AZ-204 Flashcards

Question

What is a function app in Azure?

Answer 1

A function app provides an execution context in Azure in which your functions run. As such, it's the unit of deployment and management for your functions. A function app is composed of one or more individual functions that are managed, deployed, and scaled together. All of the functions in a function app share the same pricing plan, deployment method, and runtime version. Think of a function app as a way to organize and collectively manage your functions.

Answer 2

Azure Blob storage is Microsoft's object storage solution for the cloud

Answer 3

- Serving images or documents directly to a browser. - Storing files for distributed access. - Streaming video and audio. - Writing to log files. - Storing data for backup and restore, disaster recovery, and archiving. - Storing data for analysis by an on-premises or Azure-hosted service.

Answer 4

Hot: - Is optimized for frequent access of objects in the storage account. The Hot tier has the highest storage costs, but the lowest access costs. New storage accounts are created in the hot tier by default. Cool: Is optimized for storing large amounts of data that is infrequently accessed and stored for at least 30 days. The Cool tier has lower storage costs and higher access costs compared to the Hot tier. Archive: - Is available only for individual block blobs. The archive tier is optimized for data that can tolerate several hours of retrieval latency and will remain in the Archive tier for at least 180 days. The archive tier is the most cost-effective option for storing data, but accessing that data is more expensive than accessing data in the hot or cool tiers.

Answer 5

General-purpose v2 - Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Blob Storage or one of the other Azure Storage services. Block Blob - Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency Page blobs - Premium storage account type for page blobs only.

Answer 6

Storage Acoount - Container - Blob

Answer 7

A storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has an address that includes your unique account name. The combination of the account name and the Azure Storage blob endpoint forms the base address for the objects in your storage account.

Answer 8

A container organizes a set of blobs, similar to a directory in a file system. A storage account can include an unlimited number of containers, and a container can store an unlimited number of blobs.

Answer 9

Azure Storage supports three types of blobs: - Block blobs store text and binary data. Block blobs are made up of blocks of data that can be managed individually. Block blobs can store up to about 190.7 TiB. - Append blobs are made up of blocks like block blobs, but are optimized for append operations. Append blobs are ideal for scenarios such as logging data from virtual machines. -Page blobs store random access files up to 8 TB in size. Page blobs store virtual hard drive (VHD) files and serve as disks for Azure virtual machines.

Answer 10

A lifecycle management policy is a collection of rules in a JSON document to manage the lifecycle of data that is stored in various tiers in Azure Blob Storage

Answer 11

- Transition blobs to a cooler storage tier (hot to cool, hot to archive, or cool to archive) to optimize for performance and cost - Delete blobs at the end of their lifecycles - Define rules to be run once per day at the storage account level - Apply rules to containers or a subset of blobs (using prefixes as filters)

Answer 12

Rules help mange your data in Azure Blob Storage. One example is lifecycle management policy. Each rule definition includes a filter set and an action set. The filter set limits rule actions to a certain set of objects within a container or objects names. The action set applies the tier or delete actions to the filtered set of objects.

Answer 13

Filters limit rule actions to a subset of blobs within the storage account. If more than one filter is defined, a logical AND runs on all filters. Filters include: - blobTypes: An array of predefined enum values. - prefixMatch: An array of strings for prefixes to be match. Each rule can define up to 10 prefixes. A prefix string must start with a container name. - blobIndexMatch: An array of dictionary values consisting of blob index tag key and value conditions to be matched. Each rule can define up to 10 blob index tag condition.

Answer 14

In Azure Blob Storage, rule actions are part of the Lifecycle Management policy, which allows you to create rules to automatically transition your data to the best access tier and optimize costs. The rule actions define what operations to perform on the blobs when the conditions specified in the rule are met. Actions are applied to the filtered blobs when the run condition is met.

Answer 15

- tierToCool - enableAutoTierToHotFromCool - tierToArchive - delete

Answer 16

If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. For example, action delete is cheaper than action tierToArchive. Action tierToArchive is cheaper than action tierToCool.

Answer 17

- daysAfterModificationGreaterThan - daysAfterCreationGreaterThan - daysAfterLastAccessTimeGreaterThan - daysAfterLastTierChangeGreaterThan

Answer 18

Copy an archived blob to an online tier: - You can rehydrate an archived blob by copying it to a new blob in the hot or cool tier with the Copy Blob or Copy Blob from URL operation. Microsoft recommends this option for most scenarios. - Change a blob's access tier to an online tier - You can rehydrate an archived blob to hot or cool by changing its tier using the Set Blob Tier operation.

Answer 19

x-ms-rehydrate-priority

Answer 20

Standard priority: The rehydration request is processed in the order it was received and might take up to 15 hours. High priority: The rehydration request is prioritized over standard priority requests and might complete in under one hour for objects under 10 GB in size.

Answer 21

Changing a blob's tier doesn't affect its last modified time. If there is a lifecycle management policy in effect for the storage account, then rehydrating a blob with Set Blob Tier can result in a scenario where the lifecycle policy moves the blob back to the archive tier after rehydration because the last modified time is beyond the threshold set for the policy.

Answer 22

Represents the storage account, and provides operations to retrieve and configure account properties, and to work with blob containers in the storage account.

Answer 23

Represents a specific blob container, and provides operations to work with the container and the blobs within.

Answer 24

Represents a specific blob, and provides general operations to work with the blob, including operations to upload, download, delete, and create snapshots.

Answer 25

Represents an append blob, and provides operations specific to append blobs, such as appending log data.

Answer 26

Represents a block blob, and provides operations specific to block blobs, such as staging and then committing blocks of data.

Answer 27

Last-Modified

Answer 28

Azure Cosmos DB is a fully managed NoSQL database designed to provide low latency, elastic scalability of throughput, well-defined semantics for data consistency, and high availability.

Answer 29

1. Database Accounts 2. Databases 3. Containers 4. Db Items

Answer 30

An Azure Cosmos DB container is the unit of scalability both for provisioned throughput and storage. A container is horizontally partitioned and then replicated across multiple regions. The items that you add to the container are automatically grouped into logical partitions, which are distributed across physical partitions, based on the partition key.

Answer 31

- Dedicated provisioned throughput mode: The throughput provisioned on a container is exclusively reserved for that container and it's backed by the SLAs. - Shared provisioned throughput mode: These containers share the provisioned throughput with the other containers in the same database (excluding containers that have been configured with dedicated provisioned throughput). In other words, the provisioned throughput on the database is shared among all the “shared throughput” containers.

Answer 32

- Strong - Bounded staleness - Session - Consistent prefix - Eventual

Answer 33

Strong consistency offers a linearizability guarantee. Linearizability refers to serving requests concurrently. The reads are guaranteed to return the most recent committed version of an item. A client never sees an uncommitted or partial write. Users are always guaranteed to read the latest committed write.

Answer 34

Cosmos DB allows a certain amount of lag (in terms of time or operations) between the primary data copy and its other copies. Once that boundary is crossed, the system makes sure all copies are up-to-date.

Answer 35

In session consistency, within a single client session reads are guaranteed to honor the consistent-prefix, monotonic reads, monotonic writes, read-your-writes, and write-follows-reads guarantees. This assumes a single "writer" session or sharing the session token for multiple writers.

Answer 36

Consistent prefix provides the assurance that you'll never read data in a sequence that's different from the way it was written, making sure there's a logical flow to the data changes you observe.

Answer 37

In eventual consistency, there's no ordering guarantee for reads. In the absence of any further writes, the replicas eventually converge. Eventual consistency is the weakest form of consistency because a client may read the values that are older than the ones it read before. Eventual consistency is ideal where the application doesn't require any ordering guarantees. Examples include count of Retweets, Likes, or nonthreaded comments

Answer 38

These APIs allow your applications to treat Azure Cosmos DB as if it were various other databases technologies, without the overhead of management, and scaling approaches.

Answer 39

- If you have existing MongoDB, PostgreSQL Cassandra, or Gremlin applications - If you don't want to rewrite your entire data access layer - If you want to use the open-source developer ecosystem, client-drivers, expertise, and resources for your database

Answer 40

The cost of all database operations is normalized by Azure Cosmos DB and is expressed by request units (or RUs, for short). A request unit represents the system resources such as CPU, IOPS, and memory that are required to perform the database operations supported by Azure Cosmos DB.

Answer 41

Provisioned throughput mode: - In this mode, you provision the number of RUs for your application on a per-second basis in increments of 100 RUs per second. To scale the provisioned throughput for your application, you can increase or decrease the number of RUs at any time in increments or decrements of 100 RUs. You can make your changes either programmatically or by using the Azure portal. You can provision throughput at container and database granularity level. Serverless mode: - In this mode, you don't have to provision any throughput when creating resources in your Azure Cosmos DB account. At the end of your billing period, you get billed for the number of request units that have been consumed by your database operations. Autoscale mode: - In this mode, you can automatically and instantly scale the throughput (RU/s) of your database or container based on its usage. This scaling operation doesn't affect the availability, latency, throughput, or performance of the workload. This mode is well suited for mission-critical workloads that have variable or unpredictable traffic patterns, and require SLAs on high performance and scale.

Answer 42

Creates a new CosmosClient with a connection string. CosmosClient is thread-safe. It's recommended to maintain a single instance of CosmosClient per lifetime of the application that enables efficient connection management and performance.

Answer 43

It can be written in Javascript as code

Answer 44

Pretriggers: Executed before modifying a database item. Posttriggers: Executed after modifying a database item

Answer 45

- Validation of data - Adding metadata

Answer 46

Change feed in Azure Cosmos DB is a persistent record of changes to a container in the order they occur. Change feed support in Azure Cosmos DB works by listening to an Azure Cosmos DB container for any changes. It then outputs the sorted list of documents that were changed in the order in which they were modified. The persisted changes can be processed asynchronously and incrementally, and the output can be distributed across one or more consumers for parallel processing.

Answer 47

- Push Model - Pull Model

Answer 48

With a push model, the change feed processor pushes work to a client that has business logic for processing this work. However, the complexity in checking for work and storing state for the last processed work is handled within the change feed processor. This is the recommended model because you won't need to worry about polling the change feed for future changes, storing state for the last processed change, and other benefits.

Answer 49

With a pull model, the client has to pull the work from the server. The client, in this case, not only has business logic for processing work but also storing state for the last processed work, handling load balancing across multiple clients processing work in parallel, and handling errors.

Answer 50

- Azure Functions - Change feed processor

Answer 51

The change feed processor is part of the Azure Cosmos DB .NET V3 and Java V4 SDKs. It simplifies the process of reading the change feed and distributes the event processing across multiple consumers effectively.

Answer 52

1. The monitored container: The monitored container has the data from which the change feed is generated. Any inserts and updates to the monitored container are reflected in the change feed of the container. 2. The lease container: The lease container acts as a state storage and coordinates processing the change feed across multiple workers. The lease container can be stored in the same account as the monitored container or in a separate account. 3. The compute instance: A compute instance hosts the change feed processor to listen for changes. Depending on the platform, it could be represented by a VM, a kubernetes pod, an Azure App Service instance, an actual physical machine. It has a unique identifier referenced as the instance name throughout this article. 4. The delegate: The delegate is the code that defines what you, the developer, want to do with each batch of changes that the change feed processor reads.

Answer 53

Azure Container Registry (ACR) is a managed, private Docker registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your private Docker container images.

Answer 54

- Scalable orchestration systems that manage containerized applications across clusters of hosts, including Kubernetes, DC/OS, and Docker Swarm. - Azure services that support building and running applications at scale, including Azure Kubernetes Service (AKS), App Service, Batch, Service Fabric, and others.

Answer 55

Basic: - A cost-optimized entry point for developers learning about Azure Container Registry. Basic registries have the same programmatic capabilities as Standard and Premium (such as Microsoft Entra authentication integration, image deletion, and webhooks). However, the included storage and image throughput are most appropriate for lower usage scenarios. Standard: - Standard registries offer the same capabilities as Basic, with increased included storage and image throughput. Standard registries should satisfy the needs of most production scenarios. Premium: - Premium registries provide the highest amount of included storage and concurrent operations, enabling high-volume scenarios. In addition to higher image throughput, Premium adds features such as geo-replication for managing a single registry across multiple regions, content trust for image tag signing, and private link with private endpoints to restrict access to the registry.

Answer 56

- Encyrption at rest - Regional storage - Zone redundancy - Scalable storage

Answer 57

Azure Container Instances (ACI) is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs.

Answer 58

- Fast startup: ACI can start containers in Azure in seconds, without the need to provision and manage VMs - Container access: ACI enables exposing your container groups directly to the internet with an IP address and a fully qualified domain name (FQDN) - Hypervisor-level security: Isolate your application as completely as it would be in a VM - Customer data: The ACI service stores the minimum customer data required to ensure your container groups are running as expected - Custom sizes: ACI provides optimum utilization by allowing exact specifications of CPU cores and memory - Persistent storage: Mount Azure Files shares directly to a container to retrieve and persist state - Linux and Windows: Schedule both Windows and Linux containers using the same API.

Answer 59

The top-level resource in Azure Container Instances is the container group. A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. It's similar in concept to a pod in Kubernetes.

Answer 60

There are two common ways to deploy a multi-container group: use a Resource Manager template or a YAML file. A Resource Manager template is recommended when you need to deploy additional Azure service resources (for example, an Azure Files share) when you deploy the container instances. Due to the YAML format's more concise nature, a YAML file is recommended when your deployment includes only container instances.

Answer 61

One should use Yaml file if it only contains container instances, but it other azure services need to be orchestrated the Resource Manager template is desired

Answer 62

Always: - Containers in the container group are always restarted. This is the default setting applied when no restart policy is specified at container creation. Never: - Containers in the container group are never restarted. The containers run at most once. OnFailure: - Containers in the container group are restarted only when the process executed in the container fails (when it terminates with a nonzero exit code). The containers are run at least once.

Answer 63

Azure Container Apps provides the flexibility you need with a serverless container service built for microservice applications and robust autoscaling capabilities without the overhead of managing complex infrastructure.

Answer 64

Privileged containers: Azure Container Apps can't run privileged containers. If your program attempts to run a process that requires root access, the application inside the container experiences a runtime error. Operating system: Linux-based (linux/amd64) container images are required.

Answer 65

A revision is an immutable snapshot of a container app version.

Answer 66

By using Revistion, an immutable snapshot of a container app version.

Answer 67

1. OAuth 2.0 and OpenID Connect standard-compliant authentication service enabling developers to authenticate several identity types 2. Open-source libraries: Microsoft Authentication Libraries (MSAL) and support for other standards-compliant libraries 3. Application management portal: A registration and configuration experience in the Azure portal, along with the other Azure management capabilities. 4. Application configuration API and PowerShell: Programmatic configuration of your applications through the Microsoft Graph API and PowerShell so you can automate your DevOps tasks.

Answer 68

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources

Answer 69

Single tenant: only accessible in your tenant Multi-tenant: accessible in other tenants

Answer 70

The application object resides in the Microsoft Entra tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. It consist of some static properties that describes three aspects of an application: how the service can issue tokens in order to access the application, resources that the application might need to access, and the actions that the application can take.

Answer 71

- Application - Managed Identity - Legacy

Answer 72

This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

Answer 73

This type of service principal is used to represent a managed identity. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but can't be updated or modified directly.

Answer 74

This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but doesn't have an associated app registration. The service principal can only be used in the tenant where it was created.

Answer 75

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

Answer 76

It is another word for permistions. It contains the permissions for the user.

Answer 77

Delegated permissions App-only access permissions

Answer 78

Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.

Answer 79

App-only access permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons. Only an administrator can consent to app-only access permissions.

Answer 80

1. static user consent 2. incremental and dynamic user consent 3. admin consent.

Answer 81

In the static user consent scenario, you must specify all the permissions it needs in the app's configuration in the Azure portal. If the user (or administrator, as appropriate) hasn't granted consent for this app, then Microsoft identity platform prompts the user to provide consent at this time. Static permissions also enable administrators to consent on behalf of all users in the organization.

Answer 82

1. The app needs to request all the permissions it would ever need upon the user's first sign-in. This can lead to a long list of permissions that discourages end users from approving the app's access on initial sign-in. 2. The app needs to know all of the resources it would ever access ahead of time. It's difficult to create apps that could access an arbitrary number of resources.

Answer 83

Incremental and dynamic consent in the context of Azure Identity refers to the practice of asking users for permission step-by-step, only at the time when a particular access level is needed, instead of asking for all permissions upfront.

Answer 84

Dynamic consent can be convenient, but presents a big challenge for permissions that require admin consent, since the admin consent experience doesn't know about those permissions at consent time. If you require admin privileged permissions or if your app uses dynamic consent, you must register all of the permissions in the Azure portal (not just the subset of permissions that require admin consent). This enables tenant admins to consent on behalf of all their users.

Answer 85

Admin consent in Azure Identity refers to a scenario where an administrator grants permissions on behalf of all users within an organization. Instead of each individual user granting consent for an application to access their data, an administrator can provide consent once, allowing the application to work for all users without them having to go through the consent process individually. This is particularly useful for enterprise

Answer 86

The Conditional Access feature in Microsoft Entra ID offers one of several ways that you can use to secure your app and protect a service. Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including: - Multifactor authentication - Allowing only Intune enrolled devices to access specific services - Restricting user locations and IP ranges

Answer 87

Specifically, the following scenarios require code to handle Conditional Access challenges: - Apps performing the on-behalf-of flow - Apps accessing multiple services/resources - Single-page apps using MSAL.js - Web apps calling a resource

Answer 88

The Microsoft Authentication Library (MSAL) can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL gives you many ways to get tokens, with a consistent API for many platforms.

Answer 89

- No need to directly use the OAuth libraries or code against the protocol in your application. - Acquires tokens on behalf of a user or on behalf of an application (when applicable to the platform). - Maintains a token cache and refreshes tokens for you when they're close to expire. - - You don't need to handle token expiration on your own. - Helps you specify which audience you want your application to sign in. - Helps you set up your application from configuration files. - Helps you troubleshoot your app by exposing actionable exceptions, logging, and telemetry.

Answer 90

- Authorization code: Native and web apps securely obtain tokens in the name of the user - Client credentials: Service applications run without user interaction - On-behalf-of: The application calls a service/web API, which in turns calls Microsoft Graph - Implicit: Used in browser-based applications - Device code: Enables sign-in to a device by using another device that has a browser - Integrated Windows: Windows computers silently acquire an access token when they're domain joined - Interactive: Mobile and desktops applications call Microsoft Graph in the name of a user - Username/password: The application signs in a user by using their username and password

Answer 91

With MSAL.NET 3.x, the recommended way to instantiate an application is by using the application builders: PublicClientApplicationBuilder and ConfidentialClientApplicationBuilder. They offer a powerful mechanism to configure the application either from the code, or from a configuration file, or even by mixing both approaches.

Answer 92

A shared access signature (SAS) is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client.

Answer 93

- User delegation SAS - Service SAS - Account SAS

Answer 94

A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

Answer 95

Only blob storage

Answer 96

The Service SAS can be restricted to a specific service, such as Azure Blob Storage, Azure Table Storage, Azure Queue Storage, or Azure File Storage. The permissions granted by a Service SAS are scoped to a specific resource, such as a blob, container, table, queue, or file.

Answer 97

Blob storage, Queue storage, Table storage, or Azure Files.

Answer 98

An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

Answer 99

When you use a SAS to access data stored in Azure Storage, you need two components. The first is a URI to the resource you want to access. The second part is a SAS token that you've created to authorize access to that resource.

Answer 100

- To securely distribute a SAS and prevent man-in-the-middle attacks, always use HTTPS. - The most secure SAS is a user delegation SAS. Use it wherever possible because it removes the need to store your storage account key in code. You must use Microsoft - - Entra ID to manage credentials. This option might not be possible for your solution. - Try to set your expiration time to the smallest useful value. If a SAS key becomes compromised, it can be exploited for only a short time. - Apply the rule of minimum-required privileges. Only grant the access that's required. - For example, in your app, read-only access is sufficient. - There are some situations where a SAS isn't the correct solution. When there's an unacceptable risk of using a SAS, create a middle-tier service to manage users and their access to storage.

Answer 101

Use a SAS when you want to provide secure access to resources in your storage account to any client who doesn't otherwise have permissions to those resources.

Answer 102

A stored access policy provides an extra level of control over service-level shared access signatures (SAS) on the server side. Establishing a stored access policy groups SAS and provides more restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.

Answer 103

- Blob containers - File shares - Queues - Tables

Answer 104

Microsoft Graph is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security.

Answer 105

1. The Microsoft Graph API offers a single endpoint. 2. Microsoft Graph connectors 3. Microsoft Graph Data Connect

Answer 106

- REST API - .NET SDK

Answer 107

GET: Read data from a resource. POST: Create a new resource, or perform an action. PATCH: Update a resource with new values. PUT: Replace a resource with a new one. DELETE: Remove a resource.

Answer 108

{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} {HTTP method} - The HTTP method used on the request to Microsoft Graph. {version} - The version of the Microsoft Graph API your application is using. {resource} - The resource in Microsoft Graph that you're referencing. {query-parameters} - Optional OData query options or REST method parameters that customize the response.

Answer 109

GraphServiceClient

Answer 110

- Authentication - Consent and Authorization - Handle responses effectively, pagination etc - Storing Data Locally: Your application should ideally make calls to Microsoft Graph to retrieve data in real time as necessary. You should only cache or store data locally necessary for a specific scenario, and if that use case is covered by your terms of use and privacy policy, and doesn't violate the Microsoft APIs Terms of Use. Your application should also implement proper retention and deletion policies.

Answer 111

Microsoft Graph connectors work in the incoming direction, delivering data external to the Microsoft cloud into Microsoft Graph services and applications, to enhance Microsoft 365 experiences such as Microsoft Search. Connectors exist for many commonly used data sources such as Box, Google Drive, Jira, and Salesforce.

Answer 112

Microsoft Graph Data Connect provides a set of tools to streamline secure and scalable delivery of Microsoft Graph data to popular Azure data stores. The cached data serves as data sources for Azure development tools that you can use to build intelligent applications.

Answer 113

- Vaults: support storing software, HSM-backed keys, secrets, and certificates - hardware security module(HSM) pools: HSM-backed keys

Answer 114

- Centralized application secrets - Securely store secrets and keys - Monitor access and use - Simplified administration of application secrets

Answer 115

- Use separate key vaults - Control access to your vault - Backup - Logging - Recovery Options

Answer 116

- Enable a system-assigned managed identity for the application. With managed identity, Azure internally manages the application's service principal and automatically authenticates the application with other Azure services. Managed identity is available for applications deployed to various services. - If you can't use managed identity, you instead register the application with your Microsoft Entra tenant. Registration also creates a second application object that identifies the app across all tenants.

Answer 117

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

Answer 118

System-assigned managed identity User-assigned managed identity

Answer 119

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Microsoft Entra tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Microsoft Entra ID.

Answer 120

A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Microsoft Entra tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it's assigned.

Answer 121

Azure resources that supports Microsoft Entra authentication

Answer 122

--assign-identity, followed by --role, --scope, --admin-username and --admin-password

Answer 123

DefaultAzureCredential

Answer 124

Azure App Configuration provides a service to centrally manage application settings and feature flags.

Answer 125

As key value pairs

Answer 126

Using a hierarchical naming convention.

Answer 127

App Configuration doesn't version key values automatically as they're modified. Use labels as a way to create multiple versions of a key value.

Answer 128

A feature flag is a variable with a binary state of on or off. The feature flag also has an associated code block. The state of the feature flag triggers whether the code block runs or not.

Answer 129

A feature manager is an application package that handles the lifecycle of all the feature flags in an application. The feature manager typically provides extra functionality, such as caching feature flags and updating their states.

Answer 130

A filter is a rule for evaluating the state of a feature flag. A user group, a device or browser type, a geographic location, and a time window are all examples of what a filter can represent.

Answer 131

Customer-managed keys Private endpoints Managed identities

Answer 132

When customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Microsoft Entra ID. The managed identity then calls Azure Key Vault and wraps the App Configuration instance's encryption key.

Answer 133

You can use private endpoints for Azure App Configuration to allow clients on a virtual network (VNet) to securely access data over a private link. The private endpoint uses an IP address from the VNet address space for your App Configuration store. Network traffic between the clients on the VNet and the App Configuration store traverses over the VNet using a private link on the Microsoft backbone network, eliminating exposure to the public internet.

Answer 134

Your application can be granted two types of identities: - A system-assigned identity is tied to your configuration store. It's deleted if your configuration store is deleted. A configuration store can only have one system-assigned identity. - A user-assigned identity is a standalone Azure resource that can be assigned to your configuration store. A configuration store can have multiple user-assigned identities.

Answer 135

API Management provides the core functionality to ensure a successful API program through developer engagement, business insights, analytics, security, and protection.

Answer 136

API gateway The management plane The Developer portal

Answer 137

The API gateway is the endpoint that: - Accepts API calls and routes them to appropriate backends - Verifies API keys and other credentials presented with requests - Enforces usage quotas and rate limits - Transforms requests and responses specified in policy statements - Caches responses to improve response latency and minimize the load on backend services - Emits logs, metrics, and traces for monitoring, reporting, and troubleshooting

Answer 138

The management plane is the administrative interface where you set up your API program. Use it to: - Provision and configure API Management service settings - Define or import API schema - Package APIs into products - Set up policies like quotas or transformations on the APIs - Get insights from analytics - Manage users

Answer 139

The Developer portal is an automatically generated, fully customizable website with the documentation of your APIs. Using the developer portal, developers can: - Read API documentation - Call an API via the interactive console - Create an account and subscribe to get API keys - Access analytics on their own usage - Download API definitions - Manage API keys

Answer 140

Products are how APIs are surfaced to developers. Products in API Management have one or more APIs, and are configured with a title, description, and terms of use.

Answer 141

Protected products must be subscribed to before they can be used, while open products can be used without a subscription. Subscription approval is configured at the product level and can either require administrator approval, or be autoapproved.

Answer 142

Groups are used to manage the visibility of products to developers.

Answer 143

Administrators - Manage API Management service instances and create the APIs, operations, and products that are used by developers. Azure subscription administrators are members of this group. Developers - Authenticated developer portal users that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API. Guests - Unauthenticated developer portal users. They can be granted certain read-only access, like the ability to view APIs but not call them.

Answer 144

Managed and Self-hosted

Answer 145

The managed gateway is the default gateway component that is deployed in Azure for every API Management instance in every service tier. With the managed gateway, all API traffic flows through Azure regardless of where backends implementing the APIs are hosted.

Answer 146

The self-hosted gateway is an optional, containerized version of the default managed gateway. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure.

Answer 147

inbound, backend, outbound, and on-error

Answer 148

All APIs: Applies to every API accessible from the gateway Single API: This scope applies to a single imported API and all of its endpoints Product: A product is a collection of one or more APIs that you configure in API Management. You can assign APIs to more than one product. Products can have different access rules, usage quotas, and terms of use.

Answer 149

Having two keys makes it easier when you do need to regenerate a key. For example, if you want to change the primary key and avoid downtime, use the secondary key in your apps.

Answer 150

By setting this header: Ocp-Apim-Subscription-Key

Answer 151

Developer portal is an automatically generated, fully customizable website with the documentation of your APIs. It is where API consumers can discover your APIs, learn how to use them, request access, and try them out.

Answer 152

choose: The choose policy applies enclosed policy statements based on the outcome of evaluation of boolean expressions, similar to an if-then-else or a switch construct in a programming language.

Answer 153

forward-request

Answer 154

limit-concurrency:

Answer 155

log-to-eventhub

Answer 156

mock-response

Answer 157

return-response

Answer 158

Azure Event Grid is a serverless event broker that you can use to integrate applications using events. Events are delivered by Event Grid to subscriber destinations such as applications, Azure services, or any endpoint to which Event Grid has network access. The source of those events can be other applications, SaaS services and Azure services. Publishers emit events, but have no expectation about how the events are handled. Subscribers decide on which events they want to handle.

Answer 159

Event Grid event schema and Cloud event schema

Answer 160

It is Azure's standard of creating an event. It consist of several properies like: - topic - subject - eventType - eventTime - id - data - dataVersion

Answer 161

CloudEvents simplifies interoperability by providing a common event schema for publishing, and consuming cloud based events. This schema allows for uniform tooling, standard ways of routing & handling events, and universal ways of deserializing the outer event schema. With a common schema, you can more easily integrate work across platforms.

Answer 162

- subject - eventType - eventTime - id

Answer 163

No, Event Grid doesn't guarantee order for event delivery, so subscribers may receive them out of order.

Answer 164

Retry the delivery, dead-letter the event, or drop the event based on the type of the error.

Answer 165

- Maximum number of attempts - The value must be an integer between 1 and 30. The default value is 30. - Event time-to-live (TTL) - The value must be an integer between 1 and 1440. The default value is 1440 minutes

Answer 166

You can configure Event Grid to batch events for delivery for improved HTTP performance in high-throughput scenarios.

Answer 167

Max events per batch - Maximum number of events Event Grid delivers per batch. This number won't be exceeded, however fewer events may be delivered if no other events are available at the time of publish. Event Grid doesn't delay events to create a batch if fewer events are available. Must be between 1 and 5,000. Preferred batch size in kilobytes - Target ceiling for batch size in kilobytes. Similar to max events, the batch size may be smaller if more events aren't available at the time of publish. It's possible that a batch is larger than the preferred batch size if a single event is larger than the preferred size. For example, if the preferred size is 4 KB and a 10-KB event is pushed to Event Grid, the 10-KB event will still be delivered in its own batch rather than being dropped.

Answer 168

When Event Grid can't deliver an event within a certain time period or after trying to deliver the event a number of times, it can send the undelivered event to a storage account. This process is known as dead-lettering.

Answer 169

Event isn't delivered within the time-to-live period. The number of tries to deliver the event exceeds the limit.

Answer 170

Event Grid Subscription Reader - Lets you read Event Grid event subscriptions. Event Grid Subscription Contributor - Lets you manage Event Grid event subscription operations. Event Grid Contributor - Lets you create and manage Event Grid resources. Event Grid Data Sender - Lets you send events to Event Grid topics.

Answer 171

Synchronous handshake: At the time of event subscription creation, Event Grid sends a subscription validation event to your endpoint. The schema of this event is similar to any other Event Grid event. The data portion of this event includes a validationCode property. Your application verifies that the validation request is for an expected event subscription, and returns the validation code in the response synchronously. This handshake mechanism is supported in all Event Grid versions. Asynchronous handshake: In certain cases, you can't return the ValidationCode in response synchronously. For example, if you use a third-party service (like Zapier or IFTTT), you can't programmatically respond with the validation code.

Answer 172

Event types Subject begins with or ends with Advanced fields and operators

Answer 173

Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. Data sent to an event hub can be transformed and stored by using any real-time analytics provider or batching/storage adapters.

Answer 174

- Event Hubs client - Event Hubs producer - Event Hubs consumer - partition - consumer group - Event receivers - Throughput units or processing units

Answer 175

An Event Hubs client is the primary interface for developers interacting with the Event Hubs client library. There are several different Event Hubs clients, each dedicated to a specific use of Event Hubs, such as publishing or consuming events.

Answer 176

An Event Hubs producer is a type of client that serves as a source of telemetry data, diagnostics information, usage logs, or other log data, as part of an embedded device solution, a mobile device application, a game title running on a console or other device, some client or server based business solution, or a web site.

Answer 177

An Event Hubs consumer is a type of client that reads information from the Event Hubs and allows processing of it. Processing may involve aggregation, complex computation and filtering. Processing may also involve distribution or storage of the information in a raw or transformed fashion. Event Hubs consumers are often robust and high-scale platform infrastructure parts with built-in analytics capabilities, like Azure Stream Analytics, Apache Spark.

Answer 178

A partition is an ordered sequence of events that is held in an Event Hubs. Partitions are a means of data organization associated with the parallelism required by event consumers. Azure Event Hubs provides message streaming through a partitioned consumer pattern in which each consumer only reads a specific subset, or partition, of the message stream. As newer events arrive, they're added to the end of this sequence. The number of partitions is specified at the time an Event Hubs is created and can't be changed.

Answer 179

A consumer group is a view of an entire Event Hubs. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and from their own position. There can be at most five concurrent readers on a partition per consumer group; however it's recommended that there's only one active consumer for a given partition and consumer group pairing. Each active reader receives all of the events from its partition; if there are multiple readers on the same partition, then they'll receive duplicate events.

Answer 180

Is a feature of Azure Event Hubs that allows you to automatically capture the streaming data in Event Hubs and save it to a specified data store for later processing or analysis. It's like turning on continuous data capture for your Event Hub.

Answer 181

In the context of Azure Event Hubs, the partitioned consumer model is used to facilitate the processing of large volumes of events in a scalable and parallel manner.

Answer 182

Partitions: When you create an Event Hub, you define a number of partitions. Each partition acts as an independent message queue that stores a sequence of events.

Answer 183

throughput units. A single throughput unit allows 1 MB per second or 1000 events per second of ingress and twice that amount of egress

Answer 184

We use the EventProcessorClient class. Clients will automatically manage distribution and balancing of work as instances become available or unavailable for the group.

Answer 185

Checkpointing is a process by which an event processor marks or commits the position of the last successfully processed event within a partition. Marking a checkpoint is typically done within the function that processes the events and occurs on a per-partition basis within a consumer group.

Answer 186

- Azure Event Hubs Data Owner: Use this role to give complete access to Event Hubs resources. - Azure Event Hubs Data Sender: Use this role to give send access to Event Hubs resources. - Azure Event Hubs Data Receiver: Use this role to give receiving access to Event Hubs resources.

Answer 187

Service Bus queues Storage queues

Answer 188

Service Bus queues are part of a broader Azure messaging infrastructure that supports queuing, publish/subscribe, and more advanced integration patterns. They're designed to integrate applications or application components that may span multiple communication protocols, data contracts, trust domains, or network environments.

Answer 189

Storage queues are part of the Azure Storage infrastructure. They allow you to store large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously.

Answer 190

- Your solution needs to receive messages without having to poll the queue. - Your solution requires the queue to provide a guaranteed first-in-first-out (FIFO) ordered delivery. - Your solution needs to support automatic duplicate detection. - You want your application to process messages as parallel long-running streams - Your solution requires transactional behavior and atomicity when sending or receiving multiple messages from a queue. - Your application handles messages that can exceed 64 KB but won't likely approach the 256-KB limit.

Answer 191

- Your application must store over 80 gigabytes of messages in a queue. - Your application wants to track progress for processing a message in the queue. It's useful if the worker processing a message crashes. Another worker can then use that information to continue from where the prior worker left off. - You require server side logs of all of the transactions executed against your queues.

Answer 192

The main difference is a higher throughput rather than variable. And the same thing goes for latency. It also has a fixed pricing when choosing premium, the ability to scale and support larger messages.

Answer 193

Receive and delete or Peek lock.

Answer 194

In this mode, when Service Bus receives the request from the consumer, it marks the message as consumed and returns it to the consumer application.

Answer 195

It works best for scenarios in which the application can tolerate not processing a message if a failure occurs. For example, consider a scenario in which the consumer issues the receive request and then crashes before processing it. As Service Bus marks the message as consumed, the application begins consuming messages upon restart. It misses the message that it consumed before the crash.

Answer 196

In this mode, the receive operation becomes two-stage, which makes it possible to support applications that can't tolerate missing messages. 1. Finds the next message to be consumed, locks it to prevent other consumers from receiving it, and then, return the message to the application. 2. After the application finishes processing the message, it requests the Service Bus service to complete the second stage of the receive process. Then, the service marks the message as consumed.

Answer 197

When applications can't tolerate missing messages.

Answer 198

- Simple request/reply - Multicast request/reply - Multiplexing - Multiplexed request/reply

Answer 199

Simple request/reply: A publisher sends a message into a queue and expects a reply from the message consumer. The publisher owns a queue to receive the replies. The address of that queue is contained in the ReplyTo property of the outbound message. When the consumer responds, it copies the MessageId of the handled message into the CorrelationId property of the reply message and delivers the message to the destination indicated by the ReplyTo property. One message can yield multiple replies, depending on the application context.

Answer 200

Multicast request/reply: As a variation of the prior pattern, a publisher sends the message into a topic and multiple subscribers become eligible to consume the message. Each of the subscribers might respond in the fashion described previously. If ReplyTo points to a topic, such a set of discovery responses can be distributed to an audience.

Answer 201

Multiplexing: This session feature enables multiplexing of streams of related messages through a single queue or subscription such that each session (or group) of related messages, identified by matching SessionId values, are routed to a specific receiver while the receiver holds the session under lock.

Answer 202

Multiplexed request/reply: This session feature enables multiplexed replies, allowing several publishers to share a reply queue. By setting ReplyToSessionId, the publisher can instruct the consumer(s) to copy that value into the SessionId property of the reply message. The publishing queue or topic doesn't need to be session-aware. When the message is sent the publisher can wait for a session with the given SessionId to materialize on the queue by conditionally accepting a session receiver.

Answer 203

Message Sessions

Answer 204

Enables producers and consumers to send and receive messages at different rates. Intermediating message producers and consumers with a queue means that the consuming application only has to be able to handle average load instead of peak load.

Answer 205

Application Insights is an extension of Azure Monitor and provides Application Performance Monitoring (also known as “APM”) features. APM tools are useful to monitor applications from development, through test, and into production in the following ways: - Proactively understand how an application is performing. - Reactively review application execution data to determine the cause of an incident.

Answer 206

- Live Metrics: Observe activity from your deployed application in real time with no effect on the host environment. - Availability: Also known as “Synthetic Transaction Monitoring”, probe your applications external endpoint(s) to test the overall availability and responsiveness over time. - GitHub or Azure DevOps integration: Create GitHub or Azure DevOps work items in context of Application Insights data. - Usage: Understand which features are popular with users and how users interact and use your application - Smart Detection: Automatic failure and anomaly detection through proactive telemetry analysis. - Application Map: A high level top-down view of the application architecture and at-a-glance visual references to component health and responsiveness. - Distributed Tracing: Search and visualize an end-to-end flow of a given execution or transaction.

Answer 207

1. Request rates, response times, and failure rates - Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go high when there are more requests, then perhaps you have a resourcing problem. 2. Dependency rates, response times, and failure rates - Find out whether external services are slowing you down. 3. Exceptions - Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported. 4. Page views and load performance - reported by your users' browsers. 5. AJAX calls from web pages - rates, response times, and failure rates. 6. User and session counts. 7. Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage. 8. Host diagnostics from Docker or Azure. 9. Diagnostic trace logs from your app - so that you can correlate trace events with requests. 10. Custom events and metrics that you write yourself in the client or server code, to track business events such as items sold or games won.

Answer 208

. Log-based metrics - Standard metrics

Answer 209

Log-based metrics are custom metrics derived from the log data or telemetry data. They are essentially custom queries written against the logs. They include any custom data that developers want to track and are not limited to predefined standard metrics.

Answer 210

Standard metrics are aggregated and collected by default without requiring any additional configuration. They include metrics like request rates, failure rates, dependency rates, exceptions, and host diagnostics (CPU, memory usage, etc.).

Answer 211

Application Insights is enabled through either Auto-Instrumentation (agent) or by adding the Application Insights SDK to your application code.

Answer 212

Auto-instrumentation is the preferred instrumentation method. It requires no developer investment and eliminates future overhead related to updating the SDK. In essence, all you have to do is enable and - in some cases - configure the agent, which collects the telemetry automatically.

Answer 213

To use the SDK, you install a small instrumentation package in your app and then instrument the web app, any background components, and JavaScript within the web pages. The app and its components don't have to be hosted in Azure. The instrumentation monitors your app and directs the telemetry data to an Application Insights resource by using a unique token

Answer 214

- URL ping test (classic): You can create this test through the portal to validate whether an endpoint is responding and measure performance associated with that response. You can also set custom success criteria coupled with more advanced features, like parsing dependent requests and allowing for retries. - Standard test (Preview): This single request test is similar to the URL ping test. It includes SSL certificate validity, proactive lifetime check, HTTP request verb (for example GET, HEAD, or POST), custom headers, and custom data associated with your HTTP request. - Custom TrackAvailability test: If you decide to create a custom application to run availability tests, you can use the TrackAvailability() method to send the results to Application Insights.

Answer 215

- Data cache: - Content cache - Session store - Job and message queuing - Distributed transactions

Answer 216

- Basic - Standard - Premium - Enterprise - Enterprise Flash

Answer 217

Enterprise

Answer 218

You should always place your cache instance and your application in the same region. Connecting to a cache in a different region can significantly increase latency and reduce reliability. If you're connecting to the cache outside of Azure, then select a location close to where the application consuming the data is running.

Answer 219

With the Premium, Enterprise, and Enterprise Flash tiers you can implement clustering to automatically split your dataset among multiple nodes.

Answer 220

StackExchange.Redis

Answer 221

bool setValue = await db.StringSetAsync("test:key", "100"); string getValue = await db.StringGetAsync("test:key");

Answer 222

1 millisecond

Answer 223

Read: Read the content, metadata, properties etc Add: Add a block to an append blob Create: Write a new blob Write: Create or write content of a blob (updating) Delete: Deleting a blob

Answer 224

The container that is hosting the blob

Answer 225

B grants the token at the blob level and the C grant the token at the container level

Answer 226

1. Assign a managed identity to the Azure Configuration Instance 2. Grant the identity GET, WRAP and UNWRAP permissions

Answer 227

az acr repository delete --name devregistry --image dev/nginx:latest

Answer 228

It enables commans related to the manifest of the artifact and not the image

Answer 229

In the deployment slot settings

Answer 230

The ARR Affinity setting ensures a client application is routed to the same instance for the life of the session.

Answer 231

@Microsoft.KeyVault(SecretName=secret;VaultName=name)

Answer 232

We create a function.json file for each function

Answer 233

with the / symbol before the number. Example 0 */5 * * * *, runs every 5 minutes

Answer 234

1. Seconds 2. Minutes 3. Hours 4. Days 5. Month 6. Day of the week

Answer 235

az webapp show \ --resource-group \ --name \ --query outboundIpAddresses \ --output tsv

Answer 236

az webapp show \ --resource-group \ --name \ --query possibleOutboundIpAddresses \ --output tsv

Answer 237

az webapp log tail --name --resource-group

Answer 238

az storage account management-policy create \ --account-name \ --policy @policy.json \ --resource-group

Answer 239

az storage account create --resource-group az204-blob-rg --name --location --sku Standard_LRS

Answer 240

az acr build --image sample/hello-world:v1 \ --registry \ --file Dockerfile .

Answer 241

az acr repository list --name --output table

Answer 242

az acr repository show-tags --name \ --repository sample/hello-world --output table

Answer 243

az acr run --registry \ --cmd '$Registry/sample/hello-world:v1' /dev/null

Answer 244

az container create --resource-group az204-aci-rg --name mycontainer --image mcr.microsoft.com/azuredocs/aci-helloworld --ports 80 --dns-name-label $DNS_NAME_LABEL --location

Answer 245

az container create \ --resource-group myResourceGroup \ --name mycontainer \ --image mycontainerimage \ --restart-policy OnFailure

Answer 246

az container create \ --resource-group myResourceGroup \ --name mycontainer2 \ --image mcr.microsoft.com/azuredocs/aci-wordcount:latest --restart-policy OnFailure \ --environment-variables 'NumWords'='5' 'MinLength'='8'\

Answer 247

When you have the yaml configuration file, one can specify it by setting the secureValue property in the environment properties, instead of the regular value prop. To push it one can do it like this: az container create --resource-group myResourceGroup \ --file secure-env.yaml \

Answer 248

az container create --resource-group $ACI_PERS_RESOURCE_GROUP --name hellofiles --image mcr.microsoft.com/azuredocs/aci-hellofiles --dns-name-label aci-demo --ports 80 --azure-file-volume-account-name $ACI_PERS_STORAGE_ACCOUNT_NAME --azure-file-volume-account-key $STORAGE_KEY --azure-file-volume-share-name $ACI_PERS_SHARE_NAME --azure-file-volume-mount-path /aci/logs/

Answer 249

az containerapp create \ --name my-container-app \ --resource-group $myRG \ --environment $myAppContEnv \ --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \ --target-port 80 \ --ingress 'external' \ --query properties.configuration.ingress.fqdn

Answer 250

By setting --ingress to external, you make the container app available to public requests. The command returns a link to access your app.

Answer 251

az containerapp update \ --name \ --resource-group \ --image

Answer 252

In the context of Azure Container Apps, a "revision" refers to a specific version or configuration of your containerized application. When you deploy or update an app in Azure Container Apps, the platform keeps track of the different configurations and versions of your app by creating a new revision for each change

Answer 253

az containerapp create \ --resource-group "my-resource-group" \ --name queuereader \ --environment "my-environment-name" \ --image demos/queuereader:v1 \ --secrets "queue-connection-string=$CONNECTION_STRING"

Answer 254

az containerapp create \ --resource-group "my-resource-group" \ --name myQueueApp \ --environment "my-environment-name" \ --image demos/myQueueApp:v1 \ --secrets "queue-connection-string=$CONNECTIONSTRING" \ --env-vars "QueueName=myqueue" "ConnectionString=secretref:queue-connection-string"

Answer 255

az keyvault create --name $myKeyVault --resource-group az204-vault-rg --location $myLocation

Answer 256

az keyvault secret set --vault-name $myKeyVault --name "ExamplePassword" --value "hVFkk965BuUv"

Answer 257

az keyvault secret show --name "ExamplePassword" --vault-name $myKeyVault

Answer 258

az vm create --resource-group myResourceGroup \ --name myVM --image win2016datacenter \ --generate-ssh-keys \ --assign-identity \ --role contributor \ --scope mySubscription \ --admin-username azureuser \ --admin-password myPassword12

Answer 259

az vm identity assign -g myResourceGroup -n myVm

Answer 260

az identity create -g myResourceGroup -n myUserAssignedIdentity

Answer 261

az vm create \ --resource-group \ --name \ --image Ubuntu2204 \ --admin-username \ --admin-password \ --assign-identity \ --role \ --scope

Answer 262

az apim create -n $myApiName \ --location $myLocation \ --publisher-email $myEmail \ --resource-group az204-apim-rg \ --publisher-name AZ204-APIM-Exercise \ --sku-name Consumption

Answer 263

az eventgrid topic create --name $myTopicName \ --location $myLocation \ --resource-group az204-evgrid-rg

Answer 264

az deployment group create \ --resource-group az204-evgrid-rg \ --template-uri "https://raw.githubusercontent.com/Azure-Samples/azure-event-grid-viewer/main/azuredeploy.json" \ --parameters siteName=$mySiteName hostingPlanName=viewerhost

Answer 265

az eventgrid event-subscription create \ --source-resource-id "/subscriptions/$subId/resourceGroups/az204-evgrid-rg/providers/Microsoft.EventGrid/topics/$myTopicName" \ --name az204ViewerSub \ --endpoint $endpoint

Answer 266

az servicebus namespace create \ --resource-group az204-svcbus-rg \ --name $myNameSpaceName \ --location $myLocation

Answer 267

az servicebus queue create --resource-group az204-svcbus-rg \ --namespace-name $myNameSpaceName \ --name az204-queue

Answer 268

az redis create --location \ --resource-group az204-redis-rg \ --name $redisName \ --sku Basic --vm-size c0

Answer 269

The Azure CLI provides a special purge verb that will unpublish cached assets from an endpoint.

Answer 270

This is very useful if you have an application scenario where a large amount of data is invalidated and should be updated in the cache.

Answer 271

az cdn endpoint purge \ --content-paths '/css/*' '/js/app.js' \ --name ContosoEndpoint \ --profile-name DemoProfile \ --resource-group ExampleGroup

Answer 272

az cdn endpoint load \ --content-paths '/img/*' '/js/module.js' \ --name ContosoEndpoint \ --profile-name DemoProfile \ --resource-group ExampleGroup

Answer 273

The container name needs to be first

Answer 274

db.StringSetAsync("key", "value", TimeSpan)

Answer 275

Data cache

Answer 276

Data cache: Improves the performance and scalability of applications by storing the results of database queries or the results of computations. Content cache: Used for caching entire pages or page fragments to accelerate web applications by reducing the time to render and serve content

Answer 277

Visual Studio

Answer 278

TrackPageView: Pages, screens, panes, or forms. TrackEvent: User actions and other events. Used to track user behavior or to monitor performance. GetMetric: Zero and multidimensional metrics, centrally configured aggregation, C# only. TrackMetric: Performance measurements such as queue lengths not related to specific events. TrackException: Logging exceptions for diagnosis. Trace where they occur in relation to other events and examine stack traces. TrackRequest: Logging the frequency and duration of server requests for performance analysis. TrackTrace: Resource Diagnostic log messages. You can also capture third-party logs. TrackDependency: Logging the duration and frequency of calls to external components that your app depends on.

Answer 279

Using standard metrics both minimizes the volume of data ingested into Application Insights and maximizes the accuracy of the collected metrics.

Answer 280

API Scope: Policies are applied to all operations within a specific API. Product Scope: Policies are applied to all APIs associated with a specific product.

Answer 281

az eventhubs eventhub update --resource-group MyResourceGroupName --namespace-name MyNamespaceName --name MyEventHubName --partition-count 12

Answer 282

Azure Blob Storage, Azure Data Lake Storage Gen1 and Azure Data Lake Storage Gen2

Answer 283

SQL Filters Boolean Filters Correlation Filters

Answer 284

PeakMessages

Answer 285

The $filter query option must be used to limit the results returned. The $select query option limits the attributes projected from the result set, making the query more efficient

Answer 286

Virtual Machine Contributor

Answer 287

az keyvault key rotate --vault-name mykeyvault --name mykey

Answer 288

az acr repository delete --name devregistry --image dev/nginx:latest

Answer 289

WEBSITE_LOAD_CERTIFICATES

Answer 290

Scaling Out (Horizontal Scaling): - Definition: Scaling out involves adding more nodes or instances to a system to distribute the load evenly and handle increased traffic. Scaling Up (Vertical Scaling): - Definition: Scaling up involves increasing the resources (like CPU, memory, or storage) of an existing node or instance to enhance its capacity to handle more load.

Answer 291

Free Tier: - Features: The Free tier provides basic security features such as continuous assessment and actionable security recommendations. You get visibility into the security state of your Azure resources and can use it to improve your overall security posture. - Cost: The Free tier is available at no additional cost. - Limitations: It does not include advanced threat detection capabilities. Standard Tier: - Features: The Standard tier includes everything in the Free tier along with advanced features such as: Advanced threat protection for Azure services (such as Virtual Machines, Databases, Storage, etc.) Adaptive application control and network hardening Just-in-time VM access Regulatory compliance dashboard Integration with SIEM solutions like Azure Sentinel - Cost: The Standard tier is a paid offering, and pricing details can be found on the official Microsoft Azure pricing page.

Answer 292

Microsoft Defender for Cloud is a cloud-native security service offered by Microsoft to help protect your workloads in Azure, as well as in other cloud and on-premises environments. It provides advanced threat protection, security posture management, and increased visibility into the security state of your resources. Microsoft Defender for Cloud is built to integrate seamlessly with Azure services and helps in detecting and mitigating threats, identifying vulnerabilities, and ensuring compliance with security standards.

Answer 293

Run `az webapp deploy` to a staging slot with auto swap on.

Answer 294

If –clean true is used, the target folder is cleaned

Answer 295

Restarts the app after deployment

Answer 296

`az webapp cors add -g MyResourceGroup -n MyWebApp --allowed-origins https://myapps.com`

Answer 297

`az webapp traffic-routing set --distribution myapps=100 --name MyWebApp --resource-group MyResourceGroup`

Answer 298

`az webapp config access-restriction add -g MyResourceGroup -n MyWebApp --rule-name external --action Allow –ids myapps --priority 200`

Answer 299

OAuth 2.0 On-Behalf-Of flow (OBO) is used when an application invokes a service or web API, which in turn needs to call another service or web API. The idea is to propagate the delegated user identity and permissions through the request chain.

Answer 300

The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs.

Answer 301

The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.

Answer 302

Suited for clients that are implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of handling the authorization code, an access token is returned directly. It's less secure than the Authorization Code grant and doesn't allow for refresh tokens.

Answer 303

Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed. The default retention period is 90 days, but it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and saved it cannot be changed for that vault.

Answer 304

When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.

Answer 305

az monitor metrics alert create -n myAlert -g myResourceGroups --scopes targetResourceId

Answer 306

Whern the Time over which to aggregate metrics in "##h##m##s" format.

Answer 307

WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT

Answer 308

maxConcurrentRequests

Answer 309

Allows you to set custom headers in the HTTP response. Default value: none

Answer 310

When enabled, this setting causes the request processing pipeline to periodically check system performance counters like connections/threads/processes/memory/cpu/etc and if any of those counters are over a built-in high threshold (80%), requests will be rejected with a 429 "Too Busy" response until the counter(s) return to normal levels. The default in a Consumption plan is true. The default in a Dedicated plan is false

Answer 311

When isEnabled is set to true, the HTTP Strict Transport Security (HSTS) behavior of .NET Core is enforced, as defined in the HstsOptions class. The above example also sets the maxAge property to 10 days. Default Value: Not Enabled

Answer 312

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against certain types of attacks such as protocol downgrade attacks and cookie hijacking. HSTS is designed to force browsers or other complying user agents to interact with the server using only secure HTTPS connections and not HTTP.

Answer 313

The maximum number of HTTP functions that are executed in parallel. This value allows you to control concurrency, which can help manage resource utilization. The default for a Consumption plan is 100. The default for a Dedicated plan is unbounded (-1)

Answer 314

The maximum number of outstanding requests that are held at any given time. This limit includes requests that are queued but have not started executing, as well as any in progress executions. Any incoming requests over this limit are rejected with a 429 "Too Busy" response. *The default for a Consumption plan is 200. The default for a Dedicated plan is unbounded (-1).

Answer 315

Databases are often too large to load directly into a cache. It's common to use the cache-aside pattern to load data into the cache only as needed. When the system makes changes to the data, the system can also update the cache, which is then distributed to other clients. Additionally, the system can set an expiration on data, or use an eviction policy to trigger data updates into the cache.

Answer 316

Many web pages are generated from templates that use static content such as headers, footers, banners. These static items shouldn't change often. Using an in-memory cache provides quick access to static content compared to backend datastores. This pattern reduces processing time and server load, allowing web servers to be more responsive. It can allow you to reduce the number of servers needed to handle loads. Azure Cache for Redis provides the Redis Output Cache Provider to support this pattern with ASP.NET.

Answer 317

This pattern is commonly used with shopping carts and other user history data that a web application might associate with user cookies. Storing too much in a cookie can have a negative effect on performance as the cookie size grows and is passed and validated with every request. A typical solution uses the cookie as a key to query the data in a database. When you use an in-memory cache, like Azure Cache for Redis, to associate information with a user is faster than interacting with a full relational database.

Answer 318

Applications often add tasks to a queue when the operations associated with the request take time to execute. Longer running operations are queued to be processed in sequence, often by another server. This method of deferring work is called task queuing. Azure Cache for Redis provides a distributed queue to enable this pattern in your application.

Answer 319

Applications sometimes require a series of commands against a backend data-store to execute as a single atomic operation. All commands must succeed, or all must be rolled back to the initial state. Azure Cache for Redis supports executing a batch of commands as a single transaction.

Answer 320

The main connection object in StackExchange.Redis is the StackExchange.Redis.ConnectionMultiplexer class. This object abstracts the process of connecting to a Redis server (or group of servers). It's optimized to manage connections efficiently and intended to be kept around while you need access to the cache.

Answer 321

If you need to make custom API calls to track events/dependencies not captured by default with autoinstrumentation monitoring, you need to use this method

Answer 322

A dependency is a component that's called by your application. It's typically a service called by using HTTP, a database, or a file system. Application Insights measures the duration of dependency calls and whether it's failing or not, along with information like the name of the dependency. You can investigate specific dependency calls and correlate them to requests and exceptions.

Answer 323

Azure Functions requires setting "EnableDependencyTracking" to true in the host.json file. Azure Functions requires setting "enableSqlCommandTextInstrumentation" to true int he host.json file.

Answer 324

Instrumentation key.

Answer 325

Alerts need to be configured inside insight1 and not the web app. You can use the data shown with each component to diagnose performance bottlenecks and failure hotspots. It needs to be configured inside insight1 and not the web app. Usage analysis provides information about an app's users and needs to be configured in insight1, not the web app.

Answer 326

It is the same as standard metrics, so it gives a view based on requests, cpu usage etcx.

Answer 327

Stored access policies are not supported for the user delegation SAS or the account SAS.

Answer 328

The container that is hosting blobs

Answer 329

Set Container ACL

Answer 330

The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.

Answer 331

Key prefixes Labels

Answer 332

A system-assigned managed identity we avoid managing the rotation of secrets but with a user assigned managed identity he secret rotation needs to be managed

Answer 333

Standard tier offers: - Encryption with customer-managed keys - 30,000 instead of 1000 a day - 1gb og storage instead of 10mb - Have an SLA