305 Flashcards

Question

What is Azure Domain Services (Entra Domain Services)

Answer 1

B2B direct connect

Answer 2

Azure B2B (Business-to-Business) is a feature within Azure Active Directory (Azure AD) that allows organizations to securely share their applications and services with guest users from any other organization

Answer 3

An external identity in the context of Entra ID B2B direct connect is an identity thet gets invited from an external Microsoft Entra ID, and will be added to Azure Entra ID as a guest. And as they are a guest, they do not automatically have any rights to access resources, they will have to be explicitly granted access to resources.

Answer 4

Internal identity, external identity, hybrid identity

Answer 5

A hybrid identity services both on-prem and Azure Entra ID and enables the identity to be shared between on-prem and Azure of a seamless login experience.

Answer 6

An internal Azure identity is an identity thet is part of Azure Entra ID and is one of three identities: a user, a service principle, and a managed identity.

Answer 7

An external identity can be a B2B identity or B2C

Answer 8

Microsoft accounts, like Outlook, Hotmail or live

Answer 9

You can invite them using their Microsoft account, outlook, life, or Hotmail.

Answer 10

If the school already has a Microsoft account for students, they can be added as an external identity.

Answer 11

You can use B2B Email one-time password OTP. This sends the user a one-time password in their email to sue, and when they log in, they get access; the password is time-limited.

Answer 12

You can use Azure B2B direct connect to allow access by creating a cross-tenant.

Answer 13

Any email using the time-limited OTP. Entra ID, Facebook, Google, Microsoft

Answer 14

You can use B2B Connect and cross-tenant access. You add an organization by using the domain name or tenant ID. Azure search will find the tenant for you to add.

Answer 15

You will wnat another orgnization to give your organization access to resources by inviting you to access using the B2B connect using the cross-tenant setup, using your domain name or tenant ID; they will ten have to assign permissions to access resources

Answer 16

The users are of type HUEST.

Answer 17

They have no access to any resources. If RBAC has been used to allow guests access to a resource, then the newly added guests will have access to this resource.

Answer 18

You can use 'Conditional Access Policies' to require an external user to use MFA; this can be configured

Answer 19

They are the settings thet control how

Answer 20

In Azure Entra ID

Answer 21

There are several settings in the Azure Entra ID external identities under cross-tenant settings that enable you to control both incoming and outgoing access.

Answer 22

- By default, there is no restriction on which users can be invited to collaborate with external tenants. However, specific configurations can be applied later. The default setting allows all applications to be used in cross-tenant scenarios. This means your users can access apps in other tenants unless specific restrictions are configured.

Answer 23

- B2B Collaboration - External Users and Groups: All allowed: External users from other Azure Entra tenants can collaborate with your users without any restrictions. This allows external users to be invited into your tenant as guests and access resources like SharePoint, Teams, or other applications that support B2B collaboration. B2B Collaboration—Applications: All allowed: Explanation: External users from other tenants can use your organization's applications if they are given appropriate permissions. This setting enables applications within your tenant to be accessed by users from external tenants. -B2B Direct Connect - Applications: All blocked: Applications within your tenant cannot be accessed via B2B Direct Connect by users from external tenants. This blocks real-time direct connections for specific applications, enhancing security by limiting access to only internal users or specifically allowed external users. Trust Settings: N/A (Disabled): This indicates that no special trust settings are applied to external tenants by default. For instance, your tenant does not automatically trust other tenants' Multi-Factor Authentication (MFA) or compliant device settings. Any trust configurations must be set up explicitly in the organizational settings tab.

Answer 24

Azure Azure Entra ID cross-sync will enable you to add an external Azure Entra ID so they you can push

Answer 25

Use Azure Cross-Tenant Sync to enable users to be synced across tenants.

Answer 26

Azure B2B connect.

Answer 27

You can use Azure Entra ID Sync to sync the users in Kepsi into Koke. You must configure Azure Entra ID cross-tenant setting and cross-tennant sync to set this up. Cross-tenant settings for Kepsi: set koke.com and set outbound access with Trust-suppress user consent. Cross-tenant settings for Koke: set kepsi.com and set inbound access with Trust-suppress user consent, cross-tenant sync-> allowed Cross-tenant sync for Kepsi: provisioned automatic, perform mapping of attributes

Answer 28

You cna use Azure Entra ID Sync to sync the users in Kepsi into Koke.

Answer 29

No, it is every 40 minutes by default, but you can change this. But you can create a group and have users mapped as thet are created or altered.

Answer 30

When configuring Azure Entra ID cross-tenant sync, you map the attributes between tenants.

Answer 31

Ues they are availab in the browser, API, CLI.

Answer 32

Management group -> Subscriptions -> Resource groups -> Resources

Answer 33

To group resources with the same life cycle.

Answer 34

No, because resources are separate from the resource group and do not have to be in the same region as the resource group.

Answer 35

No, they are a single-flast structure

Answer 36

Azure Entra ID Conditional Access Policy

Answer 37

A management group, subscriptions, resource group, resource

Answer 38

Azure policy

Answer 39

Azure Identity Protection service that detects and mitigates identity-related risks using machine learning and threat intelligence. It helps protect user accounts by monitoring for suspicious activities and enforcing risk-based conditional access policies. The service provides automated responses, detailed security insights, and integrates with other Azure security tools.

Answer 40

No, it is a P2 feature.

Answer 41

Use conditional access policies thet are part of Azure Entra ID.

Answer 42

Use Identity protection, and sign up for a P2 subscription for Identity Protection. It has a dashboard to view risky users across the enterprise.

Answer 43

Use Identity Protection, and sign up for a P2 subscription for Identity Protection. It has a dashboard to view risky logins across the enterprise.

Answer 44

- Identify risk (Reporting) - Enforcement (Enforce on risk) (conditional access) - Investigate risk (Logs and information) - Remediate risk (automatic, administrator)

Answer 45

In the context of risk for Azure EntraID Identity Protection, it is when sign-in occurs, credential compromise,

Answer 46

Azure Entra ID Identity Protection uses machine learning to understand what is typical for a user sign-in and uses it to detect what is not regular sign-in.

Answer 47

Azure Entra ID Identity Protection leverages Microsoft's Threat Intelligence network, which continuously monitors and collects data from various sources, including the dark web. This data is used to identify compromised credentials and other security threats.

Answer 48

When Azure Entra ID Identity Protection detects compromised credentials from the dark web, it flags the affected user accounts. It can automatically trigger responses such as requiring a password change, enforcing multi-factor authentication (MFA), or blocking access until the issue is resolved.

Answer 49

No, Azure Entra ID Identity Protection does not proactively scan the dark web for specific user credentials. Instead, it relies on data collected by Microsoft's Threat Intelligence network, which includes compromised credentials found on the dark web.

Answer 50

Azure Entra ID Identity Protection uses information from the dark web to identify when user credentials have been compromised. It then applies risk-based policies to protect the affected accounts, such as requiring additional verification or blocking access to prevent unauthorized use.

Answer 51

o, this is not correct. While Azure Entra ID Identity Protection uses information from the dark web as one source of threat intelligence, it also protects users by analyzing various other risk signals, such as unusual sign-in activity, and implementing risk-based policies.

Answer 52

Microsoft's Threat Intelligence network plays a crucial role in Azure Entra ID Identity Protection. It gathers and analyzes data from numerous sources, including the dark web, to detect potential security threats and help protect user identities.

Answer 53

Yes, Azure Entra ID Identity Protection can take automated actions, such as enforcing password resets, blocking access, or requiring MFA, based on detecting compromised credentials from the dark web or other risk indicators.

Answer 54

- Anomily Detection (Sign in, user activities) (Sign-in)(real-time) - Known attack patterns - Leaked credentials (User) - Anonymous IP address - Atypical travel (Sign-in) (Offline) - Malware-linked IP address - Unfamiliar sign-in property (Sign-in) (Realtime))

Answer 55

- Real-time (Signin risk) - Offline (24hrs) (User risk)

Answer 56

Offline (24hs): Like user risk being leaked creds

Answer 57

Real-time: When the user tries to sign in, the risk is evaluated, and if action is required, like denying, it will be taken.

Answer 58

We use conditional access

Answer 59

Use Azure Entyra ID and access reviews

Answer 60

Azure Identity Protection

Answer 61

-Sign-in protection --Has creds been leaked --Is the user using anonymous IP --Impossible travel --Sign-in from an infected device --Sign-in from IP with suspicious traffic --Sign-in from an unfamiliar location -User action protection

Answer 62

You can use risk policies to block, or you can ask the user to use MFA

Answer 63

Sign-in risk policy Users risk policy

Answer 64

No, there are 24hrs

Answer 65

Block sign-in Endorce users change password MFA

Answer 66

Use conditional address.

Answer 67

I can use Azure Entra ID Identity Protection and its reporting capabilities.

Answer 68

I can use Azure Entra ID Identity Protection and its reporting capabilities.

Answer 69

Conditional access policy

Answer 70

Conditional access policy

Answer 71

Conditional access policy

Answer 72

Conditional access policy

Answer 73

Conditional access policy

Answer 74

Location Country Device Browser Risk

Answer 75

Add the countries in Azure Entra ID Conditional access and then use them in the conditional access policy.

Answer 76

Add the ip range in Azure Entra ID Conditional access and then use them in the conditional access policy.

Answer 77

Name, All Users, Group of users (Guests (as in external), Directory roles, users and groups),

Answer 78

Under the Exclude Users tab, you can select users and groups to be excluded from the policy.

Answer 79

Setup Privilege Identity management (PIM)

Answer 80

Setup Privilege Identity management (PIM)

Answer 81

Setup Privilege Identity management (PIM)

Answer 82

Access reviews

Answer 83

Access reviews

Answer 84

Access reviews

Answer 85

No change Remove access Approve access Take recommendations

Answer 86

Azure Entra ID Identity Governanence Access Reviews

Answer 87

Container instance Kubernetes Cloud apps

Answer 88

Usine DOCKERFILE

Answer 89

FROM nginx:alpine WORKDIR /usr/share/nginx/html COPY ./index.html ./

Answer 90

Using a docker file?

Answer 91

Azure image registry

Answer 92

Because it an easy way to package content for docker or kubernetes

Answer 93

Fast and straightforward to get running and easy to manage small, simple individual running container instances.

Answer 94

You would have to use Azure file share and mount a volume.

Answer 95

Yes, but you can use a container group thet will share resources if required.

Answer 96

Use a container group, and this will schedule the containers on the same host and share resources.

Answer 97

None (batch), private( private network), public(public network)

Answer 98

Quick images Axure container registry Docker Huv or other registry

Answer 99

Azure kubernetes service, it supports managed disks

Answer 100

Azure Batch Azure APP service using WebJobs

Answer 101

App service plan

Answer 102

Yes, app services provide for Windsows and Linux containers.

Answer 103

Shared: Container runs on same compute as other customers Dedicated: Runs on dedicated compute Isolated: Deployted to customers' own network

Answer 104

Scale-out Scale-up Private networking Public networking File storage Database Redis (cache)

Answer 105

Postgres MySql MsSql CosmoDB

Answer 106

You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers.

Answer 107

You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers. Slots have their configuration for each slot.

Answer 108

You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers. Slots have their configuration for each slot. App services have slots, also called staging, thet can be switched and will automatically scaled out to the required size.

Answer 109

App services enable splitting traffic between staging and production.

Answer 110

A -staging as in - is used

Answer 111

Fully managed HPC cluster and scheduling infrastructure. There is no need to schedule an installation and manage Devs can

Answer 112

Batch account

Answer 113

Account Scheduler Nodes/Node Pool

Answer 114

Azure Blob Azure Files Azure Disks Azure Auto Storage

Answer 115

Azure Batch can automatically provision blob storage containers associated with your batch account. It’s often used to manage job input/output data for batch jobs automatically.

Answer 116

Through the API, using one of the supported application types, python, node, C#, PowerShell

Answer 117

An Azure batch account

Answer 118

Use a service endpoint, service endpoint enables a private connection from a private vNET to a service, including Azure Batch

Answer 119

Application Pools Jobs Job schedules

Answer 120

Azure CycleCloud helps manage High-Performance Computing (HPC) clusters in Azure, enabling users to easily create, configure easily, and scale resources. It supports popular HPC schedulers like SLURM and PBS Pro, offering autoscaling based on workload demand. The tool simplifies cloud HPC management, integrates with Azure services like Monitor and Cost Management, and is ideal for data-heavy fields like genomics(MS Learn)(Microsoft Azure.

Answer 121

Entra ID -> Security -> Protect - > Conditional access

Answer 122

App service plan

Answer 123

App Service Environment is a single-tenant environment.

Answer 124

It is a single-tenant App Service Environment.

Answer 125

Use the Service endpoint to access all Azure Storage Accounts Use a private endpoint to access only a single account

Answer 126

Use a private service endpoint. The private service endpoint will connect to a single Azure storage account and get an IP and NIC in the vNET to access it.

Answer 127

Use Azure service endpoint; Azure service endpoint gives access to all Azure storage accounts.

Answer 128

From a vNET to a whole service like an Azure Storage account

Answer 129

No, it uses the Azure public IP, but traffic is over the Azure network.

Answer 130

Yes, the endpoint is private, and it appears to be a NIC in your vNET

Answer 131

No, it is a one-to-one relationship; you can only access a single account.

Answer 132

No, you pay per hour and GB

Answer 133

Azure Entra ID App Proxy enables me to expose any application but use Azure Entra ID to secure it.

Answer 134

Azure App Service Hybrid Connections enables you to install the software locally and create an endpoint for your app service locally on-prem.

Answer 135

Several proxies for scale and availability.

Answer 136

You can use Azure Enbtra AD App Proxy, which is installed on-prem and connects to Azure Entra ID. It can proxy the application to remote users and ensure that the users have logged in using their Azure Entra ID credentials.

Answer 137

You can use Azure Enbtra AD App Proxy, installed on-prem and connects to Azure Entra ID. It can proxy the application to remote users and provide passthrough for auth.

Answer 138

Install the agent connector on-prem for Azure Enbtra AD App Proxy; you create a group of connectors.

Answer 139

Agent connectors groups enable me to separate different apps on my on-prem network.

Answer 140

Azure container instance, this is the least resources and lowest cost and is least management, and you can configure it for PRIVATE networking using a vNET.

Answer 141

Shared dedicated Isolated

Answer 142

App Container Services

Answer 143

Consumption (Pay-As-You-Go) Flex Consumption Function premium App Service (Both Functions and Web Apps on same plan) Container App Environment

Answer 144

Consumption

Answer 145

- No, the consumption plan does not support vNETS. - But we now have a new plan called Flex Consumption thet will support events - Or you can use a premium plan

Answer 146

With both Functina and Web Apps on the same project, it may be best to use the app service plan thet enables the same plan to be used for both.

Answer 147

5min default, 10min max.

Answer 148

30min default, unlimited with configuration.

Answer 149

Yes, you will need to switch plans. The consumption plan does not support pre-warming, so you will need to use premium or flex consumption.

Answer 150

Yes, you will need to switch plans. The consumption plan does not support vNET, so you must use premium or flex consumption.

Answer 151

No, dedicated means you are on a shared host with dedicated resources not shared with any one else.

Answer 152

use a non-dedicated plan

Answer 153

Choose a Consumption Plan when you have sporadic workloads, want to pay only for actual usage, and don't need constant running of your functions.

Answer 154

The main advantage is having dedicated VM instances, which provide better performance, more features, and the ability to run functions continuously.

Answer 155

Choose an Isolated Plan when you need the highest level of security, network isolation, and dedicated infrastructure for mission-critical applications with high compliance requirements.

Answer 156

The Consumption Plan is ideal for this scenario, as it automatically scales based on demand, and you only pay for the resources you use.

Answer 157

A Dedicated (App Service) Plan would be suitable, as it provides dedicated resources and consistent performance for high-traffic applications.

Answer 158

The Isolated (App Service Environment) Plan is the best choice for strict compliance and complete isolation requirements.

Answer 159

Dedicated (App Service) Plan with a Basic or Standard tier would be suitable for a small business website with moderate, consistent traffic.

Answer 160

It's most cost-effective for applications with intermittent usage, where functions don't need to run continuously, and when you want to pay only for actual execution time.

Answer 161

Choose a Dedicated (App Service) Plan, as it allows you to run continuous WebJobs and background tasks alongside your web application on the same VM instances.

Answer 162

Non-dedicated Dedicated Isolated

Answer 163

The plan is using shared resources, best suited

Answer 164

Sporadic or unpredictable workloads Event-driven application Small-scale or low-traffic applications Development and testing Cost optimization:

Answer 165

non -dedicated

Answer 166

Consumption plan

Answer 167

Basic Standard Premium PremiumV2 PremiumV3

Answer 168

App Service Environment

Answer 169

Use Azure app service deployment slots

Answer 170

Create a single route table and associate it with each the of the subnets.

Answer 171

No, rout tables are associated with a subnet

Answer 172

Create a routing table and set the next hop to the internet

Answer 173

Create a routing table and set the next hop to the GW

Answer 174

Create a routing table and set the next hop to the IP of the appliance

Answer 175

Create a route table and associated with a subnet and set it to none.

Answer 176

Service (Using service tag) Internet IP (Appliance) Virtual network Virtual GW

Answer 177

Custom routes BGP routes System Routes

Answer 178

Routes you create in a custom route table3 and associated with a vNET subnet.

Answer 179

Routes from BGP

Answer 180

Routes generated by Azure

Answer 181

Custom routes BGP Routes System routes

Answer 182

Create a Network security security group, set it to block all traffic, and associate it with the single vNET Subnet.

Answer 183

You can not block a URL with an NSG; NSG are layer four only and block layer 4-only traffic. To

Answer 184

Azure network security groups are layer four-only firewalls

Answer 185

No, because an NSG on a subnet is the same as having it on the NIC of the VMs

Answer 186

Basic and Standard

Answer 187

Basic allows internet traffic with no NSG attached; standard blocks the IP traffic by default; you must enable it with an NSG.

Answer 188

Standard IP blocks all traffic; you must use an NSG to allow it.

Answer 189

No, NSG rules are stateful. Once a connection is made, it is tracked, and you do not have to create an outbound rule.

Answer 190

Yes, but this is changing.

Answer 191

You can use a Virtual network NAT

Answer 192

You cna add a pool of IP addresses.

Answer 193

using VPN GW with vnet perering

Answer 194

vNET peering is low cost and fast with low latency

Answer 195

vNET peering can be across subscriptions.

Answer 196

Global vNET peering can be across subscriptions and tenants

Answer 197

Global vNET peering is the ability to use vNET peering across tenants to connect vNETS, it also when you cross regions.

Answer 198

Global vNET peering can be across subscriptions and regions.

Answer 199

You can; overlapping will not work.

Answer 200

Use Private Link to set up conectivity to make available the app endpoint.

Answer 201

No, private link exposed service and proof of the exposed service.

Answer 202

With a private link, you can lock down to a single resource.

Answer 203

No, it can only be consumed using endpoints in the same region.

Answer 204

In a subnet of a vNET.

Answer 205

Use a VPN (sit-to-site)

Answer 206

No, vNET peering is not encrypted.

Answer 207

Azure VPN uses the public internet to securely connect your on-premises network to Azure through encrypted VPN tunnels. ExpressRoute, on the other hand, establishes a private connection between your on-premises infrastructure and Azure, bypassing the public internet entirely. This makes ExpressRoute more reliable, faster, and secure compared to Azure VPN.

Answer 208

You should choose Azure VPN. It's ideal for small environments where cost is a concern, and the public internet is sufficient for your connectivity needs. Azure VPN allows you to quickly establish a secure connection without the complexity and cost of a dedicated line.

Answer 209

You should select ExpressRoute. ExpressRoute offers a private, dedicated connection with high bandwidth (up to 100 Gbps), low latency, and guaranteed uptime through a Service Level Agreement (SLA), making it ideal for mission-critical applications.

Answer 210

You should select ExpressRoute. ExpressRoute offers a private, dedicated connection with high bandwidth (up to 100 Gbps), low latency, and guaranteed uptime through a Service Level Agreement (SLA), making it ideal for mission-critical applications.

Answer 211

You should use Azure VPN. Its point-to-site functionality allows secure, encrypted access for remote users over the public internet, making it perfect for distributed workforces with moderate data traffic needs.

Answer 212

You should implement ExpressRoute. Since it avoids the public internet and uses a private connection, ExpressRoute ensures that sensitive data is transmitted in compliance with strict security and regulatory requirements.

Answer 213

You should choose ExpressRoute. The high bandwidth (up to 100 Gbps) and consistent performance of a private connection make ExpressRoute the ideal choice for large-scale data migrations.

Answer 214

You should go for Azure VPN. It's a cost-effective solution for smaller, non-critical applications where high performance is not necessary, and you don’t need the guaranteed uptime or bandwidth provided by ExpressRoute.

Answer 215

Azure Service Endpoint. Service Endpoints secure PaaS resources by extending VNet identity to the service, allowing access over Azure’s backbone network. Public IP addresses can be blocked.

Answer 216

Use Azure Private Link. It provides private access to your services by mapping the service to a Private IP within the consumer’s VNet.

Answer 217

Answer: Use Azure Private Link. It supports cross-subscription connectivity via private IPs within the consumer's VNet, keeping traffic within Azure’s backbone.

Answer 218

Answer: Use Azure Service Endpoint. Service Endpoints allow cross-region connections to Azure services, extending VNet identity without exposing the service to the internet.

Answer 219

Use Azure Private Link. Private Link allows private access to your services across regions and subscriptions without traversing the public internet.

Answer 220

How should the service provider present their service to clients?

Answer 221

Use paired regions to replicate your application and data. Azure automatically replicates resources between region pairs, ensuring data durability in the event of a regional failure. Always deploy to both regions in the pair for geographic redundancy.

Answer 222

Azure Paired Regions ensure that planned updates (e.g., maintenance) only occur in one pair region at a time. This minimizes downtime and allows services in the secondary region to continue running during the maintenance window.

Answer 223

Paired regions provide higher reliability because Azure guarantees data replication and failover capabilities between them, with a direct focus on minimizing latency and ensuring recovery in the event of a disaster. This is especially critical in high availability/disaster recovery setups where business continuity is essential.

Answer 224

Azure Paired Regions are often located in the same geopolitical zone, helping organizations comply with data sovereignty regulations. Data replication across regions within the same pair ensures that data remains within the required jurisdiction for compliance purposes.

Answer 225

Azure Paired Regions are designed to minimize latency between regions while supporting cross-region failover. By deploying your services to paired areas, you can achieve low-latency replication and quick recovery, ensuring your platform remains responsive during regional disruptions.

Answer 226

Several data centers are connected via low-latency connectivity and form several availability zones; an availability zone is not a data center but a fault domain with separate power, cooling, and network.

Answer 227

It is a second region in the same geopolitical space as the primary region, ensuring data sovereignty. It is used as a failover or backup region for the primary region for some Azure services.

Answer 228

An availability zone is a fault domain that consists of a zone with separate network, cooling, and power; services use availability zones to be fault-tolerant.

Answer 229

A Zonel service is a service where you get to select the zone to be used by the service.

Answer 230

Yes, these are the core of how an availability set works. It means they if you set the fault domain to three, you have three separate fault domains thet are independent of each other

Answer 231

They ensure thet only one updated domain is updated at a time, and we will see them in an availability set.

Answer 232

Set the aligned managed disks in the availability set to make the disk in the same fault domain as the VM

Answer 233

It is a layer four balancer, which means it works on the IP and transport layer layers of the TCP stack

Answer 234

App Gateway its a layer seven load balancer

Answer 235

Internal or external?

Answer 236

This layer four load balancer has an internal IP for external traffic.

Answer 237

This is a layer four load balancer with an external IP for external traffic

Answer 238

Backend pool

Answer 239

- Nat -LBRule

Answer 240

This is where, on Azure Loadbalancer, you will map the input IP to a backend IP

Answer 241

Use health probes.

Answer 242

One (and two, read on), it can be in one backend for external and one backend for internal, but it can be in both internal and external

Answer 243

No, a Azure load balancer is a regional resource.

Answer 244

Baseic, Standard

Answer 245

2, One for internal and one for external.

Answer 246

Not only with standard,

Answer 247

Azure load balancer.

Answer 248

The Azure load balancer can use internal IP on its front end to load balance, so Azure load balancer is an option.

Answer 249

No, a public load balancer enables outbound internet access.

Answer 250

No, its layer 7 LB

Answer 251

No across regions is not supported by the Azure Application Gateway. Azure Application Gateway is a regional service; there may be other options depending on requirements: - Azure front door - Azure traffic manager - Azure global load balancer

Answer 252

It is a DNS load balancer

Answer 253

It's like a back group for a load balancer

Answer 254

Source Port Destination Port Source IP Destination IP Protocol (TCP, UDP)

Answer 255

No, it is a layer four load balancer and only supports TCP and UDP.

Answer 256

No, you can not ping the Azure Load Balancer because it's a layer four load balancer that only supports TCP and UDP for ping and not ICMP(Layer 3).

Answer 257

Azure Load Balancer Rule

Answer 258

To meet the requirements, use an Azure regional and layer four load balancer and add three front-end IPs. The regional load balancer is only in a single region. When creating the load balancer, you can select to use no-zone, zone-redundant, or zonal to meet requirement 4.

Answer 259

To meet the requirements, use an Azure regional and layer four load balancer and, at configuration time, select to use IPv6 front-end IP.

Answer 260

Use a load-balancing rule.

Answer 261

You have the options to use: - None - Client IP (Use just the hash of the client IP to select the backend) - Client IP and Protocol (Use the hash of the client IP and protocol used to select the backend)

Answer 262

Yes, 100%. You can assign Devices to the group, which can be assigned to Roiles for both Azure Entra ID and Azure Resources.

Answer 263

Yes, 100%.

Answer 264

Yes, 100%.

Answer 265

To apply the same RBAC controls and Cost management to all three subscriptions, you would use Azure Management Groups, place all three Azure Subscriptions under a management group node, and apply Budget and RBAC controls to the node.

Answer 266

1. RBAC (Access control) 2. Cost Budgets 3. Cost analysis 4. Policies (Complience and governanence)

Answer 267

1. Azure database instance 2. Azure Elastic Pools 3. SQL running on VM

Answer 268

1. Managed database service 2. Dedicated environment 3. SQL Server, PostgreSQL, MySQL, or MariaDB. 4. Patching 5. Backups 6. Scaling while offering high availability 7. Security features 8. Single databases or elastic pools 9. Automated backups 10. Monitoring, and 11. performance tuning

Answer 269

Azure SQL Database with Elastic Pools: Using Azure SQL Database with Elastic Pools enables several databases to share a single pool of resources, such as CPU, Memory, and Storage.

Answer 270

You can not share an elastic pool with more than a single server. An elastic pool is only allocated to a single Azure SQL Database Server.

Answer 271

1. Central Management Point: Centralized management for all databases in the pool (configurations, settings). 2. Authentication and Security: Handles user authentication, access control, firewall settings, and security policies. 3. Resource Allocation: Governs the allocation of compute (vCores or DTUs), memory, and storage across databases in the pool. 4. Billing: Associated with the cost of the elastic pool and provides a single billing entity. 5. Backup and Disaster Recovery: Manages backups, point-in-time restore, and geo-replication across databases in the pool. 6. Endpoint Management: Provides a single connection string/endpoint for accessing all databases in the elastic pool.

Answer 272

1. Use Azure SQL Database service with elastic pools. 2. Use Azure Managed Identities to authenticate for the databases without using passwords and username 3. Use Azure Service endpoint to access the databases without using the internet

Answer 273

1. Use Azure SQL Instance, which gives you a single database instance with no shared resources. 2. Azure Sql Instance is a fully managed instance, so you do not have to manage the resources 3. All resources are dedicated and not shared.

Answer 274

1. Use Azure SQL Instance, which gives you a single database instance thet can be deployed into a vNET 2. Azure Sql Instance is a fully managed instance, so you do not have to manage the resources

Answer 275

As this is a new development, we can ensure compatibility with the SQL app code. We should select Azure SQL Database, which offers complete automated management and shared elastic pools.

Answer 276

SQL running on Azure VM, as it gives the best compatibility for the bespoke services and modifications to the OS and SQL layers.

Answer 277

You can use Azure SQL on a VM or Azure SQL Managed Instance; select Azure Managed Instance as it is managed and has less input.

Answer 278

SQL FILESTREAM is a feature in Microsoft SQL Server that allows you to store and manage unstructured data, such as documents, images, and videos, directly in the file system while still maintaining transactional consistency through SQL Server. It provides an efficient way to store large binary objects (BLOBs) like files that need access or manipulation in combination with relational data.

Answer 279

Because DCT has been used, this is a Windows component, and we will need to use SQL on a VM as DCT is not supported in Azure Managed Instance or Azure SQL Database.

Answer 280

DCT is the distributed transaction coordinator, which can be used with SQL to perform operations like distributed commit and rollback.

Answer 281

Use Azure Site Recovery because the SQL runs on a virtual machine, and ASR can move the whole VM to Azure.

Answer 282

Use Azure Site Recovery because the SQL runs on a virtual machine, and ASR can move the whole VM to Azure.

Answer 283

1. It's a test VM, thet no one cares about the data, so the disk should be an LRS type managed disk.

Answer 284

1. 3 copies of the data 2. Srtored in a single datacenter of Zone 3. 99.9 4. Lowest cost of the tiers

Answer 285

1. 3 copies of the data 2. Srtored in separate zones 3. 99.99 4. Second lowest cost of the tiers

Answer 286

1. 3 copies of the data + one in the secondary region 2. Srtored in separate zones + one in secondary region 3. 99.99 4. Second lowest cost of the tiers

Answer 287

1. Snapshots 2. RBAC 3. Availability zones 4. Images 5. Availability sets (When virtual managed disks are used with availability sets, you can configure the availability set to ensure the virtual disks are aligned.

Answer 288

The provisioned capacity is what you pay for.

Answer 289

Use Premium SSD with a P30 (1024 GiB) or higher. Premium SSDs offer low latency and high IOPS for mission-critical workloads.

Answer 290

1. Ultra Disks 2. Premium SSD v2 3. Premium SSDs (solid-state drives) 4. Standard SSDs 5. Standard HDDs (hard disk drives)

Answer 291

Performance: Ultra Disks provide the highest performance and lowest latency among all Azure-managed disk types. You can configure performance (IOPS and throughput) independently from the disk size. 1. OPS: Up to 160,000 IOPS per disk. 2. Throughput: Up to 4,000 MBps per disk. 3. Latency: As low as sub-millisecond latency. 4. Use Case: Ideal for mission-critical workloads such as high-performance databases (e.g., SQL Server, Oracle), large-scale transaction systems, SAP HANA, and NoSQL databases. 5. Scaling: Ultra Disks allow dynamic scaling of performance without downtime.

Answer 292

Ulta Disk because of its high IOPS, Throughput, and latency

Answer 293

Premium SSDs (Solid-State Drives) Performance: Premium SSDs provide high performance with consistent low latency, ideal for applications requiring fast data access. IOPS: Up to 20,000 IOPS. Throughput: Up to 900 MBps. Latency: Typically 1-2 milliseconds. Use Case: Common for production workloads such as databases, OLTP applications, and data-intensive applications needing higher IOPS and low latency. Cost: Less expensive than Ultra Disks but still premium.

Answer 294

Performance: Standard SSDs are a more cost-effective alternative to Premium SSDs, with better performance and lower latency compared to Standard HDDs. IOPS: Up to 6,000 IOPS. Throughput: Up to 750 MBps. Latency: Typically 4-10 milliseconds. Use Case: Suitable for web servers, small databases, and development/test environments where cost is a concern but moderate performance is still required.

Answer 295

Performance: Standard HDDs provide the least performance but are the most cost-effective option. They use magnetic spinning disks. IOPS: Up to 2,000 IOPS. Throughput: Up to 500 MBps. Latency: Typically 10 milliseconds or higher. Use Case: Best for backup storage, archival, cold storage, or workloads with infrequent access to data. Also suitable for development and low-priority workloads that are not performance-sensitive.

Answer 296

1. Ultra Disks: Maximum performance for critical, low-latency apps. 2. Premium SSD v2: Balanced high-performance at a flexible cost. 3. Premium SSDs: Reliable performance for high-transaction applications. 4. Standard SSDs: Cost-efficient with moderate performance for typical workloads. 5. Standard HDDs: Low-cost storage for backups and less frequent use.

Answer 297

Standard HDD Disks. They are the most cost-effective option for scenarios where data is accessed infrequently, such as backup storage or disaster recovery.

Answer 298

Answer: Standard HDD Disks. They are the most economical option, ideal for low-performance needs such as development, testing, and prototypes where minimizing costs is more important than disk speed.

Answer 299

Answer: Standard HDD Disks. These are well-suited for cold storage, where data is infrequently accessed but needs to be kept for a long duration, and keeping costs low is a priority.

Answer 300

Answer: Ultra Disks. They provide the highest performance with ultra-low latency and are ideal for mission-critical databases that demand maximum throughput and minimal latency.

Answer 301

Answer: Ultra Disks. These are ideal for real-time analytics scenarios requiring high IOPS and low-latency storage to ensure fast data ingestion and processing.

Answer 302

1. Higher maximum throughput and IOPS compared to Premium SSD. IOPS: Supports up to 80,000 IOPS. 2. Throughput: Can provide up to 1,200 MB/s. 3. Allows more granular control over performance settings, offering greater flexibility in scaling disk performance. 4. Pricing is more flexible, as you can scale IOPS and throughput independently of capacity. This means you can pay only for the performance you need, potentially saving costs. 5. Charges are typically based on the disk capacity, IOPS, and throughput.

Answer 303

Answer: Premium SSD. Premium SSDs offer low latency and high throughput, making them ideal for mission-critical production applications with high transaction rates and low-latency requirements, such as databases.

Answer 304

Answer: Premium SSD v2. Premium SSD v2 offers flexible performance with scalable IOPS and throughput, allowing for dynamic adjustment to handle workload spikes efficiently without sacrificing performance during normal operations.

Answer 305

Answer: Premium SSD. Premium SSDs are designed for production workloads that require high IOPS and throughput, making them ideal for OLTP systems and other performance-sensitive applications.

Answer 306

1. For extreme performance 2. Mission-critical databases (e.g., SQL Server, Oracle, high-end NoSQL databases). 4. High-performance, latency-sensitive applications such as financial systems. 5. Workloads requiring predictable, high throughput (e.g., large-scale OLTP).

Answer 307

high throughput and low latency,

Answer 308

Answer: Premium SSD is the best option for this scenario. Premium SSDs provide high performance with up to 20,000 IOPS and 900 MBps of throughput, making them ideal for mission-critical applications requiring high transaction throughput and low latency.

Answer 309

Ultra Disk (1 - 160,999 IOPS) Extreme performance. Premium Disk v2 (1 - 80,000 IOPS) Enterprise performance. Premium Disk (1 - 20,000 IOPS) CRM. Standard SSD Disk (1 - 6000 IOPS) Test/Dev . Standard HDD Disk (1 - 2000 IOPS) Archive, backup.

Answer 310

Disks range from P1 - P40 and range from 120 - 2,048 GB and 120 - 7500 IOPS, and so does the throughput 25 - 250Mb/sec

Answer 311

Standard HDD

Answer 312

Yes, because Standard HDD is lower preformance.

Answer 313

Standard HDD

Answer 314

10ms write, 20ms Read

Answer 315

Single digit ms

Answer 316

Premium Disk.

Answer 317

It will inherit DDOS protection from the vNET

Answer 318

Option A: You cna create the VM in an availability set across three zones and have the virtual disks as zone redundant; you can restart the VM if a zone fault occurs or use an automated script. Option B: You can use site-to-site recovery and failover between zones.

Answer 319

Yes, Azure Firewall allows inspection of layer seven traffic and can block it.

Answer 320

No, it's currently not supported.

Answer 321

You can configure it on a VM and have the VM disks replicated to another zone or region.

Answer 322

Use Azure Site Recovery (ASR) to configure regional failover, replicating the VM from East US to another region, such as West US. This ensures business continuity during regional outages.

Answer 323

Use Azure Site Recovery with VMware as the source to replicate your on-premises VMs to Azure. ASR provides automated failover and failback between on-premises VMware VMs and Azure.

Answer 324

Use Azure Site Recovery to replicate Hyper-V VMs from your on-premises environment to Azure, enabling disaster recovery for Hyper-V workloads with seamless failover and failback.

Answer 325

Ensure application consistency by using Application Consistent Snapshots in Azure Site Recovery. This ensures that data is consistent across application tiers during the failover process.

Answer 326

Use Azure Ultra Disk or Premium SSD with ZRS (Zone-Redundant Storage) replication. This ensures that the disks are replicated across multiple zones within the same region, providing high durability and availability for critical workloads.

Answer 327

Use Standard HDD and configure Azure Site Recovery for less critical VMs, setting up asynchronous replication to another region with longer recovery point objectives (RPO) to reduce costs.

Answer 328

Use Azure Site Recovery's Test Failover feature to simulate a failover scenario without impacting your production environment. This creates a temporary failover to a different network for testing purposes.

Answer 329

Use Recovery Plans in Azure Site Recovery to orchestrate the failover of multiple VMs, configure dependencies, and define the recovery sequence for services across VMs and applications.

Answer 330

Use Zone-Redundant Storage (ZRS) for the VM's managed disks. This ensures that data is replicated across multiple zones within the same region, providing protection against zone-level failures.

Answer 331

It installs an agent and replicates data from one VM to another. This could be from one of the supported vm environments like hyper-v or VMware to Azure.

Answer 332

Global service

Answer 333

Global service

Answer 334

Global service

Answer 335

Recovery Time Objective: The amount it takes to recover the solution.

Answer 336

Recovery Point Objective: RPO is the amount of data one could lose in a replication situation.

Answer 337

Yes, you can have parent child policies, like a global policy and then children policies for each region.

Answer 338

Azure Firewall supports IDS

Answer 339

Azure Firewall supports TLS inspections

Answer 340

Azure Firewall supports Threat intelligence

Answer 341

Azure Firewall supports integration with the Azure WAN Hub.

Answer 342

Use the parent (Global policies)

Answer 343

Front door, as it uses direct access

Answer 344

Traffic Manager

Answer 345

You need to enable multi-site or path-based routing.

Answer 346

DNS queries redirect

Answer 347

It's used in layer seven when you route based on the URL path.

Answer 348

It is a layer seven LB and provides path based routing

Answer 349

No, multiple instances

Answer 350

C. A zonal service is a service that can be deployed to a specific availability zone (AZ) within a given region.

Answer 351

A. When using Traffic Manager, client traffic is proxied through Microsoft's edge network.

Answer 352

D. WAFs protect against common web application vulnerabilities and exploits, such as SQL injection, cross-site scripting, and more. WAF can be deployed with Application Gateways, Azure Front Door, or even Azure CDN.

Answer 353

1. Azure Service Bus 2. Azure Storage Queues 3. Azurre Event Hub 4. Azure Event Grid 5. Azure Relay 6. Azurre SignalR 7. Azure Notification Hub

Answer 354

Azure Notification Hub is a good choice; it sends messages using the broadcast feature of Android, iOS, and Desktop apps.

Answer 355

In this scenario, Azure Queue Storage would be the best choice for the following reasons: Asynchronous Processing: Since the backend tasks (inventory management, payment processing, shipping preparation) don't need to happen in real-time and can be processed asynchronously, Azure Queue Storage is ideal. It allows for tasks to be queued and processed at a later time by backend services without blocking the customer’s checkout experience. Decoupling Services: Azure Queue Storage helps decouple your e-commerce application from backend systems. This way, the main application doesn’t wait for the backend tasks to complete, allowing it to handle customer orders more efficiently. No Complex Workflow or Ordering Requirements: There is no specific requirement for task ordering or advanced workflow capabilities in this scenario, which makes the simplicity of Azure Queue Storage a good fit compared to more complex services like Azure Service Bus. Scalability and Cost-Effectiveness: Azure Queue Storage is highly scalable and cost-effective, especially for simple scenarios where tasks just need to be queued and processed later. It supports large volumes of messages at a low cost, which is suitable for handling the potentially high number of orders in an e-commerce platform. Simplicity: Since there are no complex messaging patterns like pub/sub or guaranteed message ordering, Azure Queue Storage’s simplicity makes it easier to implement and manage for this type of application. Would you like further clarification or more detailed information on how to implement this solution?

Answer 356

In this scenario, Azure Event Grid is the ideal choice for the following reasons: 1. Event-Driven Architecture: Azure Event Grid is designed for event-driven architectures where events need to trigger responses in multiple services. In this case, events from the IoT sensors (such as location updates, engine status, or fuel levels) need to notify multiple subscribers (real-time dashboard, notification service, analytics service). Event Grid allows each component to subscribe to specific types of events without being tightly coupled to the event producers (the IoT devices), creating a scalable and flexible event-driven system. 2. Fan-out to Multiple Services: In this scenario, multiple systems need to react to the same event (location updates, engine status). Azure Event Grid supports the fan-out pattern, which allows a single event (e.g., truck location update) to trigger actions across multiple systems, such as: Updating the real-time dashboard. Sending notifications through the notification service if a critical event is detected. Storing the event in the analytics service for further processing and optimization. This ability to broadcast an event to many services simultaneously makes Event Grid a perfect fit. 3. Real-Time Event Handling: Azure Event Grid is designed to handle real-time event distribution with low latency, ensuring that the dashboard, notification service, and analytics receive and process events almost instantaneously. This is critical for a logistics system where real-time tracking and monitoring are essential for operational efficiency and quick decision-making. 4. Dynamic Event Subscription: Different components of the system may be interested in different events (e.g., the real-time dashboard may only care about location updates, while the notification service is interested in critical events like maintenance alerts). Azure Event Grid allows for dynamic filtering and routing of events based on event types, ensuring that each service only processes the events that matter to it. This flexibility simplifies the architecture and reduces unnecessary event handling by unrelated services. 5. Scalability: Azure Event Grid is highly scalable and can handle millions of events per second, making it ideal for this scenario where thousands of trucks with IoT sensors generate a high volume of events. As the number of trucks grows, the system can scale automatically without any significant changes to the architecture. 6. Serverless Integration: Event Grid integrates seamlessly with other Azure services such as Azure Functions, Logic Apps, and Azure Stream Analytics, enabling the company to build serverless workflows and analytics pipelines. For example: Azure Functions can be triggered by events from Event Grid to handle real-time notifications or data transformation. Logic Apps can be used to automate workflows based on events. Why Not Use Other Services? Azure Queue Storage: This service is better suited for simple message queuing and asynchronous task processing but does not support event fan-out or real-time event handling. It also requires polling to retrieve messages, which adds unnecessary complexity to a real-time system. Azure Service Bus: While Service Bus supports more complex messaging workflows and guarantees message delivery, it is more suited for scenarios where messages must be processed in a specific order or transactionally. It’s not ideal for high-volume, real-time event broadcasting as required in this scenario. Azure Event Hubs: Event Hubs is primarily designed for ingesting large streams of telemetry or log data but does not provide the event routing and subscription capabilities of Event Grid. Event Hubs would be better for scenarios focused purely on high-throughput data ingestion and processing, rather than multi-subscriber event handling.

Answer 357

Use Azure Event Grid to subscribe to Blob Storage events and route them to the appropriate services. Event Grid enables event-driven architecture with high scalability, ensuring that multiple services can respond to events without polling.

Answer 358

Azure Event Grid is the ideal Azure service to help you decouple these services and provide reliable event routing. **Azure Event Grid** is designed for event-based architectures and supports a highly scalable, serverless event routing mechanism. It enables you to connect and decouple your microservices by: - Allowing each function to subscribe to events (like when a new order is placed). - Routing events to all relevant services in a reliable and scalable manner. - Ensuring services can respond to the events without being tightly coupled to the event source, which enhances flexibility and maintainability. In your use case, **Azure Event Grid** would publish the event (new order) and route it to all subscribed Azure Functions, ensuring that each service is notified and can process the event independently.

Answer 359

Use Azure Event Grid to monitor Azure Resource Manager (ARM) events, such as the creation of a new subscription. Event Grid triggers workflows in response to these events, allowing for automated provisioning and resource management.

Answer 360

1. Azure Event Hubs is a native data-streaming service 2. Can stream millions of events per second, with low latency 3. From any source to any destination 4. Compatible with Apache Kafka, no need to change any code.

Answer 361

1. Data producers 2. Azure Event Hubs EndPoint (HTTPs API, AMQP, Kafka) 3. Namespace 4. Shards 4, Consumers

Answer 362

Register the application with Azure Entra ID and have the application use OAUTH to have the user login

Answer 363

OAuth (Open Authorization) is a standard for granting access to resources without sharing credentials. In Azure Entra ID, it allows apps to access resources on behalf of users through access tokens, while protecting user credentials.

Answer 364

Delegated permissions allow an application to act on behalf of a signed-in user. The app uses the user's credentials and accesses resources with the permissions granted to the user, subject to the consent of the user or an administrator.

Answer 365

In Azure Entra ID, when an application requests delegated permissions, the user or admin must provide consent, allowing the app to access resources on their behalf. The user is presented with a consent prompt outlining what data the app will access.

Answer 366

The two main OAuth token types are Access Tokens, which are used to access APIs or resources, and Refresh Tokens, which allow the app to obtain a new access token without requiring the user to log in again.

Answer 367

OAuth with delegated permissions is typically used when an application needs to access APIs or resources on behalf of a user, such as accessing their mail, calendar, or files in Microsoft Graph, while respecting the user's consent and security settings.

Answer 368

Answer: The developer should use the Authorization Code flow with Delegated permissions. Delegated permissions allow the app to act on behalf of the user after they sign in. Explanation: The Authorization Code flow is the standard OAuth 2.0 flow for apps that need access to resources on behalf of a user. Delegated permissions are used when the app requires access to user-specific resources while the user is actively involved.

Answer 369

Answer: The app should use the Client Credentials flow with Application permissions, as it doesn’t rely on user interaction and acts independently. Explanation: The Client Credentials flow is ideal for server-to-server communication where no user is involved. Application permissions allow the app to act as itself, not on behalf of a user, making it suitable for background services.

Answer 370

Answer: The app should request Delegated permissions through OAuth. The user's consent will determine the access, and the app will only have permissions as long as the user grants them. Explanation: Delegated permissions are used when the user is actively involved in granting access, ensuring that the app only accesses resources within the user’s consent scope.

Answer 371

Answer: The platform should implement the Authorization Code flow with Delegated permissions. Access is granted only while the user is actively using the app. Explanation: The Authorization Code flow is ideal when an app acts on behalf of a user. Delegated permissions ensure that access is limited to the user’s consent and is active only when the user is involved in the app.

Answer 372

Answer: The admin should grant Application permissions. This allows the tool to act independently of any user context and access data for all users across the organization. Explanation: Application permissions are used when apps need wide-reaching access to data that is not user-specific. This allows the app to operate autonomously without requiring user consent for each access.

Answer 373

They are used when an your application accesses API and form part of the permissions thet need to be granted on behalf of the user.

Answer 374

Delegated permissions are when a user consents to the requested permissions required by the application as part of the OAutrth process. Application permissions are applied to the application

Answer 375

These are permissions given by an admin to the application to call the API

Answer 376

Securely store and manage sensitive information like secrets, encryption keys, and certificates.

Answer 377

Azure Key Vault stores API keys, passwords, connection strings, and other sensitive information.

Answer 378

Secrets: Store sensitive information like passwords and API keys. Keys: Store encryption keys used for cryptographic operations like encryption and decryption. Certificates: Manage SSL/TLS certificates used for secure communications.

Answer 379

Azure Key Vault supports software-protected keys and hardware security module (HSM)-protected keys.

Answer 380

Azure Key Vault integrates with Azure AD to authenticate users and applications using role-based access control (RBAC) to manage permissions.

Answer 381

Azure Key Vault encrypts stored data using keys that can be either software-protected or HSM-protected, ensuring compliance with security standards.

Answer 382

Azure Key Vault is used in cloud applications to securely store sensitive configuration data, such as connection strings, API keys, and credentials, keeping them out of source code.

Answer 383

Azure Key Vault provides activity logs for all operations, helping organizations meet compliance requirements and perform security audits.

Answer 384

Azure-managed identities allow applications to authenticate to Azure Key Vault without storing credentials, improving security.

Answer 385

A: HSM-backed keys provide a higher level of security, ensuring that encryption keys are stored in hardware, which meets strict compliance requirements for some industries.

Answer 386

Azure Key Vault can store and manage SSL/TLS certificates, automatically renewing them and ensuring secure communication for applications and services.

Answer 387

The Secrets Client Library provides a programmatic interface for accessing, storing, and managing secrets in Azure Key Vault from applications.

Answer 388

You would use Azure Key Vault to securely store and retrieve API keys, database connection strings, or other sensitive data needed by cloud applications.

Answer 389

Integrating Azure Key Vault with Azure DevOps enables secure storage and access to secrets during the CI/CD pipeline without hardcoding sensitive data into build scripts.

Answer 390

By centralizing secret storage and using RBAC and Azure AD for authentication, Azure Key Vault reduces the risk of application secret exposure by avoiding hardcoded secrets.

Answer 391

Secrets key Certs

Answer 392

It is how keys are encrypted and stored in memory and on disk rather than an HSM.

Answer 393

Azure Key Vault offers two tiers with different levels of FIPS (Federal Information Processing Standards) compliance: - Standard Tier: This tier provides software-protected keys and is compliant with FIPS 140-2 Level 1. - Premium Tier: This tier offers hardware security module (HSM)-protected keys, achieving FIPS 140-2 Level 3 compliance. Therefore, the software-protected storage in Azure Key Vault's Standard Tier is FIPS 140-2 Level 1 compliant.

Answer 394

No, only software-protected storage.

Answer 395

Premium plan, as it used HSM and is FIPS compliant.

Answer 396

Certificate Storage: Azure Key Vault can securely store SSL/TLS certificates, along with their private keys, ensuring that they are protected and easily accessible when needed. Lifecycle Management: Azure Key Vault simplifies managing the entire lifecycle of a certificate, including creation, renewal, and expiration notifications. You can automate much of this process to reduce the manual effort required for managing certificates. Issuance and Renewal: Key Vault integrates with trusted certificate authorities (CAs) such as DigiCert, GlobalSign, or your own custom CA, enabling the issuance and renewal of certificates directly within Key Vault. Access Control: Role-based access control (RBAC) is applied to manage who can read, create, delete, or update certificates, ensuring only authorized users or applications can access the certificates. Policy Enforcement: You can define policies for certificate management, such as renewal periods and notifications before expiration. Key Vault will follow these policies and can send alerts before a certificate expires.

Answer 397

Azure Key Vault has RBAC on the data plane.

Answer 398

Yes, 100% it is a regional service.

Answer 399

No, the critical vault has the option to retail deleted items for a period.

Answer 400

Vault access policy Azure RBAC

Answer 401

Vault access policies enforce access at the vault level, compared to Azure RBAC, which has tighter control and can lock things to individual keys, certs or passwords

Answer 402

User-assigned and System-assigned

Answer 403

Managed identities are assigned to Azure resources, and the platform manages authentication.

Answer 404

This is where the SQL client encrypts the data, and it's encrypted for transit and also at rest.

Answer 405

Azure SQL Database uses the latest SQL engine, and since you can tailor your code to the database's requirements, this is your best option.

Answer 406

For the standard tier, the datbase is deployed in a single data center (AZ) in a given region; availability is achieved through local redundancy within the same data center. It does not span availability zones.

Answer 407

Select to use ge-redundancy backup storage

Answer 408

Azure Blob Storage Azure File Storage Azure Tables and Queues

Answer 409

1. Local Redundant storage (LRS) 2. Zone Redundant Storage (ZRS) 3. Global Redundant Storage (GRS) 4. Geo Zone Redundant Storage (GZRS)

Answer 410

LRS with Blob storage.

Answer 411

GZRS storage is Geo Zone Redundant Storage, offering both zone redundant and geo-replicated storage.

Answer 412

Block Blob Storage

Answer 413

Azure Page

Answer 414

Append Blob

Answer 415

Block Blob (Suited for large files such as media)

Answer 416

For uploading large files, block blob allows uploading chunks of data.

Answer 417

Azure Append Storage is great for logging operations, allowing data to be appended to the end of the blob.

Answer 418

Blob Block (Uploading large files) Blob Append (Good for logs) Blob Page (Good for frequent updates)

Answer 419

1. Built on top of Azure Blob Storage. 2. Designed for big data analytics and hierarchical data management. 3. Hierarchical namespace: Allows directories and file structures similar to a file system, making file organization and data analytics more efficient. 4. Optimized for Hadoop Distributed File System (HDFS): Seamless integration with analytics frameworks like Hadoop, Spark, and Azure Synapse Analytics. 5. Performance: Lower-cost operations for file-based workloads and higher throughput for batch processing or massive file ingestion.

Answer 420

A minimum of three copies of data is stored within a single data center (Zone)

Answer 421

In Azure, DNS is used as follows: 1. Blob service name is account name + the Microsoft domain HTTPS://myacc/blob.core.qwindows.net 2. Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.blob.core.qwindows.net 3. Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting/blob.core.qwindows.net And you also get secondary endpoints. And for file 1. Blob service name is account name + the Microsoft domain HTTPS://myacc/file.core.qwindows.net 2. Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.file.core.qwindows.net 3. Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.file.core.qwindows.net and for table And for table 1. Blob service name is account name + the Microsoft domain HTTPS://myacc/table.core.qwindows.net 2. Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.table.core.qwindows.net 3. Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.table.core.qwindows.net , and for table And for queue 1. Blob service name is account name + the Microsoft domain HTTPS://myacc/queue.core.qwindows.net 2. Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.queue.core.qwindows.net 3. Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.queue.core.qwindows.net , and for table

Answer 422

Blob Table Queue File

Answer 423

Synchronous (within a region) (stream layer) Async (To another region) (partition layer)

Answer 424

Three copies are created in the secondary regions.

Answer 425

It is regional, but it will depend on the configuration if it is LRS or ZRS. You can also have GRS make an async copy of the data to another region, where three copies will be created.

Answer 426

1. Premium storage 2. Limited to Page Blob, File Share, Page Blob.

Answer 427

1, Azure Blob 2. Azure File 3. Azure Page

Answer 428

The durability is : 11x9 for LRS 12 x 9 for ZRS 16 x 9 for GRS

Answer 429

It is four nines

Answer 430

Three copies of the data in a single availability zone in a region

Answer 431

In three separate availability zones in a single region

Answer 432

Three copies in a single availability zone in a single region + three copies in a separate zone.

Answer 433

In three separate availability zones in a single region + In three in single availability zones in a secondary region

Answer 434

The replication is at the Storage account level. Meaning Blob, Table and Queues are all replicated. But you can also replicate Blob Block Objects individually

Answer 435

GRS for Azure Files replicates the entire storage account's file shares

Answer 436

Using Azure Storage Block Blob Replication Policies (container and prefixes)

Answer 437

1. Data plan. 2. Management plane.

Answer 438

1. Two account keys 2. Azure Entra ID 3. Shared Access Signature (SAS)

Answer 439

1. Hot (Access data often) (More to store, less to access) 2. Cold (Store data and access infrequent) (less to store and more to access) 3. Archive (archive data and do not access it seldom) (a lot less to store and expensive to access)

Answer 440

No, it is the cost of the storage

Answer 441

Performance is based on storage size; more storage capacity, more performance.

Answer 442

Yes, you are paying intr region transfer per GB of data.

Answer 443

Azure Table storage is a NoSQL datastore that allows you to store large amounts of structured, non-relational data, which can be accessed quickly and affordably using key/attribute pairs.

Answer 444

Yes, but no-relation.

Answer 445

Azure Table Storage is typically used for scenarios requiring: 1. Highly scalable. 2. Structured data storage. 3. Such as logging dat. 4. User information storage. 5. Applications needing fast access.

Answer 446

Entity is made up of: 1. Partation Key : value (you supply the value) 2. Row key: value (you supply the value) 3: and any numbers of properties thet are key and value and you provide both key and value

Answer 447

Data is organized into tables Each table contains entities. Entities comprise key/value, pairs (properties) with a primary key, consisting of a PartitionKey and a RowKey to ensure uniqueness.

Answer 448

The two key properties are PartitionKey and RowKey. Together, these properties uniquely identify an entity within a table.

Answer 449

Azure Table storage uses geo-redundant storage (GRS) to replicate data to a secondary region, ensuring availability in case of a regional failure.

Answer 450

Data in Azure Table storage can be queried using OData (Open Data Protocol) with LINQ or REST API calls, filtering on PartitionKey and RowKey for efficient lookups.

Answer 451

Azure Table storage provides strong consistency within a partition but only eventual consistency across partitions. This means updates within a partition are immediately visible, but updates across partitions may take time to propagate.

Answer 452

The maximum size of a single entity (row) in Azure Table storage is 1 MB.

Answer 453

Azure Table storage supports batch transactions, but only within the same partition (same PartitionKey). This allows multiple operations to be executed atomically.

Answer 454

Azure Table storage offers the following replication options: Locally Redundant Storage (LRS), Zone-Redundant Storage (ZRS), Geo-Redundant Storage (GRS), and Read-Access Geo-Redundant Storage (RA-GRS).

Answer 455

Hierarchical Namespace

Answer 456

Azure Storage with SFTP enabled and alos hierarchical namespace

Answer 457

It is a administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources. It can contain

Answer 458

1. Users 2. Groups 3. Devices.

Answer 459

1. Azure Data Factory is a cloud-based data integration service. 2. It enables you to create data-driven workflows to orchestrate and automate data movement and transformation.

Answer 460