Azure AZ-900 Certification
What are the two types of locks in Azure?
"Delete" and "Read-only"
Azure AD provides services such as:
-Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
-Single Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
-Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as Access Panel), and SaaS apps.
-Business-to-Business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
-Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
-Device Management. Manage how your cloud or on-premises devices access your corporate data.
Benefits of Azure Key Vault:
-Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.
-Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
-Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
-Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.
-Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services.
Compliance Manager Features:
-Combines the following three items: 1) Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft's cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST). 2) Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR). 3) An organization's self-assessment of their own compliance with these standards and regulations.
-Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization's compliance goals.
-Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization's exposure to risk.
-Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
-Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.
Benefits of using Azure Application Gateway over a simple load balancer:
-Cookie affinity. Useful when you want to keep a user session on the same backend server.
-SSL termination. It can manage your SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption/decryption overhead. It also supports full end-to-end encryption for applications that require that.
-Web application firewall. It supports a sophisticated firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure.
-URL rule-based routes. It allows you to route traffic based on URL patterns, source IP address and port to destination IP address and port. This is helpful when setting up a content delivery network.
-Rewrite HTTP headers. You can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.
Steps to Create an Azure Policy
-Create a policy definition
-Assign a definition to a scope of resources
-View policy evaluation results
What Microsoft Trust Center Provides:
-In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.
-Recommended resources in the form of a curated list of the most applicable and widely-used resources for each topic.
-Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams.
-Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal.
-Direct guidance and support for when you can't find what you're looking for.
Advisor makes cost recommendations in the following areas:
-Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits. This identifies ExpressRoute circuits that have been in the provider status of Not Provisioned for more than one month and recommends deleting the circuit if you aren't planning to provision the circuit with your connectivity provider.
-Buy reserved instances to save money over pay-as-you-go. This will review your virtual machine usage over the last 30 days and determine if you could save money in the future by purchasing reserved instances.
-Right-size or shut down underutilized virtual machines. This monitors your virtual machine usage for 14 days and then identifies underutilized virtual machines. Virtual machines whose average CPU utilization is 5 percent or less and network usage is 7 MB or less for four or more days are considered underutilized virtual machines.
Factors affecting Azure Costs
-Resource Type
-Services (Azure usage rates and billing periods can differ between Enterprise, Web Direct, and Cloud Solution Provider (CSP) customers. Some subscription types also include usage allowances, which affect costs.)
-Location
-Azure Billing Zone: A Zone is a geographical grouping of Azure Regions for billing purposes.
Azure Key Vault Use Cases:
-Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
-Key management. You can also use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
-Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your Azure, and internally connected, resources more easily.
-Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.
Best Practices for RBAC:
-Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only specific actions at a particular scope.
-When planning your access control strategy, grant users the lowest privilege level that they need to do their work.
-Use Resource Locks to ensure critical resources aren't modified or deleted.
What types of attacks does Azure DDoS Protection Standard tier protect against?
-Volumetric attacks. The attacker's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
-Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
-Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
Azure Key Vault Features with Certificates:
-You can create certificates, or import existing certificates.
-You can securely store and manage certificates without interaction with private key material.
-You can create a policy that directs it to manage the life cycle of a certificate.
-You can provide contact information for notification about life-cycle events of expiration and renewal of certificates.
-You can automatically renew certificates with selected issuers: Key Vault partner X.509 certificate providers / certificate authorities.
Three steps to take in order to fully utilize Azure Security Center?
1) Define security policies that Azure can use to monitor your infrastructure (a policy is a set of rules used to evaluate a resource).
2) Protect resources. You still need to monitor your policies and their outcomes.
3) Respond to a security incident.
What elements do Azure Blueprints include?
1) Resource Templates, 2) Role-Based Access Control (RBAC), 3) Policies, 4) Samples for Common Regulations
Three Elements to RBAC role assignments:
1) Security Principal: an object representing an entity that can get access to the Azure resource; for example, a user or a group of users.
2) Role Definition: lists the operations that can be performed, such as Read, Write and Delete.
3) Scope: the set of resources that the access applies to.
What is included with all support plans?
24 x 7 support for billing and subscription; online self-help; support forums (ask other users what they use and how they do things); best practice recommendations from Azure Advisor; access to Service Health status to know how Azure is doing. This is also the full range of support for the 'Basic' plan. You can sign up online for all levels except Premier, and the support starts immediately.
Service Level Agreement
A contract between you and Azure documenting Microsoft's commitment for uptime & connectivity.
What are availability sets?
A logical grouping of two or more VMs that help keep your application available during planned or unplanned maintenance. With them you get:
-Up to three fault domains that each have a server rack with dedicated power and network resources
-Five logical update domains, which can then be increased to a maximum of 20
Your VMs are then sequentially placed across the fault and update domains.
What is the best explanation for an address space on a Virtual Network?
A range of IP addresses that are available to the Virtual Network for connected services.
What are security policies used for in Azure?
A set of rules that Azure can use to evaluate if your configuration of a service is secure and complies with your organization's security guidelines.
What web app languages does the App Service support?
ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host operating system.
Serverless Computing encompasses these three ideas:
Abstraction of servers: It abstracts the servers you run on. You never explicitly reserve server instances; the platform manages that for you. Each function execution can run on a different compute instance, and this execution context is transparent to the code. With this architecture, you simply deploy your code, which then runs with high availability.
Event-driven scale: This type of computing is an excellent fit for workloads that respond to incoming events.
Micro-billing: With this type of computing, you pay only for the time your code runs. If no active function executions occur, you're not charged.
You realise that there have been several attempts to compromise user credentials for your Azure account using brute force. What is an Azure service that can warn you about this?
Advanced Threat Protection
What is special about the China region in Azure?
All customer data is guaranteed to be geographically within China. You are guaranteed to be compliant with all Chinese data and IT regulations. All Azure services are physically located within China.
Management Certificates
Allow you to authenticate with the classic deployment model. Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services. However, these types of certificates are not related to cloud services.
Network Security Groups (NSGs)
Allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. NSGs provide a list of allowed and denied communication to and from network interfaces and subnets, and are fully customizable.
Azure Data Lake Storage
Allows you to perform analytics via parallel processing on your data usage and prepare reports. It is a large repository that stores both structured and unstructured data. It combines the scalability and cost benefits of object storage with the reliability and performance of the Big Data file system capabilities. It uses analytic engines like Hadoop & Spark.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. It provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. It is considered a core service and is included with all subscription levels at no cost. With it you can:
-Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
-Allow a database administrator (DBA) group to manage SQL databases in a subscription.
-Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
-Allow an application to access all resources in a resource group.
App Services allows you to create web, mobile, API and logic apps. In the shared responsibility model, what model is App Services aligned to?
App Services aligns to the Platform as a Service Model as App Services provides a development and deployment environment, with Infrastructure components, development tools, business intelligence and database management systems all ready to go without you having to provision the individual components.
Azure Monitor Data Sources:
Application monitoring data; Guest OS monitoring data; Azure resource monitoring data; Azure subscription monitoring data; Azure tenant monitoring data.
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/7-monitoring
You are looking to restrict internet traffic to a Windows virtual machine - what Azure functionality would you choose to accomplish this?
Appropriately configured Network Security groups allow you to control all inbound and outbound traffic for your virtual machines.
Virtual private network (VPN) Connections
Are a common way of establishing secure communication channels between networks. Connections between Azure Virtual Network and an on-premises VPN device are a great way to provide secure communication between your network and your VNet on Azure.
Resource Locks
Are a setting that can be applied to any resource to block modification or deletion. They can be set to either Delete or Read-only. Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. They can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.
Service Certificates
Are attached to cloud services and enable secure communication to and from the service. For example, if you deploy a web site, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint.
Azure Management Groups
Are containers for managing access, policies, and compliance across multiple Azure subscriptions. They allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. All subscriptions within one of these will automatically inherit the conditions applied to the larger group.
Network virtual appliances (NVAs)
Are ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.
Azure ATP Sensors
Are installed directly on your domain controllers. They monitor domain controller traffic without requiring a dedicated server or configuring port mirroring.
Locks
Assigning: Can be assigned to a subscription, resource group or resource.
Type: Delete, where you can't delete the locked object, or Read-Only, where you can't make any changes to the object.
Permanence: It must be removed completely before changes or deletes can be performed again.
Benefits of using Azure to store data?
Automated backup and recovery: mitigates the risk of losing your data if there is any unforeseen failure or interruption.
Replication across the globe: copies your data to protect it against any planned or unplanned events, such as scheduled maintenance or hardware failures. You can choose to replicate your data at multiple locations across the globe.
Support for data analytics: supports performing analytics on your data consumption.
Encryption capabilities: data is encrypted to make it highly secure; you also have tight control over who can access the data.
Multiple data types: Azure can store almost any type of data you need. It can handle video files, text files, and even large binary files like virtual hard disks. It also has many options for your relational and NoSQL data.
Data storage in virtual disks: Azure also has the capability of storing up to 32 TB of data in its virtual disks. This capability is significant when you're storing heavy data such as videos and simulations.
Storage tiers: storage tiers to prioritize access to data based on frequently used versus rarely used information.
Azure ATP Components:
Azure ATP portal. Azure ATP sensor. Azure ATP cloud service.
What does Azure Advanced Threat Protection do?
Azure Advanced Threat Protection monitors and analyzes user activities, events and related information across your network. This information is used to create a baseline for each user, which future activities are compared with to identify suspicious behaviour.
You are in a client meeting with a customer and learn that the customer would like to run their website from their own vNET and subnets, but due to staff constraints they would like the least amount of overhead on the team as possible. Which Azure service would you recommend to the client?
Azure App Service Environment is a deployment of Azure App Service into a subnet in a customer's Azure virtual network. It provides a fully isolated and dedicated environment for securely running App Service apps at high scale. Azure App Service Environment is a Platform-as-a-Service offering which enables teams to focus on building the application instead of managing the underlying hardware and operating systems.
Which Azure DevOps tool would you use to share applications and code libraries?
Azure Artifacts is a service in Azure DevOps, which can host code libraries and applications for you to share internally or externally. Azure Boards is for project managers. Azure Repos holds your source code. Azure Test Plans is used to create manual and automatic test scenarios for your application. Azure Pipelines is the process that builds and deploys your application.
You are developing a web application which will be used to stream videos. Which of the following Azure storage types are best suited to this use case?
Azure Blob storage is an object-based storage service ideal for storing large amounts of unstructured data, including video streams. It can be accessed via HTTP and HTTPS or via a variety of client libraries.
What are two ways to manage containers in Azure?
Azure Container Instances (ACI) and Azure Kubernetes Service (AKS).
Which of the following solutions describes Azure Cosmos DB?
Azure Cosmos DB is a globally distributed multi-model database offering designed to guarantee low latency and high availability. It is compatible with Cassandra, MongoDB and other NoSQL workloads.
What kind of service architecture is Azure DevOps?
Azure DevOps is a PaaS solution, where you manage the platform and the services on it, but not the infrastructure.
Name 3 Additional Support Channels for Azure.
Azure Documentation. Forums. Social Media.
Which of the following Azure storage types is most suitable for sharing files using the Server Message Block (SMB) protocol?
Azure Files provides highly available network file shares using the SMB protocol. This allows multiple VMs to read and write the files, and files may be accessed remotely using a URL. Disk Storage allows data to be stored persistently and attached as a virtual hard disk. Blob Storage is designed for storing large amounts of unstructured data but cannot be accessed via SMB. Azure Storage Explorer is a standalone app for Windows, Mac and Linux which enables you to work visually with your storage data.
Two implementations of Azure serverless compute:
Azure Functions (can execute code in almost any modern language). Azure Functions can be either stateless (the default), where they behave as if they're restarted every time they respond to an event, or stateful (called "Durable Functions"), where a context is passed through the function to track prior activity.
Azure Logic Apps (designed in a web-based designer and can execute logic triggered by Azure services without writing any code). Where Functions execute code, Logic Apps execute workflows designed to automate business scenarios and built from predefined logic blocks.
Which are considered serverless services on Azure?
Azure Functions: provides a single function to do a single task.
Logic Apps: a way to connect systems within and outside Azure, including apps, data flows, services and entire systems. It can schedule, automate and orchestrate tasks, business processes and workflows. No coding needed. For example, when an order above $100 occurs, an email can be sent to customer service asking them to thank the customer.
Event Grid: a routing service for connected applications that ensures events are sent and received fast and accurately. Makes complex cloud architectures much simpler.
They are all serverless services on Azure.
You have a need to create a new IoT solution quickly with minimal setup and development time. Which Azure product or solution can best help with these requirements?
Azure IoT Central is a Software-as-a-Service solution that can help ease the costs and effort of developing a whole IoT solution from scratch.
Your company wants to use Azure to manage all of their IoT devices. They are going to create the infrastructure themselves, but need a backend in Azure to manage the flow of data, and to ensure security as well as ease of deployment of new devices. Which Azure product or solution would be suitable?
Azure IoT Hub is a PaaS solution that provides a managed and secure backend for millions of IoT devices. Azure IoT Hub is a solution for providing managed services for large IoT projects. It provides secure and reliable communication from devices to the Azure backend.
You have been asked to automate part of a business process into Azure. You do not have a scripting background but need to automate the movement of files uploaded to an SFTP server to a storage account. Which service provides you with an easy way to do this using a graphical interface?
Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.
Which is the best Azure tool for managing your models, projects, data sets and more for Machine Learning?
Azure Machine Learning Studio.
You want to get started in Artificial Intelligence on Azure using a visual workspace. Which service should you use?
Azure Machine Learning Studio. Azure Machine Learning Studio provides a drag-and-drop visual interface for machine learning using preconfigured algorithms.
What types of data does Azure Monitor collect?
Azure Monitor collects two broad types of data: metrics and logs. Within these data types sits subscription monitoring data.
Alerts
Azure Monitor proactively notifies you of critical conditions using these, and can potentially attempt to take corrective actions.
Autoscale
Azure Monitor uses this to ensure that you have the right amount of resources running to manage the load on your application effectively.
Azure Encryption Options for Storage
Azure Storage Service Encryption (SSE) for data at rest helps you secure your data to meet the organization's security and regulatory compliance. It encrypts the data before storing it and decrypts the data before retrieving it. The encryption and decryption are transparent to the user. Client-side encryption is where the data is already encrypted by the client libraries. Azure stores the data in the encrypted state at rest, which is then decrypted during retrieval.
Which of the following are valid Azure storage redundancy types?
Azure has many redundancy options to choose from when identifying which storage option to select. The following are all valid Azure Storage redundancy options - Locally redundant storage, Zone-redundant storage, Geo-redundant storage, Read-access geo-redundant storage, Geo-zone-redundant storage and Read-access geo-zone-redundant storage.
Which of the following is true in relation to Azure Management Groups?
Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called 'management groups' and apply your governance conditions to the management groups. For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation.
Azure Databricks
Based on Apache Spark, which is an open source, distributed cluster-computing framework. It runs and processes a data set on many computers simultaneously. This Azure service provides all the necessary compute (so you don't need to buy and maintain computers) and integrates with Azure Storage services (storage, analytics, data lake storage and also Hadoop storage). You use data from all these data sources to gain insights and analyze the data with this Azure service (based on Apache Spark).
Developer Level Support Elements?
Basic Level plus, business hour email support for technical issues; unlimited support cases; guidance and troubleshooting for Azure configurations; Minimal Business Impact (Severity C) Response of < 8 hours; General Guidance Architectural Support
What are the 5 support levels for Azure?
Basic, Developer, Standard, Professional Direct and Premier.
What are some of the main aims of collecting and processing Big Data?
Big Data is a technology that enables speed and efficiency when analyzing data, cost reduction for storing enormous amounts of data, faster and better decision making for companies based on the data and its analysis, and the development of new processes and services based on customers' needs and satisfaction through analytics.
Which services can feed the Azure Monitor?
Both Azure services and on-premises services.
Managed identities for Azure
Can be instantly created for any Azure service that supports it—and the list is constantly growing. When you create this for a service, you are creating an account on your organization's Active Directory (a specific organization's Active Directory instance is known as an "Active Directory Tenant"). The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources.
Azure Knowledge Center
Central location for common Azure knowledge. You can't add a new question or add to an existing one. You can search the Knowledge Center by category, product and free text.
Which companies must comply with General Data Protection Regulation (GDPR)?
Companies of any country must adhere to this regulation if their users and customers are located in the European Union.
Azure Data Storage vs On-Premise Storage
Cost effectiveness, Reliability, Storage types, Agility.
Semi-structured data
Data doesn't fit neatly into tables, rows, and columns. Instead, it uses tags or keys that organize and provide a hierarchy for the data. It is also referred to as non-relational or NoSQL data.
Structured Data
Data that adheres to a schema, so all of the data has the same fields or properties. It can be stored in a database table with rows and columns. It relies on keys to indicate how one row in a table relates to data in another row of another table. It is also referred to as relational data.
What are two features of role-based access control?
Define which actions users can take on a resource. Define which users have access to specific Azure resources.
Azure Boards
DevOps tool for project managers. Keeps track of work tasks, timelines, issues, planning, etc.
Standard Level Support Elements?
Developer Level plus, Moderate Business Impact (Severity B) Response of < 4 hours and Critical Business Impact (Severity A) Response of < 1 hour
What is a Load Balancer?
Distributes traffic evenly among each system in a pool. It can help you achieve both high availability and resiliency.
Azure Blueprint
Enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. They make it possible for development teams to rapidly build and stand up new environments with trust that they're building within organizational compliance with a set of built-in components.
Unstructured data
Encompasses data that has no designated structure to it. This also means that there are no restrictions on the kinds of data it can hold. For example, a blob can hold a PDF document, a JPG image, a JSON file, video content, etc. As such, it is becoming more prominent as businesses try to tap into new data sources.
Policy Definition
Expresses what to evaluate and what action to take. For example, you could ensure all public websites are secured with HTTPS, prevent a particular storage type from being created, or force a specific version of SQL Server to be used.
Azure DevTest Labs
Focuses on the environment that DevOps processes run on. Three elements:
Environment Management (allows developers and engineers to create environments for test and development);
Cost Management (won't incur unexpected costs and minimizes the inefficient use of resources; can use automation);
Templates (can tailor your dev and test environments and reuse them with templated deployments).
Azure Storage Service Encryption
For data at rest helps you protect your data to meet your organizational security and compliance commitments. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management is transparent to applications using the services.
Azure Security Center Tiers:
Free: Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
Standard: This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.
Transparent Data Encryption (TDE)
Helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed Azure SQL Database instances.
Blob Storage Tiers
Hot storage tier: optimized for storing data that is accessed frequently. Cool storage tier: optimized for data that are infrequently accessed and stored for at least 30 days. Archive storage tier: for data that are rarely accessed and stored for at least 180 days with flexible latency requirements.
Total Cost of Ownership (TCO) calculator
If you are starting to migrate to the cloud, a useful tool you can use to predict your cost savings.
Telemetry
Information about how services or devices are performing. This information is passed to a central point for further analysis. In Azure, it all goes into Azure Monitor.
Azure Pipelines
Is a DevOps process that builds and deploys your application.
Azure Repos
Is a DevOps tool that stores source code for your application securely in a managed way.
Azure Test Plans
Is a DevOps tool used to create manual and automatic test scenarios for your application.
Azure Disk Encryption
Is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. It leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).
Azure Key Vault
Is a centralized cloud service for storing your application secrets. It helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
What is Azure Active Directory?
Is a cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured using this.
Azure Advanced Threat Protection (Azure ATP)
Is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Azure Information Protection (AIP)
Is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
What is a Content Delivery Network (CDN)?
Is a distributed network of servers that can efficiently deliver web content to users. It is a way to get content to users in their local region to minimize latency. You can cache content at strategically placed physical nodes across the world and provide better performance to end users.
Azure Cosmos DB
Is a globally distributed database service. It supports schema-less data that lets you build highly responsive and Always On applications to support constantly changing data. You can use this feature to store data that is updated and maintained by users around the world.
What is a Virtual Network?
Is a logically isolated network on Azure. It allows Azure resources to securely communicate with each other, the internet, and on-premises networks. It is scoped to a single region; however, multiple virtual networks from different regions can be connected together using virtual network peering. They can be segmented into one or more subnets. Subnets help you organize and secure your resources in discrete sections. The web, application, and data tiers each have a single VM. All three VMs are in the same <blank> but are in separate subnets.
Azure Firewall
Is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides inbound protection for non-HTTP/S protocols. Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
Azure SQL Database
Is a relational database as a service (DaaS) based on the latest stable version of the Microsoft SQL Server database engine. You can migrate your existing SQL Server databases with minimal downtime using the Azure Database Migration Service.
Initiative Definition
Is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using them if you anticipate increasing the number of policies over time.
What is DNS?
Is a way to map user-friendly names to their IP addresses. You can think of it as the phonebook of the internet.
Compliance Manager
Is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services. It provides recommendations for ensuring compliance with GDPR, ISO, NIST and others. It allows you to assign compliance tasks to your team and track progress. It provides you with a compliance score. You can also upload documentation to prove compliance and store them securely. It can provide you with reports of compliance data to provide to auditors and managers.
Azure AD Privileged Identity Management (PIM)
Is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.
A Principal
Is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and this separately, but think of using 'sudo' on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered this because they can have rights assigned.
Service Principal
Is an identity that is used by a service or application. And like other identities, it can be assigned roles.
Initiative Assignment
Is an initiative definition assigned to a specific scope. They reduce the need to make several initiative definitions for each scope. This scope could also range from a management group to a resource group.
Azure DDoS Protection: Basic Tier
Is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft's online services use. Azure's global network is used to distribute and mitigate attack traffic across regions.
Identity
Is just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.
Authentication (AuthN)
Is the process of establishing the identity of a person or service looking to access a resource.
Authorization (AuthZ)
Is the process of establishing what level of access an authenticated person or service has.
Azure Advisor for Security Assistance
Is the same as the Azure Security Center
Azure Blob storage
Is unstructured, meaning that there are no restrictions on the kinds of data it can hold. It is highly scalable and apps work with it in much the same way as they would work with files on a disk, such as reading and writing data. It can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection. It lets you stream large video or audio files directly to the user's browser from anywhere in the world. It is also used to store data for backup, disaster recovery, and archiving. It has the ability to store up to 8 TB of data for virtual machines.
What is a Network Security Group (NSG)?
It allows or denies inbound network traffic to your Azure resources. Think of it as a cloud-level firewall for your network. You can configure a network security group to accept traffic only from known sources, such as IP addresses that you trust.
RBAC Allow Model
It allows you to perform specific actions, such as read, write, or delete. Therefore, if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have both read and write permissions on that resource group.
What is Azure Batch?
It enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs. When you're ready to run a job, it does the following: -Starts a pool of compute VMs for you -Installs applications and staging data -Runs jobs with as many tasks as you have -Identifies failures -Requeues work -Scales down the pool as work completes There may be situations in which you need raw computing power or supercomputer level compute power. Azure provides these capabilities.
Azure ATP Portal
It enables you to monitor and respond to suspicious activity. It allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use it to monitor, manage, and investigate threats in your network environment.
What is an unplanned maintenance event?
It involves a hardware failure in the data center, such as a power outage or disk failure. VMs that are part of an availability set automatically switch to a working physical server so the VM continues to run. The group of virtual machines that share common hardware are in the same fault domain. A fault domain is essentially a rack of servers. It provides the physical separation of your workload across different power, cooling, and network hardware that support the physical servers in the data center server racks. In the event the hardware that supports a server rack becomes unavailable, only that rack of servers is affected by the outage.
What is Serverless Computing?
It is a cloud-hosted execution environment that runs your code but completely abstracts the underlying hosting environment. You create an instance of the service, and you add your code; no infrastructure configuration or maintenance is required, or even allowed.
Azure Application Gateway
It is a load balancer designed for web applications. It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios. This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message. It includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is designed to protect HTTP traffic.
What is Azure Load Balancer?
It is a load balancer service that Microsoft provides that helps take care of the maintenance for you. It supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications. You can use it with incoming internet traffic, internal traffic across Azure services, port forwarding for specific traffic, or outbound connectivity for VMs in your virtual network.
Azure Security Center
It is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. It can: -Provide security recommendations based on your configurations, resources, and networks. -Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online. -Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited. -Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute. -Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred. -Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require. It works by leveraging an agent that is installed on each VM that sends data.
What is Azure App Service?
It is a platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications. You can meet rigorous performance, scalability, security, and compliance requirements while using a fully managed platform to perform infrastructure maintenance.
Can virtual networks span across multiple regions?
It is not possible for a vNET to span multiple regions however the subnets that you create within the vNET are aligned to availability zones (where this service is available). Availability zones provide an additional level of redundancy within a region as each availability zone is made up of one or more datacenters.
Azure DDoS Protection Service
It leverages the scale and elasticity of Microsoft's global network to bring DDoS mitigation capacity to every Azure region. It protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service's availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics.
What is Azure Traffic Manager?
It uses the DNS server that's closest to the user to direct user traffic to a globally distributed endpoint. You can connect it to your own on-premises networks, enabling you to maintain your existing data center investments. Or you can move your application entirely to the cloud. It monitors the health of your endpoints. When it finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.
Azure ExpressRoute
Lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. It improves the security of your on-premises communication by sending this traffic over the private circuit instead of over the public internet. You don't need to allow access to these services for your end users over the public internet, and you can send this traffic through appliances for further traffic inspection.
Ways to save on licensing?
Linux vs. Windows; Azure Hybrid Benefit for Windows Server; Azure Hybrid Benefit for SQL Server; Use Dev/Test subscription offers; Bring your own SQL Server license; Use SQL Server Developer Edition; Use constrained instance sizes for database workloads
What are the main elements of Machine Learning / AI?
Model (the way you define what you want your machine learning implementation to learn...it is a set of rules); Knowledge Mining (use Azure Search to find insights in your data); Built-in Apps (like cognitive learning and bots <assistants that are ready to answer your questions>)
Azure Files
Offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol. Its file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Applications running in Azure virtual machines or cloud services can mount a file storage share to access file data, just as a desktop application would mount a typical SMB share. Any number of Azure virtual machines or roles can mount and access the file storage share simultaneously. Typical usage scenarios would be to share files anywhere in the world, diagnostic data, or application data sharing.
What is an Azure Region?
One or more Azure data centers within a specific geographic location. East US, West US, and North Europe are examples.
Life Cycle Grouping
Organizing resources this way can be useful in non-production environments, where you might try an experiment, but then dispose of it when done. Resource groups make it easy to remove a set of resources at once.
What does Azure Security Center highlight?
Policy & Compliance Metrics; A Secure Score to enhance security hygiene; Security information from other cloud providers via a SIEM (Security Information and Event Management) tool; Alerts for resources that aren't secure
What are the three stages to the Azure service lifecycle?
Preview (can be private or public). General Availability (can gradually roll-out across regions). Can find out when a feature is going into preview or general availability via the Azure updates feed.
Premier Level Support Elements?
Professional Level but with Customer Specific Architecture Support (e.g., Design Reviews, Performance Tuning, Implementation Assistance, etc); Technical Reviews & Reporting and a Technical Account Manager; On-Demand for Training; Can't Sign Up Online for this Level of Support
Application Security Group
Protects an application rather than an IP endpoint. Allows you to configure security as a natural extension of an application's structure. You can group VMs and network security policies based on your application and its components instead of an explicit IP address.
Cyber-Attack Kill-Chain
Provides
Disk Storage
Provides disks for virtual machines, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios. It allows data to be persistently stored and accessed from an attached virtual hard disk. Disks come in many different sizes and performance levels, from solid-state drives (SSDs) to traditional spinning hard disk drives (HDDs), with varying performance abilities.
What can you do with Azure App Service Mobile app back-ends?
Quickly build a back-end for iOS and Android apps. With just a few clicks you can: -Store mobile app data in a cloud-based SQL database -Authenticate customers against common social providers such as MSA, Google, Twitter, and Facebook -Send push notifications -Execute custom back-end logic in C# or Node.js On the mobile app side, there is SDK support for native iOS & Android, Xamarin, and React native apps.
High Availability
Refers to a service that's up and running for a long period of time.
Resiliency
Refers to a system's ability to stay operational during abnormal conditions. These conditions include: -Natural disasters -System maintenance, both planned and unplanned, including software updates and security patches. -Spikes in traffic to your site -Threats made by malicious parties, such as distributed denial of service, or DDoS, attacks
Availability
Refers to how long your service is up and running without interruption.
Authorization Grouping
Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed.
Logical Grouping
Resource groups exist to help manage and organize your Azure resources. By placing resources of similar usage, type, or location, you can provide some order and organization to resources you create in Azure.
Azure ATP Cloud Service
Runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. It is connected to Microsoft's intelligent security graph.
What Azure service can you use to automatically add or remove virtual machines to your environment in response to demand on your applications?
Scale Sets will allow automatic scaling of virtual machines residing behind a load balancer, based on metrics which you specify.
To access the Azure Cloud Shell (>_), what do you need to do?
Select the icon (>_) in the top menu of the Azure Portal
Your security team is hesitant to permit access to the Azure Public Cloud - to help reassure them of the compliance certifications awarded to Azure what service can you direct them to?
Service Trust Portal. The Service Trust Portal is the central location for all published audit reports of the Azure platform as well as risk assessments and security best practices.
Two primary purposes for Certificates in Azure:
Service certificates are used for cloud services. Management certificates are used for authenticating with the management API.
HDInsight
Similar to Azure Data Lake Analytics but uses an all open source framework. It includes Apache Hadoop (allows several computers to work together to solve problems), Apache Spark (interface to allow parallel program between clusters of computers) and Apache Kafka (allows processing of real-time data feeds).
What are virtual machines (VMs)?
Software emulations of physical computers. They include a virtual processor, memory, storage, and networking resources. They host an operating system (OS), and you're able to install and run software just like a physical computer. And by using a remote desktop client, you can use and control the virtual machine as if you were sitting in front of it. They are an ideal choice when you need: -Total control over the operating system (OS) -The ability to run custom software, or -To use custom hosting configurations https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-compute/3-virtual-machines
Professional Direct Level Support Elements?
Standard Level but with Minimal Business Impact (Severity C) Response of < 4 hours; Moderate Business Impact (Severity B) Response of < 2 hours and Critical Business Impact (Severity A) Response of < 1 hour; In Depth Architecture Support; Onboarding Services & Reviews; Webinars for Training
Types of data?
Structured. Semi-structured. Unstructured.
What are some of the advantages of using a subnet with your Azure Virtual Network? (Choose 3)
Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network's address space to each subnet. This makes address allocation more efficient, you can have a separate network security group for the subnet, and you can logically group services as well. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
What are two top-level types of encryption?
Symmetric encryption and Asymmetric encryption.
What command-line environments are available for use in the Azure Cloud Shell?
The Azure Cloud Shell supports the Bash and PowerShell command-line environments.
Machine Learning Service
The Azure service that provides an end-to-end machine learning service. It is also a collection of tools that help you build AI applications. It also automatically recognizes your trends and creates machine learning models that you can use.
Which Azure Support Plan can offer the lowest possible response time for the most critical incidents?
The Premier support plan includes up to a 15-minute response time with Azure Rapid Response, a special annual program for customers requiring extremely fast response times, or Azure Event Management services, a special short-term service for when new critical workloads are being launched in Azure. This is the lowest possible response time for Azure support. Standard, Professional Direct, and Premier all offer 1 hour response times without these special programs, which can be enough for most businesses.
Which Azure Support Plan offers a response time for critical business impact events of less than 1 hour, at the lowest cost?
The Standard support plan includes 24x7 access to Support Engineers via email and phone. The Standard support plan is recommended for customers running Production workloads (meaning, things that are in use by the business as part of their daily processes). When these workloads are critically impacted, it's often important that Azure Support is engaged as soon as possible.
What are characteristics of Azure Paired Regions?
The ability to failover from one region to the other in the event of an outage. Only one region in a pair is patched or updated at any one time. Provides the capability for some services to replicate.
What services does Azure App Service provide?
The main features of Azure App Service are to provide Web Apps, Web Apps for Containers and API Apps. In addition, Mobile Apps can be created through the Web App service. Web Apps can be built using popular frameworks such as .NET, .NET Core, Java, Node.js, Python, PHP and Ruby which then runs on either Windows or Linux.
What methods are available to connect to the Azure Public Cloud?
The methods to connect to the Azure Public Cloud are over the internet to public endpoints, via site or client VPNs to devices you configure in the Cloud environment, or through a dedicated connection such as ExpressRoute.
You have been asked to migrate a Windows-based legacy on-premises application to Azure with the minimal effort possible, which compute service should you choose?
The simplest migration approach would be to use Azure Migrate and target Virtual Machines - virtual machines have the closest similarity to the on-premises platform where the application resides. Containers and serverless would require transformations to the application before it could be migrated.
What does Azure Kubernetes Service provide?
The task of automating, managing, and interacting with a large number of containers is known as orchestration. <Blank> is a complete orchestration service for containers with distributed architectures with multiple containers.
What do App Service WebJobs allow you to do?
They allow you to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. They can be scheduled, or run by a trigger. They are often used to run background tasks as part of your application logic.
What are containers?
They are a virtualization environment for running applications. Just like virtual machines, they run on top of a host operating system. But unlike VMs, they don't include an operating system for the apps running inside of them. Instead, they bundle the libraries and components needed to run the application and use the existing host OS. For example, if five of them are running on a server with a specific Linux kernel, all five and the apps within them share that same Linux kernel. It doesn't use virtualization, so it doesn't waste resources simulating virtual hardware with a redundant OS. This environment typically makes them more lightweight than VMs. This design allows you to respond quickly to changes in demand or failure. Another benefit is you can run multiple isolated applications on a single host. Since they are secured and isolated, you don't need separate servers for each app.
What are virtual machine scale sets?
They let you create and manage a group of identical, load balanced VMs. With these, you can build large-scale services for areas such as compute, big data, and container workloads.
What do Azure Container Instances (ACI) provide?
They offer the fastest and simplest way to run a container in Azure. You don't have to manage any virtual machines or configure any additional services. It is a PaaS offering that allows you to upload your containers and execute them directly with automatic elastic scale.
What is a microservice architecture?
This architecture is where you break solutions into smaller, independent pieces. For example, you may split a website into a container hosting your front end, another hosting your back end, and a third for storage. This split allows you to separate portions of your app into logical sections that can be maintained, scaled, or updated independently.
Azure DDoS Protection: Standard Tier
This service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
Azure Queue (Storage)
This storage is a service for storing large numbers of messages that can be accessed from anywhere in the world. It can be used to help build flexible applications and separate functions for better durability across large workloads. When application components are decoupled, they can scale independently. It provides asynchronous message queueing for communication between application components, whether they are running in the cloud, on the desktop, on-premises, or on mobile devices. You can use it to: -Create a backlog of work and to pass messages between different Azure web servers. -Distribute load among different web servers/infrastructure and to manage bursts of traffic. -Build resilience against component failure when multiple users access your data at the same time.
Azure Service Health Use Cases?
To set up custom alerts to notify you of any outages, planned or otherwise. To track incidents with your services in real time and get a report afterwards. This is a free service.
What are the Microsoft services that can tell you more about trust in the Azure platform?
Trust Center and Service Trust Portal.
Your company has a large amount of documents that are both sensitive and important to a large number of people. How would you secure these documents so you can still share them, but track where they are?
Use Azure Information Protection to secure and track any document or email. Azure Information Protection (AIP) is a cloud-based solution that helps your organization to classify and protect its documents and emails by applying labels.
Ways to save on infrastructure costs?
Use Azure credits; Use spending limits; Use reserved instances (and Azure Hybrid Benefit: helps you maximize the value of your existing on-premises Windows Server and/or SQL Server license investment while you're migrating to Azure.); Choose low-cost locations and regions; Research available cost-saving offers; Right-size underutilized VMs; Deallocate VMs in off hours; Delete unused VMs; Migrate to PaaS or SaaS services
Asymmetric Encryption
Uses a public key and private key pair. Either key can encrypt but a single key can't decrypt its own encrypted data. To decrypt, you need the paired key. This is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
Symmetric Encryption
Uses the same key to encrypt and decrypt the data. Consider a desktop password manager application. You enter your passwords and they are encrypted with your own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted.
What are the four common techniques for performing compute on Azure?
Virtual Machines. Containers. Azure App Service. Serverless Computing.
Azure Cognitive Services
Vision (provides information on visual content), Decision (can make informed decisions based on an app), Speech (takes audio and converts it to a transcript)
With Azure App Service (a PaaS service), what common web app styles can you host?
Web Apps, API Apps, WebJobs and Mobile Apps
What is a planned maintenance event?
When the underlying Azure fabric that hosts VMs is updated by Microsoft. It is done to patch security vulnerabilities, improve performance, and add or update features. Most of the time they are done without any impact to the guest VMs. But sometimes VMs require a reboot to complete an update. When the VM is part of an availability set, the Azure fabric updates are sequenced so not all of the associated VMs are rebooted at the same time. VMs are put into different update domains. Update domains indicate groups of VMs and underlying physical hardware that can be rebooted at the same time. Update domains are a logical part of each data center and are implemented with software and logic.
Microsoft Privacy Statement
explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
Resource Health
helps you diagnose and obtain support when an Azure service issue affects your resources. It provides you with details about the current and past state of your resources. It also provides technical support to help you mitigate problems. In contrast to Azure Status, which informs you about service problems that affect a broad set of Azure customers, this gives you a personalized dashboard of your resources' health (and can be used to determine SLA violations).
Service Trust Portal (STP)
hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services. Its users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services. It allows you to: -Access audit reports across Microsoft cloud services on a single page. -Access compliance guides to help you understand how you can use Microsoft cloud service features to manage compliance with various regulations. -Access trust documents to help you understand how Microsoft cloud services help protect your data.
Microsoft Security Development Lifecycle (SDL)
introduces security and privacy considerations throughout all phases of the development process.
Azure Advisor
is a free service built into Azure that provides recommendations on high availability, security, performance, and cost. It analyzes your deployed services and looks for ways to improve your environment across those four areas.
Azure pricing calculator
is a free web-based tool that allows you to input Azure services and modify properties and options of the services. It outputs the costs per service and total cost for the full estimate.
Azure Cost Management
is a free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas.
Azure Resource Group
is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription, like virtual machines, Application Gateways, and CosmosDB instances. All resources must be in one of these, and a resource can only be a member of a single one of these. Many resources can be moved between these, with some services having specific limitations or requirements to move. These can't be nested. Before any resource can be provisioned, you need this for it to be placed in.
Azure Monitor for containers
is a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API.
Application Insights
is a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises. It leverages the powerful data analysis platform in Log Analytics to provide you with deeper insights into your application's operations.
Azure Monitor for VMs
is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes). It includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers.
Azure Service Health
is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you.
Microsoft Trust Center
is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
Azure Policy
is an Azure service you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements.
Azure Monitor
maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
Azure Status
provides a global view of the health state of Azure services. With this, you can get up-to-the-minute information on service availability. Everyone has access to this and can view all services that report their health state.
Service Health
provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them.
Azure Monitor Activity Logs:
record when resources are created or modified
Azure Monitor Metrics:
tell you how the resource is performing and the resources that it's consuming.