Azure

Question 1

Elements of the Control Plane

Answer 1

Web App
Jobs Manager
Notebooks
Metastore
Cluster Manager

Question 2

Elements of the Data Plane

Answer 2

Clusters

NGrok Proxy

Question 3

What ‘features’ protect the frontend webapp?

Answer 3

SSO
SCIM
IP Access-Lists

Question 4

What is BYO VNET?

Answer 4

The ability for customers to specify there own VNET details in Azure. Can be singular per workspace (for Data Isolation), or shared between multiple workspaces

Question 5

What would you use VNET Peering?

Answer 5

VNET peering allows the cluster nodes to peer with data sources in other customer owned VNETs. This means data traverses over the MSFT backbone not the public internet.

Question 6

What does SCIM stand for?

Answer 6

System for Cross Domain Identity Management

Question 7

How can you configure SCIM with Databricks?

Answer 7

No clue - Update later.

Question 8

What are we referring to with “Identity & Access Management”?

Answer 8

Identity (user names), using local accounts, or single sign-on using identity providers (Idp)

Provisioning/Deprovisioning -> SCIM.

Access Control Lists (ACLs) - RBAC - (View,Create,Manage,AttachRun,Delete) on Control Plane Objects

Token Management API

Question 9

What are two Azure specific IAM methods

Answer 9

Service Principals (used for applications, hosted services, automated tools)

Conditional Access (Where & When access is granted), MFA, Device, Patch Level etc

Question 10

What ‘features’ can be used for Data Protection

Answer 10

Data Access Control
Encryption
Table Access Control

Question 11

What feature of Data Access Control allows multiple Idps to be used for authentication and authorisation?

Answer 11

Federated Identity

Called ‘full user identity federation’ in docs - but… I think its just Federated ID (login using google,facebook,etc)

Question 12

What feature of Data Access provides seemless access to customers Lake Storage using same login as webapp

Answer 12

Active Directory Credential Passthrough.

Question 13

Where do you enable ADLS Credential Pass-through?

Answer 13

On the Cluster Properties (under Advanced Options)

Question 14

What needs to happen before Table Access Control can be used?

Answer 14

It needs to be enabled on the cluster

Question 15

What objects can you control with Table Access Control?

Answer 15

CATALOG
DATABASE
TABLE
VIEW
FUNCTION
ANAONYMOUS FUNCTION
ANY FILE

Question 16

What privileges can be granted to Table Access Control Objects?

Answer 16

SELECT
CREATE
MODIFY
READ_METADATA
CREATE_NAMED_FUNCTION
ANONYMOUS FUNCTION
ALL_PRIVILEGES

Question 17

What is the default configuration for table access control

Answer 17

Disabled - All users can access all ‘MANAGED’ tables

Question 18

What languages can be used for granting permissions when using table access control ?

Answer 18

Python & SQL

Question 19

How is Data in transit secured

Answer 19

TLS is used for all comms in the control plane, and within the data plane using ‘server-side’ encryption.

Question 20

Who owns the certificates for Encryption in transit

Answer 20

DONT KNOW - FIND OUT

Question 21

What types of traffic traverse between control & Data Plane

Answer 21

Commands
Queries
Results
Table metadata
Log Information

Question 22

Who is responsible (client or server) for encryption at rest

Answer 22

Server-side (so done by MSFT) by default. Silvio has said client-side encryption is possible.