AZ-103T1

What is a storage account key?

It is a shared key for a storage account, giving access to everything in the account. Azure creates a primary and secondary key for each account created.

What is de-allocating a VM?

It's similar to turning off your physical computer. The VM is not assigned to a CPU or network in a datacenter. However, your persistent disks remain, and the resource is present in your subscription.

What are Resource Manager templates?

JSON files that define the resources you need to deploy for your solution.

What is in a Resource Manager template?

JavaScript Object Notation (JSON) defining the schema, content version, parameters (configurable values), variables (defined values), functions (repeated procedures), resources (what's in your deployment) and outputs (info when the template runs)

How do you refresh storage account keys in case of compliance or compromise?

Change each trusted app to use the secondary key then refresh the primary key in the Azure portal. The refreshed primary key is now the new secondary key.

What is a Vnet Service Endpoint?

resource that isolates Azure services to only allow communication from virtual networks

What is Azure Backup?

service offering that protects physical or virtual machines

What is Azure Traffic Manager?

service offering that uses the DNS server that's closest to the user to direct user traffic to a globally distributed endpoint.

What is Azure Site Recovery?

service that replicates workloads from a primary site to a secondary location

What VM sizes can use premium SSD?

sizes that include an "s" in the series name, for example Dsv3 series can use premium SSD while Dv3 series cannot

What are Conditional Access Policies?

support for access based on group, location, or device state.

What is the Service Trust Portal?

the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services.

What is throughput?

the amount of data that your application is sending to the storage disks in a specified interval (typically per second). Also called bandwidth.

What is Azure Resource Manager?

the interface for managing and organizing cloud resources.

What is availability?

the percentage of time a service is available for use.

What is latency?

the time it takes your app to send a request to the disk and get a response.

What are the maximum tags per resource?

15

What is a Storage account's IOPS rate limit?

20,000 IOPS

What is the character limit for tags?

512, except for storage which is 128

What is Azure AD?

A cloud-based, modern identity provider that supports multiple authentication protocols to secure applications and services in the cloud. It can be used standalone or synchronized with on-premises AD.

What is Azure AD Application Proxy?

A service offering that can quickly, easily, and securely allow an on-premises application to be accessed remotely without any code changes.

What is a load balancer?

A service offering that distributes traffic evenly among each system in a pool. A load balancer can help you achieve both high availability and resiliency.

How do you encrypt VMs?

Azure Disk Encryption (ADE)

What are examples of firewalls?

Azure Firewall (managed service, fully stateful, HTTP and non-HTTP traffic), Azure Application Gateway (comes with Web Application Firewall), Network Virtual Appliances (non-HTTP and HTTP services, advanced configuration)

How do you encrypt secrets?

Azure Key Vault

How can you create and administer resources in Azure outside the portal?

Azure Resource Manager (templates), Azure PowerShell (scripts), Azure CLI (scripts), Azure REST API (programmatically), Azure Client SDK (programmatically), Azure VM Extensions (feature), Azure Automation Services (feature)

How do I write a Resource Manager template?

Azure portal, start with a template you previously built, start with an Azure Quickstart template, Azure Resource Manager Tools extension for VS Code

What are the two types of disk caching that concern disk storage?

Azure storage caching and Azure VM caching

Why use Azure Key vault?

Because it allows users to store connection strings, secrets, passwords, certificates, access policies, file locks (making items in Azure read-only), and automation scripts while logging access and activity and providing troubleshooting tools to ensure you have the access you need.

Why should you only use storage account keys with trusted in-house applications that you control completely?

Because there are only two keys and they provide full access to the account

What are roles?

Collections of access permissions

What are the common principles to security posture?

Confidentiality (least privilege), Integrity (prevent unauthorized usage), Availability (make sure services are there for people)

What are the benefits of Azure Application Gateway?

Cookie affinity (keep a user session on the same backend server). SSL termination to manage your SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption/decryption overhead, or full end-to-end encryption for applications that require that. Web application firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure. URL rule-based routes (route traffic based on URL patterns, source IP address and port to destination IP address and port; this is helpful when setting up a content delivery network). Rewrite HTTP headers: you can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.

What do you need to do before encrypting VM disks?

Create a key vault, Set the key vault access policy to support disk encryption, Use the key vault to store the encryption keys for ADE.

What resources can be backed up by Azure Backup?

Files and folders on Windows OS machines (physical or virtual, local or cloud), Application-aware snapshots (Volume Shadow Copy Service), Popular Microsoft server workloads such as Microsoft SQL Server, Microsoft SharePoint, and Microsoft Exchange, Azure virtual machines (Windows and Linux), client machines (Windows 10 and Linux)

What is Application Gateway?

Layer 7 load balancer that also includes a web application firewall (WAF) to provide advanced security for your HTTP-based services.

What are the three key characteristics of SLAs for Azure products and services?

Performance Targets, Uptime and Connectivity Guarantees, and Service credits

What are virtual machine scale sets?

a feature that lets you create and manage a group of identical, load balanced VMs.

What is a billing zone?

a geographical grouping of Azure Regions for billing purposes.

What is Vnet Peering?

Resource to integrate multiple VNets in Azure, establishing a direct connection between designated VNets.

What is a Network Virtual Appliance?

Resource used for protection of non-HTTP-based services or increased customization to secure network resources

What is an identity?

Something that can be authenticated

What are the elements of Multi-factor authentication?

Something you know (a password or the answer to a security question), Something you possess (a mobile app that receives a notification or a token-generating device), Something you are (biometric property, such as a fingerprint or face scan)

What's a basic checklist for creating VM?

Start with the network, then Name, location, size, pricing model, storage and operating system for the VM

What does Azure Batch do for you?

Starts a pool of compute VMs for you, Installs applications and staging data, Runs jobs with as many tasks as you have, Identifies failures, Requeues work, Scales down the pool as work completes

What roles can upgrade Azure Security Center to the Standard tier?

Subscription Owner, Subscription Contributor, or Security Admin

What is encryption at rest?

The act of making stored data unreadable without the keys and secrets

How do you encrypt databases?

Transparent Data Encryption (TDE)

What is a Region Pair?

Two regions within the same geography (such as US, Europe, or Asia) at least 300 miles away, used to avoid availability zone outage

What are resource groups?

a logical container for resources deployed on Azure.

What is Azure Key Vault?

a centralized cloud service for storing application secrets

What is Microsoft Azure Information Protection?

a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.

What is Serverless Computing?

a cloud-hosted execution environment that runs your code but completely abstracts the underlying hosting environment.

What is the Azure CLI?

a cross-platform command-line program to connect to Azure and execute administrative commands on Azure resources.

What is a dashboard?

a customizable collection of UI tiles displayed in the Azure portal.

What is Azure Disk Encryption?

a feature managed by a VM owner that controls the encryption of Windows and Linux VM-controlled disks, using BitLocker on Windows VMs and DM-Crypt on Linux VMs

What is an availability set?

a logical feature used to ensure that a group of related VMs are deployed so that they aren't all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the datacenter.

What is a fault domain?

a logical group of hardware that shares a common power source and network switch, like a rack within an on-premises datacenter.

What are availability sets?

a logical grouping of two or more VMs that help keep your application available during planned or unplanned maintenance.

What is Azure Container Registry?

a managed Docker registry service based on the open-source Docker Registry 2.0

What are managed identities for Azure Resources?

a method of assigning an identity to services using a managed service principal in Azure AD

What is Azure PowerShell?

a module that you add to Windows PowerShell or PowerShell Core to let you connect to your Azure subscription and manage resources

What is Azure Security Center?

a monitoring service that provides threat protection across all of your services, both in Azure and on-premises

What is Azure App Service?

a platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications

What is Privileged Identity Management?

a service offering that provides ongoing auditing of role members as their organization changes and evolves.

What is a firewall?

a service that grants server access based on the originating IP address of each request

What is Azure Policy?

a service that you use to define, assign, and manage standards for resources in your environment

What's a network security group?

a set of rules used to filter network traffic to and from Azure resources in an Azure virtual network

What is a blade?

a slide-out panel in the Azure Portal containing the UI for a single level in a navigation sequence

What is Disk caching?

a specialized component that stores data, typically in memory so that it can be accessed more quickly

What is an image?

a template that's used to create a VM. These templates include an OS and often other software, such as development tools or web hosting environments.

What are containers?

a virtualization environment for running applications.

What is the Azure portal?

a website that lets you create, configure, and alter the resources in your Azure subscription

What is Compliance Manager?

a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

What is Multi-Factor Authentication?

additional security for your identities by requiring two or more elements for full authentication.

What is N-tier architecture?

an application architecture that divides an application into two or more logical tiers. A higher tier can access services from a lower tier, but a lower tier should never access a higher tier.

What's a Custom Script Extension?

an easy way to download and run scripts on your Azure VMs

What is Storage Service Encryption?

an encryption service built into Azure used to protect data at rest.

What is a principal?

an identity acting with certain roles or claims

What is Azure AD B2C?

an identity management service built on Azure Active Directory that enables you to customize and control how customers sign up, sign in, and manage their profiles when using your applications

What is a Service Principal?

an identity that is used by a service or application

What is Azure compute?

an on-demand computing service for running cloud-based applications.

How do I get the status of a VM in Azure CLI?

az vm get-instance-view -n <vmname> -g <resource-group-guid> --query "instanceView.statuses[?starts_with(code, 'PowerState/')].displayStatus" -o tsv

What is Azure DDoS protection?

blocks attack traffic, notifying using Azure Monitor metrics, and forwards the remaining traffic to its intended destination

What is network security?

protecting the communication of resources within and outside of your network

What is a Content Delivery Network?

distributed network of servers that can get content to users in their local region to minimize latency

What is encryption in transit?

encrypting the data prior to sending it over a network, or setting up a secure channel to transmit unencrypted data between two systems.

What is asymmetric encryption?

encryption that uses a public key and private key pair. Either key can encrypt but a single key can't decrypt its own encrypted data. Examples include TLS and data signing.

What is symmetric encryption?

encryption that uses the same key to encrypt and decrypt the data (e.g. a desktop password manager application)

What is an Azure Blueprint?

feature that allows you to define a repeatable set of Azure resources that implement and adhere to your organization's standards, patterns, and requirements.

What is Role-Based Access Control?

granular access management for resources that allows you to grant users the specific rights they need to perform their jobs.

What is an update domain?

groups of VMs and underlying physical hardware that can be rebooted at the same time.

What is Azure Batch?

large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.

What are Network Security Groups?

list of rules that allow or deny communication to and from network interfaces and subnets.

What is Azure Application Gateway?

load balancer designed for web applications

What are tags?

name/value pairs of text data that you can apply to resources and resource groups

What is IOPS?

number of requests that can be processed by the disk in one second. A single request is a read or write operation

How are VHD files stored in Azure?

page blobs in an Azure storage account

What is an Availability Zone?

physically separate datacenters within an Azure region, made up of one or more datacenters equipped with independent power, cooling, and networking. It is set up to be an isolation boundary.
