General Flashcards
Cmdlet for provisioning new virtual machine
Via Powershell New-AzVM (NOT create-AzVM)
Via Azure CLI az vm create
Configuring linux machines at first boot after provisioning (f.i. installing packages, writing files, injecting certificates)
Use cloud-init. This only works on Linux VMs, and requires that the VM is created via the Azure CLI with az vm create. Use the --custom-data parameter to provide the cloud-init config file.
Powershell modules
For Powershell use AZ module: Azure Powershell, a collection of powershell modules. The AzureRM module is deprecated.
For other shells use Azure CLI.
Azure Cloud Shell is a hosted Azure shell environment on an Ubuntu container, offering both Azure CLI over bash or Azure Powershell.
Organization of resources
A management group contains subscriptions or other management groups; a subscription contains resource groups. Subs and management groups must trust the same AD tenant.
Each tenant has a root management group; other groups may be nested below it, up to six levels between root and subscription level. At each level, groups can contain subscriptions.
By default no-one has permissions on the root management group, but global administrators can elevate themselves to User Access Administrator on the root mg and then assign permissions to anyone on everything.
Policy assignments and role assignments cascade down. Allowed resource type policy has the implied effect of denying all non-named resources.
Tags can be assigned to resources, but do not inherit inside resource groups or subscriptions.
Resource groups have an associated location, but can contain resources from all locations. Their location only determines where the rg metadata is stored. Moving a resource to a different rg does not change its location.
Conditional access
Azure AD policies applied after first-factor authentication. Signals are used as input, which can include user/group, device, IP/location, which application is being accessed, device/platform. Based on the signals, rules can be defined that apply either:
- grant controls: block access, or require specific options, such as: MFA, device being marked as compliant or joined, authentication strength, password change.
- session controls: enable limited session functionality in the accessed application.
Enabling MFA on Azure AD.
Use MFA configuration page to enable per user.
Basic MFA through security defaults, which enable several policies, such as: MFA for all users and administrators, all users must register for MFA, block legacy authentication, MFA for privileged operations. Included in the free tier.
For more granular controls, use conditional access, which requires a paid Azure AD license.
Upload on-premise vhd to Azure storage account
Add-AzVhd cmdlet
Static IP VM
Set-AzureStaticVNetIP is for legacy
Set-AzNetworkInterface is new
VM availability?
Availability set: logical grouping: allocated so they don’t share same fault domains, within one datacenter. Less latency than availability zones. No extra cost. Configure with platformFaultDomainCount to 1, 2, or 3 (default of 3 if not specified), to choose how many different fault domains, depends on region. Configure with platformUpdateDomainCount up to 20 (default 5), to choose how many update domains. If 1 fault domain, then only one update domain allowed.
To resize when a change of physical hardware is required, first stop all VMs in the set.
Availability zones: three per region in supported regions, separate datacenters. No extra cost.
Network security groups
Layer 4 filtering rules going from 5-tuple to allow/deny. Assigned at the NIC or subnet level.
If multiple nsgs apply, they are processed in order. Both must allow!
Service tags
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
Azure Backup Instant Restore
Snapshot of VM files, retained locally for several days (default 2, configurable). Recovery to any existing VM in the same subscription at file level.
Means less downtime during a restore because no WAN traffic.
Collect and analyze performance metrics and logs in Azure
Azure Monitor, which builds on top of Azure Log Analytics, the platform service that gathers log and metrics data from all your resources. The basic building block is a workspace, which lives in one region.
Azure Monitor is the tool to get the data from the Azure resources, and Log Analytics is the tool to query that data if you want to query over multiple resources.
Insights is a curated list of pre-prepared queries, visualizations, and dashboards.
Azure VM backup, which configs/states supported
Supports backing up the entire VM. Supports VMs that are running or shut down/offline, Linux distros endorsed by Azure, all Windows Server since 2008, all client Windows since Windows 10. Only 64-bit OSes.
Automated user adding
Powershell:
- New-AzureADUser cmdlet creates native user in the AD
- New-AzureADMSInvitation creates an invitation for an external user
Portal:
- Bulk create for native from csv
- Bulk invite for external from csv, required fields:
  - Email address to invite - the user who will receive an invitation
  - Redirection url - the URL to which the invited user is forwarded after accepting the invitation.
- Bulk add from csv, required fields:
  - Name
  - Upn
  - Initpasswd
  - Block Signin
AKS (Azure Kubernetes Services)
Managed Kubernetes cluster. Control plane is created automatically and managed by Azure; no user access. Only pay for the nodes running in the cluster. Each node is a VM, created from image Ubuntu Linux, Azure Linux, or Windows Server 2019. Nodes are grouped in node pools. Nodes run pods that are often 1:1 with containers, but can contain multiple containers.
The cluster is created in a resource group, and creates a node resource group automatically that contains all the node resources, such as VMs, storage and Vnet. This can’t be an existing resource group, name cannot be changed, it must be in the same subscription. Automatically deleted when cluster resource is deleted.
Resources are logically grouped into namespaces, by default there are three: default, kube-system, kube-public. Users can only interact with resources within their assigned namespaces.
Permissions through Kubernetes roles (Kubernetes RBAC), that grant (not deny) permissions. Then assign roles to users through RoleBindings. Users must come from external identity solution, for AKS this is Azure AD. It is also possible to use Azure RBAC.
Azure AD authentication is provided to AKS clusters with OpenID Connect, an identity layer built on top of the OAuth 2.0 protocol. Previously OAuth2 client and server applications had to be configured in the AD tenant; this is now deprecated, and Azure AD integration managed by the cluster is the default. This means creating or updating the cluster with the --enable-aad option.
If using kubenet networking, pods receive an IP address from a logically different address space than the Azure Virtual Network subnet, and NAT is used to translate the pod IPs to the Azure virtual network. If using Azure Container Networking Interface (Azure CNI), all pods get an IP from the subnet and can be accessed directly.
To support node pools for Windows containers you need to use a network policy that uses Azure CNI, not kubenet. To pull images from ACR you must enable AKS-managed Active Directory.
Office 365 groups
With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. Unlike regular groups they support automatic deletion after a certain time period.
These groups cannot be members of other groups.
Moving resources to another subscription
Possible for Vnets, Storage accounts, Vms with associated disks, recovery services vaults.
Powershell subscription cmdlets
New/Get/Set/Remove-AzApiManagementSubscription
Accept or reject legal terms for marketplace item programmatically
Set-AzMarketplaceTerms
IT Service Management Connector (ITSMC)
The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the
Microsoft System Center Service Manager.
Local administrators on Azure joined devices
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
- The Azure AD global administrator role
- The Azure AD device administrator role
- The user performing the Azure AD join
Configure device administrator role members (also) through the devices blade (requires premium tenant).
Cloud Device Administrator AD role
Can perform certain administrative functions on devices, such as removing, enabling or disabling, but cannot change group membership or any other device properties.
Deleting resource group
Deleting rg deletes all resources contained in it. Running or stopped vms, dbs or storage accounts do not block deletion. Backup recovery vaults that contain data cannot be deleted.
Network contributor
Lets you manage networks, but not access to them.
Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.
Security admin/reader AD roles
These deal with administrating security policies and information, not with ad role assignments or rbac assignments.
DNS records to verify custom domain name for Azure AD or App service
MX or TXT for AD
CNAME and TXT for App Service
Azure log analytics queries
Own query language, no powershell or sql syntax
Chain operations with |
Searchbased query:
search in (<table>) “keyword” finds all records where any column contains keyword
Table based query:
<table> | <nextoperation>
where clauses use ==, and, or
search “keyword”
project selects columns to include
All keywords are lowercase
ARM zones parameter
1,2 or 3: which zone to place vm in
Managed disk
A vhd on a page blob (inside a storage container?) inside a storage account, but all abstracted away by Azure. Now a first-class citizen with granular access control.
Storage concepts
Top-level storage account, can contain file shares, queues, tables or storage containers, which contain blobs, and are namespace levels. Root container $root must be explicitly created, lives at the namespace root.
Storage account worldwide unique, only lowercase and numbers, 3-24 characters.
Storage is always encrypted.
For block blobs only there is data access tiering: hot/cool/cold/archive (no zone redundancy). While a blob is in the archive tier, it can’t be read or modified. To read or download a blob in the archive tier, you must first rehydrate it to an online tier, either hot, cool, or cold.
For standard File shares only there is transaction optimized (default), hot, or cool tiers.
File share tier is per file share, independent of the storage account default blob access tier.
Azure files: network file shares, accessible through either SMB or NFS. Standard (HDD) or Premium (SSD). NFS only on premium. Premium File Shares only on FileStorage type.
Azure tables: key/value store, no schema
Azure blob: unstructured data storage, block, page (used for disk), append. Tiering only for block blobs.
Custom role definition - AssignableScopes
The AssignableScopes property specifies the scopes (root, management group, subscriptions, or resource groups) where a role definition can be assigned.
Root = / (only for built-in roles)
Subscriptions = /subscriptions/{subscriptionId1}
RG = /subscriptions/{subscriptionId1}/resourceGroups/{rgname}
Management group= /providers/Microsoft.Management/managementGroups/{groupId1} (only one allowed)
Wildcards are NOT possible
Load balancer types
Internal load balancer - network layer
Public load balancer - network layer
Traffic manager - DNS based solution for public facing applications
Azure application gateway - application layer
Editing properties of on-premise synced users
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory.
UsageLocation is an Azure attribute so can be edited from AzureAD.
Managed identity
Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.
Disabled by default.
Two types:
- System-assigned. Some resources allow this to be enabled directly on the resource, for instance a VM.
- User-assigned. You create a managed identity as a standalone Azure resource, and assign it to one or more Azure Resources.
IAAS
Azure is responsible for storage, networking, compute, fabric (=hypervisor)
Paas
Azure is responsible for everything needed for me to run my application.
Resource locks
Locks an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly.
Are inherited down to the contained resources, most restrictive lock takes precedence.
Cannot be assigned to management groups.
Share-level permissions on Azure file shares
With on-premise AD DS authentication, the share-level permission is configured against the identity represented in Microsoft Entra ID, whereas the directory/file-level permission is enforced with that in AD DS. Domain joined computers authenticate against both the on-prem DC for a Kerberos ticket, and the Azure AD. So, only hybrid users.
With Azure AD domain services authentication both hybrid and cloud-only users, because Azure runs a DC that is synced from Azure AD automatically. Clients must be domain joined to that hosted domain.
With Azure AD Kerberos authentication only hybrid identities.
Not supported for NFS, nor for computer accounts because they are not synced to Azure AD. For computer accounts default share-level permissions can be used.
Tags
To subs, rgs and resources, not to mgs. Don’t inherit.
You can have write access to the Microsoft.Resources/tags resource type. This access lets you tag any resource, even if you don’t have access to the resource itself. The Tag Contributor role grants this access.
Or you can have write access to the resource itself.
Bulk delete users
To perform a bulk delete of users in Azure Active Directory, you need to create and upload a CSV file that contains the list of users to be deleted. The file should include the user principal name (UPN) of each user only.
Role to enable traffic analytics on a subscription
To enable Traffic Analytics for an Azure subscription, you must have one of the following Azure roles at the subscription scope:
- Owner
- Contributor
- Network Contributor
These roles have the nece
Administrative units
Administrative units restrict permissions in a role to any portion of your organization that you define.
Permission to log onto a virtual machine in a custom role definition
The log-in action is a DataAction.
Policies assignment and exclusion scopes
Assignment from root management group down to resource
Exclusion one level lower than scope, root mg not possible
Custom role from clone
Use existing built-in or custom role as starting point. Must be the same type (AD / RBAC), and built-in AD roles cannot be cloned.