-relational, NoSQL, organized by keys/tags rather than a schema. NEITHER is UNSTRUCTURED data (BLOBs: images, video, documents), which is its own 3rd kind, separate from the two.
What are these examples of? - Auto healing from failures. - Redundancy with duplicate storage. - Auto scaling. - SLA guarantees. - Design for failure (multi-region, etc). - Monitoring (Monitor, Insights, etc).
Reliability
When Assigning a Role, what are the 3 questions you must ask & assign?
Role - "What can be done" Identity (aka Security Principal) - "Who can do it" Scope - "Where it can be done"
What is RBAC?
Role-Based Access Control - the authorization system built into ARM (Azure Resource Manager). It is how Role Assignment is carried out (Role + Identity + Scope). Supports built-in and custom roles. Focuses on USER ACTIONS (whereas Azure Policy focuses on resource properties).
Availability Zones are described as ___
a grouping of physically separate data centers within a region, each with independent power, cooling and networking, connected by high-speed links (under 2 ms round-trip latency).
What are factors to REDUCE cost for each of these examples? SKU (standard/premium/etc) - ______ Tier (hot/cool/archive/etc) - ______ Metered (aka accrued) costs such as: Exist (is it provisioned) - ______ Running (or is it off) - ______ Instance (how many) - ______ Work - ______
- SKU - optimize what type of resource is being used (cpu:memory ratio)
- Tier - use the correct hot/cool/archive tier for the access pattern
- Exist - DELETE when not required
- Running - DEALLOCATE (auto shut down)
- Instances - AUTOSCALE
- Work - SERVERLESS
Azure Advisor "Cost Optimization" recommendations and Tags (to identify who owns what) also help.
Single Sign-On(SSO) vs MFA vs Passwordless
SSO - Authenticate ONCE; subsequent sign-ins to other apps are automatic. MFA - requires 2 or more of: something you KNOW (password, PIN), HAVE (phone, hardware token), ARE (biometric). Basic MFA is available to every tenant via security defaults; Conditional Access-driven MFA requires AAD Premium. Passwordless - replaces the password with something you HAVE plus something you ARE or KNOW (Windows Hello, FIDO2 key, Authenticator app: biometric or PIN).
Azure Advisor
Scans your services and provides "Actionable" recommendations that are easy to implement. Five categories: Cost, Security, Reliability, Performance, Operational Excellence. All of this is free. It is PROACTIVE (it flags misconfigurations before they cause harm), so it WON'T help you respond to an existing data breach, for example. It CANNOT configure your AAD environment or design your networks; top-level advice only.
Azure Event Grid
Serverless, scalable event routing service for integration and near-real-time applications. It delivers event "messages" from sources (triggers, e.g. a blob being created) to handlers such as Logic Apps, Functions or webhooks. You SUBSCRIBE to built-in events from Azure services, or publish custom ones.
Define SLA
Service Level Agreement - the promise of a service's availability (uptime & connectivity), expressed as a percentage (think number of 9's). *Calculated per month. Free and preview services usually DON'T have an SLA. Service credits (discounts) are issued if the SLA is breached.
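Added example (not from the original notes) for the High Availability and SLA cards: the availability arithmetic behind "number of 9's". It uses the card's formula availability = uptime / (uptime + downtime), converts an SLA percentage into a monthly downtime budget (30-day month assumed), and combines SLAs for components in series (all must be up, multiply) and in parallel (any one replica suffices, 1 minus the product of the failure probabilities). The component SLA values passed in are illustrative inputs, not quoted Azure figures.

```python
"""Availability and composite-SLA arithmetic (illustrative helper code)."""
from functools import reduce

MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: 30-day month


def availability(uptime_minutes: float, downtime_minutes: float) -> float:
    """Fraction of time the system was up, from measured uptime/downtime."""
    return uptime_minutes / (uptime_minutes + downtime_minutes)


def downtime_budget_minutes(sla_percent: float, minutes: int = MINUTES_PER_MONTH) -> float:
    """Maximum downtime per period that still meets an SLA of sla_percent."""
    return minutes * (1 - sla_percent / 100)


def composite_serial(*slas: float) -> float:
    """Components in series: the app is up only if every component is up."""
    return reduce(lambda a, b: a * b, (s / 100 for s in slas)) * 100


def composite_parallel(*slas: float) -> float:
    """Redundant replicas: the app is down only if every replica is down."""
    return (1 - reduce(lambda a, b: a * b, (1 - s / 100 for s in slas))) * 100


def meets_sla(sla_percent: float, uptime_minutes: float, downtime_minutes: float) -> bool:
    """Did a measured month satisfy the promised SLA?"""
    return availability(uptime_minutes, downtime_minutes) * 100 >= sla_percent


if __name__ == "__main__":
    # Illustrative SLAs: a 99.95% web tier in front of a 99.99% database.
    web, db = 99.95, 99.99
    print("web + db in series  :", round(composite_serial(web, db), 4), "%")
    print("two web replicas    :", round(composite_parallel(web, web), 6), "%")
    print("99.9% monthly budget:", downtime_budget_minutes(99.9), "minutes")
    print("99.99% monthly budget:", downtime_budget_minutes(99.99), "minutes")
    print("43 min down this month vs 99.9%:", meets_sla(99.9, MINUTES_PER_MONTH - 43, 43))
```

The two composite functions show the design point: chaining dependencies always lowers the combined SLA below the weakest component, while adding a redundant replica (the multi-region pattern from the Disaster Recovery card) raises it.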
What is the Service Trust Portal?
The Service Trust Portal is Microsoft's public site that provides customers with compliance documentation and independent audit reports for Azure and the other Microsoft cloud services.
What does Azure Government always relate to?
The United States: physically isolated regions for US government agencies and their partners, operated by screened US personnel.
What is Authentication?
The Verification of Identity(Verify you are you). (asking for & providing a password, etc)
Define cloud computing and its 4 main services
The delivery of computing services over the internet, paid for as you use them. Main 4 services: Compute power, Storage, Networking, and Analytics (there are many more).
AZ Enabled or Zone Enabled regions must have what?
at least 3 Availability Zones.
What is Hybrid Use Benefit?
Azure Hybrid Benefit: bringing your existing on-prem licenses (Windows Server and SQL Server with Software Assurance, or Linux subscriptions) to the cloud instead of paying for new ones when you migrate. [COST REDUCTION]
Resource Locks
Designed to prevent accidental deletion or modification of resources.
2 types: Read-Only (ReadOnly) and Delete (CanNotDelete).
Scopes are hierarchical (a lock is inherited by everything beneath it).
Used in conjunction with RBAC: a lock applies even to Owners.
Cannot be applied to Management Groups (subscription, resource group and resource only).
Only the Owner and User Access Administrator roles can create or remove locks.
Can a Private cloud be extended by adding its own physical server to the Public cloud?
No. A private cloud runs on your own hardware; connecting it to public cloud resources makes a HYBRID cloud, not an extended private cloud.
What are Scopes?
One or more Azure resources that ACCESS can be applied to. In Role Assignment it is: "Where it can be done". Scopes are HIERARCHICAL: an assignment at a higher level (e.g. a management group) is inherited by every level beneath it (subscriptions > resource groups > resources).
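Added example (not from the original notes) for the Scopes, RBAC and Resource Locks cards: a small Python model of the scope hierarchy (management group > subscription > resource group > resource) and of the two things that inherit down it, role assignments and resource locks. The scope names, principals and role definitions are constructed, the role action lists are a simplified subset of Azure's, and the lock semantics are simplified to "ReadOnly blocks anything that is not a read, CanNotDelete blocks deletes".

```python
"""Model of scope inheritance for RBAC assignments and resource locks."""
from fnmatch import fnmatchcase

# Constructed hierarchy: child scope -> parent scope (None = top level).
PARENT = {
    "mg-root": None,
    "sub-prod": "mg-root",
    "sub-prod/rg-web": "sub-prod",
    "sub-prod/rg-web/vm-web01": "sub-prod/rg-web",
    "sub-prod/rg-data": "sub-prod",
}

# Simplified role definitions using Azure-style wildcard actions.
ROLES = {
    "Owner": {"*"},
    "Reader": {"*/read"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
}

# Role assignments: (security principal, role, scope it was assigned at).
ASSIGNMENTS = [
    ("alice", "Owner", "mg-root"),
    ("bob", "Virtual Machine Contributor", "sub-prod/rg-web"),
    ("carol", "Reader", "sub-prod"),
]

# Resource locks: scope -> lock level.
LOCKS = {"sub-prod/rg-web": "CanNotDelete"}


def lineage(scope):
    """Yield the scope itself, then each ancestor up to the top."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


def role_allows(role, action):
    return any(fnmatchcase(action, pattern) for pattern in ROLES[role])


def granted_by(principal, action, scope):
    """Return (role, scope) of the assignment that grants the action, or None."""
    for s in lineage(scope):                       # assignments inherit downward
        for who, role, assigned_at in ASSIGNMENTS:
            if who == principal and assigned_at == s and role_allows(role, action):
                return role, assigned_at
    return None


def effective_lock(scope):
    """Strongest lock on the scope or any ancestor: (level, scope) or None."""
    strength = {"ReadOnly": 2, "CanNotDelete": 1}
    best = None
    for s in lineage(scope):                       # locks inherit downward too
        level = LOCKS.get(s)
        if level and (best is None or strength[level] > strength[best[0]]):
            best = (level, s)
    return best


def can_perform(principal, action, scope):
    """RBAC decides WHO may do WHAT WHERE; a lock can still veto the action."""
    grant = granted_by(principal, action, scope)
    if grant is None:
        return False, "no role assignment at this scope or above grants the action"
    lock = effective_lock(scope)
    if lock:
        level, at = lock
        if level == "ReadOnly" and not action.endswith("/read"):
            return False, f"blocked by ReadOnly lock at {at}"
        if level == "CanNotDelete" and action.endswith("/delete"):
            return False, f"blocked by CanNotDelete lock at {at}"
    return True, f"allowed via {grant[0]} assigned at {grant[1]}"


if __name__ == "__main__":
    vm = "sub-prod/rg-web/vm-web01"
    print(can_perform("bob", "Microsoft.Compute/virtualMachines/write", vm))
    print(can_perform("bob", "Microsoft.Compute/virtualMachines/write", "sub-prod/rg-data"))
    print(can_perform("carol", "Microsoft.Compute/virtualMachines/write", vm))
    print(can_perform("alice", "Microsoft.Compute/virtualMachines/delete", vm))
```

The last call is the one worth remembering for the Resource Locks card: alice is Owner at the root management group, so RBAC grants the delete everywhere below it, yet the CanNotDelete lock on rg-web is inherited by the VM and still blocks her until the lock is removed.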
Azure TCO calculator, Azure Pricing Calculator, and Azure Cost Management, are examples of what? Define all 3 (generally).
Tools for determining ROI (return on investment), one of the STEPS in the 1st STAGE (Strategy) of the Cloud Adoption Framework. Definitions: TCO calculator - compares the cost of running workloads on-prem vs. in Azure, i.e. estimates the savings from migrating. Pricing calculator - estimates hourly or monthly costs of Azure resources before you deploy them. Cost Management - monitors, analyzes, budgets and optimizes actual cloud spend.