Algemeen Flashcards

Question

Network contributor

Answer 1

Lets you manage networks, but not access to them.

Answer 2

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.

Answer 3

These deal with administrating security policies and information, not with ad role assignments or rbac assignments.

Answer 4

MX or TXT for AD CNAME and TXT for App Service

Answer 5

Own query language, no powershell or sql syntax Chain operations with | Searchbased query: search in () “keyword” finds all records where any column contains keyword Table based query:

| where clauses use ==, and, or search “keyword” project selects colums to include All keywords are lowercase

ARM zones parameter

1,2 or 3: which zone to place vm in

Managed disk

A vhd on a paged blob (inside a storage container?) inside a storage account, but all abstracted away by Azure. Now first-class citizen with granular access control.

Storage concepts

Top-level storage account, can contain file shares, queues, tables or storage containers, which contain blobs, and are namespace levels. Root container $root must be explictely created, lives at the namespace root. Storage account worldwide unique, only lowercase and numbers, 3-24 characters. Storage is always encrypted. For block blobs only there is data access tiering: hot/cool/cold/archive (no zone redundancy). While a blob is in the archive tier, it can't be read or modified. To read or download a blob in the archive tier, you must first rehydrate it to an online tier, either hot, cool, or cold. For standard File shares only there is transaction optimized (default), hot, or cool tiers. File share tier is per file share, independent of the storage account default blob access tier. Azure files: network file shares, accessible through either SMB or NFS. Standard (HDD) or Premium (SSD). NFS only on premium. Premium File Shares only on FileStorage type. Azure tables: key/value store, no schema Azure blob: unstructured data storage, block, page (used for disk), append. Tiering only for block blobs.

Custom role definition - AssignableScopes

The AssignableScopes property specifies the scopes (root, management group, subscriptions, or resource groups) where a role definition can be assigned. Root = / (only for built-in roles) Subscriptions = /subscriptions/{subscriptionId1} RG = /subscriptions/{subscriptionId1}/resourceGroups/{rgname} Management group= /providers/Microsoft.Management/managementGroups/{groupId1} (only one allowed) Wildcards are NOT possible

Load balancer types

Internal load balancer - network layer Public load balancer - network layer Traffic manager - DNS based solution for public facing applications Azure application gateway - application layer

Editing properties of on-premise synced users

You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. UsageLocation is an Azure attribute so can be edited from AzureAD.

Managed identity

Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. Disabled by default. Two types: - System-assigned. Some resources allow this to be enabled directly on the resource. For example f.i. Vm. - User-assigned. You create a managed identity as a standalone Azure resource, and assign it to one or more Azure Resources.

IAAS

Azure is responsible for storage, networking, compute, fabric (=hypervisor)

Paas

Azure is responsible for everything needed for me to run my application.

Resource locks

Locks an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly. Are inherited down to the contained resources, most restrictive lock takes precedence. Cannot be assigned to management groups.

Share-level permissions on Azure file shares

With on-premise AD DS authentication, the share-level permission is configured against the identity represented in Microsoft Entra ID, whereas the directory/file-level permission is enforced with that in AD DS. Domain joined computers authenticate against both the on-prem DC for a Kerberos ticket, and the Azure AD. So, only hybrid users. With Azure AD domain services authentication both hybrid and cloud-only users, because Azure runs a DC that is synced from Azure AD automatically. Clients must be domain joined to that hosted domain. With Azure AD Kerberis authentication only hybrid identities. Not supported for NFS, not for computer accounts because they are not synched to Azure AD. For computer accounts default share-level permissions can be used.

Tags

To subs, rgs and resources, not to mgs. Don’t inherit. You can have write access to the Microsoft.Resources/tags resource type. This access lets you tag any resource, even if you don't have access to the resource itself. The Tag Contributor role grants this access. Or you can have write access to the resource itself.

Bulk delete users

To perform a bulk delete of users in Azure Active Directory, you need to create and upload a CSV file that contains the list of users to be deleted. The file should include the user principal name (UPN) of each user only.

Role to enable traffic analytics on a subscription

To enable Traffic Analytics for an Azure subscription, you must have one of the following Azure roles at the subscription scope: - Owner - Contributor - Network Contributor These roles have the nece

Administrative units

Administrative units restrict permissions in a role to any portion of your organization that you define.

Permission to log onto a virtual machine in a custom role definition

The log-in action is a DataAction.

Policies assignment and exclusion scopes

Assignment from root management group down to resource Exclusion one level lower than scope, root mg not possible

Custom role from clone

Use existing built-in or custom role as starting point. Must be the same type (AD / RBAC), and built-in AD roles cannot be cloned.

Service tags

Service tags represent a group of IP addresses associated with Azure PaaS and SaaS services, can be used in Network Security Groups.

AD group licensing

AD licenses can be assigned to both users and groups, but group nesting is not supported: only first-level members of the group will receive the license. Only security groups or M365 groups for which securityEnabled=TRUE, mail-enabled no problem. If assigned a license through a group the license cannot be removed from individual users, but the user can always be deleted. Also additional licenses can directily be assigned to the user. A group with a license assigned can not be deleted.

Role assignable groups

Only for new groups they can be configured to allow AD roles to be assigned to them. If this happens, any member of the group receives the role. The role-assignable property is immutable. The group must be of type assigned, not dynamic, M365 and security groups are supported. Group nesting is not supported: a group can’t be added as a member of role-assignable group.

Private endpoint

A private endpoint uses a private IP address from your VNet, effectively bringing a Azure service (the private link resource) such as Azure Storage or SQL into your VNet. Any traffic between your virtual machine and the service will traverse over the VNet and stay on the Microsoft backbone network, without ever leaving it. The private endpoint must be deployed in the same region and subscription as the virtual network. Azure Monitor private links are structured differently from private links to other services you might use. Instead of creating multiple private links, one for each resource the virtual network connects to, Azure Monitor uses a single private link connection, from the virtual network to an AMPLS. AMPLS is the set of all Azure Monitor resources to which a virtual network connects through a private link.

Service endpoints

Service Endpoints work by enabling a subnet on your virtual network to support Service Endpoints. When Service Endpoints are enabled, the PaaS resource sees traffic coming from your VNETs private IP, not its public IP. Another advantage of using service endpoints is that traffic is routed to the Azure resources optimally, over the Microsoft backbone. This means you can now configure your PaaS resource to only accept traffic from those subnets. There is no requirement to do any IP filtering or NAT translation; you tell the PaaS resource which VNET and Subnet to allow traffic from. Virtual Network service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over a service endpoint, and allow access to only specific Azure Storage accounts. Endpoint policy is configured on a subnet in a virtual network. Service endpoints for Azure Storage should be enabled on the subnet to apply the policy. Virtual networks must be in the same region as the service endpoint policy. By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts is denied.

Co-administrator

Co-administrators have full access to all resources in a subscription, including the ability to create, read, update, and delete resources. Legacy role, deprecated. Can only be assigned at the subscription level.

Azure Import/Export

Azure Import/Export service is used to securely import/export large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. Azure Import/Export supports the following storage types: ✑ Import supports Azure Blob storage and Azure File storage ✑ Export supports Azure Blob storage

Storage account types

The different storage account options are: ✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for tiering and redundancy. GPTv2 is standard, there are also premium account types: ✑ BlockBlob premium storage accounts are limited to supporting only block and append blobs. No tiering, no regional redundancy. ✑ FileStorage. Only Azure Files, only Premium, so only type to support NFS. Legacy: ✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing. No data tiering. No zone redundancy. ✑ Blobstorage accounts support all the same blob features as GPv2, but are limited to supporting only block and append blobs. No zone redundancy.

Deploying Azure File Sync

Step 0 - Deploy the Azure Storage Sync Service to Azure Step 1 - Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share Step 2 - Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service. Step 3 - Create a sync group and a cloud endpoint. Step 4 - Create a server endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server. A sync group can only have server endpoint per registered server, a registered server can have multiple server endpoints in different sync groups if their paths don’t overlap.

Azure Import steps

Step 1: Prepare the drives (Attach an external disk to Server1 and then run waimportexport.exe). Before running configure dataset.csv and driveset.csv in the root folder of the tool. Step 2: Create an import job (From the Azure portal, create an import job) Step 3: Ship the drives to the Azure datacenter (Detach the external disks from Server1 and ship the disks to an Azure data center) Step 4: Update the job with tracking information (From the Azure portal, update the import job)

UNC path for file shares

\\>.file.core.windows.net\

Azcopy

AzCopy is a command line utility that you can use to copy blobs or files to or from a storage account. AzCopy is a CLI cmdlet, so will work on all operating systems. Authentication for blob with sas or azure ad, for file share with sas. No access keys! Azcopy make - creates blob container or file share

Azure file sync syncing

Endpoints within a sync group are kept in sync with each other. Azure Files doesn't have change notification or journaling yet, so Azure File Sync has a scheduled job called a change detection job. This job is initiated every 24 hours. That means that if you change a file in the Azure file share, you might not see the change on the on-premises file share for up to 24 hours. Changes on the on-premises server are replicated immediately. When there is a naming conflict all files are preserved. The most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud endpoints, the endpoint name is Cloud.

Azure file sync cloud tiering

When enabled, this feature stores only frequently accessed (hot) files on your local server. Infrequently accessed (cool) files are split into namespace (file and folder structure) and file content. The namespace is stored locally and the file content stored in an Azure file share in the cloud. When a user opens a tiered file, Azure File Sync seamlessly recalls the file data from the Azure file share. The volume free space policy tells Azure File Sync to tier cool files to the cloud when a certain amount of space is taken up on your local disk. With the date policy, cool files are tiered to the cloud if they haven't been accessed (read or written to) for x number of days.

Converting storage redundancy levels

Regional on/off through portal Zonal on/off through ms support or sometimes user initiated request One step at a time

Storage container access

Each storage has a public ip, by default accessible by all. Storage firewall protects access to that public endpoint, not private endpoints. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint. Service endpoints access the public ip, so are covered by the firewall. Turn it on, then enable public address ranges and vnets for access. Trusted Microsoft services such as backup can be always granted access with an option. Network rules don't affect virtual machine (VM) disk traffic, including mount and unmount operations and disk I/O. After network access regular RBAC authorization checks apply.

Deleting backup vault

First deregister servers, then delete data, wait for soft delete to expire.

Azure backup

Organized in vault resources. These are storage entities in Azure that house data. The resource being backed-up must be in the same region, no restrictions on resource group. Storage redundancy can be local, zone or geo-redundant. Two types of vault: - Recovery services vault: is a management entity that stores recovery points that are created over time, and it provides an interface to perform backup-related operations. Supports SQL, VMs, Azure Files. - Backup vault: supports PostgreSQL, block blobs and managed disks. This is ‘operational’ backup, meaning that backups are snapshot-based and the data is stored in the storage account, so follows the redundancy of the storage account. Multi-user authentication (MUA): Azure Backup uses the Resource Guard as an additional authorization mechanism for a Recovery Services vault or a Backup vault. Therefore, to perform a critical operation (described below) successfully, you must have sufficient permissions on the associated Resource Guard as well.

Azure backup reports to log analytics

The location and subscription of the Log Analytics workspaces is independent of the location and subscription where your vaults exist.

Azure storage account keys

When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key. Storage account access keys provide full access to the configuration of a storage account, as well as the data. SAS (Shared Access Signatures) tokens provide more limited scope of access, and are signed with the storage account keys. Remember: net use can’t utilize SAS token, only access key.

Azure Storage lifecycle management

Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. Supported for block and append blob in gpv2 and blobstorage, premium block blobstorage (no tiering). Only delete is supported for append blob, set tier isn't supported.

SMB port

445

Object replication for blobs

Object replication asynchronously copies block blobs between a source storage account and a destination account. Object replication requires that the following Azure Storage features are also enabled: change feed on the source account, blob versioning on both accounts. Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append blobs and page blobs aren't supported.

Encryption Scope

By default, a storage account is encrypted with a key that is scoped to the entire storage account. When you define an encryption scope, you specify a key that may be scoped to a container or an individual blob.

SMB Multichannel

Requires premium file share, so in a FileStorage account type.

RBAC assignment conditions

A condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control. For storage, only supported by containers and queues.

Storage account encryption

Data in your storage account is automatically encrypted by Azure Storage. Azure Storage encryption offers two options for managing encryption keys at the level of the storage account: - Microsoft-managed keys. By default, Microsoft manages the keys used to encrypt your storage account. - Customer-managed keys. You can optionally choose to manage encryption keys for your storage account. Customer-managed keys must be stored in Azure Key Vault. Switching between these models is always supported. By default, Queue storage and Table storage use an own key that is scoped to the service and managed by Microsoft. To use customer managed keys for them, you must configure that the account key is also used for these services. This setting cannot be changed after storage account creation. Blob storage and Azure Files always use the account encryption key to encrypt data. When infrastructure encryption is enabled, data in a storage account is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys. The storage account must be of type general-purpose v2 or premium block blob. Infrastructure encryption cannot be enabled or disabled after the account has been created.

Azure Key Vault supprted keys

RSA 2048,3192,4096

Azure Disk Encryption

Azure Disk Encryption (ADE) encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Creating and configuring a key vault for use with Azure Disk Encryption involves three steps: 1.Creating a key vault. 2. Setting key vault advanced access policies to ‘Enable access to Azure Disk Encryption for volume encryption’. The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. 3. (Optional) Set up a key encryption key (KEK). Azure Disk Encryption uses BitLocker for Windows VMs, which requires a key for encrypting the data disk. If you're using a KEK, the BEK (BitLocker Encryption Key) will be wrapped by this KEK before writing it to the vault. Azure Key Vault key auto-rotation isn't currently compatible with Azure Disk Encryption.

Azure Data Lake Storage

Azure Data Lake Storage requires a hierarchical namespace to support its features.

Blob versioning and snapshots

You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Blob versions are immutable. You can't modify the content or metadata of an existing blob version. Blob versioning is available for standard general-purpose v2, premium block blob, and legacy Blob storage accounts. A blob snapshot is a read-only copy of a blob that's taken at a specific point in time. Blob snapshots and blob versions are similar, but a snapshot is created manually by you or your application, while a blob version is created automatically on a write or delete operation when blob versioning is enabled for your storage account.

prefixMatch

Includes containername

Blob RBAC permissions

Control-plane permissions such as contributor, storage account contributor or reader do not grant access to the blob data, only management operations on the container or metadata of the blob. Data-plane permissions such as Storage blob data contributor are required for data access. Anonymous blob access can be configured at the container level.

Creating AKS with CLI

1. az aks create Manage cluster with kubectl, install locally with az aks install-cli. First download credentials to kubectl with 2. az aks get-credentials Deployments of pods are configured with YAML manifest files. 3. Kubectl apply -f file.yaml

Monitoring inside VMs

Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor. Azure Monitor Agent uses data collection rules, where you define which data you want each agent to collect. It is an Azure VM extension, can be used on both Windows and Azure. Other extension that does the same is Diagnostic extension (LAD for Linux, WAD for Windows), can only be enabled only on VMs that reside within Azure. Microsoft Monitoring Agent cannot be installed as an extension.

Moving vm between vnets and subscriptions, changing size

Not possible. Delete vm (not resources), create vm in dest vnet. You can change the Subnet a VM is connected to after it's created, but you cannot change the VNet. When you move a virtual machine from one subscription to another, you need to ensure that all the dependent resources are also moved along with it. While resizing the VM it must be in a stopped state, or Azure will restart the vm.

Web app on App Service

The region in which your app runs is the region of the App Service plan it's in. App Service also supports running both Windows and Linux containers. Using virtual network integration for your web app enables your app to access resources in the virtual network you're integrated with and resources in virtual networks peered to the virtual network your app is integrated with including global peering connections. Vnet from same region are supported. Requires empty subnet in the vnet. The virtual network integration feature is used in Azure App Service dedicated compute pricing tiers (basic and up). If your app is in an App Service Environment (isolated tiers), it's already integrated with a virtual network and doesn't require you to configure virtual network integration feature to reach resources in the same virtual network. It doesn't grant inbound private access to your app from the virtual network, and so nsgs don’t apply to inbound traffic. Use private endpoint for that.

Installing extra components on new windows vms

The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration, software installation, or any other configuration / management task. Integrates with ARM templates. Add the extension with the extensionprofile section.

App service tiers

Free, Shared, Basic, Standard, Premium, Isolated. Increasing tier is called scaling up the app service. Staging slots supported on Standard/Premium/Isolated. Only standard and higher supports automatic scale-up.

Availability of VM scale sets

A regional (non-zonal) scale set uses placement groups, which act as an implicit availability set with five fault domains and five update domains. Scale sets of more than 100 VMs span multiple placement groups.

Redeploy VM

When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources.

VM quotas

Quota is calculated based on the total number of cores in use both allocated and deallocated.

VM Scale Set orchestration modes

Scale set orchestration modes allow you to have greater control over how virtual machine instances are managed by the scale set. The orchestration mode is defined when you create the scale set and cannot be changed or updated later. In flexible orchestration mode (old name: VM), you manually create and add a virtual machine of any configuration to the scale set. You can add the virtual machine to a scale set in the same region, zone, and resource group. In uniform orchestration mode (old name: SCALESETVM), you define a virtual machine model and Azure will generate identical instances based on that model. This is the default.

Alert rate limiting

The rate limit thresholds are: ✑ SMS: No more than 1 SMS every 5 minutes. ✑ Voice: No more than 1 Voice call every 5 minutes. ✑ Email: No more than 100 emails in an hour. ✑ Other actions are not rate limited.

AKS autoscaling

AKS clusters can scale in one of two ways: - The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes. It also regularly checks nodes for a lack of running pods and scales down the number of nodes as needed. - The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand. The cluster autoscaler works at the Kubernetes level and is configured with Azure tooling: az aks create/update --enable-cluster-autoscaler \ --min-count 1 \ --max-count 3 Set-AzAksCluster The horizontal pod autoscaler works within Kubernetes and is configured with kubectl.

Azure proximity placement groups

To achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency among them. When you assign your virtual machines to a proximity placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your applications. Ppg must be in the same region as the resources.

New VM disk configuration

In Azure, every VM – regardless if Linux or Windows – gets a temporary disk assigned automatically. This temporary disk is located on the physical server (the hypervisor) where the Azure VM is hosted and is non-persistent. Disks used by the operating system or additionally added data disks are persistent disks and stored in Azure Storage. The temporary storage will be lost on a reboot, move, resize, redeploy, etc. For Windows Server, the temporary disk is mounted as D:\. Linux based VM’s have the temporary disk mounted as “/dev/sdb1”.

VM Scale Set Automatic Image Upgrades

With automatic OS image upgrades the latest OS image published by image publishers is automatically applied to the scale set without user intervention. Works for all VM sizes, and for both Windows and Linux images. The OS Disk of a VM is replaced with the new OS Disk created with latest image version. Configured extensions and custom data scripts are run, while persisted data disks are retained. Upgrades take place in batches, with no more than 20% of the scale set upgrading at any time. To configure automatic OS image upgrade, ensure that the upgradePolicy->automaticOSUpgradePolicy.enableAutomaticOSUpgrade property is set to true in the scale set model definition. For scale sets using Windows virtual machines, the property virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates property must set to false in the scale set model definition. The enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches without replacing the OS disk. With automatic OS image upgrades enabled on your scale set, an extra patching process through Windows Update is not required. Don’t confuse with upgradePolicy->mode, which can be automatic or manual and configures automatic application of changes to the VM model (f.i. VM size).

Azure Backup and restore for VMs

1. Azure Backup starts a backup job according to the backup schedule you specify. Enhanced policy required for Trusted Launch VM or multiple backups per day. 2. During the first backup, a backup extension is installed on the VM if the VM is running (VMSnapshot / VMSnapshotLinux). 3. Backup takes a snapshot and sends it to the vault (recovery point). For Windows VMs, the Backup service coordinates with VSS to take an app-consistent snapshot of the VM disks. Backups of disks are parallel and incremental. Azure Backup provides several ways to restore a VM: - Create a new VM. The new VM must be created in the same region as the source VM. - Restore a VM disk, which can then be used to create a new VM, or can be attached to a different VM. The restore job generates a template that you can download and use to specify custom VM settings, and create a VM. - You can restore a disk, and use it to replace a disk on the existing VM. Replace existing is supported for unencrypted managed VMs, it is unsupported for classic VMs and unmanaged VMs. This requires the VM to be shutdown during the restore. - You can restore individual files and folders from an Azure VM Backup by downloading a script that mounts the recovery point as a network drive. This script can be run on machines in- and outside of Azure. If you're restoring VMs from a single vault, use different general-purpose v2 storage accounts per vm to ensure that the target storage account doesn't get throttled. Azure Backup uses the MARS agent to back up files, folders, and system state from on-premises machines and Azure VMs. The Microsoft Azure Recovery Services (MARS) agent is also known as the Azure Backup agent. Generally, you back up an Azure VM by using an Azure Backup extension on the VM. This method backs up the entire VM. If you want to back up specific files and folders on the VM, install and use the MARS agent alongside the extension. To restore data, you use the Recover Data wizard in the MARS Agent. You can: - Restore data to the same machine from which the backups were taken. - Restore data to an alternate machine.

Vm and vnets and nsg and vnic

Must all be in the same region

Powershell deploying ARM template

You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment, you use different commands. - To deploy to a tenant, use New-AzTenantDeployment. - To deploy to a management group, use New-AzManagementGroupDeployment. - To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet. For subscription level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data. - To deploy to a resource group, use New-AzResourceGroupDeployment. Parameter -Mode specifies the deployment mode: - Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template. - Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified in the template.

App service backups

There are two types of backups in App Service. Automatic backups are made for your app regularly as long as it's in a supported pricing tier. Custom backups require initial configuration, and can be made on-demand or on a schedule. Exclude files with a _backup.filter file. Retention of automatic backups is 30 days, not configurable, for custom 0-30 days or indefintrle. Automatic backups do not require customer storage, custom backups require a storage account.

Azure Container Group

The top-level resource in Azure Container Instances is the container group. A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports deployment of a single container instance. Within a container group, container instances can reach each other via localhost on any port, even if those ports aren't exposed externally on the group's IP address or from the container.

Public IP addresses

Public IP addresses allow Internet resources to communicate inbound to Azure resources. You dedicate the address to the resource until you unassign it. A resource without a public IP assigned can communicate outbound. Public IPs are region specific and can’t be moved between regions. Standard or basic. Standard is always static, basic is dynamic for ipv6 and static/dynamic for ipv4. Standard supports zone redundancy and cross-region load balancers (use global tier), basic does not. Standard IP is closed for inbound traffic by default and requires NSG to accept traffic.

Azure Firewall

Supports only Standard IP4, no IP6 or basic. The firewall, VNet, and the public IP address all must be in the same resource group.

Azure Compute Gallery

If you have a large number of images that you need to maintain, and would like to make them available throughout your company, you can use an Azure Compute Gallery as a repository. Images are grouped under definitions with multiple versions per definition. The metadata of an image definition is descriptive and doesn’t constrain the image you can use.

Azure Container Apps

Azure Container Apps allows you to run containerized applications without worrying about orchestration or infrastructure. It is based on Kubernetes. It only supports Linux images. ACA is more app-centric and provides a simpler and more serverless experience than AKS, abstracting away the Kubernetes cluster.

Service principals for resources

For resources, there are two ways to obtain a service principal: 1. (Recommended) enable a system-assigned managed identity for the application. With managed identity, Azure internally manages the application's service principal and automatically authenticates the application with other Azure services. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. There are two variants: system-assigned (tied to the resource), or user-assigned (created by user, can be assigned to multiple resources). 2. Register an application with the Azure AD tenant.

Authentication for Key Vault

Entra authenticates a security principal (user/group or service) and then Key Vault checks if the security principal has the necessary permission for requested operation. Data plane access is granted through RBAC or vault access policy (legacy). App service certificates support only access policies.

Azure Load Balancer

Layer 4 load balancer that distributes inbound traffic to backend pool instances. The backend pool instances can be Azure Virtual Machines or instances in a Virtual Machine Scale Set. The backend pool defines the group of resources that will serve traffic for a given load-balancing rule. Public Load Balancers are used to load balance internet traffic to your VMs, and provide outbound Internet access. Azure Internal/Private Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope. When the load balancer's health probe indicates a healthy back-end endpoint, backend instances are available to receive new traffic flows. Load balancer rules that apply to all ports and protocols are called HA ports. Floating IP allows the reuse of the same backend port across multiple rules. Basic and Standard SKUs are supported. Basic load balancer doesn’t support HTTPS health probes or zones or diagnostics in Azure Monitor, or HA rules, backend pools must be virtual machines in a single availability set or virtual machine scale set. For Standard the backend instances must be on the same vnet. Virtual machines must have a standard SKU public IP or no public IP.

Private DNS zone

To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. You can also enable autoregistration on a virtual network link. When you enable autoregistration on a virtual network link, the DNS records for the virtual machines in that virtual network are registered in the private zone. A specific virtual network can be linked to only one private zone if automatic registration of VM DNS records is enabled. Reverse DNS works only for private IP space in the linked virtual network. DNS zone is a global resource.

Peering vnets

Virtual network peering enables you to connect virtual networks in the same region and across regions. The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Microsoft Entra tenant. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Peerings by themselves aren't transitive. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. [obsolete] You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering. You can now add or remove address spaces without having to remove the peering first and re-establishing the peering. You can simply add the address space in VNET1 and perform a resync using Powershell with Sync-AzVirtualNetworkPeering To resolve peering status Disconnected, delete the peering from both virtual networks, and then re-create them.

Migrating private DNS zone to Azure DNS

Use CLI: az network dns zone import -g -n -f

Application Security Group

An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then use the application security group as a source or destination in NSG rules. The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups that this NIC should join, and then click Save to commit the change.

Azure VPN Gateway

The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway resources and services use. It requires a free subnet range within the VNET of the gateway. All gateway subnets must be named 'GatewaySubnet' to work properly, and only one per vnet. When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device. VNet-to-VNet Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway, so require a vpn gateway subnet. Several SKUs, you can’t choose the Basic SKU from the portal. BasicSKU cannot coexist with ExpressRoute. A P2S connection requires a RouteBased VPN type, PolicyBased not supported.

Network Watcher

Azure Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for Azure IaaS (Infrastructure-as-a-Service) resources. Network Watcher enables you to monitor and repair the network health of IaaS products. Network Watcher isn't designed or intended for PaaS monitoring or Web analytics. When you create or update a virtual network in your subscription, Network Watcher is automatically enabled in your virtual network's region. Network Watcher consists of three major sets of tools and capabilities: 1. Monitoring 2. Network diagnostic tools 3. Traffic NSG flow logging requires the Microsoft.Insights provider, the flow logs are stored in a storage account. Specific tools: - IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. - NSG Flow logs enable you to log 5-tuple flow information about your Azure IP traffic that passes through a network security group or Azure virtual network. This data can be used by Traffic Analytics to analyze network traffic in your environment. - Connection Troubleshoot. The connection troubleshoot feature of Network Watcher provides the capability for a one-time check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. - The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint over a period of time. You can select only the source VMs that are created in the region of the connection monitor. - Variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine or a scale set. - Network Performance Monitor - for latency and network issues in hybrid, on-premises, across environments setups.

Azure Bastion

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. To associate a virtual network with a Bastion, it must contain a subnet with name AzureBastionSubnet and a prefix of at least /26. Bastion always requires a Standard public static IPv4, Regional, not Global Tier. Basic SKU: 2 instances (50 connections at most) Standard SKU: you can specify the number of instances between 2-50 (25 connections by instance at most). One IP required on the Bastion subnet per instance. Bastion inbound traffic is on port 443, it communicates from its subnet to the VMs on port 22 (Linux) or port 3389 (Windows). The native client feature lets you connect to your target VMs with native ssh and rdp clients from your machine via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). Using the native client requires the Standard SKU tier for Azure Bastion. Connect from Azure CLI with az network bastion rdp. Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host.

Networking policies AKS

Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and kubenet (Linux).

Routing table

Assigned to a subnet, applies to all outbound traffic from that subnet.

SSPR for administrators

By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. With a two-gate policy, administrators don't have the ability to use security questions.

Multi-step web test

Application Insights

Data collection rule

Only source vm, only dest log analytics

Answer 6

1,2 or 3: which zone to place vm in

Answer 7

A vhd on a paged blob (inside a storage container?) inside a storage account, but all abstracted away by Azure. Now first-class citizen with granular access control.

Answer 8

Top-level storage account, can contain file shares, queues, tables or storage containers, which contain blobs, and are namespace levels. Root container $root must be explictely created, lives at the namespace root. Storage account worldwide unique, only lowercase and numbers, 3-24 characters. Storage is always encrypted. For block blobs only there is data access tiering: hot/cool/cold/archive (no zone redundancy). While a blob is in the archive tier, it can't be read or modified. To read or download a blob in the archive tier, you must first rehydrate it to an online tier, either hot, cool, or cold. For standard File shares only there is transaction optimized (default), hot, or cool tiers. File share tier is per file share, independent of the storage account default blob access tier. Azure files: network file shares, accessible through either SMB or NFS. Standard (HDD) or Premium (SSD). NFS only on premium. Premium File Shares only on FileStorage type. Azure tables: key/value store, no schema Azure blob: unstructured data storage, block, page (used for disk), append. Tiering only for block blobs.

Answer 9

The AssignableScopes property specifies the scopes (root, management group, subscriptions, or resource groups) where a role definition can be assigned. Root = / (only for built-in roles) Subscriptions = /subscriptions/{subscriptionId1} RG = /subscriptions/{subscriptionId1}/resourceGroups/{rgname} Management group= /providers/Microsoft.Management/managementGroups/{groupId1} (only one allowed) Wildcards are NOT possible

Answer 10

Internal load balancer - network layer Public load balancer - network layer Traffic manager - DNS based solution for public facing applications Azure application gateway - application layer

Answer 11

You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. UsageLocation is an Azure attribute so can be edited from AzureAD.

Answer 12

Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. Disabled by default. Two types: - System-assigned. Some resources allow this to be enabled directly on the resource. For example f.i. Vm. - User-assigned. You create a managed identity as a standalone Azure resource, and assign it to one or more Azure Resources.

Answer 13

Azure is responsible for storage, networking, compute, fabric (=hypervisor)

Answer 14

Azure is responsible for everything needed for me to run my application.

Answer 15

Locks an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly. Are inherited down to the contained resources, most restrictive lock takes precedence. Cannot be assigned to management groups.

Answer 16

With on-premise AD DS authentication, the share-level permission is configured against the identity represented in Microsoft Entra ID, whereas the directory/file-level permission is enforced with that in AD DS. Domain joined computers authenticate against both the on-prem DC for a Kerberos ticket, and the Azure AD. So, only hybrid users. With Azure AD domain services authentication both hybrid and cloud-only users, because Azure runs a DC that is synced from Azure AD automatically. Clients must be domain joined to that hosted domain. With Azure AD Kerberis authentication only hybrid identities. Not supported for NFS, not for computer accounts because they are not synched to Azure AD. For computer accounts default share-level permissions can be used.

Answer 17

To subs, rgs and resources, not to mgs. Don’t inherit. You can have write access to the Microsoft.Resources/tags resource type. This access lets you tag any resource, even if you don't have access to the resource itself. The Tag Contributor role grants this access. Or you can have write access to the resource itself.

Answer 18

To perform a bulk delete of users in Azure Active Directory, you need to create and upload a CSV file that contains the list of users to be deleted. The file should include the user principal name (UPN) of each user only.

Answer 19

To enable Traffic Analytics for an Azure subscription, you must have one of the following Azure roles at the subscription scope: - Owner - Contributor - Network Contributor These roles have the nece

Answer 20

Administrative units restrict permissions in a role to any portion of your organization that you define.

Answer 21

The log-in action is a DataAction.

Answer 22

Assignment from root management group down to resource Exclusion one level lower than scope, root mg not possible

Answer 23

Use existing built-in or custom role as starting point. Must be the same type (AD / RBAC), and built-in AD roles cannot be cloned.

Answer 24

Service tags represent a group of IP addresses associated with Azure PaaS and SaaS services, can be used in Network Security Groups.

Answer 25

AD licenses can be assigned to both users and groups, but group nesting is not supported: only first-level members of the group will receive the license. Only security groups or M365 groups for which securityEnabled=TRUE, mail-enabled no problem. If assigned a license through a group the license cannot be removed from individual users, but the user can always be deleted. Also additional licenses can directily be assigned to the user. A group with a license assigned can not be deleted.

Answer 26

Only for new groups they can be configured to allow AD roles to be assigned to them. If this happens, any member of the group receives the role. The role-assignable property is immutable. The group must be of type assigned, not dynamic, M365 and security groups are supported. Group nesting is not supported: a group can’t be added as a member of role-assignable group.

Answer 27

A private endpoint uses a private IP address from your VNet, effectively bringing a Azure service (the private link resource) such as Azure Storage or SQL into your VNet. Any traffic between your virtual machine and the service will traverse over the VNet and stay on the Microsoft backbone network, without ever leaving it. The private endpoint must be deployed in the same region and subscription as the virtual network. Azure Monitor private links are structured differently from private links to other services you might use. Instead of creating multiple private links, one for each resource the virtual network connects to, Azure Monitor uses a single private link connection, from the virtual network to an AMPLS. AMPLS is the set of all Azure Monitor resources to which a virtual network connects through a private link.

Answer 28

Service Endpoints work by enabling a subnet on your virtual network to support Service Endpoints. When Service Endpoints are enabled, the PaaS resource sees traffic coming from your VNETs private IP, not its public IP. Another advantage of using service endpoints is that traffic is routed to the Azure resources optimally, over the Microsoft backbone. This means you can now configure your PaaS resource to only accept traffic from those subnets. There is no requirement to do any IP filtering or NAT translation; you tell the PaaS resource which VNET and Subnet to allow traffic from. Virtual Network service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over a service endpoint, and allow access to only specific Azure Storage accounts. Endpoint policy is configured on a subnet in a virtual network. Service endpoints for Azure Storage should be enabled on the subnet to apply the policy. Virtual networks must be in the same region as the service endpoint policy. By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts is denied.

Answer 29

Co-administrators have full access to all resources in a subscription, including the ability to create, read, update, and delete resources. Legacy role, deprecated. Can only be assigned at the subscription level.

Answer 30

Azure Import/Export service is used to securely import/export large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. Azure Import/Export supports the following storage types: ✑ Import supports Azure Blob storage and Azure File storage ✑ Export supports Azure Blob storage

Answer 31

The different storage account options are: ✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for tiering and redundancy. GPTv2 is standard, there are also premium account types: ✑ BlockBlob premium storage accounts are limited to supporting only block and append blobs. No tiering, no regional redundancy. ✑ FileStorage. Only Azure Files, only Premium, so only type to support NFS. Legacy: ✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing. No data tiering. No zone redundancy. ✑ Blobstorage accounts support all the same blob features as GPv2, but are limited to supporting only block and append blobs. No zone redundancy.

Answer 32

Step 0 - Deploy the Azure Storage Sync Service to Azure Step 1 - Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share Step 2 - Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service. Step 3 - Create a sync group and a cloud endpoint. Step 4 - Create a server endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server. A sync group can only have server endpoint per registered server, a registered server can have multiple server endpoints in different sync groups if their paths don’t overlap.

Answer 33

Step 1: Prepare the drives (Attach an external disk to Server1 and then run waimportexport.exe). Before running configure dataset.csv and driveset.csv in the root folder of the tool. Step 2: Create an import job (From the Azure portal, create an import job) Step 3: Ship the drives to the Azure datacenter (Detach the external disks from Server1 and ship the disks to an Azure data center) Step 4: Update the job with tracking information (From the Azure portal, update the import job)

Answer 34

\\>.file.core.windows.net\

Answer 35

AzCopy is a command line utility that you can use to copy blobs or files to or from a storage account. AzCopy is a CLI cmdlet, so will work on all operating systems. Authentication for blob with sas or azure ad, for file share with sas. No access keys! Azcopy make - creates blob container or file share

Answer 36

Endpoints within a sync group are kept in sync with each other. Azure Files doesn't have change notification or journaling yet, so Azure File Sync has a scheduled job called a change detection job. This job is initiated every 24 hours. That means that if you change a file in the Azure file share, you might not see the change on the on-premises file share for up to 24 hours. Changes on the on-premises server are replicated immediately. When there is a naming conflict all files are preserved. The most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud endpoints, the endpoint name is Cloud.

Answer 37

When enabled, this feature stores only frequently accessed (hot) files on your local server. Infrequently accessed (cool) files are split into namespace (file and folder structure) and file content. The namespace is stored locally and the file content stored in an Azure file share in the cloud. When a user opens a tiered file, Azure File Sync seamlessly recalls the file data from the Azure file share. The volume free space policy tells Azure File Sync to tier cool files to the cloud when a certain amount of space is taken up on your local disk. With the date policy, cool files are tiered to the cloud if they haven't been accessed (read or written to) for x number of days.

Answer 38

Regional on/off through portal Zonal on/off through ms support or sometimes user initiated request One step at a time

Answer 39

Each storage has a public ip, by default accessible by all. Storage firewall protects access to that public endpoint, not private endpoints. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint. Service endpoints access the public ip, so are covered by the firewall. Turn it on, then enable public address ranges and vnets for access. Trusted Microsoft services such as backup can be always granted access with an option. Network rules don't affect virtual machine (VM) disk traffic, including mount and unmount operations and disk I/O. After network access regular RBAC authorization checks apply.

Answer 40

First deregister servers, then delete data, wait for soft delete to expire.

Answer 41

Organized in vault resources. These are storage entities in Azure that house data. The resource being backed-up must be in the same region, no restrictions on resource group. Storage redundancy can be local, zone or geo-redundant. Two types of vault: - Recovery services vault: is a management entity that stores recovery points that are created over time, and it provides an interface to perform backup-related operations. Supports SQL, VMs, Azure Files. - Backup vault: supports PostgreSQL, block blobs and managed disks. This is ‘operational’ backup, meaning that backups are snapshot-based and the data is stored in the storage account, so follows the redundancy of the storage account. Multi-user authentication (MUA): Azure Backup uses the Resource Guard as an additional authorization mechanism for a Recovery Services vault or a Backup vault. Therefore, to perform a critical operation (described below) successfully, you must have sufficient permissions on the associated Resource Guard as well.

Answer 42

The location and subscription of the Log Analytics workspaces is independent of the location and subscription where your vaults exist.

Answer 43

When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key. Storage account access keys provide full access to the configuration of a storage account, as well as the data. SAS (Shared Access Signatures) tokens provide more limited scope of access, and are signed with the storage account keys. Remember: net use can’t utilize SAS token, only access key.

Answer 44

Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. Supported for block and append blob in gpv2 and blobstorage, premium block blobstorage (no tiering). Only delete is supported for append blob, set tier isn't supported.

Answer 45

Object replication asynchronously copies block blobs between a source storage account and a destination account. Object replication requires that the following Azure Storage features are also enabled: change feed on the source account, blob versioning on both accounts. Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append blobs and page blobs aren't supported.

Answer 46

By default, a storage account is encrypted with a key that is scoped to the entire storage account. When you define an encryption scope, you specify a key that may be scoped to a container or an individual blob.

Answer 47

Requires premium file share, so in a FileStorage account type.

Answer 48

A condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control. For storage, only supported by containers and queues.

Answer 49

Data in your storage account is automatically encrypted by Azure Storage. Azure Storage encryption offers two options for managing encryption keys at the level of the storage account: - Microsoft-managed keys. By default, Microsoft manages the keys used to encrypt your storage account. - Customer-managed keys. You can optionally choose to manage encryption keys for your storage account. Customer-managed keys must be stored in Azure Key Vault. Switching between these models is always supported. By default, Queue storage and Table storage use an own key that is scoped to the service and managed by Microsoft. To use customer managed keys for them, you must configure that the account key is also used for these services. This setting cannot be changed after storage account creation. Blob storage and Azure Files always use the account encryption key to encrypt data. When infrastructure encryption is enabled, data in a storage account is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys. The storage account must be of type general-purpose v2 or premium block blob. Infrastructure encryption cannot be enabled or disabled after the account has been created.

Answer 50

RSA 2048,3192,4096

Answer 51

Azure Disk Encryption (ADE) encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Creating and configuring a key vault for use with Azure Disk Encryption involves three steps: 1.Creating a key vault. 2. Setting key vault advanced access policies to ‘Enable access to Azure Disk Encryption for volume encryption’. The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. 3. (Optional) Set up a key encryption key (KEK). Azure Disk Encryption uses BitLocker for Windows VMs, which requires a key for encrypting the data disk. If you're using a KEK, the BEK (BitLocker Encryption Key) will be wrapped by this KEK before writing it to the vault. Azure Key Vault key auto-rotation isn't currently compatible with Azure Disk Encryption.

Answer 52

Azure Data Lake Storage requires a hierarchical namespace to support its features.

Answer 53

You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Blob versions are immutable. You can't modify the content or metadata of an existing blob version. Blob versioning is available for standard general-purpose v2, premium block blob, and legacy Blob storage accounts. A blob snapshot is a read-only copy of a blob that's taken at a specific point in time. Blob snapshots and blob versions are similar, but a snapshot is created manually by you or your application, while a blob version is created automatically on a write or delete operation when blob versioning is enabled for your storage account.

Answer 54

Includes containername

Answer 55

Control-plane permissions such as contributor, storage account contributor or reader do not grant access to the blob data, only management operations on the container or metadata of the blob. Data-plane permissions such as Storage blob data contributor are required for data access. Anonymous blob access can be configured at the container level.

Answer 56

1. az aks create Manage cluster with kubectl, install locally with az aks install-cli. First download credentials to kubectl with 2. az aks get-credentials Deployments of pods are configured with YAML manifest files. 3. Kubectl apply -f file.yaml

Answer 57

Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor. Azure Monitor Agent uses data collection rules, where you define which data you want each agent to collect. It is an Azure VM extension, can be used on both Windows and Azure. Other extension that does the same is Diagnostic extension (LAD for Linux, WAD for Windows), can only be enabled only on VMs that reside within Azure. Microsoft Monitoring Agent cannot be installed as an extension.

Answer 58

Not possible. Delete vm (not resources), create vm in dest vnet. You can change the Subnet a VM is connected to after it's created, but you cannot change the VNet. When you move a virtual machine from one subscription to another, you need to ensure that all the dependent resources are also moved along with it. While resizing the VM it must be in a stopped state, or Azure will restart the vm.

Answer 59

The region in which your app runs is the region of the App Service plan it's in. App Service also supports running both Windows and Linux containers. Using virtual network integration for your web app enables your app to access resources in the virtual network you're integrated with and resources in virtual networks peered to the virtual network your app is integrated with including global peering connections. Vnet from same region are supported. Requires empty subnet in the vnet. The virtual network integration feature is used in Azure App Service dedicated compute pricing tiers (basic and up). If your app is in an App Service Environment (isolated tiers), it's already integrated with a virtual network and doesn't require you to configure virtual network integration feature to reach resources in the same virtual network. It doesn't grant inbound private access to your app from the virtual network, and so nsgs don’t apply to inbound traffic. Use private endpoint for that.

Answer 60

The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration, software installation, or any other configuration / management task. Integrates with ARM templates. Add the extension with the extensionprofile section.

Answer 61

Free, Shared, Basic, Standard, Premium, Isolated. Increasing tier is called scaling up the app service. Staging slots supported on Standard/Premium/Isolated. Only standard and higher supports automatic scale-up.

Answer 62

A regional (non-zonal) scale set uses placement groups, which act as an implicit availability set with five fault domains and five update domains. Scale sets of more than 100 VMs span multiple placement groups.

Answer 63

When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources.

Answer 64

Quota is calculated based on the total number of cores in use both allocated and deallocated.

Answer 65

Scale set orchestration modes allow you to have greater control over how virtual machine instances are managed by the scale set. The orchestration mode is defined when you create the scale set and cannot be changed or updated later. In flexible orchestration mode (old name: VM), you manually create and add a virtual machine of any configuration to the scale set. You can add the virtual machine to a scale set in the same region, zone, and resource group. In uniform orchestration mode (old name: SCALESETVM), you define a virtual machine model and Azure will generate identical instances based on that model. This is the default.

Answer 66

The rate limit thresholds are: ✑ SMS: No more than 1 SMS every 5 minutes. ✑ Voice: No more than 1 Voice call every 5 minutes. ✑ Email: No more than 100 emails in an hour. ✑ Other actions are not rate limited.

Answer 67

AKS clusters can scale in one of two ways: - The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes. It also regularly checks nodes for a lack of running pods and scales down the number of nodes as needed. - The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand. The cluster autoscaler works at the Kubernetes level and is configured with Azure tooling: az aks create/update --enable-cluster-autoscaler \ --min-count 1 \ --max-count 3 Set-AzAksCluster The horizontal pod autoscaler works within Kubernetes and is configured with kubectl.

Answer 68

To achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency among them. When you assign your virtual machines to a proximity placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your applications. Ppg must be in the same region as the resources.

Answer 69

In Azure, every VM – regardless if Linux or Windows – gets a temporary disk assigned automatically. This temporary disk is located on the physical server (the hypervisor) where the Azure VM is hosted and is non-persistent. Disks used by the operating system or additionally added data disks are persistent disks and stored in Azure Storage. The temporary storage will be lost on a reboot, move, resize, redeploy, etc. For Windows Server, the temporary disk is mounted as D:\. Linux based VM’s have the temporary disk mounted as “/dev/sdb1”.

Answer 70

With automatic OS image upgrades the latest OS image published by image publishers is automatically applied to the scale set without user intervention. Works for all VM sizes, and for both Windows and Linux images. The OS Disk of a VM is replaced with the new OS Disk created with latest image version. Configured extensions and custom data scripts are run, while persisted data disks are retained. Upgrades take place in batches, with no more than 20% of the scale set upgrading at any time. To configure automatic OS image upgrade, ensure that the upgradePolicy->automaticOSUpgradePolicy.enableAutomaticOSUpgrade property is set to true in the scale set model definition. For scale sets using Windows virtual machines, the property virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates property must set to false in the scale set model definition. The enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches without replacing the OS disk. With automatic OS image upgrades enabled on your scale set, an extra patching process through Windows Update is not required. Don’t confuse with upgradePolicy->mode, which can be automatic or manual and configures automatic application of changes to the VM model (f.i. VM size).

Answer 71

1. Azure Backup starts a backup job according to the backup schedule you specify. Enhanced policy required for Trusted Launch VM or multiple backups per day. 2. During the first backup, a backup extension is installed on the VM if the VM is running (VMSnapshot / VMSnapshotLinux). 3. Backup takes a snapshot and sends it to the vault (recovery point). For Windows VMs, the Backup service coordinates with VSS to take an app-consistent snapshot of the VM disks. Backups of disks are parallel and incremental. Azure Backup provides several ways to restore a VM: - Create a new VM. The new VM must be created in the same region as the source VM. - Restore a VM disk, which can then be used to create a new VM, or can be attached to a different VM. The restore job generates a template that you can download and use to specify custom VM settings, and create a VM. - You can restore a disk, and use it to replace a disk on the existing VM. Replace existing is supported for unencrypted managed VMs, it is unsupported for classic VMs and unmanaged VMs. This requires the VM to be shutdown during the restore. - You can restore individual files and folders from an Azure VM Backup by downloading a script that mounts the recovery point as a network drive. This script can be run on machines in- and outside of Azure. If you're restoring VMs from a single vault, use different general-purpose v2 storage accounts per vm to ensure that the target storage account doesn't get throttled. Azure Backup uses the MARS agent to back up files, folders, and system state from on-premises machines and Azure VMs. The Microsoft Azure Recovery Services (MARS) agent is also known as the Azure Backup agent. Generally, you back up an Azure VM by using an Azure Backup extension on the VM. This method backs up the entire VM. If you want to back up specific files and folders on the VM, install and use the MARS agent alongside the extension. To restore data, you use the Recover Data wizard in the MARS Agent. You can: - Restore data to the same machine from which the backups were taken. - Restore data to an alternate machine.

Answer 72

Must all be in the same region

Answer 73

You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment, you use different commands. - To deploy to a tenant, use New-AzTenantDeployment. - To deploy to a management group, use New-AzManagementGroupDeployment. - To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet. For subscription level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data. - To deploy to a resource group, use New-AzResourceGroupDeployment. Parameter -Mode specifies the deployment mode: - Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template. - Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified in the template.

Answer 74

There are two types of backups in App Service. Automatic backups are made for your app regularly as long as it's in a supported pricing tier. Custom backups require initial configuration, and can be made on-demand or on a schedule. Exclude files with a _backup.filter file. Retention of automatic backups is 30 days, not configurable, for custom 0-30 days or indefintrle. Automatic backups do not require customer storage, custom backups require a storage account.

Answer 75

The top-level resource in Azure Container Instances is the container group. A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports deployment of a single container instance. Within a container group, container instances can reach each other via localhost on any port, even if those ports aren't exposed externally on the group's IP address or from the container.

Answer 76

Public IP addresses allow Internet resources to communicate inbound to Azure resources. You dedicate the address to the resource until you unassign it. A resource without a public IP assigned can communicate outbound. Public IPs are region specific and can’t be moved between regions. Standard or basic. Standard is always static, basic is dynamic for ipv6 and static/dynamic for ipv4. Standard supports zone redundancy and cross-region load balancers (use global tier), basic does not. Standard IP is closed for inbound traffic by default and requires NSG to accept traffic.

Answer 77

Supports only Standard IP4, no IP6 or basic. The firewall, VNet, and the public IP address all must be in the same resource group.

Answer 78

If you have a large number of images that you need to maintain, and would like to make them available throughout your company, you can use an Azure Compute Gallery as a repository. Images are grouped under definitions with multiple versions per definition. The metadata of an image definition is descriptive and doesn’t constrain the image you can use.

Answer 79

Azure Container Apps allows you to run containerized applications without worrying about orchestration or infrastructure. It is based on Kubernetes. It only supports Linux images. ACA is more app-centric and provides a simpler and more serverless experience than AKS, abstracting away the Kubernetes cluster.

Answer 80

For resources, there are two ways to obtain a service principal: 1. (Recommended) enable a system-assigned managed identity for the application. With managed identity, Azure internally manages the application's service principal and automatically authenticates the application with other Azure services. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. There are two variants: system-assigned (tied to the resource), or user-assigned (created by user, can be assigned to multiple resources). 2. Register an application with the Azure AD tenant.

Answer 81

Entra authenticates a security principal (user/group or service) and then Key Vault checks if the security principal has the necessary permission for requested operation. Data plane access is granted through RBAC or vault access policy (legacy). App service certificates support only access policies.

Answer 82

Layer 4 load balancer that distributes inbound traffic to backend pool instances. The backend pool instances can be Azure Virtual Machines or instances in a Virtual Machine Scale Set. The backend pool defines the group of resources that will serve traffic for a given load-balancing rule. Public Load Balancers are used to load balance internet traffic to your VMs, and provide outbound Internet access. Azure Internal/Private Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope. When the load balancer's health probe indicates a healthy back-end endpoint, backend instances are available to receive new traffic flows. Load balancer rules that apply to all ports and protocols are called HA ports. Floating IP allows the reuse of the same backend port across multiple rules. Basic and Standard SKUs are supported. Basic load balancer doesn’t support HTTPS health probes or zones or diagnostics in Azure Monitor, or HA rules, backend pools must be virtual machines in a single availability set or virtual machine scale set. For Standard the backend instances must be on the same vnet. Virtual machines must have a standard SKU public IP or no public IP.

Answer 83

To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. You can also enable autoregistration on a virtual network link. When you enable autoregistration on a virtual network link, the DNS records for the virtual machines in that virtual network are registered in the private zone. A specific virtual network can be linked to only one private zone if automatic registration of VM DNS records is enabled. Reverse DNS works only for private IP space in the linked virtual network. DNS zone is a global resource.

Answer 84

Virtual network peering enables you to connect virtual networks in the same region and across regions. The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Microsoft Entra tenant. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Peerings by themselves aren't transitive. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. [obsolete] You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering. You can now add or remove address spaces without having to remove the peering first and re-establishing the peering. You can simply add the address space in VNET1 and perform a resync using Powershell with Sync-AzVirtualNetworkPeering To resolve peering status Disconnected, delete the peering from both virtual networks, and then re-create them.

Answer 85

Use CLI: az network dns zone import -g -n -f

Answer 86

An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then use the application security group as a source or destination in NSG rules. The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups that this NIC should join, and then click Save to commit the change.

Answer 87

The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway resources and services use. It requires a free subnet range within the VNET of the gateway. All gateway subnets must be named 'GatewaySubnet' to work properly, and only one per vnet. When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device. VNet-to-VNet Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway, so require a vpn gateway subnet. Several SKUs, you can’t choose the Basic SKU from the portal. BasicSKU cannot coexist with ExpressRoute. A P2S connection requires a RouteBased VPN type, PolicyBased not supported.

Answer 88

Azure Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for Azure IaaS (Infrastructure-as-a-Service) resources. Network Watcher enables you to monitor and repair the network health of IaaS products. Network Watcher isn't designed or intended for PaaS monitoring or Web analytics. When you create or update a virtual network in your subscription, Network Watcher is automatically enabled in your virtual network's region. Network Watcher consists of three major sets of tools and capabilities: 1. Monitoring 2. Network diagnostic tools 3. Traffic NSG flow logging requires the Microsoft.Insights provider, the flow logs are stored in a storage account. Specific tools: - IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. - NSG Flow logs enable you to log 5-tuple flow information about your Azure IP traffic that passes through a network security group or Azure virtual network. This data can be used by Traffic Analytics to analyze network traffic in your environment. - Connection Troubleshoot. The connection troubleshoot feature of Network Watcher provides the capability for a one-time check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. - The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint over a period of time. You can select only the source VMs that are created in the region of the connection monitor. - Variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine or a scale set. - Network Performance Monitor - for latency and network issues in hybrid, on-premises, across environments setups.

Answer 89

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. To associate a virtual network with a Bastion, it must contain a subnet with name AzureBastionSubnet and a prefix of at least /26. Bastion always requires a Standard public static IPv4, Regional, not Global Tier. Basic SKU: 2 instances (50 connections at most) Standard SKU: you can specify the number of instances between 2-50 (25 connections by instance at most). One IP required on the Bastion subnet per instance. Bastion inbound traffic is on port 443, it communicates from its subnet to the VMs on port 22 (Linux) or port 3389 (Windows). The native client feature lets you connect to your target VMs with native ssh and rdp clients from your machine via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). Using the native client requires the Standard SKU tier for Azure Bastion. Connect from Azure CLI with az network bastion rdp. Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host.

Answer 90

Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and kubenet (Linux).

Answer 91

Assigned to a subnet, applies to all outbound traffic from that subnet.

Answer 92

By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. With a two-gate policy, administrators don't have the ability to use security questions.

Answer 93

Application Insights

Answer 94

Only source vm, only dest log analytics

Algemeen Flashcards

(119 cards)