Apply and monitor infrastructure standards with Azure Policy Flashcards

1
Q

True/False
You have a policy that allows virtual machines of only a certain size in your environment. After this policy is implemented, new and existing resources are evaluated for compliance.

A

True

2
Q

Which actions can you perform with Azure Policy?

A

Create, Assign and Manage policies

3
Q

What are SKUs?

A

Stock keeping units (Pricing tier) for a resource

4
Q

True/False

Azure Policy will audit all the existing VMs in our organization to ensure our policy is enforced.

A

True

5
Q

True/False

You can integrate Azure Policy with Azure DevOps.

A

True

6
Q

True/False
You can even integrate Azure Policy with Azure DevOps, by applying any continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications.

A

True

7
Q

True/False

Azure Policy is a default-allow-and-explicit-deny system.

A

True

8
Q

True/False

RBAC is a default-allow-and-explicit-deny system.

A

False

9
Q

What are the steps to apply an Azure Policy?

A
  1. Create a policy definition
  2. Assign a definition to a scope of resources
  3. View policy evaluation results
10
Q

What is a policy definition?

A

A policy definition expresses what to evaluate and what action to take

11
Q

True/False

You can use one of the pre-defined policy definitions in Azure Policy or create your own.

A

True

12
Q

What is the Microsoft.PolicyInsights extension used for?

A

To apply an Azure Policy.

Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

13
Q

How can you identify non-compliant Azure Policy resources?

A
  • Compliance tab in Azure Policy
  • Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'
14
Q

True/False

Policy assignments are not inherited by all child resources.

A

False
This inheritance means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment.

15
Q

Describe Azure Policy effects.

A

Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. Policy processes several of the effects before handing the request to the appropriate Resource Provider to avoid any unnecessary processing if the resource violates policy.

Azure Policy will take a specific action based on the assigned effect.
- Deny
The resource creation/update fails due to policy.
- Disabled
The policy rule is ignored (disabled). Often used for testing.
- Append
Adds additional parameters/fields to the requested resource during creation or update. A common example is adding tags on resources such as Cost Center or specifying allowed IPs for a storage resource.
- Audit, AuditIfNotExists
Creates a warning event in the activity log when evaluating a non-compliant resource, but it doesn’t stop the request.
- DeployIfNotExists
Executes a template deployment when a specific condition is met. For example, if SQL encryption is enabled on a database, then it can run a template after the DB is created to set it up a specific way.

16
Q

True/False

Azure Policy can allow a resource to be created even if it doesn’t pass validation.

A

True
In these cases, you can have it trigger an audit event that can be viewed in the Azure Policy portal, or through command-line tools.

17
Q

How can you remove a policy assignment with PowerShell?

A

Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions//resourceGroups/'

18
Q

What are Azure Policy Initiatives?

A

Managing a few policy definitions is easy, but once you have more than a few, you will want to organize them. That’s where initiatives come in.

An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.

19
Q

What are Azure Management Groups?

A

Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.

20
Q

Suppose you have a management group “Geo Region 1” within the Root Management Group, which contains two EA subscriptions. When you apply a policy to “Geo Region 1”, would the EA subscription owners be able to alter the policy?

A

No.

21
Q

True/False
The resources and subscriptions you assign to a management group automatically inherit the conditions that you apply to that management group.

A

True

22
Q

Which Azure resource can you use to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements?

A

Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups

23
Q

What are the steps to implement an Azure Blueprint?

A

The process of implementing Azure Blueprint consists of the following high-level steps:

  1. Create an Azure Blueprint
  2. Assign the blueprint
  3. Track the blueprint assignments

24
Q

True/False

Azure Blueprints are stored in an Azure Blob Storage Account.

A

False.
The Azure Blueprints service is backed by the globally distributed Azure Cosmos database. Blueprint objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, regardless of which region Blueprints deploys your resources to.

25
Q

How does Azure Blueprint differ from Azure Resource Manager?

A

The Azure Blueprints service is designed to help with environment setup. This setup often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint is a package to bring each of these artifact types together and allow you to compose and version that package—including through a CI/CD pipeline.

A Resource Manager template is a document that doesn’t exist natively in Azure. Resource Manager templates are stored either locally or in source control. The template gets used for deployments of one or more Azure resources, but once those resources deploy there’s no active connection or relationship to the template.

With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.

26
Q

How does Azure Blueprint differ from Azure Policy?

A

A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance.

A policy is a default-allow and explicit-deny system focused on resource properties during deployment and for already existing resources. It supports cloud governance by validating that resources within a subscription adhere to requirements and standards.

27
Q

Where can you check your resource compliance?

A

1 Microsoft Privacy Statement
2 Microsoft Trust Center
3 Service Trust Portal
4 Compliance Manager

1 The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.

2 Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.

3 The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services.

4 Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
As part of the risk assessment, Compliance Manager also provides recommended actions you can take to improve your regulatory compliance.

28
Q

Azure provides two primary services to monitor the health of your apps and resources. What are they?

A

Azure Monitor

Azure Service Health

29
Q

How can you extend the data you’re collecting into the actual operation of a resource in Azure Monitor?

A

By enabling Diagnostics and adding an agent to compute resources.

30
Q

Describe Application Insights

A

Application Insights is a service that monitors the availability, performance, and usage of your web applications, whether they’re hosted in the cloud or on-premises.

It integrates with Microsoft Visual Studio to support your DevOps processes.

31
Q

Describe Azure Monitor for containers

A

Azure Monitor for containers is a service designed to monitor the performance of container workloads deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS).

32
Q

Describe Azure Monitor for VMs

A

Azure Monitor for VMs is a service that monitors your Azure VMs at scale by analyzing the performance and health of your Windows and Linux VMs.

33
Q

Describe Azure Monitor Alerts

A

Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions.

34
Q

Describe Azure Monitor Autoscale

A

Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load.

35
Q

Describe Azure Service Health

A

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can also help you prepare for planned maintenance and changes that could affect the availability of your resources.

36
Q

What are the views of Azure Service Health?

A
  • Azure Status provides a global view of the health state of Azure services.
  • Service Health provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them.
  • Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources.