D338: Cloud Platform Solutions
______ Query Language is used to query Azure Monitor logs.
Kusto
KQL
Kusto Query Language
Upgrading an AKS cluster upgrades one _____ at a time.
node
DNS Record types in Azure DNS: Maps IPv4 address
A
DNS Record types in Azure DNS: Maps IPv6 address
AAAA
_____ can be enabled on your VPN gateway if the on-premises gateway supports it. If used, the VPN gateway and on-premises gateway can exchange routing information automatically. _____ enables high-availability redundant connections.
BGP
An Azure __________ defines how often backups occur and how long the backups are retained.
Backup Policy
VPN Gateway Pricing Tiers: _______- 10 Max site-to-site VPN connections. Throughput of 100 Mbps
Basic
SSPR License Requirements: Password ______ - Cloud-user only, included in all editions of Azure AD
Change
Blob Storage Access Levels ________ - With this option, blobs and their containers can be accessed anonymously.
Container
RBAC Resource Role Scopes: ___________- All blobs inside the container, the container properties, and the metadata will inherit the role assignment when this scope is selected
Container
Azure ExpressRoute supports connectivity to Azure platform services, such as _______ DB.
Cosmos
Azure Backup Server inherits much of its functionality from __________ (DPM). It does not back up to tape, and it does not integrate with System Center.
Data Protection Manager
Step 1 for enabling AD DS Authentication to Azure Files?
Enable AD DS authentication on your storage account
ExpressRoute circuits are connected to an Azure virtual network using an __________________.
ExpressRoute gateway
Server-side Encryption Models: Define Customer-Managed Keys?
Gives you control over the keys, including bring your own key (BYOK) support, or allows you to generate new ones
________________ (adjective) unchanging over time or unable to be changed.
Immutable
Azure Container ________ - Easy to create containers. Point ACI to a repository and it creates the container for you. It doesn't require that you pay for a VM; ACI is serverless. You can access it using a public IP address or a DNS name label.
Instances
Default NSG Rules: Virtual Network - Traffic originating and ending in a virtual network is allowed in both inbound and outbound directions. ___________ - Outbound traffic is allowed, but inbound traffic is blocked. Load Balancer - Allows the Azure Load Balancer to probe the health of your VMs and role instances. If you are not using a load balanced set, you can override this rule.
Internet
Next hop types supported for UDRs: ____________ - Used to route a specific IP address or prefix to the Internet
Internet
There are 3 options for updating a virtual machine scale set instance. Define Manual?
It is up to you to programmatically step through and update each instance using the PowerShell command.
Resource Group template is a ______ file that allows you to declaratively describe a set of resources. These resources can then be added to a new or existing resource group.
JSON
Azure Resource Manager templates are authored using ____________ and provide the ability to define the configuration of resources, such as virtual machines, storage accounts, and so on in a declarative manner.
JavaScript Object Notation (JSON)
Azure _______ is used to implement Azure App Service authentication to third party identity providers.
Key Vault
Azure ________ can be used to encrypt your Azure VM disks.
Key Vault
AKS cluster can be scaled with the ______ command line tool.
Kubectl
To manually scale an AKS cluster use the _______ command line tool.
Kubectl
AKS Networking Options _______- "Basic networking". Each node in the cluster gets an IP address from the VNet subnet where the cluster is deployed. Each pod within the cluster gets an internal IP address. Uses NAT to establish connections to other Azure resources.
Kubenet
AKS Options for networking: _______________ - Called basic networking. Each node in the cluster gets an IP address from the VNet subnet where the cluster is deployed. Each pod within the cluster gets an internal IP address from an address space explicitly set aside for the pods. Uses NAT to establish connections to other Azure resources. Means that other VMs in Azure or On-premises can't directly establish communication with those pods.
Kubenet
Alerts that are generated within Azure Monitor can invoke Azure Automation runbooks, ___________, Azure Functions, and even generate incidents in third-party IT service management tools.
Logic Apps
DNS Record types in Azure DNS: Used for mail server configurations
MX
______________________ - Can be used to access blobs or queues from an Azure entity like Azure VM, virtual machine scale set, or an Azure Functions app.
Managed Service Identity (MSI)
______________ Peering - Provides connectivity over the Internet address space into Microsoft services such as Office 365, Dynamics 365, and Internet-facing endpoints of Azure platform (PaaS) services.
Microsoft
__________ Agent can be used to back up files and folders from an on-premises VM. The agent is only supported on Windows agents; you will need to download the vault credentials file, which is under the Recovery Services agent download link.
Microsoft Azure Recovery Services (MARS)
ExpressRoute provides connectivity to all __________________, unlike a Site-to-Site VPN which only provides connectivity to your Azure VNet.
Microsoft Cloud Services
Properties of a virtual network: ________ - must be within the resource group, between 2 and 64 characters, and may contain letters (case insensitive), numbers, underscores, periods or hyphens. Must start with a letter or number and end with a letter, number, or underscore.
Name
Settings of a virtual network subnet: _______ - Must be unique within the VNet.
Name
Supported ways to connect Storage Explorer to Storage Accounts: Using a Storage Account ______ and ______ - This option requires you to have access to the storage account name and key. These values can be accessed from the Azure portal under Access Keys.
Name, Key
What Azure Tag limitations apply to Resource Groups?
Not all resources support tags
App Services uses _____ authentication when configuring a third-party identity provider. Secrets that you provide to configure it are securely stored in Azure Key Vault.
OAUTH
Azure AD returns an ________ token to the security principal, which can be used for authorization against Azure Storage (blob or queue).
OAuth 2.0
-
Service key will need to be shared with the provider.
Blobs of all three types can share a single blob container. True or False?
True
Subnets support _____________ with a route table.
association
IPv6 supports only the _______ tier and _______ allocation.
basic, dynamic
Benefits by using object replication: Compute workloads can now process the same sets of __________ in different regions using object replication.
block blobs
Azure Firewall supports _____________ based on the FQDN of the destination while NSGs do not.
blocking traffic
Owner roles are an example of a __________ role that includes permissions that manage resources, security, and the application of role assignments.
built-in
ExpressRoute _________ bandwidth can either be metered or unlimited.
circuit
ACI provides the ______ node scaling of AKS
fastest
Azure Load Balancer TCP Health Probes attempt to initiate a connection by completing a three-way TCP handshake. If successful, the connection is then closed with a ________________.
four-way handshake
Persistent volumes exist within the cluster, but _____ of a pod.
outside
Managed disks provide additional availability over unmanaged disks by aligning with availability sets and providing storage in ___________.
redundant storage units
When you configure an autoscale rule to scale out for a specific metric, you should also create another rule to _______ when that metric drops below your desired threshold.
scale in
The size of the VPN gateway should be chosen based on the ______________ required.
throughput
Each deployment slot is its own ______.
web page
Registered and joined devices in Azure AD can be managed in which two areas in the Azure portal?
-Browsing to your Azure AD tenant in the Azure portal and selecting Devices. All Devices is the default view, but you can also choose other views, such as Device Settings, BitLocker Keys, and so on. -Through the Devices blade for an individual user.
What are the two types of Azure Files identity-based authentication?
-On-premises Active Directory Domain Services (AD DS) -Azure Active Directory Domain Services (Azure AD DS)
The first private IP to be allocated in network interface settings will be ___
.4
Azure reserves the first 4 and last IP address in each subnet. The first IP address allocated to VM is therefore typically the ___________ address.
.4 IP
VPN Gateway Pricing Tiers: VpnGw2 and VpnGw2Az - 30 maximum site-to-site VPN connections. Throughput of _______.
1 Gbps
VPN Gateway Pricing Tiers: VpnGw3 and VpnGw3Az - 30 maximum site-to-site VPN connections. Throughput of __________.
1.25 Gbps
Metrics can be one dimensional or multidimensional with up to ___ dimensions. A nondimensional metric can be thought of as the metric name, and the value of the metric output is collected by the Monitor services over time. A multidimensional metric (Both from an Azure resource or a custom metric) is the metric name and an additional name-value pair with additional data.
10
Non-hybrid Azure AD join is used for Windows _______ and Windows ____.
10 Pro, 10 Enterprise
Alerts and Metric alerts from Alert Rules do not generate alerts immediately and can take up to ________.
10 minutes
Azure Files is a fully managed file share service that offers endpoints for the Server Message Block (SMB) protocol. Default max size is 5 TiB per share, but if you enable larger file shares then it can go up to 100 TiB per share. Also, if you use the premium SKU, you get ____ TiB by default.
100
Data in the Archive storage blob tier is stored offline and must be rehydrated to the Cool or Hot tier before it can be accessed. This process can take up to ____ hours.
15
Largest image you can host in ACI is ___GB, you cannot create a container that uses more than 4 CPU cores and 16GB of memory.
15
Largest image you can host in ACI is ___GB. You cannot create a container that uses more than 4 CPU cores and 16GB of memory.
15
Azure Files support for SMB ___. When accessing an Azure File share from a computer running outside of Azure it is important to open the outbound TCP port 445 in your local network.
3.0
Cool access tier is used for storing data for at least ___ days.
30
VPN Gateway Pricing Tiers: VpnGw2 and VpnGw2Az - ___ maximum site-to-site VPN connections. Throughput of 1 Gbps.
30
VPN Gateway Pricing Tiers: VpnGw1 and VpnGw1 - _____ Max site-to-site VPN connections. Throughput of 65Mbps.
30
VPN Gateway Pricing Tiers: VpnGw3 and VpnGw3Az - ___ maximum site-to-site VPN connections. Throughput of 1.25 Gbps
30
Conditions of large-scale sets ("multiple placement groups"): Basic SKU of the Azure Load Balancer can scale up to ___ instances
300
For longer term retention, metrics can optionally be sent to Azure storage for select resources and retained up to the configured retention policy or the storage limits of the account. They can also be sent to Log Analytics with a default retention period of ___ days.
31
Guest OS metrics collected by Log Analytics Agents: Collected by the Log Analytics agent and are sent to a Log Analytics workspace. Retention period of ___ days. This retention period can be extended for up to two years.
31
Maximum retention period for soft delete is ____days.
365
Largest image you can host in ACI is 15 GB. You cannot create a container that uses more than __ CPU cores and 16GB of memory.
4
Up to 50,000 blocks can be added to each Append Blob, and each block can be up to __MB in size, giving a maximum Append Blob size of slightly more than 195 GB. Page Blobs are most used for log files.
4
Largest image you can host in ACI is 15 GB, you cannot create a container that uses more than __ CPU cores and __GB of memory.
4, 16
Requirements and limitations of the Azure Import/Export Jobs tool: The tool requires a .NET Framework ______ or later and BitLocker
4.5.1
The maximum Block Blob size is slightly more than _____TB.
4.75
NSG rules are enforced based on their priority. Priority values start from 100 and go to ______.
4096
Spreading Algorithm option for Health Monitoring decides how scale set instances will be placed in a fault domain. With max spreading, the instances are distributed in the maximum fault domains possible for each zone. Fixed Spreading restricts instances to exactly ____ fault domains. If a scale set is using a fixed spreading algorithm and there are fewer than ___ fault domains available, the deployment will fail.
5
The minimum Azure Load Balancer Health Probe interval is ___ seconds, and the minimum consecutive probe failure threshold is ___ seconds.
5, 2
ExpressRoute circuits provide different levels of bandwidth, from ___Mbps to ____Gbps. They also provide redundant connections.
50, 10
Azure Application Gateway provides traffic routing for OSI layer __.
7
The maximum Page Blob size is __TB.
8
Containers can be accessed from the URL with port ___ or with the Public IP address.
80
A single move operation in the Resource Manager cannot move more than _____ resources.
800
Azure Monitor retains metrics for __ days.
93
____ provides the fastest node scaling of AKS
ACI
________ records allow you to define the target of the DNS record implicitly by referencing another Azure resource.
Alias
Step 3 for enabling AD DS Authentication to Azure Files?
Assign directory/file-level permissions using Windows ACLs
Step 2 for enabling AD DS Authentication to Azure Files?
Assign share-level access permissions to an Azure AD identity
To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permission on all ______.
AssignableScopes
How long will archive storage data remain?
At least 180 days.
Cluster ______- Scales your node clusters based on the number of pending pods.
Autoscaler
When VMs are created in three ____________, those will be automatically distributed across three fault domains and three update domains
Availability Zones
Command-line Utility ________ can also be used to copy between storage accounts.
AzCopy
DNS zone hosting is provided by _________.
Azure DNS
_________ provides a mechanism to express how the environment is governed for all users at a specified scope regardless of RBAC assignments.
Azure Policy
To restore a virtual machine that has encrypted disks, you also need to provide the Azure ___________ to the Key Vault holding the key.
Backup Service Access
Azure Load Balancer Tiers: ___________- Does not support Availability Zones, supports up to 300 backend servers, VMs must be in the same availability set or a single VM Scale Set, supports TCP and HTTP health probes. Supports Azure Monitor for public load balancer only, alerts and backend pool health count. Open by default, can optionally restrict flow using NSGs. Single outbound IP, not configurable. No provided SLA, free though
Basic
Azure _________ provides secure connections to Azure Virtual Machines using the SSL channel through a browser directly without using any external client. It uses port 443
Bastion
___________ roles can be cloned and then modified for small tweaks to permissions.
Built-in
Password ____/_____/_____ - Hybrid-users, Microsoft 365 Business Premium, Azure AD Premium P1, Azure AD Premium P2.
Change/Unlock/Reset
_________ is a feature of Azure AD which allows administrators to control access to cloud applications through additional checks such as user location, the device the user is accessing the cloud app from, and more.
Conditional access
RBAC ________ - Create and manage all types of Azure resources. Cannot grant access to others. Applies to all resource types.
Contributor
Azure Storage Explorer is a cross-platform application designed to help you quickly manage one or more Storage Accounts. It can be used with all storage services as well as support for ___________ and Azure Data Lake Storage services.
Cosmos DB
Step 1 of creating a child zone resource (DNS)?
Create the child zone resource
_______________ can be used to execute arbitrary commands such as batch files, regular PowerShell scripts, or a bash script. Supported on Windows and Linux-based virtual machines and is ideal for bootstrapping a VM to an initial configuration. Your script must be accessible via a URI such as an Azure Storage Account to be used and must either be accessed anonymously or passed with a shared access signature (SAS URL).
Custom Script Extension
Comparing Metrics and Logs surfaces some key differentiators: __________________ - Metrics are gathered over time (ex: once a minute) and available for immediate query. Logs are often gathered after being triggered by an event and can take time to process before they are available for query. While both offer near real-time query capabilities, metrics will typically be used for fast alerts, and logs used for more complex analysis.
Data Availability
______ backup policy retains backups for 30 days and is performed at 5:30PM UTC.
Default
Azure ________ should be used to implement continuous deployment strategy
DevOps
Azure File Sync extends Azure Files to allow on-premises file services to be extended to Azure while maintaining performance and compatibility. Key features include: Fast _____________ - Restore file metadata immediately and recall as needed.
Disaster Recovery
Azure ______ can be used for storage with AKS. Azure ______ can only be used by a single pod; if you need to access storage across multiple pods, you should use Azure Files instead.
Disks
____________ lets users securely synchronize user and application settings data to the cloud. This means they'll have the same experience no matter which Windows device they sign into.
Enterprise State Roaming
Storage Explorer Operations: Table _______- Import, export, view, add, edit, delete, and query
Entities
Azure Application Gateways and Azure Load Balancers can be used to send logs to a storage account, streamed to an ___________, or integrated with an Azure Log Analytics workspace.
EventHub
Authenticating Azure Storage ____________ with Azure AD allows for access to all storage accounts in a subscription at once.
Explorer
Data protected by Azure Backup is encrypted using the supplied passphrase. If the passphrase is lost or forgotten, any data protected by Azure Backup is able to be recovered. True or false?
False
Factors when creating a resource group: A resource group can be nested in another resource group. True or false?
False
Factors when creating a resource group: A resource group cannot be used to scope access control. True or false?
False
______________ represent a group of servers which have shared power, cooling and networking.
Fault domains
_______ Storage - Supports file only service. No unmanaged disk support. Supports the premium performance tier. N/A access tiers. Supported replication options are LRS and ZRS.
File
Storage Explorer Operations: _________ - Create, rename, copy, delete, create and manage snapshots, connect a VM to a file share, and create and manage shared access signatures and access policies
File Shares
SAS ______ - Provides managed file shares that can be used by Azure VMs or on-premises servers.
Files
Azure AD _________ - User and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and SSO across Azure, Microsoft 365, and many popular SaaS.
Free
The _________________ is a special subnet that is only used for virtual network gateways.
GatewaySubnet
SAS tokens only use the ____ protocol.
HTTPS
__________ joined devices are joined to your on-premises Active Directory and are registered with your Azure AD tenant.
Hybrid AD
-
If you are using your own DNS servers, then you should not configure it within the VM itself because the platform is unaware of the settings you have chosen. Instead, you should configure the options within the virtual network settings.
___________ is the default mode for ARM deployments.
Incremental
________ controller provides the ability to distribute traffic to a set of pods based on the incoming URL
Ingress
Log Analytics uses _________ Language.
Kusto Query
Effective Security Rules are used at the _____ level for viewing rules applied to a VM
NIC
What are the 3 states of alerts?
New, Acknowledged, Closed
Kubernetes Service Types: ____________ - Provides a port mapping on the node, allowing network traffic to reach the node using the specified port.
NodePort
A container group that hosts a Windows container can contain _____ container.
One
DNS Record types in Azure DNS: Used for reverse DNS lookups in reverse lookup zones
PTR
Azure Kubernetes Services is a ____ offering of Kubernetes running in Azure. It reduces the configuration and operational overhead of the cluster
PaaS
____________ is a construct, such as an Azure Availability set, with its own fault domains and upgrade domains.
Placement group
Azure _____ can be used to automatically apply tags to resources.
Policy
Azure AD ___________ - Lets hybrid users access both on-premises and cloud resources. Also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Premium P1
Azure AD ___________ - Offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
Premium P2
RBAC Resource Role Scopes: ______- All the messages inside the queue, as well as queue properties and metadata will inherit the role assignment when this scope is selected.
Queue
Values used with the Update-AzTag Command _______ - Replaces the specified tags in the listed resources
Replace
SSPR License Requirements: Password ________ - Cloud-user only, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Azure AD Premium P1, Azure AD Premium P2
Reset
_______ and available systems can be built using features like availability zones, availability sets, and load balancers.
Resilient
DNS Record types in Azure DNS: Used for service discovery for Kerberos to Minecraft to SIP.
SRV
__________ is an identity that gets permissions. It can be a user, group, or a service principal.
Security Principal
SSPR
Self Service Password Reset
__________________ of Azure Network Performance Monitor provides the ability to measure latency, response time, and packet loss of outbound network traffic from an on-premises environment to an external website.
Service Connectivity Monitor
______ control access to the service but not to a specific resource within that service.
Service Tags
Azure _________ is used to replicate physical and Azure VMs to a secondary Azure location for backup
Site Recovery
Azure ____________ service enables us to replicate, failover, and failback virtual machines as needed.
Site Recovery
App Service backup requires a minimum of the _______ pricing tier
Standard
Properties of a virtual network: ________ - The list of subnets configured for this VNet
Subnets
App Services Backups can be kept for an indefinite amount of time, and the backups only work for plans running the standard tier or higher. True or false?
True
Requirements and limitations of the Azure Import/Export Jobs tool: Block, Page, and Append blobs are supported for both import and export. True or false?
True
Resource Group and Subscription are two types of RBAC Resource Role Scopes. True or False?
True
Security groups with assigned membership can be used to set permissions on Azure resources and do not require additional licensing. True or false?
True
Storage accounts can be moved freely between LRS, GRS, and RA-GRS replication modes. Azure will replicate the data asynchronously in the background as required. True or False?
True
True or False: Global Administrator rights in Azure AD do not have permissions to create resources in Azure, but he or she can perform all the identity tasks for an Azure AD tenant.
True
RBAC - Manage user access to Azure resources.
User Access Administrator
VM Sizes: Define Compute Optimized?
Used for CPU-intensive workloads in medium-scale environments. Ideal for network appliances or batch processes in small environments.
VMSS
Virtual Machine Scale Set
-
With Basic WAN, you can only create Basic Hubs. Basic Hubs are only capable of creating site-to-site connections.
Changing access tier on a blob can either occur at the _______ level or at the ___________ level.
account, individual blob
By default, each VPN gateway is deployed as two VMs in an active-standby configuration. To reduce downtime in the event the active instance fails, an active-active configuration can also be used. In ____________ both gateways have their own public IP addresses, and two connections are made to the on-premises VPN endpoint.
active-active
Site-to-Site VPNs support BGP routing and ______________ gateways and connections to enable high availability.
active-active
You can't change the _______ of resources already deployed to the subnet. If you want to change a subnet's __________, you first must delete all the objects in that subnet.
address range
Persistent volumes can use Azure Files or Azure Disks, and they can either be created by the AKS cluster ______ or by the Kubernetes ____.
admin, API
Azure AD ________ roles are used to allow or restrict admins to perform identity tasks, such as creating new users, resetting passwords, and so on.
administrative
Access to the account center and creation of a new Azure subscription and billing changes can only be performed by the Account ________.
administrator
The account that is signed up for an Azure subscription is automatically set as both the account _______ and the service ______.
administrator
Azure Storage blob object replication provides __________ replication of block blobs from one storage account to another. You can use this to enable blob versioning.
asynchronous
Limitations of Blob Object Replication: Because block blob data is replicated __________, there is no SLA on when accounts are in sync. However, you can check the replication status of a blob.
asynchronously
The type of blob is set _______ and cannot be changed after the fact. If you need to change a blob after the fact, then you must delete it and reupload it as the appropriate blob type before it can be used.
at creation
Creating a DNS zone resource allocates _______ DNS name servers to host the DNS records for that zone. Azure DNS can then be used to manage those DNS records.
authoritative
Role definitions, or roles, can be either _______ or custom.
built-in
Azure VMs have a variety of ________________ that can enable configuration management.
built-in extensions
Azure DNS treats ______ zones as entirely separate zones
child
With Azure role assignments, there is no way to revoke access rights at a ______ scope through the application of a more restrictive role assignment.
child
Storage Account blobs can _____ between the three access tiers (Hot, cool, and archive) within the same account.
coexist
Azure Diagnostics agent can also be configured through resource manager templates and the _____________ by specifying a configuration file.
command line tools
When setting up two VNets to ___________ with an external network, only the first will be permitted by default. Allowing connectivity between a second VNet and an external network requires that both of the following be configured: Use Remote Gateways, Allow Gateway Transit.
communicate
Available Backup Policy options in Azure Portal SQL servers allow SQL backup ______.
compression
Supported ways to connect Storage Explorer to Storage Accounts: Using a __________ string - This option requires you to have access to the __________ string of the storage account. The __________ string is retrievable by opening the storage account blade in the Azure portal and clicking Access Keys.
connection
A container runs inside of a _______ group.
container
Blob Storage Layout: Each storage account can have one or more blob containers and all blobs must be stored within a __________.
container
Blob Storage Access Levels - By default, no public read access is enabled for anonymous users, and only users with rights granted through RBAC or with the storage account name and key will have access to the stored blobs. To enable anonymous user access, you must change the ___________ level.
container access
Inside of a cluster you will find one or more __________. These ________ run inside of a pod. A pod can run a single __________, but it can also run multiple __________.
container(s)
Inside of a cluster, you will find one or more ________.
containers
Properties that are required for ________: OS type; CPU, memory, or GPU resources; Restart Policy; Network profile; Availability Zone
containers
When multiple __________ are running in a pod, they share storage and a single IP address.
containers
Storage Blob Data Reader is a built-in role which allows the assigned security principal to only read and list ________.
containers and blobs
AKS deployments run in a cluster and each computer in the cluster is referred to as a node. One single node is responsible for the other nodes in the cluster, it is commonly referred to as the ____________. The other computers in the cluster are most commonly referred to as nodes.
control plane
Migration to or from ZRS, GZRS, and RA-GZRS works differently and is best to simply ______________________________ with the desired replication mode using a tool like AzCopy or requesting a live data migration via Azure Support.
copy the data to a new storage account
The resource group you specify when __________ your disk is the resource group for the AKS cluster. If you don't know the resource group of your AKS cluster, you can use the az aks show command.
creating
Configuring a dedicated load balancer health check page enables each backend server to implement _____________________ to decide whether it is healthy.
custom application logic
There are three ways you can create _______ in Azure portal: -Clone from the existing built-in roles available -Start from scratch -Start from a JSON file to define the custom permissions
custom roles
Application Insights provides significantly more value when your application is instrumented to emit custom ______ and ______ information.
custom, exception
VM's can be created with __________________ (CMK) while creating a new VM. Before creating the VM, you need to create disk encryption set first.
customer-managed encryption keys
Availability Zones provide high availability at the data center level, availability sets provide high availability within a __________.
data center
After a workspace has been provisioned you must enable ___________ and configure both resource and tenant logs to store their logs within the service.
data collection
Dataset CSV file and Driveset CSV file are the two files that are required to prepare disks that will contain data to be imported into Azure Storage. The first of them contains the list of ______, while the second lists the disks and the corresponding drive letters.
data files
Policy _______ describes your desired behavior for Azure resources at the time resources are created or updated. Through a policy ______, you declare what resources and resource features are considered compliant within your Azure environment and what should happen when a resource is non-compliant.
definition
Role ______ contains the list of permissions or declared permissions and those permissions define what actions can or cannot be performed against a type of resource, such as read, write, or delete.
definition
Shared Access Signature token provides secure, _______ access to resources in your Azure storage account
delegated
Both resource logs and tenant logs are considered _________ logs.
diagnostic
Apps can be created with your own code, or you can run a ________ in your app service plan.
docker container
You can purchase _______ using the App Service Domains service.
domain names
Blob Storage Layout: Containers are similar in concept to a ___________ on your computer in that they provide a storage space for data in your storage account.
hard drive
Tags can be applied in both an ______ manner and _______ through Resource Manager templates.
imperative, declaratively
ALB supports port forwarding, using ________________. This maps a specific frontend port to a specific backend port on a specific backend server.
inbound NAT rules
Application Insights - Is used for development and as a production monitoring solution. It works by ____________ into your app, which can provide a more internal view of what's going on with your code.
installing a package
Azure Import/Export tool creates a ______ file that contains the information necessary to restore the files on the drive to the Azure Storage account. Each drive used in the import job will have a unique journal file that is created by the tool.
journal
You cannot skip _____ versions when upgrading an AKS cluster
minor
AKS deployments run in a cluster. Each computer in the cluster is called a _____. One single _____ is responsible for the other _____s in the cluster; it is commonly referred to as the control plane.
node
Azure metrics are collected at ________ intervals and are identified by a metric name and a namespace (or category). Most are retained for 93 days.
one-minute
Azure Load Balancer HTTP Health Probes issue an HTTP GET with a specified ______.
path
Hub-and-spoke is the standard deployment model for Azure Firewall, where the Firewall is hosted on its own VNet, and other resources are placed in ____________ in the same region with one or more subnets.
peered VNets
VNet gateways are required by VNet _______. This avoids the cost, throughput limitations, additional latency, and additional incurred complexity associated with using VNet gateways, though you can use VNet gateways to connect to on-premises networks using gateway transit.
peering
Users and groups are also known as security ________.
principals
Cost Management Contributor and Cost Management Reader are two specialized roles that can be used to grant _________ to Cost Management data.
principals access
Each NSG includes a list of default rules, which can be overridden using user-defined rules. Rules are applied in ______________.
priority order
Each network interface must have one _________ IPv4 address assigned as the primary IP configuration. You can add one or more IPv4 address as secondary IP configurations.
private
The following are uses for network interface ________ IP addresses: o Virtual machines that act as domain controllers or DNS servers o Resources that require firewall rules using IP addresses o Resources accessed by other apps/resources through an IP address explicitly, rather than a domain name.
private
Azure VNets are isolated networks using a ______________ space.
private IP address
SAS token is a ______________ that can be appended to the full URI of the blob or other storage resource for which the SAS token was created.
query string parameter
Azure Bastion service is provisioned within a VNet within a _____________.
separate subnet
IP address ranges can also be specified using application security groups (ASGs). ASGs allow NSG rules to be defined for groups of VMs without needing to allocate the VMs into ____________.
separate subnets
Network Watcher is enabled as a ______________ per Azure region. It is not deployed like a conventional resource, but it does appear as a resource in a resource group.
single instance
Public IP addresses are managed as a ______________ resource, which can be associated with a network interface IP configuration
standalone
Azure Load Balancer HTTPS Health Probes are like HTTP probes, except that a TLS/SSL wrapper is used. Only supported on the __________ load balancer.
standard tier
Moving resources between subscriptions requires both subscriptions to be associated with the same Azure AD _____. If the subscriptions do not belong to the same ______, then you can update the target subscription to use the source Azure AD ______ by transferring ownership of the subscription to another account.
tenant
You can peer VNets in different subscriptions, even if those subscriptions are under different Azure Active Directory ______.
tenants
By default, a peering connection will only accept traffic originating from _______________________________.
the VNet to which it is connected
When creating a custom role: You will have options to select specific permissions from Actions and Data Actions tabs. The Actions tab contains the operations that a role can perform, and the Data Actions tab contains the operations that a role can perform on _______.
the data within an object
Azure App Service plans map directly to a pricing ____.
tier
VNet peering is not ______. That means there is no automatic connectivity between spokes in a hub-and-spoke topology.
transitive
The name of a storage account must be globally ______.
unique
Azure Blobs allow _____________ data to be stored and accessed at a massive scale in block blobs, such as an enterprise data lake on Azure.
unstructured
Each NSG includes a list of default rules, which can be overridden using ____________. Rules are applied in priority order.
user-defined rules
The _______ is needed during the installation of the MARS agent. It's only valid for 48 hours from the time of download, so be sure to obtain it only when you are ready to install the MARS agent.
vault credentials file
Service Endpoints can be enabled on subnets, and you can also add service endpoints to multiple subnets from the _____________ settings.
virtual network
A _____________________ can be used to create VPN connections between virtual networks.
virtual network gateway
Availability sets should be deployed according to their ______ or _______ tier. If you have a three-tier solution of web servers, middle tier, and a database tier, then each should have its own availability set. That is, two data tier VMs in their own availability set, two web tier VMs in their own availability set, and so on.
workload, application
Azure Monitor for Networks is an Azure Log Analytics solution, so it requires an Azure Log Analytics ____________.
workspace
To configure a ________, you will need to provide: o A name o The subscription it will be associated with o A resource group o A location o A selection for pricing tier
workspace
In order to create a custom role you must have _______ permissions on all the items in a scope.
write
You must have ______ access (Contributor role or higher access) to apply tags to a subscription, resource group, or resource.
write
Self-service password resets can be combined with the password _______ features of Azure AD connect to allow users to reset their passwords from the cloud while adhering to on-premises password standards.
writeback
You can browse to your app service app using the provided Azure domain name or using _____ domain name.
your own
A container doesn't need an entire operating system because it uses the _____ of the host OS. For that reason, you can't run a Linux-based container on a Windows computer or vice versa.
kernel
Azure Monitor _______________ provides a jumping off point to configure other more specific monitoring services, such as Application Insights, Network Watcher, Log Analytics, Management solutions and so on.
landing page
ExpressRoute Connectivity Models: If your network already has a presence at a co-location facility with a cloud exchange, your co-location provider can establish a virtual cross-connection with the Microsoft Cloud. This provides either a _____________ or ___________ connection.
layer 2, a managed layer 3
Azure Storage has a _______________ capability, and it can be used to transition data to lower-access tiers automatically based on pre-configured rules. Can use if-then blocks to define the conditions of a blob lifecycle policy.
lifecycle-management
Within Network Interface Settings, the _________ of the resource must be the same as any virtual network or any virtual machine to which the network interface will be connected.
location
When creating a DNS zone, the ______ only specifies the resource group location. It does not apply to the DNS zone resource itself, which is global rather than regional.
location field
Premium storage accounts use solid state drives and offer consistent, ___________ performance. This type of account can only be used with Azure virtual machine disks and is best for I/O-intensive applications like databases.
low-latency
Storage account names must be between 3 and 24 characters and can contain only _______ letters and numbers.
lowercase
Standard storage accounts use magnetic drives and provide the ________________. This type of account is best suited for applications that require bulk storage or where data is accessed infrequently.
lowest cost per GB
Ways to ______ Devices: -Browsing to your Azure AD tenant and selecting devices. -Through the devices blade for an individual user
manage
Availability sets and managed disks complement each other. When the VM uses ________ disks and is placed in an availability set (known as an aligned availability set), it ensures that the VM disks are placed in different storage fault domains. This alignment ensures that all the managed disks attached to a VM are within the same managed disk fault domain. The number of fault domains for an availability set depends on the region it belongs to, with either two or three fault domains per region.
managed
Health Monitoring for a VMSS is required when you plan to use _______ infrastructure and automatic OS upgrades.
managed
Azure Import/Export tool creates a journal file that can _____ a folder or file to a container, blob, or files. Each drive used in the import job will have a unique journal file that is created by the tool.
map
Ways to Mount an Azure File Share: Directly through file explorer with the _________ option and the full path
map network drive
It is possible to change the __________ type of a group after it has been created, which provides an opportunity to transition from a static (or assigned) ______________ to a dynamic membership model or vice-versa.
membership
Alert State is not the same as the ________________ of an alert. When the Azure platform generates an alert based on an alert rule, the alert's monitor condition is set to fired and when the underlying condition clears, the monitor condition is set to resolved.
monitor condition
Areas to consider when creating a __________________ strategy: o Visibility into services and the Azure platform o Deeper insights into applications o Resource Optimization
monitoring
In RBAC, if there are overlapping assignments, the _________ access right takes precedence.
most privileged
Ways to Mount an Azure File Share: Connect and mount from Linux with the ______ command
mount
To perform Azure Backup File Recovery, it is necessary to first _______ containing files to recover.
mount a disk
Metrics can be one dimensional or multidimensional with up to 10 dimensions. A nondimensional metric can be thought of as the metric name, and the value of the metric output is collected by the Monitor services over time. A ____________ metric (Both from an Azure resource or a custom metric) is the metric name and an additional name-value pair with additional data.
multidimensional
The _______ of a subnet must be unique within that VNet. You cannot change the subnet ________ after it has been created. Each subnet must also define a single network range (CIDR format)
name
DNS records in Azure DNS are managed using record sets, which are the collection of records with the same ______ and the same ______.
name, type
Azure Tag limitations Illegal Characters - Tag _____ cannot contain these characters, <, >, %, &, \, ?, /
names
Ways to Mount an Azure File Share: Connect and mount with the _____ command
net use
The prerequisite of deploying a virtual machine is a virtual _______.
network
NSGs are associated with a subnet or with a specific VM's _______________.
network interface
Steps to configure an ASG: o Create an application security group resource for each server group. This resource has no properties, other than its name, resource group, and location o Associate the __________________ from each VM with the appropriate ASG. This defines which group each VM belongs to o Finally, define your network security group rules using ASG names instead of explicit IP ranges. Like how rules are configured using named service tags
network interface
To add a public IP address to the virtual machine, you must make several modifications. The second modification is to update the __________________ resource that the public IP address is associated with. Network interface must now have a dependency on the public IP address to ensure it is created before the __________________.
network interface
Private IP address for a VM is assigned from a subnet and configured as settings on the IP configuration of a _________________.
network interface resource
Network Security in an AKS cluster is handled using NSGs and _____________. Azure creates NSG rules for you as you create resources. ____________ is a feature in Kubernetes that enables you to control network traffic between pods.
network policy
Standard SKU of an Azure Load Balancer requires that a _____________________ is assigned either to the subnet or the network interfaces of the Azure VMs in the backend pool
network security group
Steps to configure an ASG: o Create an application security group resource for each server group. This resource has no properties, other than its name, resource group, and location o Associate the network interface from each VM with the appropriate ASG. This defines which group each VM belongs to o Finally, define your ________________ rules using ASG names instead of explicit IP ranges. Like how rules are configured using named service tags
network security group
You can control the connectivity between peered virtual networks using ______________.
network security groups
AKS Networking Options Azure Container Networking Interface (CNI) - "Advanced Networking". Both the ____ and ____ receive an IP address from the subnet.
nodes, pods
For ________ Join, Windows 10 Professional and Windows 10 Enterprise devices can be joined to a directory.
non-hybrid Azure AD
To connect two VNets, they must have __________________ IP address spaces.
non-overlapping
VNet peering allows VMs to see each other as one network, but their relationships are ______________. If VNetA and VNetB are peered and VNetB and VNetC are peered VNetA and VNetC are not peered.
non-transitive
Metrics can be one dimensional or multidimensional with up to 10 dimensions. A _________________ metric can be thought of as the metric name, and the value of the metric output is collected by the Monitor services over time. A multidimensional metric (Both from an Azure resource or a custom metric) is the metric name and an additional name-value pair with additional data.
nondimensional
When routes are configured with a destination IP prefix of 0.0.0.0/0 then the route will control traffic destined for any IP address that is ________________________________.
not covered by any other rules
Azure Monitor stores Logs, which are comprised of _________ or ________.
numerical data, text
Data in the Archive storage blob tier is stored ______ and must be rehydrated to the Cool or Hot tier before it can be accessed. This process can take up to 15 hours.
offline
A local network connection is an Azure resource used to represent the __________________ VPN device and network in Azure.
on-premises
Azure File Sync extends Azure Files to allow on-premises file services to be extended to Azure while maintaining performance and compatibility. Key features include
on-premises
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and ____________ environments. Helps you understand how your applications are performing and proactively identifies issues affecting them and the resources on which they depend.
on-premises
By default, each VPN gateway is deployed as two VMs in an active-standby configuration. To reduce downtime in the event the active instance fails, an active-active configuration can also be used. In active-active both gateways have their own public IP addresses, and two connections are made to the _________________ VPN endpoint.
on-premises
Dual _______________ can be used but requires BGP to be enabled. Works in an active-standby or active-active VPN gateways. Active-active gateway with dual on-premises endpoints provides a fully redundant configuration, avoiding a single point of failure.
on-premises VPN endpoints
Each network interface can be assigned zero or a maximum of ____ private IPv6 address(es) as a secondary IP configuration.
one
There can only be _____ account administrator per account and ____ service administrator per subscription.
one
To monitor connections between subnets, an NPM Agent should be installed on at least ____ server(s) in each subnet.
one
You are required to define __ subnet(s) when creating a VNet using the Azure portal.
one
An ________________, or OMS, is a computer software system used in a number of industries for order entry and processing
order management system
One method of exporting a template from a deployment within a resource group is to export the template used for the _______ deployment.
original
There is no automatic __________ between peered VNets, and the VirtualNetwork service tag does not include the address space of the peered VNet.
outbound connectivity
App Services Networking Types: VNet Integration - Enables ______ communication from your app into your Azure virtual network
outgoing
VPN connection between an on-premises network and an Azure VNet can only be established if the network ranges do not __________. Network address ranges should be planned carefully to avoid restricting future connectivity options.
overlap
DNS Zones in Azure DNS must be delegated from the ________________. This is achieved by setting up appropriate NS records in the ________________, pointing to the name servers assigned by Azure DNS.
parent domain
Step 2 Configuring Service Endpoint: Configuring which virtual networks can access a ___________.
particular storage account
Virtual Networks can be connected using VNet __________. This is supported both within a region or across regions.
peering
To transit traffic from one spoke VNet to another spoke VNet via an NVA in the hub VNet, the VNet ________ must be configured correctly.
peerings
Azure Monitor stores Metrics, which contain numerical values such as ______________________.
performance counters
An NSG contains rules defining the ___________ flows between application tiers
permitted traffic
If you require that the lifecycle of your stored data not be tied to the lifecycle of the pod, you should use ______ volumes instead. They can use Azure Files or Azure Disks, and they can either be created by the AKS cluster administrator or by the Kubernetes API.
persistent
Persistent Volume exists within the cluster, but outside of a ____.
pod
When upgrading an AKS cluster, a new node will be created running the newest Kubernetes version, and ______ will be transferred to it once it is ready. After this, the outdated node will be deleted.
pods
When upgrading an AKS cluster, it is important to first stop any ____ from being scheduled on the node that is about to upgrade.
pods
Recovery services vault stores the backup data, including the _______.
policies
Azure Storage has a lifecycle-management capability, and it can be used to transition data to lower-access tiers automatically based on ________________. Can use if-then blocks to define the conditions of a blob lifecycle policy.
pre-configured rules
If an IP address matches two routing rules, then the longest ___________ algorithm is used to select the route.
prefix match
By using _______ zones, you can use your own custom domains names. It provides an alternative approach to name resolution within and between virtual networks.
private DNS
By default, ExpressRoute provides connectivity to all Microsoft data centers in each geopolitical region. The ExpressRoute Premium Add-On extends coverage to all data centers, globally. It also increases the number of _____________________ routes and the number of virtual networks, which can be connected to a circuit.
private peering
Azure Bastion requires a dedicated _______ IP address.
public
To add a ________ address to the virtual machine, you must make several modifications. The first is to define a parameter that the user will use to specify a unique DNS name for the _________. Second is to add the _______ resource itself.
public IP
Associating a _____________ with a network interface creates an Internet-facing endpoint, allowing your virtual machine to receive network traffic directly from the Internet.
public IP address
Azure DNS Alias records allow DNS records to reference other Azure resources, such as _____________.
public IP address
Both global VNet peering and VNet-to-VNet VPN connections route traffic between Azure regions over the Microsoft backbone network, not the ______________________.
public Internet
Among other options, access to Blob Storage can also be controlled using the ____________ level of the storage container.
public access
Blob Storage Access Levels - By default, no ____________ access is enabled for anonymous users, and only users with rights granted through RBAC or with the storage account name and key will have access to the stored blobs. To enable anonymous user access, you must change the container access level.
public read access
Benefits of using object replication: With replication, the users can ______ data from the replicated regions as well. Allows for reducing latency for _____ requests by giving them the flexibility to choose the nearest region to _____ the data.
read
Users must have at least _______ access to a subscription to view budgets and must have ______ (or higher) rights to create and manage budgets.
read, contributor
An update domain represents a group of servers that can be ________ at the same time.
rebooted
DNS Settings on a user's device points to a _______ DNS server, also sometimes known as local DNS service (or LDNS) or simply a DNS resolver. ________DNS service is typically hosted by your company or by your ISP.
recursive
If you don't see an existing App Service plan when creating a new web app, make sure you have selected the OS that matches the App Service plan's OS. You also need to ensure the region you select is the ________ where the App Service plan is deployed.
region
Only VMs being backed up in the same ______ as the Recovery Services Vault are available for backup.
region
Challenge of using your own DNS server is that you will need to _______________________. To do this, you can configure the DNS service to accept Dynamic DNS queries, which the VM will send when it boots.
register each VM in your DNS services
Limitations of Blob Object Replication: Once you create a ______ policy, the destination container is read-only, and you can no longer perform write operations against it.
replication
Storage accounts must specify a _______ mode. The options are locally redundant, zone-redundant, geo-redundant, read-access geo-redundant storage, geo zone-redundant, and read-access geo zone-redundant.
replication
Azure Backup ______ provide data visualizations across your Recovery Services Vaults and Azure subscriptions to provide insight into your backup activity.
reports
A DNS Zone is a ________ in Azure DNS.
resource
A _________ in Azure is a single service instance, which can be a virtual machine, a virtual network, a storage account or any other Azure service.
resource
Tags at the ______ level would be automatically included in the billing report available from the Azure portal, which includes per-resource cost.
resource
Azure Diagnostics agent can also be configured through _____________________ and the command line tools by specifying a configuration file.
resource manager templates
Log Analytics helps you collect, correlate, search, and act on log and performance data generated by operating systems, applications, and Azure services. It gives you operational insights using _________ and visualizations.
rich search
The combination of role and security principal is applied to a scope of a subscription, a resource group, or a specific resource through ________.
role assignment
In Azure, access can be granted to users, groups, service principals, and managed identities through ________, which are then applied at a scope, such as a subscription, a resource group, or even an individual resource
role assignments
The specific permissions that are applied to a resource with RBAC are defined in a ________.
role definition
Blob Storage Layout: Within each container you can store blobs, much as you would store files on a hard drive. Blobs can be placed at the _____ of the container or organized into a __________.
root, folder hierarchy
Do not apply a route table to a subnet if the route table contains a _____ with a next hop address within that subnet. This would create a routing loop.
rule
- Containers allow you to package an application and all its dependencies into a compressed package called an image. The image can then be uploaded to an image repository. A container _________ can then be installed on your computer (or VM) and point it to the image in the repository. Container _______ will download the image, extract it, and it will then create a container that hosts the application in an isolated environment.
runtime
Azure Kubernetes Service - A cloud-based implementation of the popular container orchestration service Kubernetes. Kubernetes runs on top of the container ______, and it can help you scale and manage a containerized deployment.
runtime
A __________ can be deployed to an availability zone to provide higher redundancy and resiliency. If the _________ is created within a single availability zone, then all the instances will be deployed within a single zone.
scale set
Azure Monitor for VMs is an offering that provides new capabilities for monitoring your virtual machines and virtual machine _________.
scale sets
Before a security principal such as a user or group can interact with Azure resources, they must be granted access at a _____ through a role assignment.
scope
Tags must be applied at the resource ______ to be visible in detailed usage exports. Tags applied at the resource group ______ are not inherited by child resources.
scope
RBAC is configured by selecting a role and associating the role with a ____________________, such as a user, group, or service principal.
security principal
Role-based access control (RBAC) allows you to manage the entities, also referred to as _________.
security principals
An Azure Sync group can be used to define the topology for how your file synchronization will take place. Within a sync group, you will add _______________, which are file servers and paths within the file server you want the sync group to sync with each other.
server endpoints
Using VNet peering to provide access to a central VNet containing shared services, such as Active Directory domain controllers, is known as _______________.
service chaining
ExpressRoute circuit is an Azure resource used to represent the logical connection between your on-premises network and Microsoft. Each circuit is identified by GUID called a _________________, which is shared with your connectivity provider. Each circuit has a fixed bandwidth, and a specific peering location.
service key (s-key)
Tools to help identifying the required NSG rules include ______________ and NSG flow logs.
service map
A _________ is used in Kubernetes that sits between incoming network traffic and one or more identical pods. The ________ get an IP address from a specific IP address pool set aside for ________, and because the _______ is always running it's not affected by pod lifecycle.
service(s)
Custom Script Extension can be used to execute arbitrary commands such as batch files, regular PowerShell scripts, or a bash script. Supported on Windows and Linux-based virtual machines and is ideal for bootstrapping a VM to an initial configuration. Your script must be accessible via a URI such as an Azure Storage Account to be used and must either be accessed anonymously or passed with a _______________.
shared access signature (SAS URL)
By default, peered VNets appear and perform as a ______________. There is an option to limit connectivity, in which case NSG rules must be used to define the permitted connections.
single network
Azure Monitor is a ____________________ for accessing Azure metrics, tenant, and resource diagnostic logs. Log analytics, service health, and alert.
single pane of glass
Each subnet can only be associated to a _____________. All VMs in a subnet use the route table associated to that subnet.
single route table
All VMs can be placed into a _____________ so they can have the same NSG to define network flows between application tiers.
single subnet
Accelerated networking can be enabled at the time of creation or after the virtual machine is created, if the following prerequisites are met: o VM must be a supported ____ for accelerated networking o VM must use a supported Azure Gallery Image o All VMs in an availability set or VMSS must be stopped/deallocated before enabling it on any NICs
size
Within Network Interface Settings, accelerated networking can be enabled, but it is only supported on certain VM ______.
sizes
Deployment _____ allow you to create another app with its own hostname in your App Service Plan. These can be used to test a new version of an app; you can even configure a percentage of live traffic to a deployment slot for testing.
slots
Limitations of Blob Object Replication: Blob _______ and immutable _______ are not supported with object replication.
snapshots
Azure Firewall allows you to create and configure application and network rules. Application rules are created with the list of fully qualified names that are allowed to be accessed from a subnet. Network rules are a combination of _________________ addresses along with their ports and protocols
source and destination IP
Network Interface is a __________ Azure resource. Typically provisioned and deleted with its corresponding virtual machine.
standalone
Network Security Groups (NSGs) - Allow you to control which network flows are permitted into and out of your virtual networks and virtual machines. It's a _____________ Azure resource, which acts as a networking filter. Each NSG contains a list of security rules that are used to allow or deny inbound or outbound traffic.
standalone
App Service backups are stored in Azure storage and each backup is a complete copy of the app and configuration. Backups are not incremental. Backups can be kept for an indefinite amount of time if you set the retention days to 0. Backups only work for plans running the _________ tier or higher.
standard
To evaluate an effective security rule for a network interface of an Azure VM, that Azure VM must be _________.
started
A wide variety of physical (and software) devices are supported as the on-premises Site-to-Site VPN endpoint. The device must have an Internet-facing ________________.
static IPv4 address
All VMs in an availability set must be _______ before changing the hardware cluster. All running VMs in an availability set must use the same physical hardware cluster.
stopped
Dynamic IP addresses are released when the VM is ___________.
stopped
Accelerated networking can be enabled at the time of creation or after the virtual machine is created, if the following prerequisites are met: VM must be a supported size for accelerated networking; VM must use a supported Azure Gallery Image; all VMs in an availability set or VMSS must be ____________ before enabling it on any NICs.
stopped/deallocated
Access Keys are used with the ______ account name and an access key.
storage
Requirements and limitations of the Azure Import/Export Jobs tool: All _______ account types are supported.
storage (General-Purpose V1 and V2, and Blob Storage)
During the troubleshooting process, logs are written to a _________________________. Account must be created before starting the troubleshooting process.
storage account
SAS can be used at the _____________-level as well. Allows management of all the resources belonging to a storage account.
storage account
There are unmanaged and managed disks and images. Key difference between the two is with unmanaged disks or images it is up to you to manage the __________. With managed disks, Azure takes care of this for you
storage account
You can change _____ access tiers without having to move data between accounts. All requests to change tier will take place immediately between Hot and Cool tiers.
storage account blob
Availability sets and managed disks complement each other: when the VM uses managed disks and is placed in an availability set (known as an aligned availability set), it ensures that the VM disks are placed in different ___________domains. This alignment ensures that all the managed disks attached to a VM are within the same managed disk fault domain. The number of fault domains for an availability set depends on the region it belongs to, with either two or three fault domains per region.
storage fault
You can use Azure DNS to add child DNS zones for your _______.
subdomains
A private endpoint is associated with a __________ of a virtual network.
subnet
Azure Application Gateway should be deployed into a dedicated _________ of an Azure virtual network.
subnet
Before creating a VPN gateway, you will need to first create the gateway _________.
subnet
Multiple service endpoints can be created for Azure services on a given _______.
subnet
Virtual Networks are divided into __________, which allow you to isolate workloads
subnets
Azure _______ have controls available that govern access to the resources within a subscription, govern cost through quotas and tagging, and govern the resources that are allowed in an environment with Azure Policy.
subscriptions
Submitting a request to increase a quota only requires submitting a _________ to Microsoft.
support request
SAS ______ - Provides a NoSQL-style store for storing structured data. Unlike a relational database, tables in Azure storage do not require a fixed schema, so different entries in the same ______ can have different fields.
tables
Tags do not have inheritance, so if you need a tag to be applied to all resources in a resource group then each resource must be __________________.
tagged individually.
VPN gateways are virtual network gateways deployed with the gateway type VPN. They are used to ____________ site-to-site VPN connections.
terminate
Azure File Sync extends Azure Files to allow on-premises file services to be extended to Azure while maintaining performance and compatibility. Key features include: Azure Backup Integration - Backup in _______
the cloud
Alerts that are generated within Azure Monitor can invoke Azure Automation runbooks, Logic Apps, Azure Functions, and even generate incidents in ________________________.
third-party IT service management tools.
An Azure Sync group can be used to define the _______ for how your file synchronization will take place. Within a sync group, you will add server endpoints, which are file servers and paths within the file server you want the sync group to sync with each other.
topology
Azure Load Balancer (ALB) - A fully managed, high-performance load-balancing service for TCP and UDP traffic. Operates at the ___________ layer (OSI Layer __). Unlike App Gateway it does not have visibility into application-level traffic.
transport, 4
Availability sets can be used to provide redundancy and high availability. To provide redundancy for your virtual machines, you must place at least ____ virtual machines in an availability set. This configuration ensures that at least one virtual machine is available in the event of a host update, or a problem.
two
Service Endpoints are configured in ____ steps
two
Although you can change group membership types after creation, you cannot change the group _______.
type (i.e. Security --> Office 365)
Storage account name must be ______ across all existing storage account names in Azure
unique
To specify a ____________ for a generalized VHD, you must specify the osType property (Windows or Linux) and the URL to the VHD itself, and the URL to where the disk will be created in Azure Storage (osDiskVhdName).
user image
Azure Storage creates a new _______ for a blob with each change. The blob change feed provides all the changes with the blobs and its metadata in form of transactional logs.
version ID
An availability set must be set at the creation time of a _________.
virtual machine
Step 1 Configuring Service Endpoint: From the _________. Creates the route from the subnet to the storage service but does not restrict which storage account the virtual network can use.
virtual network subnet
You can configure alerts based on metric alerts (Captured from Azure Metrics) to Activity Log alerts that can notify by email, ________, SMS, Logic Apps, or even an ________________.
webhook, Azure Automation Runbook
DNS records at the ___________ use the record name @. You cannot create records with the CNAME record type at the ___________.
zone apex
A scale set can be deployed to an availability zone to provide higher redundancy and resiliency. If the scale set is deployed in multiple availability zones (known as ________________), based on scaling rules, the instances can be deployed to multiple zones if needed.
zone-redundant scale set
Azure Firewall must be hosted in a subnet named AzureFirewallSubnet with a minimum _____ address space for the Azure Firewall to provision more VMs to accommodate scaling.
/26
_____ is the minimum size of the virtual network subnet required to create an Azure VPN gateway
/29
A single import/export job can have a maximum of ___ HDDs and SSDs and a mix of HDDs and SSDs of any size.
10
Actions you can execute for action groups: IT Service Manager - You may have up to _____ ITSM actions with an ITSM connection.
10
App Service backups cannot exceed ___GB.
10
App services backups cannot exceed ___ GB.
10
A Virtual Machine Scale Set (VMSS) is a compute resource that you can use to deploy and manage a set of identical virtual machines. By default, supports up to ____ instances but can scale up to ____ instances by placing instances into multiple placement groups. Using multiple placement groups is commonly referred to as a "large scale set"
100, 1000
Placement groups allow for you to create a scale set up to ____ instances.
1000
Backup data is retained for ___ days after deletion by using Soft Delete feature
14
Guest OS Metrics: Collected through diagnostic extensions and sent to an Azure Storage account. Retention period of ___ days.
14
Soft Delete backup data is retained for ___ day(s) after deletion.
14
Soft delete automatically retains deleted blobs for up to ___ days.
14
Largest image you can host in ACI is 15 GB. You cannot create a container that uses more than 4 CPU cores and __GB of memory.
16
___GB is the largest amount of memory that can be allocated to an ACI
16
Up to 50,000 blocks can be added to each Append Blob, and each block can be up to 4MB in size, giving a maximum Append Blob size of slightly more than ___ GB. Page Blobs are most used for log files.
195
ExpressRoute Circuits offer ___ peering options. Each circuit can use either one or both peerings.
2
Maximum log retention period supported by Azure Log Analytics is __ years.
2
There are __ ways to export a template from a deployment within a resource group.
2
Guest OS metrics collected by Log Analytics Agents: Collected by the Log Analytics agent and are sent to a Log Analytics workspace. Retention period of 31 days. This retention period can be extended for up to _______.
2 years
Availability sets and managed disks complement each other: when the VM uses managed disks and is placed in an availability set (known as an aligned availability set), it ensures that the VM disks are placed in different storage fault domains. This alignment ensures that all the managed disks attached to a VM are within the same managed disk fault domain. The number of fault domains for an availability set depends on the region it belongs to, with either ____ or ____ fault domains per region.
2, 3
Availability sets can be configured by assigning a fault domain and an update domain. Each availability set can have up to ___ update domains and 3 fault domains. This reduces the impact to VMs from physical hardware failures.
20
You can have up to ____ role assignments in each subscription, and you can have up to _____ role assignments per management group.
2000, 500
Azure Tag limitations Virtual Machine Tags - VMs cannot exceed ______ characters for all tag names and values combined.
2048
Lifecycle management policies can take up to 24 hours to go into effect, and then the action can take an additional ___ hours to run. Overall, it can take 48 hours for policy actions to complete once you set up lifecycle management.
24
Lifecycle management policies can take up to ___ hours to go into effect, and then the action can take an additional 24 hours to run. Overall, it can take 48 hours for policy actions to complete once you set up lifecycle management.
24
Azure Tag limitations Tag Values - Cannot exceed ____ characters
256
VPN Gateways can only be deployed to a dedicated gateway subnet within the VNet. A VPN gateway is implemented using Azure virtual machines. While the minimum size for the gateway subnet is a CIDR /29, the Microsoft-recommended best practice is to use a CIDR /___ address block to allow for future expansion.
27
VPN Gateways can only be deployed to a dedicated gateway subnet within the VNet. A VPN gateway is implemented using Azure virtual machines. While the minimum size for the gateway subnet is a CIDR /___, the Microsoft-recommended best practice is to use a CIDR /27 address block to allow for future expansion.
29
_______ Mbps is the minimum throughput that can be allocated to an Azure Virtual WAN hub gateway; this is a single scale unit, which represents gateway instances with _____ Mbps throughput each.
2x500
Availability sets can be configured by assigning a fault domain and an update domain. Each availability set can have up to 20 update domains and __ fault domains. This reduces the impact to VMs from physical hardware failures.
3
Storage account names must be between __ and __ characters and can contain only lowercase letters and numbers.
3, 24
Port ____ must be setup for all outbound communications as well as allowing the required URIs to the approved list to send log data.
443
Lifecycle management policies can take up to 24 hours to go into effect, and then the action can take an additional 24 hours to run. Overall, it can take ___ hours for policy actions to complete once you set up lifecycle management.
48
The vault credentials file is needed during the installation of the MARS agent. It's only valid for ___ hours from the time of download, so be sure to obtain it only when you are ready to install the MARS agent.
48
Maximum Number Of Devices Per User. This setting designates the maximum number of devices that an individual user can have in Azure AD. If the quota is reached, the user will not be able to add a device until one of their existing devices is removed. Valid values for this setting are __, __, __, __, ___, and Unlimited.
5, 10, 20, 50, 100
Azure Files is a fully managed file share service that offers endpoints for the Server Message Block (SMB) protocol. Default max size is ___ TiB per share, but if you enable larger file shares then it can go up to ____ TiB per share. Also, if you use the premium SKU, you get 100 TiB by default.
5, 100
Azure Tag limitations Resources, resource groups, and subscriptions are limited to ________ tags. Each resource can have different tags.
50
Up to _______ blocks can be added to each Append Blob, and each block can be up to 4MB in size, giving a maximum Append Blob size of slightly more than 195 GB. Page Blobs are most used for log files.
50,000
There is a limit of ____ peering connections per VNet. This is a hard limit.
500
Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of _____ custom roles per directory, though Azure Germany and Azure China 21Vianet can have up to _____ custom roles for each directory.
5000, 2000
Limit of ______ custom roles per directory, limit of ______ role assignments per subscription.
5000, 2000
Storage account access keys are ____-bit keys that can be used to authorize access to data in your storage account
512
Azure Tag limitations Tag names cannot exceed ___ characters. Storage account tag names are limited to ___ characters.
512, 128
The free tier workspace includes ____ of log storage per month, with per-GB pricing and per-GB charges for additional storage and retention.
5GB
Conditions of large-scale sets "multiple placement groups" If you are using a custom image, your scale set supports up to ____ instances instead of 1,000
600
VPN Gateway Pricing Tiers: VpnGw1 and VpnGw1Az - 30 Max site-to-site VPN connections. Throughput of ________.
650 Mbps
Installing an NPM agent on an on-premises server: download the OMS agent; you will need the Workspace ID and Primary key to install the agent; download a PowerShell script to open the necessary firewall ports; default port used is TCP _______.
8084
Application Insights log-based metrics: Log-based metrics that are translated into log queries. Retention period of ____ days.
90
Guest OS metrics sent to Azure Monitor Metrics: Monitored by Windows diagnostic extensions of the InfluxData Telegraf agent and are routed to an Azure Monitor data sink. Retention period of ____ days.
93
Availability Zones provide a ______% SLA uptime when two or more VMs are deployed into two or more availability zones.
99.99%
Azure VMs deployed into different availability zones qualify for _____ SLA. VMs deployed into the same availability set qualify for ______ SLA.
99.99%, 99.95%
Management operations are authenticated and authorized using Azure ___ and RBAC.
AD
Azure Files provide shared storage for multiple pods on an ________.
AKS cluster
New-AzResourceGroup cmdlet performs a deployment of an _______ to a resource group
ARM template
One method to export a template from a deployment within a resource group, generating an _______________, is to use the Automation Script menu option for the resource group. It generates a template that represents the current state of the resource group. This is useful for redeploying to the same resource group as it likely has hard-coded values.
ARM template
__________ Networking enables single root I/O virtualization (SR-IOV) to a virtual machine, which improves its networking performance. Improves performance by bypassing the virtual switch between the host VM and the physical switch.
Accelerated
Server 2012, 2016, and 2019 Datacenter versions are supported for ________________.
Accelerated Networking
The ________ blade is available at any scope where role assignments can be made (management group, subscription, resource group, and resource). To find the ________ blade, navigate to the resource or service where you want to manage role assignments.
Access Control (IAM)
____________ allow full access to all data in all services within the storage account. You can create, read, update, and delete container, blobs, tables, queues, and file shares. You have full administrative access to everything other than the storage account itself (Cannot delete storage account or change settings on the storage account)
Access Keys
_______ Groups are separate resources and are independent of the alert rule. This means that the same _______ Group can be used across multiple alert rules.
Action
_________ are a collection of notification preferences.
Action Groups
Settings of a virtual network subnet: ___________ - IP address range for a subnet, specified in CIDR notation. All subnets must sit within the VNet address space and cannot overlap
Address Range
Properties of a virtual network: ___________ - An array of IP address ranges is available for use by subnets.
Address Space
______________ Components: a target resource (or resource type); conditional logic for the alert with criteria based on the available signals for the target resource; an Action Group, or what should happen when the condition is met; a name and description.
Alert Rule
There are 3 options for updating a virtual machine scale set instance. Define Automatic?
All instances are updated in random order when an update is available, which can cause downtime
For traffic to be forwarded between spoke VNets via an NVA in a hub VNet, the ____________________ setting must be enabled for those VNet peerings.
Allow Forwarded Traffic
A VPN gateway can be peered VNets. The peering connections must enable the settings to (On the peering toward the gateway) and ______________________ (On the peering from the gateway)
Allow Gateway Transit
________________ - This option must be enabled on the peering connection from VNET-A to VNET-B. This permits traffic from VNET-B to use VNET-A's gateway to send traffic to the external network. Gateway transit can be used for S2S, P2S, and VNet to Vnet.
Allows Gateway transit
________ can be used to secure your apps with Azure Active Directory, as well as implementing other security using Facebook, Google, and Twitter so that users can authenticate to your app using their existing logins.
App Service
Allows purchasing of domain names, which can then be hosted in Azure DNS. This service is integrated with Azure App Service but can be used for any domain registration even if App Service is not being used.
App Service Domains
Before creating a web app in App Service, you need to create an __________________. You can create it yourself or have Azure create it for you when you create your web app.
App Service Plan
________ offers computer resources to the web application for its execution. This ________ can be shared with multiple Web Apps as well
App Service Plan
If you don't see an existing App Service plan when creating a new web app, make sure you have selected the OS that matches the ____________________. You also need to ensure the region you select is the region where the App Service plan is deployed.
App Service plan's OS
_______ allows you to buy and configure a domain name. ______ domains are fully managed in Azure, and they are the easiest way to configure a custom domain.
App Services
__________ can be used to buy and configure a domain name. ________ domains are fully managed in Azure, and they are the easiest way to configure a custom domain.
App Services
App Services offers both shared workers (shared with other ______________) or dedicated workers that host only your app. These configuration choices are part of an App Service Plan that is used to host your apps.
App Services users
______ Blobs - Optimized for _______ operations. Updating or deleting existing blocks in the blob is not supported.
Append
Virtual _____________ represents a virtual machine running a network application, such as a load balancer or firewall, which requires specifying its IP address.
Appliance
______________ Rules - Created with the list of fully qualified names which are allowed to be accessed from a subnet
Application
________________ supports monitoring performance of on-premises websites developed by using a wide range of development frameworks, including .NET core.
Application Insights
________________ - Enables you to define network security policies based on workloads with rules focused on applications instead of IP and network addresses. They allow you to group virtual machines with monikers and secure applications by filtering traffic from trusted segments of your network.
Application Security Groups (ASG)
_________________ allow you to configure network security as a natural extension of an application's structure, which allows you to group virtual machines and define network security policies based on those groups.
Application Security Groups (ASGs)
______________________________ - Offer an approach to network segmentation. They allow you to achieve the same goal of segmenting your application into separate tiers and they strictly control the permitted network flows between tiers. You explicitly define which application tier each VM belongs to rather than implicitly defining which application tier each VM belongs to.
Application Security Groups (ASGs)
Limitations of Blob Object Replication: Object replication doesn't work with the ______ tier.
Archive
______ Azure Blob Storage tier is not supported for ZRS, GZRS or RA-GZRS
Archive
Allows you to select one or more users and add them to the group. Adding and removing users is performed manually.
Assigned Membership Type
How long is cool data stored?
At least 30 days
____________________ are separate units, each with its own power, cooling, and networking, which provide higher resiliency and protect applications and data from disruption in the data centers. To ensure resiliency, there is a minimum of three separate zones in all enabled regions.
Availability Zones
To check which Kubernetes releases are available for your cluster, use the ______________________ command.
Az aks get-updates
Command-line Utility _______ can be added to the system path so that you can run _______ from any folder on your system while using it in Windows PowerShell.
AzCopy
Command-line Utility _______ supports Azure login, service principal, SAS token, access key, managed identity, and so on as authentication types.
AzCopy
You can use _____ to copy files between storage accounts or from outside publicly accessible locations to your Azure Storage account.
AzCopy
______ supports Blob, File, and table storage copy services.
AzCopy
_________ is a command-line utility that you can use to perform large-scale bulk transfer of data to and from Azure Storage. ________ performs all the operations asynchronously and can run simultaneously. It's fault tolerant so if the operation is interrupted it can resume from where it left off once the issue is resolved.
AzCopy
___________ is a command-line tool that moves data into and out of Azure Storage. It supports Blob Storage and can be used for scripting.
AzCopy
Supported ways to connect Storage Explorer to Storage Accounts: Add an ______ account - This option allows you to sign in using a work or Microsoft account and access all your storage accounts via role-based access control.
Azure
Customers to sign in to applications using their social media accounts and ____ automatically extends to business partners.
Azure AD B2B (Business to Business)
Allows customers to sign in to applications using their social media accounts, such as a Facebook ID
Azure AD B2C (Business-to-Customer)
________ is an extension of device registration that changes the local state of the device. When a device is ___________ed, users can sign into the device using an organizational account instead of a personal account.
Azure AD Join
______________ has been recently added as an authorization mechanism for Azure Storage. Azure Blobs and Queues are supported for _________.
Azure AD authentication
SAS signatures can be signed by ______________ to provide access to storage accounts.
Azure AD credentials
When a device is _______, users can sign in to the device using an organizational account instead of a personal account.
Azure AD-Joined
AAD
Azure Active Directory
_________________ surfaces data at the subscription level and can be useful for understanding actions that occur within your environment against the Resource Manager APIs. Events in the activity log are retained for 90 days, you can retain them for a longer period by sending them to Azure Storage and/or a Log Analytics Workspace.
Azure Activity Log
Azure Key Vault is used to implement ___________ authentication to third party identity providers are stored here.
Azure App Service
_______________ is a PaaS offering that makes it easy to host a web app in the cloud. Any app that is designed to process HTTP requests can benefit from App Service.
Azure App Service
Conditions of large-scale sets "multiple placement groups" For a large-scale set (>100 instances), you should use the Standard SKU (Supports up to 1,000 instances) or the ______________.
Azure Application Gateway
___________ can be used to protect files and folders, applications, and IaaS virtual machines. This cloud-based data protection service helps organizations by providing offsite backups of on-premises servers and protection of VM workloads they have already moved to the cloud.
Azure Backup
___________ is a service that allows you to backup on-premises servers, cloud-based virtual machines and virtualized workloads. Also supports the backup of Azure Storage file shares.
Azure Backup
_______ is a standalone service that you install on a Windows Server operating system that stores the backed-up data in a Recovery Services Vault.
Azure Backup Server
There are two versions of the WAImportExport tool. Version 1 is recommended for ___________ and Version 2 is recommended for ____________.
Azure Blob Storage, Azure Files
The Deny Assignments tab of the Access Control (IAM) blade cannot be used to make or alter deny assignments. Deny assignments are set and controlled by applying a resource lock for resources created through _________
Azure Blueprints.
AKS Options for networking: ________________ - Called advanced networking. When you use CNI networking, both the nodes and the pods receive an IP address from the subnet
Azure Container Networking Interface (CNI)
Allows you to host your DNS domains in Azure. Provides the ability to create and manage the DNS records for your domain and provides name servers, which answer DNS queries for your domain from other users on the Internet.
Azure DNS
Azure Storage Explorer is a cross-platform application designed to help you quickly manage one or more Storage Accounts. It can be used with all storage services and also supports Cosmos DB and _____________ services.
Azure Data Lake Storage
Available Backup Policy options in Azure Portal ___________ allows you to schedule a daily backup for an Azure file share.
Azure File Share
_________ provide shared storage for multiple pods on an AKS cluster
Azure Files
______________ - A managed service that provides out-of-the-box network security for Azure resources. It's highly available and scalable. Provides an ability to limit the outbound IP addresses and ports that are allowed to communicate within an Azure subnet. Provides outbound SNAT support, inbound DNAT support, and Azure Monitor logging.
Azure Firewall
________________ is a managed service which provides out of the box network security to secure Azure resources. ________________ allows us to create and configure application and network rules.
Azure Firewall
___________ helps safeguard storage account access keys as well as cryptographic keys and secrets used by cloud applications and services, such as authentication keys, storage account keys, data encryption keys, and certificate private keys.
Azure Key Vault
____________ (AKS) allows for orchestration that can help you to manage the complexity of a multi-container deployment.
Azure Kubernetes Service
Azure Disks can be used for storage with _____.
Azure Kubernetes Service (AKS)
_______________ can be deployed with either a public (Internet) or private (Intranet) frontend IP address.
Azure Load Balancer (ALB)
_________________ comes in two pricing tiers - Standard supports availability zones and more flexible backend pools and several other features. Basic is free of charge.
Azure Load Balancer (ALB)
____________________-load-balancing configuration comprises frontend IP configuration, backend pool, health probes, and load-balancing rule.
Azure Load Balancer (ALB)
Machines need to be running the ______________ agent to report logs to Log Analytics. The agent binds to a workspace to collect the data defined in the workspace settings or in installed solutions.
Azure Log Analytics (OMS)
Alert Rules in ____________ are not the same as alerts. They are the criteria used to evaluate when an alert should be generated. An alert is generated based on the rule, and then the alerts themselves are acted upon separately, even maintaining their own state.
Azure Monitor
Alerts that are generated within ____________ can invoke Azure Automation runbooks, Logic Apps, Azure Functions, and even generate incidents in third-party IT service management tools.
Azure Monitor
_____________ helps you track performance, maintain security, and identify trends by ingesting metrics and telemetry from multiple areas, including applications and the operating systems of virtual machines. It also allows you to query resources, subscriptions, tenants, and even custom sources.
Azure Monitor
________________________ provides the ability to view events representing network traffic being blocked by multiple NSGs.
Azure Monitor for Networks
_______________ is a network monitoring solution for hybrid networks that enables you to monitor network connectivity and performance between various points in your network, both in Azure and on-premises.
Azure Network Performance Monitor (NPM)
_________________ provides a central hub for a wide range of network monitoring and diagnostic tools. These tools are valuable across a wide range of network troubleshooting scenarios and provide access to other tools like Network Performance Monitor and Connection Monitor.
Azure Network Watcher
Service Endpoints are a mechanism to integrate __________ into your virtual network and access them through a Microsoft Azure backbone network instead of over the Internet. Service Endpoints prevent the exposure of data and services to the Internet.
Azure PaaS services
_________ includes the application of rules that allow or deny a given resource type, apply tags automatically, and even enforce data sovereignty.
Azure Policy
___________ is an Azure service that can be used to create, assign, and manage policies that enforce governance in your Azure environment.
Azure Policy
Older circuits can use a third peering model called _________________, which provides connectivity to Azure PaaS services only. This is deprecated for new circuits.
Azure Public Peering
Automation Scripts link in the left pane of a resource group page provides the ability to generate an ________________ template that represents the current state of that resource group
Azure Resource Manager
Storage Accounts are managed through ___________.
Azure Resource Manager
Storage Accounts that are created with the ____________ deployment model only support Azure AD authorization.
Azure Resource Manager
Azure RBAC is applicable to the management of resources created in the ________________ model.
Azure Resource Manager (ARM) deployment
_______________ enables us to replicate, failover, and failback virtual machines as needed.
Azure Site Recovery Services
______________ can be managed through several tools directly from Microsoft - Azure Portal, PowerShell, CLI, Storage Explorer, and AzCopy.
Azure Storage
An intelligent DNS service that uses DNS to implement global traffic management. Where Azure DNS always provides the same DNS response to a given DNS query, in Azure Traffic Manager the same query may result in one of several responses.
Azure Traffic Manager
To implement connection monitoring for Azure Monitor, it is necessary to have at least one Azure VM ___________, which will host the Network Watcher agent installation.
Azure VM
-
Azure Virtual WAN is a combination of many networking, security, and routing functionalities together to provide a single operational interface for various networking solutions. Azure Virtual WAN facilitates Point-to-site, Site-to-site, ExpressRoute connectivity, and Azure Firewall configuration all at one place.
Public IP address is a standalone __________. Associating a VM with a public IP requires you to update the IP configuration of the network interface to reference to the public IP address resource.
Azure resource
Metrics includes platform metrics, which are created by ___________________ and made available in Azure Monitor for querying and alerting. You can also query application metrics from Application Insights if the service is enabled and you have instrumented your applications, regardless of whether that application is hosted on a virtual machine or even in a PaaS service.
Azure resources
For longer term retention, metrics can optionally be sent to ______________ for select resources and retained up to the configured retention policy or the storage limits of the account. They can also be sent to Log Analytics with a default retention period of 31 days.
Azure storage
Azure Load Balancer is a fully managed load-balancing service, which is used to distribute inbound traffic across a pool of back-end servers running in an ______________________. Can receive traffic on either Internet-facing or Intranet-facing endpoints and supports both UDP and TCP traffic. Operates at the transport layer (OSI Layer 4) to route inbound and outbound connections at the packet level.
Azure virtual network
Sometimes called Internal DNS, it allows the VMs in your virtual network to find each other, using DNS queries based on the hostname of each VM. The DNS queries are internal (Private) to the virtual network.
Azure-provided DNS
Azure Bastion is provisioned within a Virtual Network within a separate subnet called "_________________".
AzureBastionSubnet
Azure Firewall must be hosted in a subnet named _________________ with a minimum /26 address space for the Azure Firewall to provision more VMs to accommodate scaling.
AzureFirewallSubnet
-
Billing for the ExpressRoute circuit begins immediately upon resource creation and does not depend upon completing the configuration with the ExpressRoute provider.
Export service is only available for Blob storage. After receiving the disks from Microsoft, you will need to retrieve the ___________ from the Azure portal to unlock the disks.
BitLocker keys
Azure Disk Encryption uses _________ to provide volume encryption for the OS and data disks of Azure VMs.
BitLocker
Azure ____ Storage is used for large-scale storage of arbitrary data objects, such as media files, log files, and so on.
Blob
Blob Storage Access Levels ____ - With this option, only blobs within the container can be accessed anonymously
Blob
Export service is only available for _______ storage. After receiving the disks from Microsoft, you will need to retrieve the BitLocker keys from the Azure portal to unlock the disks.
Blob
Storage Explorer Operations: _______ Containers - Create, rename, copy, delete, control public access level, manage leases and create and manage shared access signatures and access policies
Blob
_____ Storage - Supports Blob, block and append blobs only. No unmanaged disk support. Standard performance tier. Supports Hot, Cool, and Archive access tiers. Replication options are LRS, GRS, and RA-GRS.
Blob
_________ Storage - Supports Blob, block and append blobs only. No unmanaged disk support. Premium performance tier. N/A for access tiers. Replication options are LRS and ZRS.
Blob Block
Command-line Utility AzCopy can be used to upload data to an Azure _________. Only condition is that the storage account and destination container should already exist.
Blob Storage
_______________ account is a specialized storage account used to store Block Blobs and Append Blobs. You can't store Page Blobs in these accounts.
Blob storage
Import service is available for _________ and _________.
Blob storage and Azure Files
Prerequisites for implementing object replication for Azure Blob Storage: ______ Versioning; _______ Feed
Blob, Change
Storage Explorer Operations: _______ - Upload, download, manage folders, rename and delete blobs, copy blobs, create and manage blob snapshots, change blob access tier, and create and manage shared access signatures and access policies
Blobs
______- Provides a highly scalable service for storing arbitrary data objects such as text or binary data.
Blobs
________ Blobs - Optimized for efficient uploads and downloads for videos, images, and other general-purpose file storage.
Block
Azure _______ and resource locks can be used to make deny assignments at a child scope.
Blueprints
________ can be created at the subscription, management group, and resource group scope if necessary.
Budgets
Function Apps in the alert groups responses provide the ability to invoke custom code written in ___.
C#
DNS Record types in Azure DNS: Used to specify which certificate authorities can issue certificates for a domain. Must be configured using CLI or PowerShell
CAA
Source and destination IP address ranges in NSG rules can be specified explicitly using ____________.
CIDR ranges
Any subscription containing a virtual network resource will automatically have Network Watcher enabled. Network Watcher can also be deployed in Azure Portal or the _____.
CLI
If the virtual machine is deployed into an availability zone, the disk is automatically placed into the same zone as the virtual machine using Azure _________.
CLI
DNS Record types in Azure DNS: Provides a mapping from one DNS name to another. The DNS standards do not allow CNAME records at the zone apex.
CNAME
___________ - Locks prevent the deletion of a resource. A ________ lock only prevents deletion of a resource and does not impede the modification of a resource
CanNotDelete
VM Sizes: Define High Performance Compute?
Capable of handling batch processing, molecular modeling, and fluid dynamics. This type offers substantial CPU power and diverse options for low-latency RDMA networking using FDR InfiniBand and several memory configurations to support memory-intensive computational requirements.
Azure Tag limitations: Tags are not inherited by _____ resources. Tags applied to a resource group are not applied to resources in that resource group.
Child
ExpressRoute _____________ Bandwidth Options - 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps. Bandwidth can either be metered or unlimited.
Circuit
______ subscription Administrators have full access to an Azure subscription. They can manage resources through the Azure Portal and Resource Manager APIs (including PowerShell and the CLI).
Classic
Azure _____ Shell is a convenient way to create a container for ACI.
Cloud
Azure File Sync extends Azure Files to allow on-premises file services to be extended to Azure while maintaining performance and compatibility. Key features include: _________ - Stores only recently accessed data on local servers. The rest of the data gets tiered to Azure in a storage account.
Cloud Tiering
________ are created and managed exclusively in Azure AD, and their attributes can be updated directly in Azure AD. Can be created through the Azure portal, Azure PowerShell, and the Azure command-line interface (CLI).
Cloud-only users
Autoscaler components of AKS: ____________ - Scales your node clusters based on the number of pending pods.
Cluster Autoscaler
Kubernetes Service Types: ____________ - Provides an internal IP address that can only be used within the AKS cluster
Cluster IP
________ - Provides an internal IP address that can only be used within the AKS cluster
Cluster IP
_________ have the same level of access as the service administrator but cannot change the association of subscriptions to Azure directories. There can be up to 200 ________ per subscription.
Co-Administrators
________________ deployment mode: ARM will delete resources that exist in the resource group that are not in the template. Helpful if you need to remove a resource from Azure and you want to make sure your template matches the deployment.
Complete
ARM supports two different deployment modes - _____________ and ______________.
Complete, Incremental
______________________ - Similar to connection troubleshoot in that it uses the same mechanism to test the connection between an Azure VM or App Gateway and another endpoint. The difference is that Connection Monitor provides ongoing connection monitoring, whereas Connection Troubleshoot provides a point-in-time test.
Connection Monitor
Connection Monitor enables long-term connection monitoring, using similar diagnostics as used by ___________________.
Connection Troubleshoot
__________________________ - Is a Network Watcher feature designed to allow you to test the connectivity between an Azure VM or an App Gateway and another endpoint, either another Azure VM or an arbitrary Internet or Intranet endpoint.
Connection Troubleshoot
_________ is the top-level object in ACI, and it represents all the containers running on a particular computer. Multiple containers being used in a container group share the same URL, so you will need to specify a separate port for each container.
Container Group
_________ allow you to package an application and all its dependencies into a compressed package called an image. The image can then be uploaded to an image repository. A container runtime can then be installed on your computer (or VM) and pointed to the image in the repository. The container runtime will download the image, extract it, and then create a container that hosts the application in an isolated environment.
Containers
__________ includes features for performing cost analysis, setting per-subscription budgets and alerts, setting recommendations for optimization, and exporting cost management data to perform deeper analysis.
Cost Management
Step 3 of creating a child zone resource (DNS)?
Create NS records in the parent zone to delegate the child zone. The name of the NS records should be the child zone name and the RDATA in the NS records should be the child zone name servers
Supported sizes for accelerated networking: Supported on most general-purpose and compute-optimized instance sizes with two or more vCPUs. ____ and ____ series are supported
D/DSv2, F/Fs
Supported sizes for accelerated networking: On instances that support hyperthreading, supported on VM instances with four or more vCPUs. The following series are supported - ______, E/ESv3, Fsv2, and Ms/Mms.
D/DSv3
A container group can have its properties updated like its ____ label. Not all properties of a container group can be modified, some require that you delete and redeploy container groups in order to change them.
DNS
______ Records needed at your domain registrar: A Record - Root domain record that maps a host to the IP address. TXT Record - Verify ownership of your root domain; create a TXT record named asuid with a value of the custom domain verification ID shown in the Azure portal. CNAME Record - Used to map a subdomain.
DNS
Properties of a virtual network: ________________ - Contains an array of DNS servers. If specified, these DNS servers are configured on virtual machines in the virtual network in place of the Azure-provided DNS servers
DNS Settings
_____________ is the representation of a domain name in an authoritative DNS server. It contains the collection of DNS records for a given domain name.
DNS Zone
Ways to configure a ____________________________________________: by specifying the DNS name label property of the public IP address resource; by creating a DNS A record in Azure DNS or a third-party DNS service hosting a DNS domain; by creating a DNS CNAME record in Azure DNS or a third-party service hosting a DNS domain; by creating an alias record in Azure DNS.
DNS label for an Azure public IP address
-
DNS server settings at the virtual network level apply to all VMs in the virtual network. You can apply VM-specific DNS server settings within each network interface. Where multiple VMs are deployed in an availability set and DNS servers are set at the network interface, all VMs in the availability set are updated.
_______ CSV file and Driveset CSV file are the two files that are required to prepare disks that will contain data to be imported into Azure Storage. The first of them contains the list of data files, while the second lists the disks and the corresponding drive letters.
Dataset
Settings of a virtual network subnet: ___________________ - An array of references to delegations on the subnet. Delegations allow subnets to be used by certain Azure services, which will then deploy managed resources into the subnet.
Delegations
Values used with the Update-AzTag command: ______ - Deletes the specified tags from the listed resources.
Delete
______ assignments are evaluated before role assignments and can be used to exclude service principals from accessing child scopes.
Deny
___________________ allow you to create another app with its own hostname in your App Service Plan. These can be used to test a new version of an app, and once you are satisfied with the new version, you can easily swap the test deployment slot into production. You can even configure a percentage of live traffic to a deployment slot for testing.
Deployment slots
Additional Local Administrators On Azure AD Joined Devices. With Azure AD Premium or with the Enterprise Mobility Suite, you can choose which users are granted Local Administrator rights to the device. Global Administrators and the device owner are granted Local Administrator rights by default. The default value is None and can be changed to Selected. If the value is set to Selected, any users added here are also added to the ___________________ in Azure AD.
Device Administrators role
________ identity can be managed independently of a _____'s identity.
Device, user
______________________ element in Azure Monitor for Networks interface in the Azure portal provides access to the Network Watcher tools, including packet capture.
Diagnostic Toolkit
Azure ________ agents can be enabled on Windows and Linux virtual Machines to capture diagnostic, performance, logs, and boot diagnostic data.
Diagnostics
Azure _________ agent can be enabled on Windows and Linux virtual machines to capture diagnostic, performance, logs, and boot diagnostic data.
Diagnostics
Azure ______ can only be used by a single pod. If you need to access storage across multiple pods, you should use Azure Files instead.
Disks
SAS ______ - Provides a persistent storage volume for Azure VM which can be attached as a virtual hard disk.
Disks
Azure Backup vaults support backup of _____ and _____.
Disks, Blobs
_______ is the most popular container runtime.
Docker
______________________ can be used to create a mapping from a domain name to an IP address. This allows you to reference IP address endpoints using a domain name, rather than using the assigned IP address directly.
Domain Name System (DNS)
Dataset CSV file and ________ CSV file are the two files that are required to prepare disks that will contain data to be imported into Azure Storage. The first of them contains the list of data files, while the second lists the disks and the corresponding drive letters.
Driveset
Allows you to use dynamic group rules to automatically add and remove devices based on attributes.
Dynamic Device Membership Type
Allows you to use dynamic group rules to automatically add and remove members based on attributes.
Dynamic User Membership Type
Supported sizes for accelerated networking: On instances that support hyperthreading, supported on VM instances with four or more vCPUs. The following series are supported - D/DSv3, ______, Fsv2, and Ms/Mms.
E/ESv3
-
Each ExpressRoute circuit has two connections from your network edge to Microsoft edge routers, configured using BGP. Microsoft requires dual BGP connections from your edge to each Microsoft edge router.
________________ view is designed to provide insight to drill into each NSG rule and see the exact list of source and destination IP prefixes that have been applied, regardless of how the NSG rule was defined.
Effective Security Rules
_______________________ can be reviewed for each network interface. This allows you to see the exact IP ranges used by each service tag and ASG
Effective Security Rules
Supported ways to connect Storage Explorer to Storage Accounts: Attach to a Local _______ - Allows you to connect to the local Azure Storage ________ as part of the Microsoft Azure SDK.
Emulator
Server-side Encryption Models: Define Service-managed keys in customer-controlled hardware?
Enables you to manage keys in your proprietary repository, outside of Microsoft control. This is called host your own key (HYOK); it's a complex setup and most Azure services don't support it.
What are the two ways to export a template?
Export from resource group or resource; Save from history
________________________ - Allows monitoring of end-to-end network connectivity and performance between on-premises and Azure endpoints over ExpressRoute connections. It can auto-detect ExpressRoute circuits and your network topology, and track bandwidth utilization, packet loss, and network latency. Reports are available for circuits and peering. Takes 30-60 minutes for the first ExpressRoute reporting data to become available.
ExpressRoute Monitor
A virtual network subnet is required for an Azure _________ Gateway.
ExpressRoute
Network Performance Monitor provides three services: _______________ - Used to monitor end-to-end connectivity between your on-premises network and Azure over ExpressRoute. Can use auto-discover for your ExpressRoute network topology. It can then track your ExpressRoute bandwidth utilization, packet loss, and latency. These are measured at the circuit, peering and Azure virtual network level.
ExpressRoute
_____________ supports four models that you can use to connect your on-premises network to the Microsoft cloud: CloudExchange colocation; Point-to-point Ethernet connection; Any-to-any connection; Directly from ExpressRoute sites
ExpressRoute
________________ provides Microsoft Peering (Connectivity to Azure PaaS endpoints, and other Microsoft services) or Private Peering (Connectivity to Azure virtual networks). The former uses Internet addresses, and the latter uses Intranet addresses. Azure Public Peering, for Azure PaaS services only, is deprecated for new ExpressRoute circuits.
ExpressRoute
_________________ is a secure and reliable private connection between your on-premises network and the Microsoft cloud. The connection is provided mostly by a third-party network provider who has partnered with Microsoft to offer this service.
ExpressRoute
-
ExpressRoute Premium add-on allows you to extend connectivity to all Microsoft data centers worldwide. This add-on also raises the number of routes permitted for the Azure Private Peering from 4,000 to 10,000. It also increases the number of virtual networks that can be connected to each ExpressRoute circuit from 10 to between 20 and 100 (depending on the bandwidth of the circuit).
Kubernetes Service Types: ____________ - Provides a DNS entry for AKS nodes.
ExternalName
________ provides a DNS entry for AKS nodes.
ExternalName
A DNS label is a suffix of the _____. DNS label you provide is concatenated with this suffix to form the ______, which can be used to look up the IP address via a DNS query.
FQDN
App Service also supports deployments using _____.
FTPS
Factors when creating a resource group: Microsoft does not recommend that all resources in a resource group share the same lifecycle. True or false?
False
Storage Explorer Operations: ________ - Upload folders or files, download folders or files, manage folders, copy, rename, and delete files.
Files
Storage _______ allows you to limit access to specific IP addresses or an IP address range. Applies to all storage account services.
Firewall
Spreading Algorithm option for Health Monitoring decides how scale set instances will be placed in a fault domain. With max spreading, the instances are distributed in the maximum fault domains possible for each zone. _______________ restricts instances to exactly five fault domains. If a scale set is using a _____________ algorithm and if there are less than five fault domains available, the deployment will fail.
Fixed Spreading
Supported sizes for accelerated networking: On instances that support hyperthreading, supported on VM instances with four or more vCPUs. The following series are supported - D/DSv3, E/ESv3, ____, and Ms/Mms.
Fsv2
Actions you can execute for action groups: _____________ is a set of code that runs "serverless" that can respond to alerts. This functionality requires Version 2 of __________, and the value of the AzureWebJobsSecretStorageType app setting must be set to files.
Function Apps
Storage Explorer is a _____ which uses AzCopy to perform all its data transfer operations in the backend.
GUI
Accelerated networking can be enabled at the time of creation or after the virtual machine is created, if the following prerequisites are met: the VM must be a supported size for accelerated networking; the VM must use a supported Azure ______ Image; all VMs in an availability set or VMSS must be stopped/deallocated before enabling it on any NICs.
Gallery
ExpressRoute Circuit Bandwidth Options - 50/100/200/500 Mbps; 1, 2, 5, 10 ____
Gbps
Only ___________ and ______ Storage accounts support the Hot, Cool, and Archive access tiers.
General-Purpose V2, Blob
It is best practice to choose _________ storage or Read Access _______ storage to be associated with the Recovery Services Vault. This ensures that if a regional outage affects VM access, there is a replicated copy of the backup in another region.
Geo-Redundant
____________________ - Same as LRS (three local copies), plus three additional asynchronous copies to a second datacenter hundreds of miles away from the primary region. Data replication typically occurs within 15 minutes, although no SLA is provided. Available for General-purpose or Blob storage accounts, at the Standard Performance tier only.
Geographically Redundant Storage (GRS)
Storage Account Replication ___________________ - The same as ZRS (Three synchronous copies across multiple availability zones), plus three additional asynchronous copies to a second datacenter hundreds of miles away from the primary region. Data replication typically occurs within 15 minutes, although no SLA is provided. Available for General-purpose v2 storage accounts only, at the standard performance tier only.
Geographically Zone Redundant Storage (GZRS)
One of the most common deployment options is to use continuous integration and continuous deployment (CI/CD). With this you can use a source repository like _________, or a local Git repository.
GitHub
Peering between VNets in different regions is called ________ VNet peering.
Global
To create new users you must be assigned a ____ or _____ role.
Global Admin, User Admin
Similarly to users, _______ can be created through the Azure portal, Azure PowerShell, and the Azure command-line interface (CLI).
Groups
___________ metrics collected by Log Analytics Agents: Collected by the Log Analytics agent and are sent to a Log Analytics workspace. Retention period of 31 days. This retention period can be extended for up to two years.
Guest OS
Spreading Algorithm option for ____________ decides how scale set instances will be placed in a fault domain. With max spreading, the instances are distributed in the maximum fault domains possible for each zone. Fixed Spreading restricts instances to exactly five fault domains. If a scale set is using a fixed spreading algorithm and if there are less than five fault domains available, the deployment will fail.
Health Monitoring
Autoscaler components of AKS: _________ Pod Autoscaler - Scales to a maximum of five pods and minimum of two pods.
Horizontal
_______ Pod Autoscaler - Scales to a maximum of five pods and minimum of two pods
Horizontal
What are the 3 Azure Blob Storage Tiers?
Hot, Cool, and Archive
______________ network architecture is a common approach where separate spoke VNets are used by each application, peered to a hub VNet containing a network virtual appliance (NVA). The peering connections must enable Allow Forwarded traffic.
Hub-and-spoke
_________ can use Windows 10, Windows 2016, Windows 7, Windows 8.1, Windows 2008, Windows 2008 R2, Windows 2012, and Windows 2012 R2.
Hybrid Azure AD Join
App Services Networking Features: ______________________ - Enables outgoing communication from your app to an endpoint using a TCP connection. The host can be located practically anywhere. Relies on the installation of the Hybrid Connection Manager (HCM) on the host you're attempting to access. HCM handles communication between the remote host and the web app, and because this communication happens over standard ports, it doesn't usually require any ports to be opened on a firewall. Typically connects to the endpoint host with the NetBIOS name. Uses Service Bus for communication.
Hybrid Connection
Hybrid Connection provides communication from Azure App Service to an on-premises database server via TCP
Hybrid Connection provides communication from Azure App Service to an on-premises database server via TCP
Premium storage accounts use solid state drives and offer consistent, low-latency performance. This type of account can only be used with Azure virtual machine disks and is best for ___________ applications like databases
I/O-intensive
________________ is a Network Watcher feature used to test if a given network flow is allowed in or out of an Azure VM.
IP Flow Verify
_________________ tests whether a given network flow will be allowed to or from an Azure VM, including the ability to identify a network security group rule that is blocking network communication.
IP Flow Verify
__________________ provides a quick and easy way to test whether a given network flow will be allowed into or out of an Azure virtual machine. It will report whether the requested traffic is allowed or blocked and in the latter case, which NSG rule is blocking the flow. Useful tool for verifying that NSGs are correctly configured. Works by simulating the requested packet flow through the NSGs applied to the VM. For this reason, the VM must be in a running state.
IP Flow Verify tool
Within Network Interface Settings, you must enable __________ on this network interface. It allows the VM using the interface to receive traffic that is not sent to one of the IPs in the IP configurations. Also, it allows the VM to send traffic using an IP address that is not in the IP configurations.
IP Forwarding
Inside a cluster, containers run inside of a pod. A pod can run a single container, but it can also run multiple containers. When multiple containers are running in a pod, they share storage and a single ____________.
IP address
A VM can be associated with one or more network interfaces, and each network interface can contain multiple ________________________.
IP configurations
Private IP addresses are configured within the _____________ of a network interface.
IP configurations
Within Network Interface Settings, there is a list of ______________ for the network interface. These are the most important settings; they contain the public and private IP addresses.
IP configurations
For a VM to accept a network packet addressed to a different address, to be passed into a virtual appliance, you must enable ___________ on the network interface of the virtual machine.
IP forwarding
When creating an _________, you must specify the prefix resource name, subnet size, and the Azure region where the IP addresses will be allocated.
IP prefix
Your existing ________ provider may be able to integrate ExpressRoute into your WAN, if they are registered as an ExpressRoute provider.
IPVPN WAN
You can connect to ExpressRoute either via your co-location facility provider, via a point-to-point Ethernet connection, or by extending your _______________.
IPVPN WAN.
NSGs are used to define the rules of how traffic is filtered for your ______ deployments in Azure.
IaaS
When used with _______, each load balancer can support multiple frontend IP configurations.
IaaS VMs
Step 2 of creating a child zone resource (DNS)?
Identify the name servers for the child zone. These will be different to the name servers assigned to the parent zone.
Azure ________/________ service allows you to ship data into or out of an Azure Storage account by physically shipping disks to an Azure datacenter.
Import/Export
________________ deployment mode: ARM leaves unchanged resources that exist in the resource group but aren't in the template. It will update the resources in the resource group if the settings in the template differ from what is deployed.
Incremental
Guest OS metrics sent to Azure Monitor Metrics: Monitored by Windows diagnostic extensions of the ________________ agent and are routed to an Azure Monitor data sink. Retention period of 93 days.
InfluxData Telegraf
Virtual Machines in Azure can also push custom metrics to the monitor service using the Windows Diagnostic extension on Windows servers and with the ________________ on Linux VMs.
InfluxData Telegraf Agent
Hybrid networks are commonly used for ___________ applications, which may be hosted in Azure but only accessed from the on-premises network.
Intranet
Underlying network topology data can be downloaded in ______ format via Azure PowerShell or Azure CLI.
JSON
Network policy is a feature in _______ that enables you to control network traffic between pods.
Kubernetes
_________ is an open-source container management and orchestration system.
Kubernetes
_________ runs on top of the container runtime, and it can help you scale and manage a containerized deployment.
Kubernetes
Benefits by using object replication: You can reduce the costs by moving your replicated data to the archive tiers using ___________________ policies.
Lifecycle Management
Resource ______ can stop resources from being created.
Limits
Default NSG Rules: Virtual Network - Traffic originating and ending in a virtual network is allowed in both inbound and outbound directions. Internet - Outbound traffic is allowed, but inbound traffic is blocked. __________ - Allows the Azure Load Balancer to probe the health of your VMs and role instances. If you are not using a load balanced set, you can override this rule.
Load Balancer
Kubernetes Service Types: ____________ - Provides an Azure Load Balancer and an external IP address to allow access to the node as per load balancing rules that are created. (Internal load balancers can be created to restrict access from the internet)
LoadBalancer
_______ provides an Azure Load Balancer and an external IP address to allow access to the node as per load balancing rules that are created.
LoadBalancer
Storage Account Replication _____________________ - Three synchronous copies of your data within a single datacenter. Available for general-purpose or Blob storage accounts at both the standard and performance tiers.
Locally Redundant Storage (LRS)
Properties of a virtual network: _________ - Each VNet is tied to a single Azure region and can only be used by resources in the same region
Location
Azure Resource ______ (Sometimes called management ______) are used to prevent the accidental deletion or modification of resources.
Locks
Resource _______ can be applied to a subscription, resource group, and resource scopes.
Locks
Azure _________ workspace is required to store backup reporting data.
Log Analytics
Azure ____________ has many management solutions that can help administrators gain value out of complex machine data. These solutions contain pre-built visualizations and queries that help surface insights quickly.
Log Analytics
Azure _______________ can consolidate machine data from on-premises and cloud-based workloads and this data is indexed and categorized for quick searching. Data can be collected from both Windows and Linux machines.
Log Analytics
___________ must be enabled and configured before insights can be extracted or visualizations can be created that are dependent on that data.
Log Analytics
Data stored in Log Analytics can also be queried directly through a _____________________, where you will have access to the same query interfaces as you have through Azure Monitor, but you also can make customizations to the configuration of the workspace and access workspace-specific solutions including visualizations and queries.
Log Analytics Workspace
______________________ is where logs are collected and aggregated. The logs can also be queried and visualized through Log Analytics or through Azure Monitor. A workspace is an Azure resource, meaning that RBAC can be applied for granular access to the service and the data stored within it.
Log Analytics Workspace
_________________ can serve as the destination for Azure Load Balancer diagnostics and provides the ability to run Kusto Query Language (KQL) queries directly from the Azure portal.
Log Analytics workspace
Actions you can execute for action groups: ___________ - Provides a visual designer to model and automate your process as a series of steps known as a workflow. There are many connectors across the cloud and on-premises to quickly integrate across services and protocols. When an alert is triggered it can take the notification data and use it with any of the connectors to remediate the alert or start other services.
Logic Apps
Benefits of _______ groups o Reduce overhead o Enforcement o Reporting
Management
_________ groups allow you to apply governance across subscriptions, including the application of common RBAC controls and the application of Azure policy.
Management
What are the four scopes at which RBAC can be applied?
Management, Subscription, Resource Group, Resource
ExpressRoute Circuit Bandwidth Options - 50/100/200/500 _____ 1, 2, 5, 10 Gbps
Mbps
Values used with the Update-AzTag Command _______ - Merges the newly specified tags with the existing ones and overrides the conflicts for the listed resources.
Merge
Storage Explorer Operations: _____________ - Add, view, dequeue, and clear all messages.
Messages
Each _______ has the following properties: o The time the value was collected o The type of measurement that value represents o The resource with which the value is associated o The value itself
Metric
Azure Monitor stores and surfaces which two types of data?
Metrics, Logs
User Access Administrator is the least privileged role that includes the ___________ permission
Microsoft.Authorization/roleAssignments/*
Users May Register Their Devices with Azure AD. Allow users to register their devices with Azure AD (Workplace Join). Enrollment with ______ or ______ for Office 365 requires Device Registration. If you have configured either of these services, ALL will be selected, and the button associated with the setting will be disabled.
Microsoft Intune or Mobile Device Management
Traffic between peered VNets travels over the _____________ infrastructure, not the public Internet.
Microsoft backbone
To create and remove role assignments, you must have Microsoft.Authorization/roleAssignments/* permission at the necessary scope.
Microsoft.Authorization/roleAssignments/*
Alert Rules can be managed through Azure _______.
Monitor
Azure ___________________ is an offering for monitoring your Managed Kubernetes clusters (AKS) and Azure Container Instances (ACI).
Monitor for Containers
Step 4 for enabling AD DS Authentication to Azure Files?
Mount the Azure File Share
Supported sizes for accelerated networking: On instances that support hyperthreading, supported on VM instances with four or more vCPUs. The following series are supported - D/DSv3, E/ESv3, Fsv2, and _____.
Ms/Mms
_________ container groups are currently only supported on Linux.
Multi-container
____________ container groups are currently only supported on Linux. A container group that hosts a Windows container can only contain that single container. Microsoft is working on feature parity between Linux and Windows containers, so this will likely change.
Multi-container
Azure File Sync extends Azure Files to allow on-premises file services to be extended to Azure while maintaining performance and compatibility. Key features include: ________ access - The ability to write files across Windows and Azure Files
Multi-site
____________ requires you to create a Log Analytics workspace or select an existing workspace to use.
NPM
To monitor a given network link, ____________________ should be installed on servers at both ends of that link
NPM Agents
DNS Record types in Azure DNS: A record set at the zone apex containing the name servers for the DNS zone is required by the DNS standards.
NS
Setting up __________________ is called delegating a DNS domain.
NS Records
__________________ tell clients on the Internet where to find the name servers for a given DNS zone. __________________ for a DNS zone are configured in the parent zone, and a copy of the records is also present in the child zone. Setting up these __________________ is called delegating a DNS domain.
NS records
Each NIC or subnet can only be associated with one ____.
NSG
Network Security in an AKS cluster is handled using ____ and network policy. Azure creates ____ rules for you as you create resources. Network policy is a feature in Kubernetes that enables you to control network traffic between pods.
NSG
Tools to help identifying the required NSG rules include service map and _______________.
NSG flow logs
When configuring ______ for backend servers, it is important to allow both inbound traffic and probe traffic.
NSGs
Network Interface Settings: o __________ o Location o DNS Setting o IP Forwarding o IP Configurations o Network Security Groups o Accelerated Networking
Name
______________ Rules - Are combination of source and destination IP addresses along with their ports and protocols.
Network
Next hop types supported for UDRs: Virtual ___________ - Used to route traffic to a VPN gateway.
Network Gateway
__________________ can be installed from the Azure Marketplace. It is also available from Network Watcher, an Azure Service that acts as a hub for a wide range of network monitoring and diagnostic tools.
Network Performance Monitor (NPM)
_____________________ is a Log Analytics solution. Log Analytics agents are installed on each node used to measure network connectivity and performance. These agents perform synthetic transactions over TCP or ICMP to measure network performance. Data gathered from these agents is channeled into a Log Analytics workspace.
Network Performance Monitor (NPM)
_______________ in an AKS cluster is handled using NSGs and network policy. Azure creates NSG rules for you as you create resources. Network policy is a feature in Kubernetes that enables you to control network traffic between pods.
Network Security
Settings of a virtual network subnet: ____________________ - NSGs can be associated to a subnet and are used to control which inbound and outbound traffic flows are permitted.
Network Security Group
_______________________ - Is a networking filter containing a list of security rules which control network traffic when applied. These rules can manage both inbound and outbound traffic. A _______________ can be associated to a network interface, the subnet the network interface is in, or both.
Network Security Group (NSG)
Within Network Interface Settings, the ______________ setting will display the name of any NSGs associated with this interface.
Network Security Groups
________________ provides a diagrammatic view of the resources in your virtual network. It is not a diagnostic or alerting tool. It is a quick and easy way to review your network resources and manually check for misconfiguration. The limitation is that it only shows the topology within a single virtual network. All common network resource types are supported, although for application gateways, only the backend pool connected to the network interface is shown.
Network Topology
___________________ creates a diagrammatic representation of the resources in your virtual network.
Network Topology
A _______________ can be used in a hub, through user-defined routes (UDRs), to route inter-spoke traffic through the _______. This is known as service chaining, and it enables spoke-to-spoke communication without requiring additional VNet peerings.
Network Virtual Appliance (NVA)
Network Performance Monitor (NPM) can be installed from the Azure Marketplace. It is also available from ________________, an Azure Service that acts as a hub for a wide range of network monitoring and diagnostic tools.
Network Watcher
______________ is a central hub providing access to a wide range of networking tools.
Network Watcher
Some of the Network Watcher tools require the ________________ extension to be installed on the VM being monitored. It's available for both Windows and Linux VMs. It is installed automatically when using Network Watcher via the Azure portal.
Network Watcher VM
Use cases for having multiple network interfaces: ______________ Functions - Multiple network interfaces enable virtual network appliances, such as load balancers, firewalls, and proxy servers
Network and Security
Use cases for having multiple network interfaces: Ability to use ________ and _______ isolation.
Network, Bandwidth
The following list consists of all __________ types: o Internet o VirtualAppliance o VirtualNetworkGateway o VirtualNetwork o VirtualNetworkPeering o VirtualNetworkServiceEndpoint o None (Used for user-defined routes)
Next Hop
___________ is used to determine the next hop address and routing rule for a given network flow.
Next Hop
____________ provides the ability to troubleshoot routing in Azure virtual networks.
Next Hop
______________ provides a useful way to understand how a VM's outbound traffic is being directed. For a given outbound flow, it shows the next hop IP address and type and the route table ID of any user-defined route in effect.
Next Hop Tool
________ provides a port mapping on the node, allowing network traffic to reach the node using the specified port.
NodePort
Next hop types supported for UDRs: _________ - Used to drop all traffic sent to a given IP address or prefix
None
Source Types for creating a new managed disk _________- If selected, a new empty VHD is created.
None
Installing an NPM agent on an on-premises server: o Download the _____ agent o You will need the Workspace ID and Primary key to install the agent. o Download a PowerShell Script to open the necessary firewall ports. o Default port used is TCP 8084
OMS
_________ replication can only be used when blob versioning is enabled for both the source and destination storage accounts and the blob change feed is enabled for the source storage account.
Object
VM Sizes: Define Storage Optimized?
Offers high disk throughput and IO, good for large transactional databases like Cassandra, MongoDB, and so on. It can be used for Big Data and data warehousing.
If you are creating groups in an Azure AD tenant that is not associated with an ________ subscription, you will still see the option to create an __________ group.
Office 365
_______ groups allow access to a shared mailbox, calendar, SharePoint site, and so on.
Office 365
Each resource in Azure can only exist in _____ resource group(s) and resource groups cannot be renamed.
One
_____________________ (OMS) Log Analytics is a monitoring service for Microsoft Azure.
Operations Management Suite
RBAC ______ - Full access to all resources. Delegate access to others. The Service Administrator and Co-Administrators are assigned the _______role at the subscription scope. Applies to all resource types.
Owner
_______________ allows you to capture network packets entering or leaving your virtual machines. It is a powerful tool for deep network diagnostics. You can capture all packets, or a filtered subset based on the protocol and local and remote IP addresses and ports. Packet Captures are stored as a file on the VM or in an Azure storage account, in which case NSGs must allow access from the VM to Azure Storage.
Packet Capture tool
_________________ enables network traffic on a given VM to be captured, either locally or to an Azure storage account.
Packet Captures
Blob storage account is a specialized storage account used to store Block Blobs and Append Blobs. You can't store _____ Blobs in these accounts.
Page
_____ Blobs - Optimized for random-access read and write operations. Page _____ are used to store VHD files which use unmanaged disks with Azure virtual machines.
Page
What are the 3 blob types?
Page Blobs Block Blobs Append Blobs
______ VNets must have non-overlapping IP address spaces.
Peered
Properties of a virtual network: ________________ - The list of peerings configured for this VNet. Peerings are used to create network connectivity between separate VNets.
Peerings
Network Performance Monitor provides three services: __________________ - Used to monitor connectivity between various points in your network, both in Azure and on premises. You can monitor nodes at both ends, and you can gather data about connectivity, packet loss, latency, and available network paths.
Performance Monitor
____________ enables you to monitor packet loss and latency between your endpoints, both in Azure and on-premises. A VM or server running the Log Analytics agent is required at both ends of each monitored connection. Can be set up with TCP or ICMP-based monitoring.
Performance Monitor
Azure _______ Scope types: o Management Groups o Subscriptions o Resource Groups
Policy
Resource consumption within a subscription against a resource quota can be viewed using _________.
PowerShell
Windows PowerShell DSC Extension allows you to define the state of a virtual machine using the ______________________ Language. Allows for continuous updates when integrated with Azure Automation DSC service.
PowerShell Desired State Configuration
Installing an NPM agent on an on-premises server: o Download the OMS agent o You will need the Workspace ID and Primary key to install the agent. o Download a ______________ to open the necessary firewall ports. o Default port used is TCP 8084
PowerShell Script
Storage Performance Tiers ___________ - Designed to support workloads with greater demands on I/O and is backed by high-performance SSD disks. Only supports General Purpose accounts with Disk Blobs and Page Blobs. It also supports Block Blobs or Append Blobs with BlockBlobStorage accounts and files with FileStorage accounts. Only supports LRS for general-purpose storage accounts. Supports LRS and ZRS for both BlockBlobStorage and FileStorage accounts.
Premium
You can only create a dynamic group if you have a _______. Otherwise, the Membership Type option is unavailable and is set to Assigned.
Premium AD license
Installing an NPM agent on an on-premises server: o Download the OMS agent o You will need the Workspace ID and ______ to install the agent. o Download a PowerShell Script to open the necessary firewall ports. o Default port used is TCP 8084
Primary Key
Security ______ do not have access to Azure resources until a role assignment is made.
Principals
Route _____________: o User-defined routes o System routes for traffic in a virtual network, across a virtual network peering, or to a virtual network service endpoint o BGP routes o Other system routes
Priorities
Azure ______ Peering - Provides connectivity over the Intranet address space into your Azure virtual network. This peering is considered a trusted extension of your core network into Azure
Private
Blob Storage Access Levels _______ - With this option, only the storage account owner can access the container and its blobs.
Private
App Services Networking Features: _________________ - Enables connectivity to your app from private endpoints using Azure Private Link. Enables you to connect securely to resources running in Azure VNet or on-premises resources using either VPN or ExpressRoute.
Private Endpoint Connections
Comparing Metrics and Logs surfaces some key differentiators: ________________ - Metrics have a fixed set of properties (or attributes). These are time, type, resource, value, and dimensions (optional). Logs have different properties for each log type and even support rich data types, such as date and time.
Properties
VM Sizes: Define GPU Optimized?
Provides VMs with one or many NVIDIA GPUs. It provides high compute and graphics, which are ideal for visualization workloads.
Server-side Encryption Models: Define Service-managed keys?
Provides a combination of control and convenience with low overhead
_______________ group is a logical grouping of VMs to reduce the latency by keeping them closer to each other. If the VMs are placed in the same __________________ group, they will be physically located closer to each other.
Proximity placement
_____ IP address resources can use either IPv4 or IPv6 (but not both).
Public
Containers can be accessed from the URL with port 80 or with the _______________.
Public IP address
Logs stored in Log Analytics are immutable and are only removed from a workspace based on the retention configuration. ________ are authored in plain-text and the schema used by Log Analytics is like SQL with databases and tables composed of columns and rows.
Queries
_______ in Log Analytics can be saved for quick access and visualized and shared using Azure Dashboards. To analyze data outside of Log Analytics you can export the data to Excel and Power BI
Queries
SAS ______- Provides a reliable messaging queueing between application components.
Queues
Storage Explorer Operations: _________ - Create, delete, and create and manage shared access signatures and access policies
Queues
Resource ______ (Limits) - Azure administrators can view the current consumption and usage of resources within an Azure subscription and understand how that consumption can be affected by Azure resource limits. You can also request _____ increases for certain resource types.
Quota
Users with Service Administrator and Co-Administrator roles have the same access as a user who is assigned the Azure ______ owner role at the subscription scope.
RBAC
Azure _____ is a default deny mechanism with an explicit allow mechanism, whereas Azure _________ is a default allow mechanism with an explicit deny system.
RBAC, Policy
To access Azure Files by using SAS, you must use the _____ method.
REST
Storage Account Replication _____________________ - This has the same capabilities as GRS, plus you have read-only access to the data in the secondary datacenter. Available for General-purpose or Blob storage accounts, at the Standard Performance tier only.
Read Access Geographically Redundant Storage (RA-GRS)
Azure Resource Lock __________ - Locks prevent users from modifying a resource, which includes updating or deleting a resource.
ReadOnly
RBAC ______ - View Azure resources. Applies to all resource types.
Reader
A single resource is provisioned for either Azure Backup or Azure Site Recovery, this resource is called a __________.
Recovery Services Vault
To view your current backup policies in the Azure portal, open the __________ blade, and then click backup policies.
Recovery Services Vault
A service provided by Azure for DNS name resolution from your Azure VMs or other Azure services. You can also configure your VMs to use your own DNS server instead. This is sometimes informally called bring your own DNS. This is common when joining your VMs to a domain controller.
Recursive DNS
_____________ a VM might help with troubleshooting issues, such as RDP or SSH connectivity or application access.
Redeploying
Azure Tag limitations Classic Resources are only available for resources created in the Azure ______ model.
Resource Manager
__________ are logical groupings of resources or those single-service instances.
Resource groups
Comparing Metrics and Logs surfaces some key differentiators: _____________________ - Most metrics are retained for 93 days within the Azure service, while logs stored in Log Analytics can be retained for up to 2 years. There are opportunities to do long term retention of metrics by storing metrics in Log Analytics as well.
Retention
______ provides the ability to configure the reverse DNS lookup for an Azure-assigned public IP address.
Reverse DNS
Settings of a virtual network subnet: _______________ - Applied to a subnet and used to override the default system routes. These are used to send traffic to destination networks that are different than the routes that Azure uses by default.
Route Table
Actions you can execute for action groups: ________- A set of PowerShell code that runs in the Azure Automation Service.
Runbook
Available Backup Policy options in Azure Portal: _________ and _______ are database as a service options that can be used for backup policies in Azure Portal. This allows specific backup technology such as full, differential, and log backup with an associated schedule for each option.
SAP HANA, SQL
Rolling a storage account access key will invalidate any ________ that were generated using that key
SAS tokens
Public IP addresses support two pricing tiers (aka ________) - Basic tier supports dynamic and static assignment and provides open connectivity (can be restricted using NSGs). The standard tier supports zone-redundant deployments, uses static allocation only, and is closed by default (access is enabled using NSGs)
SKUs
____ protocol is used when mounting an Azure File share from Windows computers.
SMB
DNS Record types in Azure DNS: Required at the apex of every zone. This is created and deleted with DNS zone resource.
SOA
The last setting, Floating IP (direct server return), is only recommended when load-balancing traffic for a ________________ Availability Group listener. For other scenarios, the Floating IP setting should be left disabled.
SQL Server Always On
VM ___________ provide the unique ability to scale out certain types of workloads to handle large processing problems, and they optimize cost by only running instances when needed.
Scale Sets
The ________ element of an Azure Resource Manager template determines whether the template supports deployment to subscriptions
Schema
_______ groups allow you to share Azure resources access to a group of users, devices, or service principals.
Security
Feature of Azure AD that allows users to change or reset their password, or unlock their account without an admin or help desk. Authentication methods available include: mobile app notification, mobile app code, email, mobile phone, office phone, security questions. User must be assigned an Azure AD license and registered with at least 1 authentication method.
Self Service Password Reset
Azure Files is a fully managed file share service that offers endpoints for the ____________ protocol. Default max size is 5 TiB per share but if you enable larger file shares then it can go up to 100 TiB per share. Also, if you use premium SKU, you get 100 TiB by default.
Server Message Block (SMB)
Network Performance Monitor provides three services: _____________________ - Used to monitor outbound connectivity from nodes on your network to any external service with an open TCP port, such as websites, applications, or databases. This measures latency, response time, and packet loss, enabling you to determine whether poor performance is caused by network or application issues.
Service Connectivity Monitor
______________________ - Used to test outbound connectivity from your network to an open TCP port, such as a website, application, or database. It supports pre-configured endpoints for Microsoft Office 365 and Dynamics. You can also configure custom tests to arbitrary endpoints. Once configured, Service Connectivity Monitor will generate packet loss and network performance charts (showing latency and response times) for each tested endpoint
Service Connectivity Monitor
________________ create a direct network route from the virtual network to the storage service. By using this you can use a direct route to the storage account instead of the on-premises route, so no additional latency is incurred.
Service Endpoints
Settings of a virtual network subnet: ___________________________ - An Array of Service Endpoints for this subnet. Service Endpoints provide a direct route to various Azure PaaS services, without requiring an Internet-facing endpoint. Service Endpoint Policies provide further control over which instances of those services may be accessed.
Service Endpoints (and Policies)
___________ - Platform-defined shortcuts that map to the IP ranges of various Azure services. The IP ranges associated with each service tag are updated automatically whenever the IP addresses used by the service change.
Service tags
___________ are used in NSG rules as a quick and reliable way of creating rules that control traffic to each service.
Service tags
Supported ways to connect Storage Explorer to Storage Accounts: Use a ______________________ URI - A shared access signature provides access to a storage account without requiring an account key to be shared. Access can be restricted for example, to read-only access for Blob Storage for one week only.
Shared Access Signature
___________________ generates a URL that provides secure access to an Azure Storage blob containing the script used by the Azure custom script extension.
Shared Access Signature (SAS)
_________ are used to read and write the data to user's storage account. SAS tokens are widely used to copy blobs or files to another storage account.
Shared Access Signature token (SAS Token)
____________ can grant access to resources for a specific period, and with a specified set of permissions.
Shared Access Signature token (SAS Token)
_____________________ is a URI query string parameter that grants access to specific containers, blobs, queues, and tables. Use an _____ token to grant access to a client that should not have access to the entire contents of the storage account, but still requires secure authentication.
Shared Access Signature token (SAS Token)
Azure Virtual WAN Basic supports only ___________ VPN.
Site-to-Site
VM Sizes: Define General Purpose?
Small to medium scale development environments. Has a balanced CPU-to-memory ratio.
Source Types for creating a new managed disk ______________ - If selected, you can browse for snapshots in the current subscription and location.
Snapshot
________________________ - Used when the traffic leaves a virtual machine via the private IP address and uses ______ to map the outbound traffic from the private IP address to the public IP address.
Source Network Address Translation (SNAT)
_______ Quotas - Spending quotas allow administrators to set alerts within an Azure subscription by configuring budgets to inform the business when their Azure ________ has hit a certain threshold. An alerting mechanism and does not stop resources from being created or consumed.
Spending
____________ option for Health Monitoring decides how scale set instances will be placed in a fault domain. With max spreading, the instances are distributed in the maximum fault domains possible for each zone. Fixed Spreading restricts instances to exactly five fault domains. If a scale set is using a fixed spreading algorithm and if there are less than five fault domains available, the deployment will fail.
Spreading Algorithm
Azure Load Balancer Tiers: ________________ - Supports zone-specific or zone-redundant deployments, including cross-zone load-balancing. Up to 1,000 servers, any mix of VMs, availability sets, and VM scale sets in the same VNet. Supports TCP, HTTP, and HTTPS health probes. Rich metrics provided via Azure Monitor. Inbound flows closed by default; access less-permitted inbound flows using NSGs. Supports multiple outbound IP addresses that are configurable via outbound rules. Supports HA ports, TCP reset on idle timeout, and faster management operations. Based on the number of rules and data processed. 99.99% availability for a data path with two healthy VMs.
Standard
Storage Performance Tiers ________- Supports all storage services. Blobs, tables, files, queues, and unmanaged Azure virtual machine disks. It uses magnetic disks to provide cost-efficient and reliable storage.
Standard
______________ IP addresses should only be configured in the Azure network interface resource. They will be assigned to the virtual machine using DHCP, just like with dynamic private IP addresses.
Static private
Azure ________ Explorer can be used to create a Blob container.
Storage
RBAC Resource Role Scopes: ____________ - Under this scope, the role assignment will be applicable at the storage account level. All the containers, blobs, queues, and messages within the storage account will inherit the role assignment when this scope is selected.
Storage Account
Source Types for creating a new managed disk ______________ - If selected, you can browse storage accounts in all subscriptions you have access to, so you can select the VHD.
Storage Blob
Azure ___________ can be used to perform a storage blob copy. Allows for copying between storage accounts.
Storage Explorer
Azure ___________ is a cross-platform application designed to help you quickly manage one or more Storage Accounts. It can be used with all storage services as well as support for Cosmos DB and Azure Data Lake Storage services.
Storage Explorer
_______________ allow you to change the access parameters (start and end time, permissions) as part of the token. Allows for modifying of access of existing tokens without having to reissue them.
Stored Access Policies
______ can only be deleted from VNets if they are empty.
Subnets
Define the Basic Public IP addresses tier?
Supports both static and dynamic allocation methods. Open by default for inbound traffic. Use NSGs to restrict inbound or outbound traffic. Not zone redundant and doesn't support availability zone. Does not support public IP prefixes.
Define the Standard Public IP addresses tier?
Supports static allocation only. Closed by default for inbound traffic. Use NSGs to allow inbound traffic and restrict outbound traffic. Zone redundant by default, which allows you to use availability zones. Supports public IP prefixes.
Default ___________________ by Azure: o Within the same subnet o From one subnet to another within VNet o VMs to the Internet o A VNet to another VNet through a VPN gateway o A VNet to another VNet through VNet peering o A VNet to your on-premises network through a VPN gateway or ExpressRoute (Optional) o VirtualNetworkServiceEndpoint (Optional)
System Routes
App Services Networking Types: Hybrid Connection - Enables outgoing communication from your app to an endpoint using a ____ connection.
TCP
Azure Load Balancer supports which 3 health probes?
TCP, HTTP, HTTPS
DNS Record types in Azure DNS: Used for a wide range of applications, including email Sender Policy Framework (SPF). SPF records are used to identify legitimate mail servers for a domain and help prevent spam.
TXT
Storage Explorer Operations: _______- Create, rename, copy, delete, and create and manage shared access signatures and access policies.
Tables
Resource ______ allow you to apply custom metadata to your Azure resources to logically organize them and to build out custom taxonomies. _____ are a name and value pair. Commonly include the environment with which a resource is associated, a cost center or billing code, and resource owner
Tags
______ are crucial for tracking consumption logically and used to implement chargebacks within an Azure subscription.
Tags
Azure Resource Manager ______________ can be deployed using the Azure Portal, the command line tools, or directly using the REST API.
Templates
VM Sizes: Define Memory optimized ?
This size type provides higher memory compared to CPU and is ideal for medium-scale database servers. With high memory, these sizes can be used for caches, or it can be used in memory analytics.
-
To set up DNS delegation for the DNS zone, these name servers must be listed in the corresponding NS records in the parent zone. If the domain was purchased using the Azure App Service Domains service, this will be done automatically.
App Services backups are stored in Azure Storage and each backup is a complete copy of the app and configuration. True or false?
True
Common use cases for Azure File shares: Replace an existing fileserver. True or False?
True
Data in Azure Storage account is durable and highly available, secure, massively scalable, and accessible from anywhere in the world over HTTP or HTTPS. True or false?
True
Factors when creating a resource group: A resource group can be used to scope Policy. True or false?
True
Factors when creating a resource group: A resource group is created in a location. The location of a resource group specifies where the metadata for the resource group is stored. True or false?
True
Factors when creating a resource group: A resource in a resource group can interact with resources in another resource group. True or false?
True
Factors when creating a resource group: It is not mandatory to have all Azure resources belong to a resource group. Resources that are deployed to a subscription, tenant, or management group exist outside of resource groups. True or false?
True
Factors when creating a resource group: You can add or remove a resource from a resource group at any time. True or false?
True
Factors when creating a resource group: You can move a resource from one resource group to another. True or false?
True
General-Purpose V1 and V2 support Blob, File, Table, and Queue, Supports Unmanaged disk (Page Blob). Standard and performance tiers. True or false?
True
General-Purpose V2 storage accounts support hot, cool, and archive access tiers while General-Purpose V1 does not. True or false?
True
Metrics are available for several Azure resources, but not all resources support metrics currently. True or false?
True
Once a customer-managed key is used, you cannot change the selection back to platform-managed key. True or false?
True
Persistent volumes allow data to be stored past the lifecycle of a pod. True or false?
True
True or False? Azure Site Recovery solutions allow us to address the major scenarios below: Azure VMs from one region to another; On-Premises VMs (VMware, Hyper-V, and physical servers) to Azure; On-Premises VMs to another site
True
True or false? Azure Backup Server should be used for these workloads: Windows Client; Windows Server; Linux Servers; VMware VMs; Exchange; SharePoint; SQL Server; System State and Bare Metal Recovery
True
VMs can be moved to a different resource group, subscription, availability zone, and another region. True or false?
True
While moving resources from one resource group to another, the resources will be locked. Both write and delete operations to the Azure resource will be blocked, but the underlying service will continue to function. True or false?
True
Limitations of Blob Object Replication: The source account can only have a maximum of ____ destination accounts
Two
Step 5 for enabling AD DS Authentication to Azure Files?
Update the password of your storage account identity in AD DS
There are 3 options for updating a virtual machine scale set instance. Define Rolling?
Updates VMs in multiple batches, and you can set a pause time between two batches, which can avoid total downtime.
A VPN gateway can be shared by peered VNets. The peering connections must enable the settings to ________________ (on the peering toward the gateway) and Allow Gateway Transit (on the peering from the gateway)
Use Remote Gateway
_______________ - This setting must be enabled on the peering connection from VNET-B to VNET-A. This informs VNET-B of the availability of the gateway in VNET-A. Note that to enable this setting, VNET-B cannot have its own virtual network gateway.
Use Remote Gateways
_________________ SAS allows you to provide secure access to blob storage and uses Azure Active Directory credentials to secure access to it.
User Delegation
_______________ SAS using Azure AD credentials is also possible. The ______________ is only supported by Blob Storage, and it can grant access to containers and blobs.
User delegation
If a _______________ is used to send traffic to a virtual appliance, IP forwarding must be enabled on the NIC of the virtual appliance VM.
User-Defined Route
_____________________ - Change the default behavior of subnets allowing you to direct outbound traffic to other locations. Typically, traffic is sent through a virtual appliance such as a firewall.
User-Defined Routes (UDRs)
___________ routes - Useful for when you want to send traffic through a network virtual appliance, such as load balancers, firewalls, or routers deployed into your VNet from the Azure Marketplace.
User-defined
General-Purpose ___- N/A for supported access tiers. Supports LRS, GRS, and RA-GRS replication options
V1
Premium storage performance tier supports General-Purpose __ and __, _________, and _________.
V1 and V2, BlockBlobStorage, and FileStorage.
Standard storage performance tier supports General-Purpose ___ and ___, and ___________.
V1, V2, and BlobStorage.
General-Purpose ___- Support for Hot, Cool, and Archive access tiers. Replication options at LRS, ZRS, GRS, RA-GRS, GZRS, and RA-GZRS.
V2
What are page blobs used to store?
VHD files when deploying unmanaged disks
Azure DNS also supports private DNS zones, which can also be used to enable __________ DNS lookups.
VM-to-VM
All instances of a _____ will use the same operating system disk image
VMSS
You can connect to Azure ____ using a public IP address or a private IP address with RDP, SSH, or even PowerShell. A VPN must be set up to connect using a private IP, like a site-to-site, point-to-site, or ExpressRoute
VMs
-
VMs are configured to use Azure's recursive DNS servers. These provide name resolution for Internet-hosted domains, plus private VM-to-VM name resolution within a virtual network.
Azure VMs that are in the same ______ can communicate automatically with each other and with the Internet without any explicit configuration changes, even when they are in different subnets.
VNet
App Services Networking Features: __________________ - Enables outgoing communication from your app into your Azure virtual network
VNet Integration
Custom DNS settings can be configured at the _______ level and the _______ level, but not at the subnet level.
VNet, network interface
Within Network Interface Settings, DNS servers are configured on virtual machines in the virtual network in place of the Azure-provided DNS servers. This setting will override the _________ DNS settings, if both are specified.
VNet-level
Global Peering cannot be used to access the front-end IP of a basic internal Azure load-balancer in the remote virtual network. In these cases, a ____________________ should be used instead. This limitation doesn't apply with the standard tier load balancer.
VNet-to-VNet VPN
_______ can be connected using either VNet peering or VNet-to-VNet VPN connections
VNets
Virtual networks can be connected using a VNet-to-VNet ____ connection.
VPN
________________ provides automated, in-depth troubleshooting of VPN connections.
VPN Troubleshoot
_______________________ - Provides automated diagnostics of Azure VPN gateways and connections. The results provide a detailed report on gateway health and connection health, providing accurate pointers regarding common issues that might occur when enabling informed remediations. VPN Troubleshoot only supports route-based VPN gateways, so Site-to-Site VPNs and VNet-to-VNet connections. Does not support ExpressRoute connections or Point-to-Site connections.
VPN Troubleshoot tool
App Services Networking Types: Private Endpoint Connections - Uses private endpoints. Enables you to connect securely to resources running in Azure VNet or on-premises resources using either ____ or ____.
VPN, ExpressRoute
Recovery Services ______ is used for configuration and management of both Backup and Site recovery.
Vault
Next hop types supported for UDRs: _________________________ - A VM running a network application such as a load-balancer or firewall. You would have to specify the IP address of the appliance which can be a VM or internal load-balancer for high availability virtual appliances.
Virtual Appliance
A ___________________ is a compute resource that you can use to deploy and manage a set of identical virtual machines. By default, supports up to 100 instances but can scale up to 1,000 instances by placing instances into multiple placement groups. Using multiple placement groups is commonly referred to as a "large scale set"
Virtual Machine Scale Set (VMSS)
________________ allow for the groupings of VMs to scale up/down and in/out depending on demand with load balancers, availability sets, etc.
Virtual Machine Scale Sets
Available Backup Policy options in Azure Portal: Azure _________ - Allows you to specify the backup frequency, retention period, and the backup point on a weekly, monthly, and yearly schedule.
Virtual Machines
Default NSG Rules: ___________ - Traffic originating and ending in a virtual network is allowed in both inbound and outbound directions; Internet - Outbound traffic is allowed, but inbound traffic is blocked; Load Balancer - Allows the Azure Load Balancer to probe the health of your VMs and role instances. If you are not using a load balanced set, you can override this rule.
Virtual Network
Next hop types supported for UDRs: _________________ - Used to route traffic within the Virtual Network
Virtual Network
___________________ - Allows you to create connections from your virtual network to other networks. When creating a gateway, you must specify if it will be used for VPN connections or ExpressRoute connections. Virtual network gateways used for VPN connections are called VPN gateways, while those used for ExpressRoute connections are called ExpressRoute gateways.
Virtual Network Gateway
_____________________ provide the foundations of the Azure networking infrastructure. Each one allows you to define a network space, comprising one or more IP address ranges. This network space is then carved into subnets. Each subnet allows you to define which network flows are permitted (Using NSGs) and what network routes should be taken (Using user-defined routes).
Virtual Networks (VNets)
-
Virtual WAN leverages a hub-and-spoke topology. The hubs are nothing but Azure regions, and spokes are considered individual endpoints.
-
Virtual networks are connected to ExpressRoute circuits using an ExpressRoute gateway. An ExpressRoute gateway is a virtual network gateway, created with the ExpressRoute option. Must be created in the gateway subnet of the virtual network.
You must use the Microsoft Azure Import/Export tool known as the ____________ tool to set up the import of data.
WAImportExport
Actions you can execute for action groups: __________ allows you to route an Azure alert notification to other systems for post-processing or custom actions. For example, you can use a _________ on an alert to route it to services that send text messages, log bugs, notify a team via chat/messaging services, or do any number of other actions.
Webhook
-
When creating an ExpressRoute circuit, you must specify both the peering location and the location of the ExpressRoute circuit resource. These are independent settings, although Microsoft suggests, as a best practice, that they be near each other.
Users May Join Devices To Azure AD. This setting allows you to select the users and groups that can join devices to Azure AD. This setting only applies to Azure AD Join on _______ devices. The default value is All and can be changed to Selected or None.
Windows 10
Requirements and limitations of the Azure Import/Export Jobs tool: Windows ____, Windows Server _______, or a later OS version is required. This tool only works with 64-bit operating systems and might not work with 32-bit operating systems.
Windows 7, Windows Server 2008 R2
________ are responsible for processing of incoming HTTP requests.
Workers
Storage Account Replication ______________________ - Makes three synchronous copies to three separate availability zones within a single region. Available for General-Purpose V2 storage accounts only, at the Standard Performance tier only. Also available for BlockBlobStorage and FileStorage
Zone Redundant Storage (ZRS)
Benefits by using object replication: For large data processing jobs, you can analyze the data in ____ region(s), and you can distribute results to additional regions as needed. This saves processing time and compute resources to perform the same in all regions.
a single
A single import/export job can have a maximum of 10 HDDs and SSDs and a mix of HDDs and SSDs of ____ size.
any
Azure application gateway is a type of load balancer that can manage traffic for web applications. The web traffic routing occurs at the ______________________. Azure Application Gateway offers additional features such as SSL/TLS termination, autoscaling, URL-based routing, redirection, and the like
application layer (OSI Layer 7)
To filter outbound web traffic, you will need to create an ____________.
application rule
Steps to configure an ASG: (1) Create an ___________________ for each server group. This resource has no properties other than its name, resource group, and location. (2) Associate the network interface from each VM with the appropriate ASG. This defines which group each VM belongs to. (3) Finally, define your network security group rules using ASG names instead of explicit IP ranges, like how rules are configured using named service tags.
application security group resource
Connection Troubleshoot allows you to test the connectivity between two Azure VMs or between a VM and an _________________________.
arbitrary external endpoint
Azure DNS provides an ________________ service for hosting Internet-facing domains
authoritative DNS
Application Gateway routes application web traffic to defined resources in a ______________.
back-end pool
Azure Application Gateway routes application web traffic to defined resources in a _______________.
backend pool
ExpressRoute Circuit __________ is metered. All inbound data transfer is free of charge, and all outbound data transfer is charged based on a predetermined rate. Users are also charged a fixed monthly port fee (Based on high-availability dual ports)
bandwidth
Global Peering cannot be used to access the front-end IP of a _____________________ in the remote virtual network. In these cases, a VNet-to-VNet VPN should be used instead. This limitation doesn't apply with the standard tier load balancer.
basic internal Azure load-balancer
You can resize a gateway between the VpnGw1, VpnGw2, and VpnGw3 tiers. You cannot however resize a ________ gateway.
basic tier
Command-line Utility AzCopy sync command can be used to do synchronization between two ______ containers. Synchronizes the contents of a destination container with a source container.
blob
Custom Script Extension can be used to execute arbitrary commands such as batch files, regular PowerShell scripts, or a bash script. Supported on Windows and Linux-based virtual machines and is ideal for ________________ a VM to an initial configuration. Your script must be accessible via a URI such as an Azure Storage Account to be used and must either be accessed anonymously or passed with a shared access signature (SAS URL).
bootstrapping
By default, infrastructure FQDNs are allowed by Azure Firewall with a _________ collection. You can override this by creating a deny all applications rule collection.
built-in rule
Both ReadOnly and CanNotDelete locks are inherited by _____ resources.
child
Azure Storage has a lifecycle-management capability, and it can be used to transition data to lower-access tiers automatically based on preconfigured rules. You can also delete the data at the end of its lifecycle. These rules can be executed against the storage account once per _____. Specific blobs and containers can be targeted using filter sets.
day
An ExpressRoute connection provides connectivity between an on-premises network and an Azure virtual network, using a _________________ from a connectivity provider.
dedicated connection
Azure Storage also provides blob object replication capabilities that provide asynchronous replication of Block Blobs from one storage account to another. The blobs are replicated based on the _______________.
defined replication rules
Properties that require container __________: OS Type; CPU, memory, or GPU resources; Restart Policy; Network Profile; Availability Zone
delete
Accessing and unencrypting the stored keys is done by a _________, although keys from Key Vault can also be accessed from ARM templates during deployment.
developer
Standard tier load balancer supports routing ____________ automatically to Azure Monitor.
diagnostics
When you export a template used for resource group deployment, you can download the template locally or you can re-deploy the template using ______________.
different parameters
Availability sets can only be set at provisioning time, but data _____ can be added at any time.
disks
The Dataset CSV file and the Driveset CSV file are the two files that are required to prepare disks that will contain data to be imported into Azure Storage. The first of them contains the list of data files, while the second lists the _____ and the corresponding __________.
disks, drive letters
By default, when you change to static, Azure will assign the previously assigned ________ IP address.
dynamic
Private IPv4 address assignments can be either dynamic or static. Private IPv6 address can only be assigned __________.
dynamically
Site-to-Site VPN connections provide connectivity between an on-premises network and an Azure virtual network, using an _____________ tunnel over the public Internet.
encrypted
Each Storage Account service exposes its own _____ used to manage the data in that storage service. These service-specific ______ are not exposed through Azure Resource Manager; instead, they are (by default) Internet-facing ______.
endpoints
Azure Blobs allow unstructured data to be stored and accessed at a massive scale in block blobs, such as an __________________ on Azure.
enterprise data lake
ExpressRoute Connectivity Models: Your connectivity provider may be able to provide a point-to-point __________ connection from their network to your on-premises network. Again, this approach offers either a layer 2 or managed layer 3 connection.
ethernet
When creating policy scopes, it is possible to configure _______ scopes.
excluded
A managed identity (identity which supports Azure AD authentication) can create new resource groups or access resources in other resource groups if an ________ is made.
explicit role assignment
Azure Virtual Machine _________ are small applications that can be used to perform post-deployment configuration and automation tasks on Azure Virtual Machines
extensions
Azure Load balancer supports automatic _________ between back-end servers based on health probes and enables high availability applications.
failover
Common use cases for Azure File shares: Migration of existing applications that require a ____ share for storage
file
Azure Backup service can backup and restore an entire virtual machine and you can also use it for ________ to restore files from a recovery point without recreating the entire virtual machine
file recovery
Persistent volumes can use Azure _____ or Azure _____, and they can either be created by the AKS cluster administrator or by the Kubernetes API.
files, disks
A default route table will need to be created to route the outbound requests through a ___________.
firewall
Network Security Groups are used to create _______ rules to control network flows.
firewall
When creating a storage ______, you must use public Internet IP address space. You cannot use IPs in the private IP address space.
firewall
You can only have a max of ____ stored access policies on a container, table, queue, or file share.
five
Routing Outbound Internet traffic via a VPN connection to a network security device is known as ________________.
forced tunneling
Allow __________ should be enabled on the peering connection for it to support service chaining.
forwarded traffic
ExpressRoute Circuit Bandwidth: All inbound and outbound data transfer is ________. Users are charged a single fixed monthly port fee (Based on high-availability dual ports)
free of charge
Enable cloud tiering to only store _________ files locally on the server while all your other files are stored in Azure Files.
frequently accessed
Azure App Service is a PaaS offering that makes it easy to host a web app in the cloud. Consists of a _____________ that uses a round robin algorithm to distribute requests to web servers. These web servers are called workers and they are responsible for HTTP requests.
front-end load balancer
Azure Firewall allows you to create and configure application and network rules. Application rules are created with the list of ______________ that are allowed to be accessed from a subnet. Network rules are a combination of source and destination IP addresses along with their ports and protocols.
fully qualified names
A _______ is a DNS server record that is not authoritative for the zone and is used to avoid a condition of impossible dependencies for a DNS zone. These IP addresses might change in the future.
glue record
SAS token is a way to _____________ how a client can access data in Azure storage account. You can also use an account-level SAS to access the account itself. You can control many things such as what services and resources the client has access to, how long the token is valid for, and more.
granularly control
Diagnostic logs that you configure for a tenant service, or a resource, are separate from the Azure Activity Log and _____________ obtained with diagnostic agents.
guest telemetry
By default, all users and admins can invite ______, but this can be restricted under Manage External Collaboration Settings.
guests
One method to export a template from a deployment within a resource group is to generate an ARM template using the Automation Script menu option for the resource group. It generates a template that represents the current state of the resource group. This is useful for redeploying to the same resource group as it likely has ____________ values.
hard-coded
It is relatively easy to change the size of an Azure VM even after it has been deployed. The new size must be supported in the current _______________ in which your VM is deployed.
hardware cluster
Keys in Azure Key Vault can be protected in software or by using ______________. These keys can be generated in place or imported. Importing keys is often referred to as bring your own key or BYOK.
hardware security modules (HSMs)
Limitations of Blob Object Replication: Object replication doesn't work with accounts with a ________ namespace (Azure Data Lake Storage Gen2)
hierarchical
Multi factor authentication and maximum number of devices per user settings are not applicable to ______ AD joined devices.
hybrid
For ________ Join scenarios, you can join current Windows devices, such as Windows 10 and Windows Server 2016. Also, there is support for a hybrid join with down-level devices, including Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
hybrid Azure AD
Network Performance Monitor provides monitoring for ____________________. It supports performance monitor, connectivity monitor, and ExpressRoute monitor to monitor ExpressRoute connections.
hybrid networks
Azure Storage has a lifecycle-management capability, and it can be used to transition data to lower-access tiers automatically based on pre-configured rules. You can use ____________ to define the conditions of a blob lifecycle policy.
if-then blocks
Logs stored in Log Analytics are _______ and are only removed from a workspace based on the retention configuration. Queries are authored in plain-text and the schema used by Log Analytics is like SQL with databases and tables composed of columns and rows.
immutable
Requirements and limitations of the Azure Import/Export Jobs tool: Azure File service is supported only for _____ jobs.
import
When preparing drives for an _______ job you must specify the destination storage account key, the BitLocker key, and the log directory.
import
Default behavior of an Azure network security group is to block _______ traffic from the internet, but _______ traffic to the Internet is allowed.
inbound, outbound
AKS Service Types - Services sit between _________________ and one or more identical pods.
incoming network traffic
App Service backups are stored in Azure storage and each backup is a complete copy of the app and configuration. Backups are not __________. Backups can be kept for an indefinite amount of time if you set the retention days to 0. Backups only work for plans running the standard tier or higher.
incremental
NSGs can be applied at the subnet level, or on ____________ interfaces.
individual VM network
Azure AD authentication enables customers to leverage Azure's RBAC for granting the required permissions to a security principal (users, groups, and applications) down to the scope of an ______________ or _______.
individual blob container or queue
If a storage account blob does not have an assigned tier, then it _______ the access tier from the account access tier setting by default.
infers
Common use cases for Azure File shares: Shared storage of files, such as web content, log files, application configuration files, or even ______ media.
installation
By default, if a managed identity (identity which supports Azure AD authentication) is granted contributor rights for a single resource group, that security principal can ________ with that resource group and its child resources.
interact
General-Purpose V1 and Blob Storage accounts can both be upgraded to General-Purpose V2. This operation is __________.
irreversible