305 Flashcards
Describe what an Azure Tenant is?
An Azure Tenant is a container for managing identity and security for an organization. It refers to the instance of Azure Active Directory (Azure AD) that is specific to an organization and allows them to manage users, groups, roles, and applications, as well as integrate with external service.
A tenant in Azure is a container for management groups, subscriptions, resource groups, and resources.
Describe what an Azure Subscription is?
- An Azure Subscription is a container for Resource Groups and Resources and is a container for RBAC and Costs
- An Azure Subscription is a container for resources, and it is linked to an Azure account for billing purposes. Subscriptions define the boundaries for billing, resource allocation, and administrative control. It is also where policies and role-based access control (RBAC) are applied to manage resource access and governance.
Is it possible to associate a subscription with two Azure Tenants?
No, an Azure Subscription can only be associated with a single Tenant.
- Is it possible to associate three Azure Subscriptions with one Azure Tenants?
Yes, an Azure Tennant can have many subscriptions associated with it.
List all the Azure Identity types available in Azure Entra Id?
Users
Managed Identity
Service Principles
Groups
Device Identities
When would you use Managed identity?
When you wnat a service in Azure to access another service in Azure.
Describe a use case where you would use an Azure Entra ID Service Principle?
Where you have an Application that wants to access Azure Resources.
You create an Azure Service Principle by registering the application with Azure Entra ID and then making the Azure Entra ID Service principle assocated with the application. The service principle is then used by using the Service principle with RBAC to assign privileges to access Azure resources.
Describe what an Azure Entra ID User is?
An Azyre Entra ID User is either an internal or external user. Internal users are users thet are Members, and external users are Guests. Internal users belong to the Azure Entra Id domain or part pf the on-prem domain thet is synced with Azure Entra ID.
What is an Azure dynamic group?
An Azure Entra ID Group is a container for Users and Devices; this container can be assigned roles for both Azure Entra ID and Azure resources.
Describe what an Azure Entra ID Group is used for?
An Azure Entra ID Group is a container for both Devices and users to manage these Users and Devices as groups, where roles for both Azure Entra ID and Azure Resources can be assigned. This type of group is what we call an assigned group, meaning its manually managed by an administrator.
I require a way to manage groups of users automatically. When a user is created in Azure Entra ID, the user is automatically assigned to one of several groups. Each group represents an organization’s departments; we have accountancy, manufacturing, and HR. The user should be assigned to the relevant group based on properties like department. How can we achieve this?
We can set up dynamic groups for the departments in our organization and have the
Can I use dynamic groups on a standard subscription?
No. Azure Active Directory (Azure AD) Premium P1 or Premium P2 subscription.
What is the topmost level in Azure?
Azure teanant?
Can I assign a subscription to more than a single tenant?
No, a subscription can only be assigned to a single tenant.
How cna I have Azure SQL prefrom multi-master writes?
You can’t, but you could opt for CosmoDB.
Can I associate two subscriptions with a single tenant?
Yes, 100%
I want to create a group of users to whom I can assign permissions. How can I do this?
Use Azure Group under Entra ID.
I have an application, and I wnat to ab able to access Azure services; what do I require to access the Azyre service?
Register the application with Azure Entra ID and set up a service principle.
What is an assigned group in Azure
Admin or owner decides on membership; you manually control the member shop
I have added groups of users, and I want an easy way to automatically sign off on permissions for these groups; how can I do this?
Use dynamic groups and set up the attributes to automatically add new users to the dynamic group, then assign permission to the group.
What is a security group?
It depends. There are two types of security groups in Azure: an Azure network security group and an Azure ID security group.
What is a hybrid environment?
A hybrid environment consists of one or more Azure accounts and one or more on-prem data centers or locations.
What is a hybrid identity?
Is an identity that is used in both in Azure and on-prem
What is Azure AD B2B Connect (Entra ID B2B Connect)
It enables you toy use external identities by connecting with
What is Azure Domain Services (Entra Domain Services)
You need to establish a trust relationship with another Microsoft Entra External ID what services would you use?
B2B direct connect
What is Entra ID B2B direct connect?
Azure B2B (Business-to-Business) is a feature within Azure Active Directory (Azure AD) that allows organizations to securely share their applications and services with guest users from any other organization
Where would you use Entra ID B2B direct connect?
What are external identities in the context of Entra ID B2B direct connect?
An external identity in the context of Entra ID B2B direct connect is an identity thet gets invited from an external Microsoft Entra ID, and will be added to Azure Entra ID as a guest. And as they are a guest, they do not automatically have any rights to access resources, they will have to be explicitly granted access to resources.
List the types of identity groups types in Azure?
Internal identity, external identity, hybrid identity
What is a hybrid identity?
A hybrid identity services both on-prem and Azure Entra ID and enables the identity to be shared between on-prem and Azure of a seamless login experience.
What is an internal identity?
An internal Azure identity is an identity thet is part of Azure Entra ID and is one of three identities: a user, a service principle, and a managed identity.
What is an external identity?
An external identity can be a B2B identity or B2C
What is a service principle used for?
What is a managed identity?
What is a managed identity used for?
For external Azure identities, what types of external identitiesare supported?
Microsoft accounts, like Outlook, Hotmail or live
I have an individual contractor, and what to give them access to resources in my Azure tenant; how can I do this without setting up a new internal account?
You can invite them using their Microsoft account, outlook, life, or Hotmail.
How can I allow an external school to access resources in my Azure tenant?
If the school already has a Microsoft account for students, they can be added as an external identity.
I wnat to provide an external user with temporary access to an internal application; how can I do this?
You can use B2B Email one-time password OTP. This sends the user a one-time password in their email to sue, and when they log in, they get access; the password is time-limited.
How can I enable users in another organization with an Entra ID to access resources in my Azure Tennant?
You can use Azure B2B direct connect to allow access by creating a cross-tenant.
I wnat to use external B2B to invite users to access resources in my Azure tenant; what types of users can I ask?
Any email using the time-limited OTP. Entra ID, Facebook, Google, Microsoft
I wnat to ass en external orgnization team to access resources in my Azure Tennant; how can I do this?
You can use B2B Connect and cross-tenant access. You add an organization by using the domain name or tenant ID. Azure search will find the tenant for you to add.
I want my team in my orgnization, who has an Azure Entra ID set up and is using it already, to access resources in another organization’s Azure account; what do I need to have the other organizations do to give me?
You will wnat another orgnization to give your organization access to resources by inviting you to access using the B2B connect using the cross-tenant setup, using your domain name or tenant ID; they will ten have to assign permissions to access resources
When external users are added to your Azure Entra ID, what type of user are they?
The users are of type HUEST.
When external users are added to your Azure Entra ID, what access do they have as default?
They have no access to any resources. If RBAC has been used to allow guests access to a resource, then the newly added guests will have access to this resource.
Is it possible to give tenant access in both directions for Azure Entra ID in two tenants?
Yes
I am intending giving access to external identities using B2B external identities, but I wnat to ensure they have been authenticated using MFA; how can I accomplish this?
You can use ‘Conditional Access Policies’ to require an external user to use MFA; this can be configured
When using Azure Entra ID external cross-tenant settings, what are inbound settings?
They are the settings thet control how
Where in Azure are the settings for external identities located?
In Azure Entra ID
What are Azure Entra ID external cross-tenant settings?
There are several settings in the Azure Entra ID external identities under cross-tenant settings that enable you to control both incoming and outgoing access.
What are the default settings for outbound for Azure Entra ID external cross-tenant?
- By default, there is no restriction on which users can be invited to collaborate with external tenants. However, specific configurations can be applied later.
The default setting allows all applications to be used in cross-tenant scenarios. This means your users can access apps in other tenants unless specific restrictions are configured.
I want to ensure that the orgnization users do not collaborate with other Azure tenants; how can I do this?
What are the default settings for inbound Azure Entra ID external cross-tenant?
- B2B Collaboration - External Users and Groups: All allowed: External users from other Azure Entra tenants can collaborate with your users without any restrictions. This allows external users to be invited into your tenant as guests and access resources like SharePoint, Teams, or other applications that support B2B collaboration.
B2B Collaboration—Applications: All allowed: Explanation: External users from other tenants can use your organization’s applications if they are given appropriate permissions. This setting enables applications within your tenant to be accessed by users from external tenants.
-B2B Direct Connect - Applications: All blocked: Applications within your tenant cannot be accessed via B2B Direct Connect by users from external tenants. This blocks real-time direct connections for specific applications, enhancing security by limiting access to only internal users or specifically allowed external users.
Trust Settings: N/A (Disabled): This indicates that no special trust settings are applied to external tenants by default. For instance, your tenant does not automatically trust other tenants’ Multi-Factor Authentication (MFA) or compliant device settings. Any trust configurations must be set up explicitly in the organizational settings tab.
What is Azure Entra ID cross-tenant sync?
Azure Azure Entra ID cross-sync will enable you to add an external Azure Entra ID so they you can push
Your orgnization is acquiring an org called JetPack; they have an Azure tenant; how best to merge this tenant from an Azure Entra ID perspective to allow their users access resources in your organization’s current Azure tenant?
Use Azure Cross-Tenant Sync to enable users to be synced across tenants.
What service would you use in Azure to enable external individual users to get access to my resources
Azure B2B connect.
I have an organization called Koke, which purchased a company called Kepsi. I want Koke users to access Azure resources in Koke. How can I do this using Azure Entra ID, and what are the steps to set it up?
You can use Azure Entra ID Sync to sync the users in Kepsi into Koke. You must configure Azure Entra ID cross-tenant setting and cross-tennant sync to set this up.
Cross-tenant settings for Kepsi: set koke.com and set outbound access with Trust-suppress user consent.
Cross-tenant settings for Koke: set kepsi.com and set inbound access with Trust-suppress user consent, cross-tenant sync-> allowed
Cross-tenant sync for Kepsi: provisioned automatic, perform mapping of attributes
I have an organization called Koke, which purchased a company called Kepsi. I want Koke users to access Azure resources in Koke. How can I do this using Azure Entra ID?
You cna use Azure Entra ID Sync to sync the users in Kepsi into Koke.
Azure Entra ID cross-tenant sync: are syncs real-time?
No, it is every 40 minutes by default, but you can change this. But you can create a group and have users mapped as thet are created or altered.
Azure Entra ID cross-tenant sync, what are mappings?
When configuring Azure Entra ID cross-tenant sync, you map the attributes between tenants.
Azure Entra ID cross-tenant sync, can you see the sync logs?
Ues they are availab in the browser, API, CLI.
What is the hierarchy for RBAC in Azure?
Management group -> Subscriptions -> Resource groups -> Resources
Why use a resource group?
To group resources with the same life cycle.
If I create a policy to limit resource groups to regions, have I limited the resources to the same area?
No, because resources are separate from the resource group and do not have to be in the same region as the resource group.
Can you follow resource groups?
No, they are a single-flast structure
When we need to control access to resource based on conditions like locations, what can we be using?
Azure Entra ID Conditional Access Policy
What is a scope?
A management group, subscriptions, resource group, resource
Can you use tags with policy?
Yes
How can you limit the location for resources to be deployed?
Azure policy
What is Azure identity protection?
Azure Identity Protection service that detects and mitigates identity-related risks using machine learning and threat intelligence. It helps protect user accounts by monitoring for suspicious activities and enforcing risk-based conditional access policies. The service provides automated responses, detailed security insights, and integrates with other Azure security tools.
Can I use Azure identity protection by subscribing to a P1 license?
No, it is a P2 feature.
I want to enforce when a user is outside the local network and tries to login in, thet they get asked to use MFA but not on the local network; how can I achieve this?
Use conditional access policies thet are part of Azure Entra ID.
I want to detect and understand risky users on my Azure Entra ID; I want to be able to report and view on a dashboard the risky users across the enterprise; how can I achieve this
Use Identity protection, and sign up for a P2 subscription for Identity Protection. It has a dashboard to view risky users across the enterprise.
I want to detect and understand risky logins on my Azure Entra ID, and I want to be able to report on and view risky users across the enterprise on a dashboard.
Use Identity Protection, and sign up for a P2 subscription for Identity Protection. It has a dashboard to view risky logins across the enterprise.
What are the four pillars associated with identity protection?
- Identify risk (Reporting)
- Enforcement (Enforce on risk) (conditional access)
- Investigate risk (Logs and information)
- Remediate risk (automatic, administrator)
Explain Azure Entra ID Identity Protection in the context of risk.
In the context of risk for Azure EntraID Identity Protection, it is when sign-in occurs, credential compromise,
I need a machine-learning solution to identify risky behaviors in users signing in to Azure Entra ID. What solution could I use?
Azure Entra ID Identity Protection uses machine learning to understand what is typical for a user sign-in and uses it to detect what is not regular sign-in.
I am concerned about identity compromise, such as users’ passwords being sold on the fast web. How could I protect my users in Azure Entra ID?
Azure Entra ID Identity Protection leverages Microsoft’s Threat Intelligence network, which continuously monitors and collects data from various sources, including the dark web. This data is used to identify compromised credentials and other security threats.
What happens when Azure Entra ID Identity Protection detects compromised credentials from the dark web?
When Azure Entra ID Identity Protection detects compromised credentials from the dark web, it flags the affected user accounts. It can automatically trigger responses such as requiring a password change, enforcing multi-factor authentication (MFA), or blocking access until the issue is resolved.
Does Azure Entra ID Identity Protection proactively scan the dark web for specific user credentials?
No, Azure Entra ID Identity Protection does not proactively scan the dark web for specific user credentials.
Instead, it relies on data collected by Microsoft’s Threat Intelligence network, which includes compromised credentials found on the dark web.
How does Azure Entra ID Identity Protection use dark web information to protect identities?
Azure Entra ID Identity Protection uses information from the dark web to identify when user credentials have been compromised. It then applies risk-based policies to protect the affected accounts, such as requiring additional verification or blocking access to prevent unauthorized use.
Is it correct to say that Azure Entra ID Identity Protection only protects users when their information is on the dark web?
o, this is not correct. While Azure Entra ID Identity Protection uses information from the dark web as one source of threat intelligence, it also protects users by analyzing various other risk signals, such as unusual sign-in activity, and implementing risk-based policies.
What is the role of Microsoft’s Threat Intelligence network in Azure Entra ID Identity Protection?
Microsoft’s Threat Intelligence network plays a crucial role in Azure Entra ID Identity Protection. It gathers and analyzes data from numerous sources, including the dark web, to detect potential security threats and help protect user identities.
Can Azure Entra ID Identity Protection take automated actions based on dark web information?
Yes, Azure Entra ID Identity Protection can take automated actions, such as enforcing password resets, blocking access, or requiring MFA, based on detecting compromised credentials from the dark web or other risk indicators.
What type of risks is Azure Entra ID Identity Protection looking for when a user signs in?
- Anomily Detection (Sign in, user activities) (Sign-in)(real-time)
- Known attack patterns
- Leaked credentials (User)
- Anonymous IP address
- Atypical travel (Sign-in) (Offline)
- Malware-linked IP address
- Unfamiliar sign-in property (Sign-in) (Realtime))
What are the types of detection periods for Azure Entra ID Identity Protection?
- Real-time (Signin risk)
- Offline (24hrs) (User risk)
What time frame is used for user risk for Aure Entra ID Identity Protection?
Offline (24hs): Like user risk being leaked creds
What time frame is used for sign-in risk for Aure Entra ID Identity Protection?
Real-time: When the user tries to sign in, the risk is evaluated, and if action is required, like denying, it will be taken.
Azure Azure Entra ID
How do we take enforcement actions?
We use conditional access
I wnat to have the ability to review users’ access for Azure; I also want the ability to take action if there are issues found; how can I achieve this?
Use Azure Entyra ID and access reviews
What is the service called thet we can use to protect our identities?
Azure Identity Protection
What license do I need for identity protection?
L2
What is the core of what identity protection provides?
-Sign-in protection
–Has creds been leaked
–Is the user using anonymous IP
–Impossible travel
–Sign-in from an infected device
–Sign-in from IP with suspicious traffic
–Sign-in from an unfamiliar location
-User action protection
What can you use when you get an even from Identity Protection?
You can use risk policies to block, or you can ask the user to use MFA
What are the two policy types associated with identity protection?
Sign-in risk policy
Users risk policy
Are Azure Entra ID Identity Protection Users risk policies in real-time?
No, there are 24hrs
Are Azure Entra ID Identity Protection Sign-in risk policies in real-time?
Yes
What can we do when we find an Azure Entra ID Identity Protection risk policy has been activated?
Block sign-in
Endorce users change password
MFA
I have a group of users, and I want to ensure that if they attempt to sign in from a location thet would not be typical, they are blocked; how can I do this?
Use conditional address.
I wnat to have a situation where if users’ activities are identified as a risk by Microsoft thet, they are reported to me; how can I do this?
I can use Azure Entra ID Identity Protection and its reporting capabilities.
I wnat to have a situation where if users sign in and are identified as a risk by Microsoft thet, they are reported to me; how can I do this?
I can use Azure Entra ID Identity Protection and its reporting capabilities.
I wnat to have a user use MFA when they log in for a location other than the office; how can I do this?
Conditional access policy
I wnat external users always to use MFA to access my resources; how can I do this?
Conditional access policy
I wnat to prevent access from untrusted or high-risk geographical regions by blocking?
Conditional access policy
I wnat to block access when blocking a user’s access or require step-up authentication (MFA) if they are flagged for risky behavior.
Conditional access policy
How cna i, Allow personal devices to access corporate email or data but enforce conditions like MFA or limited app access (e.g., blocking the download of files from SharePoint)?
Conditional access policy
When using conditional access, what signal types are they?
Location
Country
Device
Browser
Risk
I wnat to add several countries where I can have users use MFA and another set of countries thet are blocked users if accessed from; how can I do this?
Add the countries in Azure Entra ID Conditional access and then use them in the conditional access policy.
I wnat to add a IP range and have users blocked if access comes from this range; how can I do this?
Add the ip range in Azure Entra ID Conditional access and then use them in the conditional access policy.
How do I create an Azure Entyra ID conditional access policy?
Name, All Users, Group of users (Guests (as in external), Directory roles, users and groups),
When creating an Azure Entyra ID conditional access policy, I want to exclude users from it. Is this possible?
Under the Exclude Users tab, you can select users and groups to be excluded from the policy.
I wnat to ensure that my most privileged users have to request access when using these privileges; how can I do this?
Setup Privilege Identity management (PIM)
How cna I have it thet when Jim who has global admin privileges, is not working, he does not have their privileges?
Setup Privilege Identity management (PIM)
I wnat to get notified when a user with global admin is using these privileges; how can I do this?
Setup Privilege Identity management (PIM)
How can I remove privileges when they are not needed?
Access reviews
How can I schedule a review of users, roles, apps, and guests who have unneeded privileges and automatically remove them?
Access reviews
If i wnat to use Access reviews, what license do I need?
P2
I wnat users to review their access every month; how can I do this?
Access reviews
After users perform a review, what options do you have for those who did not respond?
No change
Remove access
Approve access
Take recommendations
I want a solution where I can have groups of users prefrom their security review each month; how can I do this?
Azure Entra ID Identity Governanence Access Reviews
What types of services has Azure for containers?
Container instance
Kubernetes
Cloud apps
How do we create a container?
Usine DOCKERFILE
What is a dockerfile?
FROM nginx:alpine
WORKDIR /usr/share/nginx/html
COPY ./index.html ./
How do I create a docker image?
Using a docker file?
Where do i store a docker image?
Azure image registry
Why use a docker image?
Because it an easy way to package content for docker or kubernetes
Why use container instances?
Fast and straightforward to get running and easy to manage small, simple individual running container instances.
When using container instances, can you persist files?
You would have to use Azure file share and mount a volume.
When using container instances, are containers isolated?
Yes, but you can use a container group thet will share resources if required.
How can two containers share resources and run on the same host when using a container instance?
Use a container group, and this will schedule the containers on the same host and share resources.
What types of networking have container instances available?
None (batch), private( private network), public(public network)
What container registry types are available in container instances?
Quick images
Axure container registry
Docker Huv or other registry
I wnat to use managed disks with my container images; what options do I have?
Azure kubernetes service, it supports managed disks
Can I use Azure Files with Azure Kubernetes?
Yes
I wnat to have a job run periodically; what options do I have?
Azure Batch
Azure APP service using WebJobs
What is required to allocate how much cost and size to app services?
App service plan
I require both Windows and Linux containers. Can I use app services?
Yes, app services provide for Windsows and Linux containers.
What types of pricing is available for app services?
Shared: Container runs on same compute as other customers
Dedicated: Runs on dedicated compute
Isolated: Deployted to customers’ own network
What types of functionality do you get with Azure App Service?
Scale-out
Scale-up
Private networking
Public networking
File storage
Database
Redis (cache)
What databases are supported with app service?
Postgres
MySql
MsSql
CosmoDB
I require different environments for dev, test, and prod. I want to use containers; what are my options? I also wish for fully managed services.
You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers.
I require different environments for dev, test, and prod. I want to use containers; what are my options? I also wish for fully managed services. I must have each environment with its own configuration.
You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers. Slots have their configuration for each slot.
I require different environments for dev, test, and prod. I want to use containers; what are my options? I also wish for fully managed services. I must have each environment with its configuration. I must also be able to switch slots and automatically have the scale of the system to the production size?
You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers. Slots have their configuration for each slot. App services have slots, also called staging, thet can be switched and will automatically scaled out to the required size.
I am using containers and wnat to bleed over traffic from staging to production. What services in Azure should I run my containers on?
App services enable splitting traffic between staging and production.
When using the Apop service, how are the staging site rules added?
A -staging as in -<name> is used</name>
What is Azure Batch?
Fully managed HPC cluster and scheduling infrastructure.
There is no need to schedule an installation and manage
Devs can
When using Azure Batch, what do we get as a virtual construct?
Batch account
What are the elements that make up the batch account?
Account
Scheduler
Nodes/Node Pool
What storage can you access with Azure Batch?
Azure Blob
Azure Files
Azure Disks
Azure Auto Storage
What is Azure Batch Auto Storage
Azure Batch can automatically provision blob storage containers associated with your batch account. It’s often used to manage job input/output data for batch jobs automatically.
How do I deliver an application to Azure batch?
Through the API, using one of the supported application types, python, node, C#, PowerShell
What is the first thing you create when using Azure batch?
An Azure batch account
I wnat to access my batch account from my private network, my private network is connected to azure v rt using express route, how can I do this?
Use a service endpoint, service endpoint enables a private connection from a private vNET to a service, including Azure Batch
When setting up an Azure Batch, what constructs would you use?
Application
Pools
Jobs
Job schedules
What do you pay for with Azure jobs?
Time
What is Azure Cycle Cloud?
Azure CycleCloud helps manage High-Performance Computing (HPC) clusters in Azure, enabling users to easily create, configure easily, and scale resources. It supports popular HPC schedulers like SLURM and PBS Pro, offering autoscaling based on workload demand. The tool simplifies cloud HPC management, integrates with Azure services like Monitor and Cost Management, and is ideal for data-heavy fields like genomics(MS Learn)(Microsoft Azure.
Where can I find conditional access policies?
Entra ID -> Security -> Protect - > Conditional access
I wnat to use conditional access policies; what license do I need?
P1
What do Azure functions, web jobs, apps, and websites run on?
App service plan
I want to have isolated hosts; what do I need to create?
App Service Environment is a single-tenant environment.
What is an isolated host for Azure app service
It is a single-tenant App Service Environment.
I wnat to access to my Azure storage from my VM on a private vNET; how can I do this?
Use the Service endpoint to access all Azure Storage Accounts
Use a private endpoint to access only a single account
I wnat to access my Azure storage from my VM using a private IP; how can I do this?
Use a private service endpoint. The private service endpoint will connect to a single Azure storage account and get an IP and NIC in the vNET to access it.
I wnat my application in a private vNET with no public network access, to access all my Azure storage accounts; how can I do this?
Use Azure service endpoint; Azure service endpoint gives access to all Azure storage accounts.
What am I connecting from and to when I create an Azure Service EndPoint?
From a vNET to a whole service like an Azure Storage account
When I create an Azure Service Endpoint, is the IPO address of the service private?
No, it uses the Azure public IP, but traffic is over the Azure network.
When I create an Azure Private Endpoint, is the IP address of the service private?
Yes, the endpoint is private, and it appears to be a NIC in your vNET
When I create an Azure Private Endpoint, can you access all storage accounts, for example?
No, it is a one-to-one relationship; you can only access a single account.
When I create and use Azure Private Endpoint, are they free?
No, you pay per hour and GB
When I create and use Azure Service Endpoint, are they free?
Yes
I have an on-prem local network application called the Kola app that I would like to make available to my users who work from home. How can I do this without using a VPN or having a user connect to the local network?
Azure Entra ID App Proxy enables me to expose any application but use Azure Entra ID to secure it.
I am using Azure App service but do not have a VPN or Expressroute connection to Azure; I want to present an endpoint on my on-prem network from an application running on Azure App Service. How can I do this
Azure App Service Hybrid Connections enables you to install the software locally and create an endpoint for your app service locally on-prem.
I have an on-prem local network application called the Kola app that I would like to make available to my users who work from home. I will use Azure AD App Proxy; what do I need to install on-prem?
Several proxies for scale and availability.
I have an on-prem local network application called the Kola app that I would like to make available to my users who work from home. The Kola app requires Kerberos. Also, I do not have a VPN or Expressroute to Azure. I want to expose this application to my remote users behind a secure Azure login. How can I do this?
You can use Azure Enbtra AD App Proxy, which is installed on-prem and connects to Azure Entra ID. It can proxy the application to remote users and ensure that the users have logged in using their Azure Entra ID credentials.
I have an on-prem local network application called the Kola app that I would like to make available to my users who work from home. The Kola app has its identity management. Also, I do not have a VPN or Expressroute to Azure. I want to expose this application to my remote users behind a secure Azure login. How can I do this?
You can use Azure Enbtra AD App Proxy, installed on-prem and connects to Azure Entra ID. It can proxy the application to remote users and provide passthrough for auth.
When using Azure Enbtra AD App Proxy, what is my first step?
Install the agent connector on-prem for Azure Enbtra AD App Proxy; you create a group of connectors.
What is a connector group in Azure App Proxy?
Agent connectors groups enable me to separate different apps on my on-prem network.
I wnat to deploy a single container and use the least resources and the least management, but I require deploying the instance so it is available in a vNET; what is my best portion?
Azure container instance, this is the least resources and lowest cost and is least management, and you can configure it for PRIVATE networking using a vNET.
Can I use a container register with container instances?
Yes
Can I use public networking with container instances
Yes
When using app services, what are the three types of pricing?
Shared
dedicated
Isolated
I require a way to deploy containers, and I want simple management of containers in a PaaS service. What is the best solution?
App Container Services
What types of plans have we for azure functions?
Consumption (Pay-As-You-Go)
Flex Consumption
Function premium
App Service (Both Functions and Web Apps on same plan)
Container App Environment
What is the name of pay as you go plan?
Consumption
I am going to be using Azure functions, and I require the use of vNET. Can I use the consumption plan?
- No, the consumption plan does not support vNETS.
- But we now have a new plan called Flex Consumption thet will support events
- Or you can use a premium plan
I intend to use Azure Function and Web Apps on the same project in the UK to help control a power station; what is the best plan to keep the cost to a minimum?
With both Functina and Web Apps on the same project, it may be best to use the app service plan thet enables the same plan to be used for both.
I am using a consumption plan for my Azure function. I am concerned about the timeout. What is the default timeout?
5min default, 10min max.
I am using a premium plan for my Azure function and am concerned about the timeout. What is the default timeout?
30min default, unlimited with configuration.
I want to make sure thet when using Azure Functions, I have pre-warmed instances. I intend to use the consumption plan; do I need to make any changes to my approach?
Yes, you will need to switch plans. The consumption plan does not support pre-warming, so you will need to use premium or flex consumption.
I am using Azure functions and wnat to use vNET; I intend to use a consumption plan; do I need to change my approach?
Yes, you will need to switch plans. The consumption plan does not support vNET, so you must use premium or flex consumption.
Are dedicated plans for App Services and Functions dedicated for your use only, meaning you are on an isolated host?
No, dedicated means you are on a shared host with dedicated resources not shared with any one else.
When using App Services and Functions, what plan is the most cost-effective for production?
use a non-dedicated plan
When should you choose a Consumption Plan for Azure Functions?
Choose a Consumption Plan when you have sporadic workloads, want to pay only for actual usage, and don’t need constant running of your functions.
In Azure Appservice and Functions; What is the main advantage of using a Dedicated (App Service) Plan for Azure Functions?
The main advantage is having dedicated VM instances, which provide better performance, more features, and the ability to run functions continuously.
In Azure Appservice and Functions, which scenario would you opt for an Isolated (App Service Environment)
Choose an Isolated Plan when you need the highest level of security, network isolation, and dedicated infrastructure for mission-critical applications with high compliance requirements.
In Azure Appservice and Functions, Which plan should you choose if you have an application with unpredictable traffic patterns and want to minimize costs?
The Consumption Plan is ideal for this scenario, as it automatically scales based on demand, and you only pay for the resources you use.
In Azure Appservice and Functions: When would you consider upgrading from a Consumption Plan to a Dedicated Plan for Azure Functions?
In Azure Appservice and Functions; Which plan would be most suitable for a high-traffic e-commerce website that requires consistent performance?
A Dedicated (App Service) Plan would be suitable, as it provides dedicated resources and consistent performance for high-traffic applications.
In Azure Appservice and Functions; Your application needs to comply with strict data residency requirements and must be completely isolated from other customers; which plan should you choose
The Isolated (App Service Environment) Plan is the best choice for strict compliance and complete isolation requirements.
In Azure Appservice and Functions; hich plan would you recommend for a small business website with moderate, consistent traffic?
Dedicated (App Service) Plan with a Basic or Standard tier would be suitable for a small business website with moderate, consistent traffic.
In Azure Appservice and Functions; When is it most cost-effective to use a Consumption Plan for Azure Functions?
It’s most cost-effective for applications with intermittent usage, where functions don’t need to run continuously, and when you want to pay only for actual execution time.
In Azure Appservice and Functions, If you need to run background processing tasks continuously alongside your web application, which plan should you choose?
Choose a Dedicated (App Service) Plan, as it allows you to run continuous WebJobs and background tasks alongside your web application on the same VM instances.
In Azure Appservice and Functions, what type of plans do we have?
Non-dedicated
Dedicated
Isolated
In Azure Appservice and Functions, what is a non-dedicated plan?
The plan is using shared resources, best suited
In Azure Appservice and Functions, what type of plans do we have?
In Azure Appservice and Functions, what type of plans do we have?
In Azure Appservice and Functions, what is a non-dedicated plan best suited to?
Sporadic or unpredictable workloads
Event-driven application
Small-scale or low-traffic applications
Development and testing
Cost optimization:
I wnat to use Azure Appservice and Functions in a dev environment. What plan should I use?
non -dedicated
In Azure Appservice and Function, what is the Azure name for a non-dedicated plan?
Consumption plan
In Azure Appservice and Function, what is the Azure name for a dedicated plan?
Basic
Standard
Premium
PremiumV2
PremiumV3
In Azure Appservice and Function, what is an isolated plan giving you?
App Service Environment
You are using the Azure app service. Recently, a newly pushed app to production caused outages; what could you do to fix this?
Use Azure app service deployment slots
I wnat to route all traffic through an appliance; How do I do this for a whole vNET?
Create a single route table and associate it with each the of the subnets.
Do I create a routing table and associate it with a vNET?
No, rout tables are associated with a subnet
I want to route all traffic to the internet from a subnet; how can I do this?
Create a routing table and set the next hop to the internet
I want to route all traffic to the GW from a subnet; how can I do this?
Create a routing table and set the next hop to the GW
I want to route all traffic to the Firewall appliance from a subnet; how can I do this?
Create a routing table and set the next hop to the IP of the appliance
I want to have no routing outside a subnet; how can I do this?
Create a route table and associated with a subnet and set it to none.
When using route tables, what can you route to?
Service (Using service tag)
Internet
IP (Appliance)
Virtual network
Virtual GW
What are the route types I can have and the order?
Custom routes
BGP routes
System Routes
What are Custom routes?
Routes you create in a custom route table3 and associated with a vNET subnet.
What are BGP roputes?
Routes from BGP
What are System routes?
Routes generated by Azure
What types of routes do you have?
Custom routes
BGP Routes
System routes
I want to block inbound traffic to just a single VM. How to do this?
Create a Network security security group, set it to block all traffic, and associate it with the single vNET Subnet.
I want to block inbound traffic to just a single subnet. How to do this?
Using a network security group, how can I block the URL www.keith.tobin.com?
You can not block a URL with an NSG; NSG are layer four only and block layer 4-only traffic. To
What layers 4, 5, 6, etc, dose network security groups work on?
Azure network security groups are layer four-only firewalls
I have VM 1 and VM2 in the same subnet with an NSG blocking all HTTP on post 80. Can VM1 request HTTP traffic on port 80 from VM2?
No, because an NSG on a subnet is the same as having it on the NIC of the VMs
What types of public IPs are available to use with VM’s
Basic and Standard
What is the difference between primary and standard public IP’s
Basic allows internet traffic with no NSG attached; standard blocks the IP traffic by default; you must enable it with an NSG.
I just created a standard IP for my VM, and I can’t see traffic to post 80 of my VM. Why?
Standard IP blocks all traffic; you must use an NSG to allow it.
Are NSG rules stateless?
No, NSG rules are stateful. Once a connection is made, it is tracked, and you do not have to create an outbound rule.
By default, does a VM have access to outbound internet?
Yes, but this is changing.
I have 10 VMs in a vNET with no public IP. I want to provide safe internet access. How can I achieve this?
You can use a Virtual network NAT
I am using a NET and running out of space on the single IP prefix; what can I do?
You cna add a pool of IP addresses.
Can I transit a vnet by default using vnet peering?
No
using vnet peering, how can I transit a vNET,
using VPN GW with vnet perering
I need a fast, low-latency connection between my vents; what is the best option?
vNET peering is low cost and fast with low latency
I have VNET 1 in subscription 1 and vNET 2 in subscription 2. How can I easily connect them with low latency and high throughput?
vNET peering can be across subscriptions.
I have VNET 1 in subscription 1 in tenant 1 and vNET 2 in subscription 2 in tenant 2. How can I easily connect them with low latency and high throughput?
Global vNET peering can be across subscriptions and tenants
What is global vnet peering
Global vNET peering is the ability to use vNET peering across tenants to connect vNETS, it also when you cross regions.
I have VNET 1 in Subscription 1 in Region 1 and vNET 2 in Subscription 2 in Region 2. How can I easily connect them with low latency and high throughput?
Global vNET peering can be across subscriptions and regions.
Using vNET peering, how can I have overlapping IP address spaces?
You can; overlapping will not work.
How can we make our Azure Application thet is behind a load balancer available privately to Azure client VM in their Azure subscription?
Use Private Link to set up conectivity to make available the app endpoint.
Are private links and private endpoints the same thing?
No, private link exposed service and proof of the exposed service.
Is private link more secure? If so, why?
With a private link, you can lock down to a single resource.
Can you use private links across subscriptions?
Yes
Can you use private links across regions?
No, it can only be consumed using endpoints in the same region.
Where are private link endpoints created?
In a subnet of a vNET.
We need an encrypted connection from your on-prem network to the Azyre vNET. We do not want to use the express route, as it is too expensive. What options do we have?
Use a VPN (sit-to-site)
Is vNET peering encrypted?
No, vNET peering is not encrypted.
Is site-to-site VPN encrypted?
Yes 100%
What is the primary difference between Azure VPN and ExpressRoute?
Azure VPN uses the public internet to securely connect your on-premises network to Azure through encrypted VPN tunnels. ExpressRoute, on the other hand, establishes a private connection between your on-premises infrastructure and Azure, bypassing the public internet entirely. This makes ExpressRoute more reliable, faster, and secure compared to Azure VPN.
Scenario: You are a startup setting up a small hybrid cloud environment with basic workloads. You want a quick and cost-effective solution to connect your on-premises network to Azure. Which option should you choose?
You should choose Azure VPN. It’s ideal for small environments where cost is a concern, and the public internet is sufficient for your connectivity needs. Azure VPN allows you to quickly establish a secure connection without the complexity and cost of a dedicated line.
Your enterprise runs a mission-critical application that demands constant, high-throughput data transfers between your on-premises data center and Azure with very low latency. Reliability and uptime are essential. Which solution do you select?
You should select ExpressRoute. ExpressRoute offers a private, dedicated connection with high bandwidth (up to 100 Gbps), low latency, and guaranteed uptime through a Service Level Agreement (SLA), making it ideal for mission-critical applications.
You need to quickly set up a secure connection for remote employees accessing Azure resources from various locations. The data traffic is relatively small, and minimal latency is acceptable. What should you use?
You should select ExpressRoute. ExpressRoute offers a private, dedicated connection with high bandwidth (up to 100 Gbps), low latency, and guaranteed uptime through a Service Level Agreement (SLA), making it ideal for mission-critical applications.
You need to quickly set up a secure connection for remote employees accessing Azure resources from various locations. The data traffic is relatively small, and minimal latency is acceptable. What should you use?
You should use Azure VPN. Its point-to-site functionality allows secure, encrypted access for remote users over the public internet, making it perfect for distributed workforces with moderate data traffic needs.
Scenario: Your company handles sensitive financial data and regulatory requirements mandate that all data transmission between your on-premises network and Azure be isolated from the public internet. What solution would you implement?
You should implement ExpressRoute. Since it avoids the public internet and uses a private connection, ExpressRoute ensures that sensitive data is transmitted in compliance with strict security and regulatory requirements.
Scenario: You are planning a massive data migration project to move terabytes of data from your on-premises data center to Azure. This migration will require high bandwidth and consistent network performance over several weeks. What should you choose?
You should choose ExpressRoute. The high bandwidth (up to 100 Gbps) and consistent performance of a private connection make ExpressRoute the ideal choice for large-scale data migrations.
Your organization is running a small non-critical application in Azure, and you need a quick and inexpensive way to connect your on-premises data center to Azure for occasional data exchanges. Latency is not a major concern. Which solution do you go for?
You should go for Azure VPN. It’s a cost-effective solution for smaller, non-critical applications where high performance is not necessary, and you don’t need the guaranteed uptime or bandwidth provided by ExpressRoute.
Scenario: You need to securely connect Azure PaaS services like Azure Storage or Azure SQL Database to resources in a Virtual Network. The PaaS services should be accessible only through the Virtual Network, preventing public access. Should you use Azure Private Link or Azure Service Endpoint in this scenario?
Azure Service Endpoint. Service Endpoints secure PaaS resources by extending VNet identity to the service, allowing access over Azure’s backbone network. Public IP addresses can be blocked.
Scenario: You want to expose your internal API, hosted on Azure, to specific customers over a private connection without exposing it to the internet.
Question: How should you present the API to clients?
Use Azure Private Link. It provides private access to your services by mapping the service to a Private IP within the consumer’s VNet.
Scenario: An enterprise needs to connect to Azure SQL databases from multiple VNets located in different subscriptions. They want to avoid using the public internet.Question: Should you use Private Link or Service Endpoints?
Answer: Use Azure Private Link. It supports cross-subscription connectivity via private IPs within the consumer’s VNet, keeping traffic within Azure’s backbone.
Scenario: You need to connect resources in a VNet to Azure Storage in a different region without exposing the storage account to the public internet.
What should you use?
Answer: Use Azure Service Endpoint. Service Endpoints allow cross-region connections to Azure services, extending VNet identity without exposing the service to the internet.
Scenario: A business must share an Azure service, such as an Azure SQL Database, with its partner organization across different regions.
Question: Which networking option is most appropriate in this case?
Use Azure Private Link. Private Link allows private access to your services across regions and subscriptions without traversing the public internet.
A service provider wants to offer multiple clients a managed service like a database, ensuring private network access for each client with no data leakage between them.
How should the service provider present their service to clients?
Question: You are deploying a mission-critical application in an Azure region. How can you ensure data redundancy and disaster recovery using Azure Paired Regions?
Use paired regions to replicate your application and data. Azure automatically replicates resources between region pairs, ensuring data durability in the event of a regional failure. Always deploy to both regions in the pair for geographic redundancy.
If Region A in an Azure pair goes down for planned maintenance, how does Azure Paired Regions ensure continuity for your services?
Azure Paired Regions ensure that planned updates (e.g., maintenance) only occur in one pair region at a time. This minimizes downtime and allows services in the secondary region to continue running during the maintenance window.
In what scenario would using paired regions be more beneficial than non-paired regions for disaster recovery?
Paired regions provide higher reliability because Azure guarantees data replication and failover capabilities between them, with a direct focus on minimizing latency and ensuring recovery in the event of a disaster. This is especially critical in high availability/disaster recovery setups where business continuity is essential.
How can you benefit from Azure Paired Regions when designing applications that need data sovereignty compliance across regions?
Azure Paired Regions are often located in the same geopolitical zone, helping organizations comply with data sovereignty regulations. Data replication across regions within the same pair ensures that data remains within the required jurisdiction for compliance purposes.
Your company operates an e-commerce platform that requires low-latency, cross-region failover. How do Azure Paired Regions optimize performance for such scenarios?
Azure Paired Regions are designed to minimize latency between regions while supporting cross-region failover. By deploying your services to paired areas, you can achieve low-latency replication and quick recovery, ensuring your platform remains responsive during regional disruptions.
What does an Azure region consist of?
Several data centers are connected via low-latency connectivity and form several availability zones; an availability zone is not a data center but a fault domain with separate power, cooling, and network.
What is a paired region?
It is a second region in the same geopolitical space as the primary region, ensuring data sovereignty. It is used as a failover or backup region for the primary region for some Azure services.
What is an availability zone?
An availability zone is a fault domain that consists of a zone with separate network, cooling, and power; services use availability zones to be fault-tolerant.
What is a zonal service?
A Zonel service is a service where you get to select the zone to be used by the service.
Do you have fault domains in availability zones?
Yes, these are the core of how an availability set works. It means they if you set the fault domain to three, you have three separate fault domains thet are independent of each other
What are updated domains, and where may you see them?
They ensure thet only one updated domain is updated at a time, and we will see them in an availability set.
We are using an availability set and have three fault domains and three update domains; in each fault domain, we have a single VM. From a disk perspective, what must we do?
Set the aligned managed disks in the availability set to make the disk in the same fault domain as the VM
In Azure is the load balancer; what layer is the load balancer working on?
It is a layer four balancer, which means it works on the IP and transport layer layers of the TCP stack
I need a layer seven load balancer; what should I use?
App Gateway its a layer seven load balancer
When you create an Azure load balancer, what must you select it to be?
Internal or external?
What is an Azure internal load balancer?
This layer four load balancer has an internal IP for external traffic.
What is an Azure external load balancer?
This is a layer four load balancer with an external IP for external traffic
What do we call the back end in an Azure Load Balancer?
Backend pool
What types of rules have you on an Azure Load Balancer?
- Nat
-LBRule
What is a NAT-rule?
This is where, on Azure Loadbalancer, you will map the input IP to a backend IP
I need to ensure thet my Loadbalancer does not send traffic to a dead backend VM; how can I do this?
Use health probes.
How many backends can a VM be in when using the Azure load Balancer?
One (and two, read on), it can be in one backend for external and one backend for internal, but it can be in both internal and external
Is an Azure Load Balancer a Global resource across the regions?
No, a Azure load balancer is a regional resource.
What types of SKU are available for Azure Load Balancer?
Baseic, Standard
How can backend VMs do you have for a basic Azure Load Balancer?
300
How many backend you have for a standard Load Balancer?
2, One for internal and one for external.
When using Azure Load Blancer with bare SKU can you have HTTPS health probes?
Not only with standard,
Does a vNET span availability zones?
Yes
I need to load balance TCP; what options do I have?
Azure load balancer.
I need to load balance TCP on my internal network; what can I use?
The Azure load balancer can use internal IP on its front end to load balance, so Azure load balancer is an option.
Do I need a separate NAT to provide outbound network access when using Azure Loadbalancer with a public IP?
No, a public load balancer enables outbound internet access.
Is the application gateway a layer four load balancer?
No, its layer 7 LB
Can Azure Application Gateway be used across regions, explain?
No across regions is not supported by the Azure Application Gateway. Azure Application Gateway is a regional service; there may be other options depending on requirements:
- Azure front door
- Azure traffic manager
- Azure global load balancer
What is Azure Traffic Manager?
It is a DNS load balancer
What is the azure front door?
What is an origan group?
It’s like a back group for a load balancer
When using the Azure Load Balancer service, what tuple data is used to direct traffic to the backend
Source Port
Destination Port
Source IP
Destination IP
Protocol (TCP, UDP)
Does the Azure Load Balancer support routing of HTTP and HTTPS?
No, it is a layer four load balancer and only supports TCP and UDP.
Can you pin an Azure Load Balancer and explain what you can or can not ping the load balancer?
No, you can not ping the Azure Load Balancer because it’s a layer four load balancer that only supports TCP and UDP for ping and not ICMP(Layer 3).
What do you set to direct traffic when using an Azure Load Balancer?
Azure Load Balancer Rule
I have the follwing load balancing requirements; select an Azure service to meet these requirements:
1. Require layer four load balancing
2. Regional load balancing only
3. Require three IP addresses
4. Must keep working in the event of a single-zone failure
To meet the requirements, use an Azure regional and layer four load balancer and add three front-end IPs. The regional load balancer is only in a single region. When creating the load balancer, you can select to use no-zone, zone-redundant, or zonal to meet requirement 4.
I have the follwing load balancing requirements; select an Azure service to meet these requirements:
1. Require layer four load balancing
2. IPv6 support
To meet the requirements, use an Azure regional and layer four load balancer and, at configuration time, select to use IPv6 front-end IP.
What must you add when creating an Azure Load Balancer after the LB is created when using the portal??
Use a load-balancing rule.
When using Azure Load Balancer, how cna I make the sessions sticky?
You have the options to use:
- None
- Client IP (Use just the hash of the client IP to select the backend)
- Client IP and Protocol (Use the hash of the client IP and protocol used to select the backend)
Can a device be assigned to Azure Entra ID Group?
Yes, 100%. You can assign Devices to the group, which can be assigned to Roiles for both Azure Entra ID and Azure Resources.
Can an Azure Entra ID Group be assigned to an Azure Entra ID Role?
Yes, 100%.
Can an Azure Entra ID Group be assigned to an Azure Resource Role?
Yes, 100%.
I have three Azure Subscriptions, and I want to have a way to apply the same RBAC controls and Budgets Controls to all three subscriptions. How can I apply the same RBAC controls using the least amount of effort?
To apply the same RBAC controls and Cost management to all three subscriptions, you would use Azure Management Groups, place all three Azure Subscriptions under a management group node, and apply Budget and RBAC controls to the node.
When using Azure Management Groups, list what can be managed.
- RBAC (Access control)
- Cost Budgets
- Cost analysis
- Policies (Complience and governanence)
I have to migrate an on-prem MS SQL database to Azure; I wnat to look at all possible options, including modifying the database if required. List Azure MS SQL options?
- Azure database instance
- Azure Elastic Pools
- SQL running on VM
Describe the features of Azure Database Instance?
- Managed database service
- Dedicated environment
- SQL Server, PostgreSQL, MySQL, or MariaDB.
- Patching
- Backups
- Scaling while offering high availability
- Security features
- Single databases or elastic pools
- Automated backups
- Monitoring, and
- performance tuning
I have several databases with varying spiky workloads; select the correct SQL architecture to keep the price to a minimum?
Azure SQL Database with Elastic Pools: Using Azure SQL Database with Elastic Pools enables several databases to share a single pool of resources, such as CPU, Memory, and Storage.
How can I share a pool across servers in the Azure SQL Database?
You can not share an elastic pool with more than a single server. An elastic pool is only allocated to a single Azure SQL Database Server.
What is the purpose of the server in Azure SQL Database when using elastic pools
- Central Management Point: Centralized management for all databases in the pool (configurations, settings).
- Authentication and Security: Handles user authentication, access control, firewall settings, and security policies.
- Resource Allocation: Governs the allocation of compute (vCores or DTUs), memory, and storage across databases in the pool.
- Billing: Associated with the cost of the elastic pool and provides a single billing entity.
- Backup and Disaster Recovery: Manages backups, point-in-time restore, and geo-replication across databases in the pool.
- Endpoint Management: Provides a single connection string/endpoint for accessing all databases in the elastic pool.
I am migrating several SQL server databases from my on-premise to Azure SQL Services using elastic pools; I have modified my database to work with Azure SQL Database service. I have a vNET and a VM in the vNET thet want to access the database securely. I do not wish to use passwords and user names to log in to databases, nor do I want the application to access the database over the Internet. How should I architect this solution?
- Use Azure SQL Database service with elastic pools.
- Use Azure Managed Identities to authenticate for the databases without using passwords and username
- Use Azure Service endpoint to access the databases without using the internet
I want to migrate a single SQL server database from my on-premise to Azure. The databases should have dedicated resources. If possible, I do not want to manage the resources. What Azyre services would you use and why?
- Use Azure SQL Instance, which gives you a single database instance with no shared resources.
- Azure Sql Instance is a fully managed instance, so you do not have to manage the resources
- All resources are dedicated and not shared.
I want to migrate a single SQL server database from my on-premise datacenter to Azure. I need access to the migrated database from my application using a vNET; direct vNET access is required. If possible, I do not want to manage database resources. What Azure services should I use, and why?
- Use Azure SQL Instance, which gives you a single database instance thet can be deployed into a vNET
- Azure Sql Instance is a fully managed instance, so you do not have to manage the resources
You are a contractor and have been asked to recommend an Azure solution for new SQL development in Azure. The database code to access the database will be new. What service would you recommend and why?
As this is a new development, we can ensure compatibility with the SQL app code. We should select Azure SQL Database, which offers complete automated management and shared elastic pools.
You are a contractor who has been asked to recommend an Azure solution for moving an existing SQL database to Azure. The database has many bespoke scripts, modifications, and tuning at the OS and SQL service layers. You need to select an Azure service and explain why?
SQL running on Azure VM, as it gives the best compatibility for the bespoke services and modifications to the OS and SQL layers.
migrate
You can use Azure SQL on a VM or Azure SQL Managed Instance; select Azure Managed Instance as it is managed and has less input.
Explain what SQL FILESTREAM?
SQL FILESTREAM is a feature in Microsoft SQL Server that allows you to store and manage unstructured data, such as documents, images, and videos, directly in the file system while still maintaining transactional consistency through SQL Server. It provides an efficient way to store large binary objects (BLOBs) like files that need access or manipulation in combination with relational data.
You are a contractor asked to recommend an Azure solution for migrating an existing SQL database to Azure. DCT is added as part of the overall application. What Azure service will you be required to use, and why?
Because DCT has been used, this is a Windows component, and we will need to use SQL on a VM as DCT is not supported in Azure Managed Instance or Azure SQL Database.
Explain what DTC in Azure SQL Instance or Azure SQL Database?
DCT is the distributed transaction coordinator, which can be used with SQL to perform operations like distributed commit and rollback.
You are a contractor asked to recommend an Azure solution for migrating an existing SQL database to Azure. The SQL database is currently running on a VMWare VM, and the Azure target is a VM in Azure due to modifications to the OS and SQL. What migration service/tool would you recommend, and what steps are required?
Use Azure Site Recovery because the SQL runs on a virtual machine, and ASR can move the whole VM to Azure.
You are a contractor asked to recommend an Azure solution for migrating an existing SQL database to Azure. The SQL is currently running on a Hyper-V VM, and due to modifications to the OS and SQL, we want to run it on a VM in Azure. What migration service/tool would you recommend, and what steps are required?
Use Azure Site Recovery because the SQL runs on a virtual machine, and ASR can move the whole VM to Azure.
You are advising an orgnization on the type of virtual disk to use for a VM. The VM is a test VM, and none of the data on the disk is cared about. Alos, they want the least management of the disk. What recommendations will you make for the disk for the VM?
- It’s a test VM, thet no one cares about the data, so the disk should be an LRS type managed disk.
Describe an Azure LRS Virtual Disk?
- 3 copies of the data
- Srtored in a single datacenter of Zone
- 99.9
- Lowest cost of the tiers
Describe an Azure ZRS Virtual Disk?
- 3 copies of the data
- Srtored in separate zones
- 99.99
- Second lowest cost of the tiers
Describe an Azure GRS Virtual Disk?
- 3 copies of the data + one in the secondary region
- Srtored in separate zones + one in secondary region
- 99.99
- Second lowest cost of the tiers
What features has Azure Managed Virtual Disk?
- Snapshots
- RBAC
- Availability zones
- Images
- Availability sets (When virtual managed disks are used with availability sets, you can configure the availability set to ensure the virtual disks are aligned.
When using Azure Managed Virtual Disks, do you pay for the used amount of data or provisioned capacity?
The provisioned capacity is what you pay for.
You are deploying a mission-critical database with high IOPS and low-latency requirements. The application needs sustained performance and durability for high transaction rates.
Which Azure-managed disk type and size should you choose for optimal performance?
Use Premium SSD with a P30 (1024 GiB) or higher. Premium SSDs offer low latency and high IOPS for mission-critical workloads.
What are the available Azure Managed Virtual Disk types?
- Ultra Disks
- Premium SSD v2
- Premium SSDs (solid-state drives)
- Standard SSDs
- Standard HDDs (hard disk drives)
Describe the performance of Ultra Disks?
Performance: Ultra Disks provide the highest performance and lowest latency among all Azure-managed disk types. You can configure performance (IOPS and throughput) independently from the disk size.
- OPS: Up to 160,000 IOPS per disk.
- Throughput: Up to 4,000 MBps per disk.
- Latency: As low as sub-millisecond latency.
- Use Case: Ideal for mission-critical workloads such as high-performance databases (e.g., SQL Server, Oracle), large-scale transaction systems, SAP HANA, and NoSQL databases.
- Scaling: Ultra Disks allow dynamic scaling of performance without downtime.
I require a Managed Virtual Disk for deploying SAP. What Azure Managed Disk Tiiel should I use, and why?
Ulta Disk because of its high IOPS, Throughput, and latency
Describe the performance of Prenium SSD Disks?
Premium SSDs (Solid-State Drives)
Performance: Premium SSDs provide high performance with consistent low latency, ideal for applications requiring fast data access.
IOPS: Up to 20,000 IOPS.
Throughput: Up to 900 MBps.
Latency: Typically 1-2 milliseconds.
Use Case: Common for production workloads such as databases, OLTP applications, and data-intensive applications needing higher IOPS and low latency.
Cost: Less expensive than Ultra Disks but still premium.
Describe the performance of Standard SSD Disks?
Performance: Standard SSDs are a more cost-effective alternative to Premium SSDs, with better performance and lower latency compared to Standard HDDs.
IOPS: Up to 6,000 IOPS.
Throughput: Up to 750 MBps.
Latency: Typically 4-10 milliseconds.
Use Case: Suitable for web servers, small databases, and development/test environments where cost is a concern but moderate performance is still required.
Describe the performance of Standard HDD Disks?
Performance: Standard HDDs provide the least performance but are the most cost-effective option. They use magnetic spinning disks.
IOPS: Up to 2,000 IOPS.
Throughput: Up to 500 MBps.
Latency: Typically 10 milliseconds or higher.
Use Case: Best for backup storage, archival, cold storage, or workloads with infrequent access to data. Also suitable for development and low-priority workloads that are not performance-sensitive.
What Azure Managed Virtual Disks tiers do we have available?
- Ultra Disks: Maximum performance for critical, low-latency apps.
- Premium SSD v2: Balanced high-performance at a flexible cost.
- Premium SSDs: Reliable performance for high-transaction applications.
- Standard SSDs: Cost-efficient with moderate performance for typical workloads.
- Standard HDDs: Low-cost storage for backups and less frequent use.
Scenario: You are setting up a disaster recovery solution for your organization’s critical data. This solution will store backup files that need to be retained for long-term storage but will only be accessed infrequently.
Question: Which Azure managed disk type should you use to minimize costs while storing backups that are not frequently accessed?
Standard HDD Disks. They are the most cost-effective option for scenarios where data is accessed infrequently, such as backup storage or disaster recovery.
Scenario: Your team is developing a prototype of a new application. You need to provision some virtual machines (VMs) for development and testing purposes. Performance is not a priority for this phase, but keeping costs low is important.
Question: What Azure disk type is best for VMs in this development and testing environment where performance is not critical?
Answer: Standard HDD Disks. They are the most economical option, ideal for low-performance needs such as development, testing, and prototypes where minimizing costs is more important than disk speed.
Scenario: Your company runs a file archiving system where documents are stored for legal compliance purposes. The documents are rarely accessed after being archived, but they must be kept for several years.
Question: What virtual disk type should you choose to store these archived documents efficiently while minimizing storage costs?
Answer: Standard HDD Disks. These are well-suited for cold storage, where data is infrequently accessed but needs to be kept for a long duration, and keeping costs low is a priority.
Scenario: You are deploying a high-performance, mission-critical database system for your company, which handles millions of transactions per second. The database requires sub-millisecond latency and extremely high throughput to meet strict service-level agreements (SLAs).
Question: Which Azure managed disk type should you use to meet the high-performance and low-latency requirements of this database system?
Answer: Ultra Disks. They provide the highest performance with ultra-low latency and are ideal for mission-critical databases that demand maximum throughput and minimal latency.
Scenario: Your organization runs a real-time analytics platform that processes massive amounts of data from multiple sources. The platform requires high disk performance for continuous data ingestion and real-time querying to deliver insights instantly.
Question: What Azure disk type should you choose for this real-time analytics platform, where low latency and high throughput are essential for processing and querying data?
Answer: Ultra Disks. These are ideal for real-time analytics scenarios requiring high IOPS and low-latency storage to ensure fast data ingestion and processing.
What is the difference between Azure Managed Virtual Disk the Premium SSD and Premium SSD v2?
- Higher maximum throughput and IOPS compared to Premium SSD.
IOPS: Supports up to 80,000 IOPS. - Throughput: Can provide up to 1,200 MB/s.
- Allows more granular control over performance settings, offering
greater flexibility in scaling disk performance. - Pricing is more flexible, as you can scale IOPS and throughput independently of capacity. This means you can pay only for the performance you need, potentially saving costs.
- Charges are typically based on the disk capacity, IOPS, and throughput.
Scenario:
You are designing a web application that handles thousands of requests per second with low-latency requirements. The application database has high transaction rates, and response times are critical. You are considering using Azure Managed Disks to meet performance needs.
Question:
Which Azure Managed Disk type would be the best option for your web application database to meet high transaction rates and low-latency requirements?
Answer:
Premium SSD.
Premium SSDs offer low latency and high throughput, making them ideal for mission-critical production applications with high transaction rates and low-latency requirements, such as databases.
Scenario:
Your organization runs an online analytics platform that processes large datasets during peak hours. The platform experiences occasional spikes in I/O performance requirements, and the application must handle these spikes without performance degradation. You need an Azure Managed Disk solution with flexibility in disk performance.
Question:
Which Azure Managed Disk type should you choose to handle the occasional I/O performance spikes while ensuring stable performance during normal operations?
Answer:
Premium SSD v2.
Premium SSD v2 offers flexible performance with scalable IOPS and throughput, allowing for dynamic adjustment to handle workload spikes efficiently without sacrificing performance during normal operations.
Scenario:
You are developing a real-time online transaction processing (OLTP) system for an e-commerce website. The system needs consistent, high IOPS and throughput to process customer transactions quickly, ensuring a smooth and responsive user experience.
Question:
Which Azure Managed Disk type would be most suitable for ensuring high IOPS and throughput for your OLTP system?
Answer:
Premium SSD.
Premium SSDs are designed for production workloads that require high IOPS and throughput, making them ideal for OLTP systems and other performance-sensitive applications.
When should you use Ultra disk types in Azure?
- For extreme performance
- Mission-critical databases (e.g., SQL Server, Oracle, high-end NoSQL databases).
- High-performance, latency-sensitive applications such as financial systems.
- Workloads requiring predictable, high throughput (e.g., large-scale OLTP).
When should you use premium disks in Azure?
high throughput and low latency,
You are running a mission-critical application that requires high transaction throughput and low latency. The application database handles up to 25,000 IOPS and 750 MBps of throughput. Which Azure Managed Disk type should you choose to meet these performance requirements?
Answer:
Premium SSD is the best option for this scenario. Premium SSDs provide high performance with up to 20,000 IOPS and 900 MBps of throughput, making them ideal for mission-critical applications requiring high transaction throughput and low latency.
What are the IOPS ranges for different Azure Managed Disk Types?
Ultra Disk (1 - 160,999 IOPS) Extreme performance.
Premium Disk v2 (1 - 80,000 IOPS) Enterprise performance.
Premium Disk (1 - 20,000 IOPS) CRM.
Standard SSD Disk (1 - 6000 IOPS) Test/Dev .
Standard HDD Disk (1 - 2000 IOPS) Archive, backup.
For Azure Premium Managed Sisk, describe how the performance and size affect each other.
Disks range from P1 - P40 and range from 120 - 2,048 GB and 120 - 7500 IOPS, and so does the throughput 25 - 250Mb/sec
If P1 - P40 are for Premium, what is the equivalent for Standard disk?
E1 - E40
If P1 - P40 are for Premium, what is the equivalent for Standard disk?
S1 to S40
I want to archive data on a Managed Disk; what SSD type should I use?
Standard HDD
Is Standard SSD more expensive than Standard HDD, if os shy?
Yes, because Standard HDD is lower preformance.
What is the cheapest storage type for managed disk?
Standard HDD
What is the latency for a Standard HDD?
10ms write, 20ms Read
Do you get credit-based bursting on Standard HDD?
No
Do you get credit-based bursting on Uktra Disks?
No
Do you get credit-based bursting on Premium v2?
No
Do you get credit-based bursting on Premium SSD v1?
Yes
What is the latency for Standard SSD Disk?
Single digit ms
What Managed Disk type should i be using for OS disk?
Premium Disk.
I want to create a public IP, which will be used by a VNET. How can I add DDOS protection?
It will inherit DDOS protection from the vNET
I must have VM failover between Azure zones; what are my options?
Option A: You cna create the VM in an availability set across three zones and have the virtual disks as zone redundant; you can restart the VM if a zone fault occurs or use an automated script.
Option B: You can use site-to-site recovery and failover between zones.
I require the ability to block the www.keithtobin.cloud domain for VMs in a vNET with a configured Azure firewall. Given that we are using an Azure Firewall, can we deny access to the domain?
Yes, Azure Firewall allows inspection of layer seven traffic and can block it.
Can I use trusted Launch VM’s with Siste for Site recovery?
No, it’s currently not supported.
How would I use Azure site-to-site (RD) recovery?
You can configure it on a VM and have the VM disks replicated to another zone or region.
You have an Azure VM deployed in the East US region, and you want to ensure it can failover to another region if East US becomes unavailable. What service will you use for regional failover?
Use Azure Site Recovery (ASR) to configure regional failover, replicating the VM from East US to another region, such as West US. This ensures business continuity during regional outages.
You are using an on-premises VMware environment and want to configure disaster recovery for critical VMs by replicating them to Azure. What tool will you use?
Use Azure Site Recovery with VMware as the source to replicate your on-premises VMs to Azure. ASR provides automated failover and failback between on-premises VMware VMs and Azure.
Your company is running a mix of Hyper-V VMs on-premises, and you want to implement disaster recovery to Azure. How can you achieve this?
Use Azure Site Recovery to replicate Hyper-V VMs from your on-premises environment to Azure, enabling disaster recovery for Hyper-V workloads with seamless failover and failback.
During a regional outage, your Azure VMs failed over to a secondary region using Azure Site Recovery. How do you ensure that your applications stay operational with minimal downtime?
Ensure application consistency by using Application Consistent Snapshots in Azure Site Recovery. This ensures that data is consistent across application tiers during the failover process.
Your organization requires near-instantaneous failover for mission-critical workloads in case of a disaster. Which type of managed disk replication would you use?
Use Azure Ultra Disk or Premium SSD with ZRS (Zone-Redundant Storage) replication. This ensures that the disks are replicated across multiple zones within the same region, providing high durability and availability for critical workloads.
You want to minimize the cost of disaster recovery for a less critical workload running on a Standard HDD in Azure. What is the most cost-effective disaster recovery strategy?
Use Standard HDD and configure Azure Site Recovery for less critical VMs, setting up asynchronous replication to another region with longer recovery point objectives (RPO) to reduce costs.
You need to test the failover process of your Azure VMs without affecting the production environment. How can you safely conduct this test?
Use Azure Site Recovery’s Test Failover feature to simulate a failover scenario without impacting your production environment. This creates a temporary failover to a different network for testing purposes.
You need to ensure a consistent recovery plan across multiple VMs and services in a disaster recovery scenario. What Azure Site Recovery feature would you use?
Use Recovery Plans in Azure Site Recovery to orchestrate the failover of multiple VMs, configure dependencies, and define the recovery sequence for services across VMs and applications.
Your Azure VM is running in a region that supports ZRS but not GRS (Geo-Redundant Storage). How can you ensure disaster recovery is configured for zone failure?
Use Zone-Redundant Storage (ZRS) for the VM’s managed disks. This ensures that data is replicated across multiple zones within the same region, providing protection against zone-level failures.
How does ASR (DR) work?
It installs an agent and replicates data from one VM to another. This could be from one of the supported vm environments like hyper-v or VMware to Azure.
Is frontdoor a regional or global service?
Global service
Is traffic manager a regional or global service?
Global service
Is Azure Enmntra ID a regional or global service?
Global service
What is RTO?
Recovery Time Objective: The amount it takes to recover the solution.
What is RPO?
Recovery Point Objective: RPO is the amount of data one could lose in a replication situation.
In Azure Firewall, I wnat to have a Global Policy. Is this possible?
Yes, you can have parent child policies, like a global policy and then children policies for each region.
I require a firewall solution for my vNET and intrusion protection. What firewall options do I have?
Azure Firewall supports IDS
I require a firewall solution for my vNET and TLS inspection. What firewall options do I have?
Azure Firewall supports TLS inspections
I require a firewall solution for my vNET and Threat intelligence. What firewall options do I have?
Azure Firewall supports Threat intelligence
I am using Azure WAN Hub and require a firewall solution for all traffic passing through it. What solution could I use?
Azure Firewall supports integration with the Azure WAN Hub.
I am using Azure Firewall and have a regional policy for West EU and West US that allows post 80; how can I deny post 80 on every child policy like the regional policies?
Use the parent (Global policies)
I need direct routing to two public-facing instances in two regions; what service should I use?
Front door, as it uses direct access
I need Proxy based routing to two public-facing instances in two regions; what service should I use?
Traffic Manager
Why would you use an Application Gateway instead of an Azure Load Balancer?
You need to enable multi-site or path-based routing.
What is a Traffic Manager?
DNS queries redirect
What is path-based routing?
It’s used in layer seven when you route based on the URL path.
What is an azure application gateway?
It is a layer seven LB and provides path based routing
Can Azure Firewall policy can only be associated with a single Azure Firewall instance.
No, multiple instances
Can a Firewall policies can be used by Azure Firewall across regions?
Yes
Which statement below best describes a zonal service?
A. A zonal service is one that is automatically replicated across multiple regions (e.g., a virtual machine).
B. A zonal service, like storage accounts, is a service that uses replication across availability zones.
C. A zonal service is a service that can be deployed to a specific availability zone (AZ) within a given region.
D. A zonal service is a service that works across multiple regions within a geography (e.g., a virtual machine scale set).
C. A zonal service is a service that can be deployed to a specific availability zone (AZ) within a given region.
Which of the following statements is NOT true regarding Traffic Manager?
A. When using Traffic Manager, client traffic is proxied through Microsoft’s edge network.
B. When using Traffic Manager, clients connect directly to backend resources.
C. Traffic Manager load balances solutions at a global scale using DNS.
D. Traffic Manager supports geographic routing, which routes users to endpoints based on where their DNS queries originate.
A. When using Traffic Manager, client traffic is proxied through Microsoft’s edge network.
What is true about the functionality and support of Web Application Firewalls (WAF)?
A. The Application Gateway Standard SKU supports Web Application Firewalls.
B. Web Application Firewalls can only protect against specific web vulnerabilities and exploits.
C. A single Web Application Firewall policy can be used by an Application Gateway and Front Door service simultaneously.
D. WAFs protect against common web application vulnerabilities and exploits, such as SQL injection, cross-site scripting, and more. WAF can be deployed with Application Gateways, Azure Front Door, or even Azure CDN.
D. WAFs protect against common web application vulnerabilities and exploits, such as SQL injection, cross-site scripting, and more. WAF can be deployed with Application Gateways, Azure Front Door, or even Azure CDN.
What are the messaging services available in Azure
- Azure Service Bus
- Azure Storage Queues
- Azurre Event Hub
- Azure Event Grid
- Azure Relay
- Azurre SignalR
- Azure Notification Hub
I require a solution to send notifications to Mobile device applications; how would you select a service to meet this requirement?
Azure Notification Hub is a good choice; it sends messages using the broadcast feature of Android, iOS, and Desktop apps.
You are developing an e-commerce application that handles customer orders. When a customer places an order, it triggers a series of backend processes, such as inventory management, payment processing, and shipping preparation. These tasks need to be executed asynchronously in the background so the customer doesn’t experience delays while checking out. However, the tasks don’t need to be processed immediately or in a specific order, and the solution must be simple, scalable, and cost-effective.
Given this requirement, which Azure messaging service would you use, and why?
In this scenario, Azure Queue Storage would be the best choice for the following reasons:
Asynchronous Processing: Since the backend tasks (inventory management, payment processing, shipping preparation) don’t need to happen in real-time and can be processed asynchronously, Azure Queue Storage is ideal. It allows for tasks to be queued and processed at a later time by backend services without blocking the customer’s checkout experience.
Decoupling Services: Azure Queue Storage helps decouple your e-commerce application from backend systems. This way, the main application doesn’t wait for the backend tasks to complete, allowing it to handle customer orders more efficiently.
No Complex Workflow or Ordering Requirements: There is no specific requirement for task ordering or advanced workflow capabilities in this scenario, which makes the simplicity of Azure Queue Storage a good fit compared to more complex services like Azure Service Bus.
Scalability and Cost-Effectiveness: Azure Queue Storage is highly scalable and cost-effective, especially for simple scenarios where tasks just need to be queued and processed later. It supports large volumes of messages at a low cost, which is suitable for handling the potentially high number of orders in an e-commerce platform.
Simplicity: Since there are no complex messaging patterns like pub/sub or guaranteed message ordering, Azure Queue Storage’s simplicity makes it easier to implement and manage for this type of application.
Would you like further clarification or more detailed information on how to implement this solution?
Question:
You are designing an application for a logistics company that manages a fleet of delivery trucks. Each truck is equipped with IoT sensors that report events such as location updates, engine status, fuel level, and maintenance needs in real-time. The system needs to handle millions of events daily, and different components of the system should respond to these events:
A real-time dashboard should update with the latest truck locations and statuses.
A notification service should send alerts when maintenance is needed or if any critical event, such as a fuel shortage, occurs.
An analytics service should capture these events for long-term storage and analysis to optimize future deliveries.
These events need to be distributed to multiple services in real-time, and the system should be able to scale with growing event volume. You also want to avoid complex polling mechanisms and ensure that each service can subscribe to relevant events without tightly coupling the services together.
Which Azure messaging service would you choose, and why?
In this scenario, Azure Event Grid is the ideal choice for the following reasons:
- Event-Driven Architecture:
Azure Event Grid is designed for event-driven architectures where events need to trigger responses in multiple services. In this case, events from the IoT sensors (such as location updates, engine status, or fuel levels) need to notify multiple subscribers (real-time dashboard, notification service, analytics service).
Event Grid allows each component to subscribe to specific types of events without being tightly coupled to the event producers (the IoT devices), creating a scalable and flexible event-driven system. - Fan-out to Multiple Services:
In this scenario, multiple systems need to react to the same event (location updates, engine status). Azure Event Grid supports the fan-out pattern, which allows a single event (e.g., truck location update) to trigger actions across multiple systems, such as:
Updating the real-time dashboard.
Sending notifications through the notification service if a critical event is detected.
Storing the event in the analytics service for further processing and optimization.
This ability to broadcast an event to many services simultaneously makes Event Grid a perfect fit. - Real-Time Event Handling:
Azure Event Grid is designed to handle real-time event distribution with low latency, ensuring that the dashboard, notification service, and analytics receive and process events almost instantaneously.
This is critical for a logistics system where real-time tracking and monitoring are essential for operational efficiency and quick decision-making. - Dynamic Event Subscription:
Different components of the system may be interested in different events (e.g., the real-time dashboard may only care about location updates, while the notification service is interested in critical events like maintenance alerts). Azure Event Grid allows for dynamic filtering and routing of events based on event types, ensuring that each service only processes the events that matter to it.
This flexibility simplifies the architecture and reduces unnecessary event handling by unrelated services. - Scalability:
Azure Event Grid is highly scalable and can handle millions of events per second, making it ideal for this scenario where thousands of trucks with IoT sensors generate a high volume of events. As the number of trucks grows, the system can scale automatically without any significant changes to the architecture. - Serverless Integration:
Event Grid integrates seamlessly with other Azure services such as Azure Functions, Logic Apps, and Azure Stream Analytics, enabling the company to build serverless workflows and analytics pipelines. For example:
Azure Functions can be triggered by events from Event Grid to handle real-time notifications or data transformation.
Logic Apps can be used to automate workflows based on events.
Why Not Use Other Services?
Azure Queue Storage: This service is better suited for simple message queuing and asynchronous task processing but does not support event fan-out or real-time event handling. It also requires polling to retrieve messages, which adds unnecessary complexity to a real-time system.
Azure Service Bus: While Service Bus supports more complex messaging workflows and guarantees message delivery, it is more suited for scenarios where messages must be processed in a specific order or transactionally. It’s not ideal for high-volume, real-time event broadcasting as required in this scenario.
Azure Event Hubs: Event Hubs is primarily designed for ingesting large streams of telemetry or log data but does not provide the event routing and subscription capabilities of Event Grid. Event Hubs would be better for scenarios focused purely on high-throughput data ingestion and processing, rather than multi-subscriber event handling.
Scenario: Your company wants to implement an event-driven architecture where multiple services in Azure need to be notified of changes occurring in a shared Azure Blob Storage. The services need to automatically respond to events such as the creation, deletion, or modification of blobs in real-time.
Question:
What Azure service should you use to manage and route these events efficiently?
Use Azure Event Grid to subscribe to Blob Storage events and route them to the appropriate services. Event Grid enables event-driven architecture with high scalability, ensuring that multiple services can respond to events without polling.
Scenario:
You are developing a set of serverless microservices in Azure Functions. These functions must communicate with each other and respond to specific events, like when a new order is placed in the system. You need to ensure that all relevant services receive notifications about these events in a decoupled manner.
Question:
What Azure service can help you decouple these services and provide reliable event routing?
Azure Event Grid is the ideal Azure service to help you decouple these services and provide reliable event routing.
Azure Event Grid is designed for event-based architectures and supports a highly scalable, serverless event routing mechanism. It enables you to connect and decouple your microservices by:
- Allowing each function to subscribe to events (like when a new order is placed).
- Routing events to all relevant services in a reliable and scalable manner.
- Ensuring services can respond to the events without being tightly coupled to the event source, which enhances flexibility and maintainability.
In your use case, Azure Event Grid would publish the event (new order) and route it to all subscribed Azure Functions, ensuring that each service is notified and can process the event independently.
Scenario:
You are tasked with automating the provisioning of resources in Azure whenever a new subscription is created in your organization. This involves automatically triggering specific actions such as assigning policies, setting up monitoring, and provisioning resources based on the new subscription creation event.
Question:
Which Azure service should you use to trigger these automated workflows?
Use Azure Event Grid to monitor Azure Resource Manager (ARM) events, such as the creation of a new subscription. Event Grid triggers workflows in response to these events, allowing for automated provisioning and resource management.
What are the Azure Event Hubs?
- Azure Event Hubs is a native data-streaming service
- Can stream millions of events per second, with low latency
- From any source to any destination
- Compatible with Apache Kafka, no need to change any code.
Describe the Azure Event Hubs architecture from left to right.
- Data producers
- Azure Event Hubs EndPoint (HTTPs API, AMQP, Kafka)
- Namespace
- Shards
4, Consumers
You are a contractor who has been asked to recommend an architecture for a web application running on Azure Web Apps that enables a user to use their Azure credentials to have the web app access the Microsoft Graph API and modify the user’s address.
Register the application with Azure Entra ID and have the application use OAUTH to have the user login
What is OAuth in the context of Azure Entra ID?
OAuth (Open Authorization) is a standard for granting access to resources without sharing credentials. In Azure Entra ID, it allows apps to access resources on behalf of users through access tokens, while protecting user credentials.
What are delegated permissions in OAuth with Azure Entra ID?
Delegated permissions allow an application to act on behalf of a signed-in user. The app uses the user’s credentials and accesses resources with the permissions granted to the user, subject to the consent of the user or an administrator.
How does OAuth consent work in Azure Entra ID for delegated permissions?
In Azure Entra ID, when an application requests delegated permissions, the user or admin must provide consent, allowing the app to access resources on their behalf. The user is presented with a consent prompt outlining what data the app will access.
What are the two main OAuth token types in Azure Entra ID?
The two main OAuth token types are Access Tokens, which are used to access APIs or resources, and Refresh Tokens, which allow the app to obtain a new access token without requiring the user to log in again.
In which scenarios should you use OAuth and delegated permissions in Azure Entra ID?
OAuth with delegated permissions is typically used when an application needs to access APIs or resources on behalf of a user, such as accessing their mail, calendar, or files in Microsoft Graph, while respecting the user’s consent and security settings.
Scenario: A developer is building a web app that needs to read emails from a user’s Microsoft 365 account. The app will act on behalf of the user after they log in using their Entra ID.
Question: What type of OAuth flow should the developer use, and which permission type is most appropriate?
Answer: The developer should use the Authorization Code flow with Delegated permissions. Delegated permissions allow the app to act on behalf of the user after they sign in.
Explanation: The Authorization Code flow is the standard OAuth 2.0 flow for apps that need access to resources on behalf of a user. Delegated permissions are used when the app requires access to user-specific resources while the user is actively involved.
Scenario: A background service needs to periodically access user calendars in Microsoft 365 without user interaction. This service is a daemon app with no user context.
Question: What OAuth flow and permission type should be implemented?
Answer: The app should use the Client Credentials flow with Application permissions, as it doesn’t rely on user interaction and acts independently.
Explanation: The Client Credentials flow is ideal for server-to-server communication where no user is involved. Application permissions allow the app to act as itself, not on behalf of a user, making it suitable for background services.
Scenario: A company has an internal application that requires users to grant access to their OneDrive files. The users need to stay in control over what the app can access.
Question: What permissions should the application request, and how will the access be controlled?
Answer: The app should request Delegated permissions through OAuth. The user’s consent will determine the access, and the app will only have permissions as long as the user grants them.
Explanation: Delegated permissions are used when the user is actively involved in granting access, ensuring that the app only accesses resources within the user’s consent scope.
Scenario: A third-party SaaS platform integrates with Microsoft 365 to send emails on behalf of a user, but it only needs access during user activity in the app.
Question: Which OAuth flow and permissions should be used in this scenario?
Answer: The platform should implement the Authorization Code flow with Delegated permissions. Access is granted only while the user is actively using the app.
Explanation: The Authorization Code flow is ideal when an app acts on behalf of a user. Delegated permissions ensure that access is limited to the user’s consent and is active only when the user is involved in the app.
Scenario: An admin wants to grant a reporting tool permanent access to all employee data in Entra ID, including reading user profiles, without requiring user consent each time.
Question: What type of permission should the admin grant the tool, and why?
Answer: The admin should grant Application permissions. This allows the tool to act independently of any user context and access data for all users across the organization.
Explanation: Application permissions are used when apps need wide-reaching access to data that is not user-specific. This allows the app to operate autonomously without requiring user consent for each access.
In Azure Entra ID for a registered App, what are the API permissions used for?
They are used when an your application accesses API and form part of the permissions thet need to be granted on behalf of the user.
In Entra ID IPI Applications permissions, what is the difference between API Delegated and application permissions?
Delegated permissions are when a user consents to the requested permissions required by the application as part of the OAutrth process.
Application permissions are applied to the application
Describe the Entra ID API Application permissions?
These are permissions given by an admin to the application to call the API
What is the primary purpose of Azure Key Vault?
Securely store and manage sensitive information like secrets, encryption keys, and certificates.
What types of secrets can be stored in Azure Key Vault?
Azure Key Vault stores API keys, passwords, connection strings, and other sensitive information.
What is the difference between Azure Key Vault secrets, keys, and certificates?
Secrets: Store sensitive information like passwords and API keys.
Keys: Store encryption keys used for cryptographic operations like encryption and decryption.
Certificates: Manage SSL/TLS certificates used for secure communications.
What are the two types of encryption keys supported in Azure Key Vault?
Azure Key Vault supports software-protected keys and hardware security module (HSM)-protected keys.
What is Azure Key Vault’s integration with Azure Active Directory (AAD)?
Azure Key Vault integrates with Azure AD to authenticate users and applications using role-based access control (RBAC) to manage permissions.
How does Azure Key Vault ensure the security of stored data?
Azure Key Vault encrypts stored data using keys that can be either software-protected or HSM-protected, ensuring compliance with security standards.
What is the primary use case of Azure Key Vault in cloud applications?
Azure Key Vault is used in cloud applications to securely store sensitive configuration data, such as connection strings, API keys, and credentials, keeping them out of source code.
How does Azure Key Vault help with compliance and auditing?
Azure Key Vault provides activity logs for all operations, helping organizations meet compliance requirements and perform security audits.
How do developers use Azure Key Vault with Azure-managed identities?
Azure-managed identities allow applications to authenticate to Azure Key Vault without storing credentials, improving security.
What are the primary advantages of using HSM-backed keys in Azure Key Vault?
A: HSM-backed keys provide a higher level of security, ensuring that encryption keys are stored in hardware, which meets strict compliance requirements for some industries.
How can Azure Key Vault assist with SSL/TLS certificate management?
Azure Key Vault can store and manage SSL/TLS certificates, automatically renewing them and ensuring secure communication for applications and services.
What is the purpose of the Azure Key Vault Secrets Client Library?
The Secrets Client Library provides a programmatic interface for accessing, storing, and managing secrets in Azure Key Vault from applications.
In what scenario would you use Azure Key Vault to manage application secrets?
You would use Azure Key Vault to securely store and retrieve API keys, database connection strings, or other sensitive data needed by cloud applications.
What is the benefit of integrating Azure Key Vault with Azure DevOps?
Integrating Azure Key Vault with Azure DevOps enables secure storage and access to secrets during the CI/CD pipeline without hardcoding sensitive data into build scripts.
How does Azure Key Vault reduce the risk of secret exposure in applications?
By centralizing secret storage and using RBAC and Azure AD for authentication, Azure Key Vault reduces the risk of application secret exposure by avoiding hardcoded secrets.
What types of Key Vault data can we store ?
Secrets
key
Certs
What is software-protected storage?
It is how keys are encrypted and stored in memory and on disk rather than an HSM.
For Azure Key Vault, is the software protected storage FIPS compliant?
Azure Key Vault offers two tiers with different levels of FIPS (Federal Information Processing Standards) compliance:
- Standard Tier: This tier provides software-protected keys and is compliant with FIPS 140-2 Level 1.
- Premium Tier: This tier offers hardware security module (HSM)-protected keys, achieving FIPS 140-2 Level 3 compliance.
Therefore, the software-protected storage in Azure Key Vault’s Standard Tier is FIPS 140-2 Level 1 compliant.
Does the standard plan give you access to HSM?
No, only software-protected storage.
To get access to FIPS compliance, what plan do you need?
Premium plan, as it used HSM and is FIPS compliant.
How does Key Vault simplify Cert management?
Certificate Storage: Azure Key Vault can securely store SSL/TLS certificates, along with their private keys, ensuring that they are protected and easily accessible when needed.
Lifecycle Management: Azure Key Vault simplifies managing the entire lifecycle of a certificate, including creation, renewal, and expiration notifications. You can automate much of this process to reduce the manual effort required for managing certificates.
Issuance and Renewal: Key Vault integrates with trusted certificate authorities (CAs) such as DigiCert, GlobalSign, or your own custom CA, enabling the issuance and renewal of certificates directly within Key Vault.
Access Control: Role-based access control (RBAC) is applied to manage who can read, create, delete, or update certificates, ensuring only authorized users or applications can access the certificates.
Policy Enforcement: You can define policies for certificate management, such as renewal periods and notifications before expiration. Key Vault will follow these policies and can send alerts before a certificate expires.
When using the Azure Key Vault, how can I control access to secrets and certs?
Azure Key Vault has RBAC on the data plane.
Is Key Vault a regional service?
Yes, 100% it is a regional service.
I wnat to make sure that any data deleted is soft deleted. Do I have to implement myself in software?
No, the critical vault has the option to retail deleted items for a period.
What are the two types of access methods supported by Keu Vault?
Vault access policy
Azure RBAC
What is the difference between Azure Vault Access Policies and Azure RBAC?
Vault access policies enforce access at the vault level, compared to Azure RBAC, which has tighter control and can lock things to individual keys, certs or passwords
True or false?
Secure access to Key Vault secrets is enabled by granting an application identity access to the management plane.
False
True or False
Key Vault supports third-party identity providers, such as Facebook and Google.
False
True or False?
Secure access to Key Vault secrets can be enabled by granting a managed identity access to the data plane.
True
True or False
Delegated permissions are assigned to an application and will provide that application full permissions to perform the given operation.
False
True or False
Delegated permissions cannot provide more access to a resource than a user has actually been assigned.
True
What are the possible types of managed identities?
User-assigned and System-assigned
True or False
Delegated permissions will provide an application with the ability to carry out tasks on behalf of the user.
True
Which one of the following statements is true regarding managed identities?
Managed identities are assigned to Azure resources, and the platform manages authentication.
Describe the’ Always Encrypt’ feature for SQL (including on-prem SQL, Azure SQL Managed Instance, and Azure SQL Database).
This is where the SQL client encrypts the data, and it’s encrypted for transit and also at rest.
I need the latest SQL database engine and am writing code to tailor the code to the database; what is my best option and why?
Azure SQL Database uses the latest SQL engine, and since you can tailor your code to the database’s requirements, this is your best option.
How is Azure SQL Database deployed when using the standard tier?
For the standard tier, the datbase is deployed in a single data center (AZ) in a given region; availability is achieved through local redundancy within the same data center. It does not span availability zones.
When using Azure SQL Database with the standard tier, do I want to be able to recover if a disaster occurs?
Select to use ge-redundancy backup storage
For Azure Storage Accounts, list the services available.
Azure Blob Storage
Azure File Storage
Azure Tables and Queues
What types of redundancy do we get for Azure Storage Accounts?
- Local Redundant storage (LRS)
- Zone Redundant Storage (ZRS)
- Global Redundant Storage (GRS)
- Geo Zone Redundant Storage (GZRS)
I am setting up a new Azure Storage account and require cost-effective blob storage; how would I set up storage?
LRS with Blob storage.
I am setting up a new Azure Storage account and require to be able to survive a zone and regional outage for the storage account, what is the best architecture?
GZRS storage is Geo Zone Redundant Storage, offering both zone redundant and geo-replicated storage.
In Azure Storage, what type of blob is suited to large files, such as media files, and they support uploading data blocks in chunks?
Block Blob Storage
In Azure Storage, what type of blob is suited for scenarios like Azure VMs where frequent storage updates are required?
Azure Page
In Azure Storage, what type of blob is great for logging operations, allowing data to be appended to the end of the blob?
Append Blob
In Azure Storage, what are the different types of blog storage?
Block Blob (Suited for large files such as media)
I require the best Azure Storage option for uploading large files. What type of blob storage should I select, and why?
For uploading large files, block blob allows uploading chunks of data.
I am required to choose Azure Storage for logs; which Azure storage type and why?
Azure Append Storage is great for logging operations, allowing data to be appended to the end of the blob.
Name the Azure Blob storage types.
Blob Block (Uploading large files)
Blob Append (Good for logs)
Blob Page (Good for frequent updates)
What is Azure Data Lake Storage?
- Built on top of Azure Blob Storage.
- Designed for big data analytics and hierarchical data management.
- Hierarchical namespace: Allows directories and file structures similar to a file system, making file organization and data analytics more efficient.
- Optimized for Hadoop Distributed File System (HDFS): Seamless integration with analytics frameworks like Hadoop, Spark, and Azure Synapse Analytics.
- Performance: Lower-cost operations for file-based workloads and higher throughput for batch processing or massive file ingestion.
For Azure Storage, what is the minimum number of copies of your data?
A minimum of three copies of data is stored within a single data center (Zone)
Regarding DNS and Azure Storage, how has DNS been used?
In Azure, DNS is used as follows:
- Blob service name is account name + the Microsoft domain HTTPS://myacc/blob.core.qwindows.net
- Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.blob.core.qwindows.net
- Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting/blob.core.qwindows.net
And you also get secondary endpoints.
And for file
- Blob service name is account name + the Microsoft domain HTTPS://myacc/file.core.qwindows.net
- Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.file.core.qwindows.net
- Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.file.core.qwindows.net
and for table
And for table
- Blob service name is account name + the Microsoft domain HTTPS://myacc/table.core.qwindows.net
- Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.table.core.qwindows.net
- Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.table.core.qwindows.net
, and for table
And for queue
- Blob service name is account name + the Microsoft domain HTTPS://myacc/queue.core.qwindows.net
- Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.queue.core.qwindows.net
- Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.queue.core.qwindows.net
, and for table
List the different types of storage available in Azure Storage?
Blob
Table
Queue
File
What are the two ways data is replicated?
Synchronous (within a region) (stream layer)
Async (To another region) (partition layer)
How many copies are created when Azure storage is replicated to another region?
Three copies are created in the secondary regions.
Is Azure Storage global, local, or regional?
It is regional, but it will depend on the configuration if it is LRS or ZRS. You can also have GRS make an async copy of the data to another region, where three copies will be created.
If I wnat storage to be high-performance, standard the standard Azure Storage. What options and limitations do I have?
- Premium storage
- Limited to Page Blob, File Share, Page Blob.
For Azure Storage, what are the types of storage supported?
1, Azure Blob
2. Azure File
3. Azure Page
What is the durability of the Azure Storage?
The durability is :
11x9 for LRS
12 x 9 for ZRS
16 x 9 for GRS
What is the availability of the Azure Storage?
It is four nines
Where is Azure Storage LRS stored?
Three copies of the data in a single availability zone in a region
Where is Azure Storage ZRS stored?
In three separate availability zones in a single region
Where is Azure Storage GRS stored?
Three copies in a single availability zone in a single region + three copies in a separate zone.
Where is Azure Storage GZRS stored?
In three separate availability zones in a single region + In three in single availability zones in a secondary region
In Azure Storage GRS, at what level are the replications?
The replication is at the Storage account level. Meaning Blob, Table and Queues are all replicated. But you can also replicate Blob Block Objects individually
In Azure Storage GRS (Files), at what level is the replications?
GRS for Azure Files replicates the entire storage account’s file shares
How are individual Blob Block Objects geo-replicated?
Using Azure Storage Block Blob Replication Policies (container and prefixes)
In Azure Storage, what are we referring to when we say there are two planes?
- Data plan.
- Management plane.
How can I interact with the Azure Storage Account data plane?
- Two account keys
- Azure Entra ID
- Shared Access Signature (SAS)
What are Azure Storage ASccount access blob tiers?
- Hot (Access data often) (More to store, less to access)
- Cold (Store data and access infrequent) (less to store and more to access)
- Archive (archive data and do not access it seldom) (a lot less to store and expensive to access)
Are Blob Storage on the blob or the storage account?
Blob
For Azure Storage Account standard, do you pay for the performance?
No, it is the cost of the storage
For the Azure Storage Account standard, explain how performance is provisioned.
Performance is based on storage size; more storage capacity, more performance.
When using GRS with Azure Storage, are you paying for the transfer?
Yes, you are paying intr region transfer per GB of data.
What is the purpose of Azure Table storage in a Storage Account?
Azure Table storage is a NoSQL datastore that allows you to store large amounts of structured, non-relational data, which can be accessed quickly and affordably using key/attribute pairs.
Can you store structured data in an Azure Storage Table?
Yes, but no-relation.
What is the typical use case for Azure Table Storage?
Azure Table Storage is typically used for scenarios requiring:
- Highly scalable.
- Structured data storage.
- Such as logging dat.
- User information storage.
- Applications needing fast access.
In Azure Storage Tables, what is an entity?
Entity is made up of:
- Partation Key : value (you supply the value)
- Row key: value (you supply the value)
3: and any numbers of properties thet are key and value and you provide both key and value
How is data organized in Azure Table storage?
Data is organized into tables
Each table contains entities.
Entities comprise key/value, pairs (properties) with a primary key, consisting of a PartitionKey and a RowKey to ensure uniqueness.
In Azure Storage Table, what are the two key properties that define the uniqueness of an entity in Azure Table storage?
The two key properties are PartitionKey and RowKey. Together, these properties uniquely identify an entity within a table.
How does Azure Table Storage ensure high availability?
Azure Table storage uses geo-redundant storage (GRS) to replicate data to a secondary region, ensuring availability in case of a regional failure.
In Azure Storage Table, How do you query data in Azure Table Storage?
Data in Azure Table storage can be queried using OData (Open Data Protocol) with LINQ or REST API calls, filtering on PartitionKey and RowKey for efficient lookups.
What are the limitations of Azure Table storage in terms of transaction consistency?
Azure Table storage provides strong consistency within a partition but only eventual consistency across partitions. This means updates within a partition are immediately visible, but updates across partitions may take time to propagate.
What is the maximum size limit for a single entity in Azure Table storage?
The maximum size of a single entity (row) in Azure Table storage is 1 MB.
How are transactions handled in Azure Table storage?
Azure Table storage supports batch transactions, but only within the same partition (same PartitionKey). This allows multiple operations to be executed atomically.
What are the data replication options available for Azure Table storage?
Azure Table storage offers the following replication options: Locally Redundant Storage (LRS), Zone-Redundant Storage (ZRS), Geo-Redundant Storage (GRS), and Read-Access Geo-Redundant Storage (RA-GRS).
When we wnat to use DataLake or NFS or SMB with an Azure Storage account, what must we enable?
Hierarchical Namespace
I require an SFTP storage, what could I use?
Azure Storage with SFTP enabled and alos hierarchical namespace
What is an Administrative Unit in Azure Entra ID?
It is a administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources. It can contain
What resources can an Azure Entra ID Administrative Unit Contain?
- Users
- Groups
- Devices.
What is Azure Data Factory?
- Azure Data Factory is a cloud-based data integration service.
- It enables you to create data-driven workflows to orchestrate and automate data movement and transformation.
Can Azure Data Factory combine data sources from multiple sources?
Yes, this is one of its use cases.
Can Azure Data Factory be used to move on-premise data to the cloud?
Yes, ADF has many connectors that can be used with on-prem systems.
Can What is Azure Data Factory,Automate loading and processing of data into Azure Synapse Analytics
Yes, this is one of its use cases.
Collect and process data from IoT devices at scaleCan What is Azure Data Factory,
Yes, this is one of its use cases.
Incorporate machine learning models into data pipelines for predictive analyticsCan What is Azure Data Factory,Can What is Azure Data Factory,
Yes, this is one of its use cases.
Implement data quality rules and monitor data lineage
Yes, this is one of its use cases.
Incorporate machine learning models into data pipelines for predictive analytics
Yes, this is one of its use cases.
