Azure Fundamentals Flashcards

1
Q

VM

A

software emulation of a physical computer, running a guest OS
Virtual processors, memory, storage, and networking resources
Hosts an OS
Managed via a remote desktop client (RDP) or SSH

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

containers

A

execution environment for applications,
no guest OS,
ex. Docker

  • Virtualization environment for running applications
  • Run on top of a host OS, but don’t include an OS for the app running inside a container; it bundles the libraries and components needed to run the app
  • Ex. 5 containers running on a server with 1 Linux kernel; all containers and the apps within them share the same Linux kernel
  • Kernel = lowest level of software that interfaces with hardware in a computer; it interfaces all applications that run in “user mode” down to the physical hardware
  • Linux kernel = a free and open-source, monolithic, Unix-like operating system kernel
3
Q

Serverless computing

A

application code runs without you managing a server;
billed by function execution time
Cloud-hosted execution environment that runs code separately from the underlying host environment
Create an instance of the service and add code; no infrastructure configuration or maintenance is required (or even possible)

The provider manages the server infrastructure and allocates/de-allocates resources based on demand.

  • Infrastructure isn't your responsibility
    • you deploy your code and it automatically runs with high availability.
  • Scaling and performance are handled automatically
    • Applications continue working under any workload
    • No configuration needed for scaling
  • billed only for the exact resources you use
    • Event driven = resources are only allocated in response to a direct action, ex. you pay for the time it takes to run your code
  • no need to reserve capacity.

focus on the logic you need to execute and the trigger that is used to run your code.
configure serverless apps to respond to events; code runs only when an event triggers it. An event could be:
- a request to a REST endpoint
- a periodic timer
- a message received from another Azure service.

4
Q

storage

A

store data on disk or cloud

5
Q

“Lift and shift”

A

migrate existing workloads (ex. VMs) to the cloud as-is, without redesigning them; shifts infrastructure and admin cost from your datacenter to the cloud provider

6
Q

Consumption-based pricing model

A
pay-as-you-go, 
No upfront costs, 
no need to buy infrastructure, 
pay resources when needed, 
stop paying when no longer needed
7
Q

Vertical scaling (scaling up)

A

add resources to increase power of an existing server,

ex. add more CPUs, RAM, etc.

8
Q

Horizontal scaling (scaling out)

A

add more servers that function together as 1 unit.

9
Q

cloud computing - Elastic

A

Automatically adding or removing resources

to accommodate spikes or dips in traffic

10
Q

cloud computing - Current

A

provider keeps the environment current: software patches, hardware setup, upgrades, etc.
Hardware upgrades and maintenance are done by the provider

11
Q

cloud computing - Reliable

A

Data backup,
disaster recovery
data replication services,

12
Q

cloud computing - Global

A

data centers all over the globe

this allows better response time, redundancy and locality

13
Q

cloud computing - Secure

A

Physical security:
entry to a datacenter,
access to server racks, walls, cameras, gates, security personnel.

Digital security:
connection to systems,
to access data over the network, etc.

14
Q

fault tolerance

A

redundancy built into the cloud service's architecture so that a backup component takes over when a component fails.

15
Q

Criminal Justice Information Services (CJIS)

A

FBI Criminal Justice Information Services Security Policy, which governs access to and handling of criminal justice information (ex. the FBI's criminal justice databases); Microsoft commits contractually to meeting it for state and local agencies

16
Q

Cloud Security Alliance (CSA) STAR Certification

A

requires ISO/IEC 27001 certification,

plus an assessment against the CSA Cloud Controls Matrix (CCM), a set of cloud-specific security controls

17
Q

General Data Protection Regulation (GDPR)

A

european privacy law

18
Q

EU model clauses

A

Standard Contractual Clauses that provide guarantees for transfers of personal data outside of the EU;
let EU personal data be moved to the rest of the world in compliance with EU data-protection law

19
Q

Health Insurance Portability and Accountability Act (HIPAA)

A

US law protecting Protected Health Information (PHI),

extended by the Health Information Technology for Economic and Clinical Health (HITECH) Act (breach notification, stronger enforcement)

20
Q

International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018

A

code of practice,

covers the handling of personally identifiable information (PII) by public cloud service providers

21
Q

Multi-Tier Cloud Security (MTCS) Singapore

A

Singapore security standard with multiple certification levels (tiers) for cloud service providers

22
Q

Service Organization Controls (SOC)

A

third-party audit of a service organization's controls for security, availability, processing integrity, confidentiality, and privacy (SOC 1/2/3 reports)

23
Q

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

A

framework of standards, guidelines, and best practices to manage cybersecurity-related risks.
Azure's alignment with the CSF was validated by the Health Information Trust Alliance (HITRUST),
building on the third-party audits performed for the Federal Risk and Authorization Management Program (FedRAMP)

24
Q

UK Government G-Cloud

A

UK government framework for cloud services used by the UK public sector; providers are assessed for inclusion

25
Q

Capital Expenditure (CapEx)

A

CapEx is the spending of money on physical infrastructure up front, and then deducting that expense from your tax bill over time.
ex. server, storage, network, backup and archive, org continuity and disaster recovery, datacenter infrastructure, technical personnel

Benefit:
fixed cost, planned expenses

26
Q

Operational Expenditure (OpEx)

A

OpEx is spending money on services or products now and being billed for them now.
You can deduct this expense from your tax bill in the same year.
There’s no upfront cost.
You pay for a service or product as you use it.
ex. lease cloud-based server, lease software and customized features, scaling based on usage/demand

Benefit:
no need to invest in equipment and pay as much as needed

27
Q

Cloud agility

A

ability to rapidly change IT infrastructure to adapt needs of business

28
Q

Cloud deployment models

A

Public

Private

Hybrid

29
Q

Public Cloud

A

No local hardware or upkeep;
everything runs on cloud provider’s hardware.

Advantage:
High scalability/agility,
Pay-as-you-go pricing,
easy setup and use;

Disadvantage:
security requirements may not be met (ex. gov/industry/legal standards),
can’t manage hardware that’s not your own,
may not work for legacy applications

30
Q

Private Cloud

A

Create cloud environment in your own datacenter and provide self-service access,

Advantages:
complete control over the resources,
support legacy application,
security/compliance/legal requirements.

Disadvantages:
upfront CapEx costs,
limitations to agility/scaling:
ex. buy, install, and setup new hardware.
Require IT skills and expertise that’s hard to come by

31
Q

Hybrid Cloud

A

Combines public and private clouds and lets data and applications move between them.
Ex. website runs in the public cloud but its database is hosted in the private cloud.

Advantages:
lets you keep running systems that rely on out-of-date hardware or an out-of-date OS,
flexibility to run locally or in the cloud,
choose cloud or private equipment based on cost,
better control of the environment (security/compliance/legacy) than cloud only.

Disadvantages:
more expensive since it involves some CapEx cost up front,
more complicated to set up and manage

32
Q

Types of cloud services

A

IaaS

PaaS

SaaS

33
Q

IaaS, Infrastructure as a service

A

You:
rent the hardware rather than own it, so you don't control the physical hardware running your application,
but you have the most control of the three service models: you must configure the OS and software correctly,
perform updates and ensure availability.
Used for migrating workloads, test and development, website hosting, storage, backup, and recovery,

You manage:
Applications, Data, Runtime, Middleware, OS

Provider manages:
Virtualization, Servers, Storage, Networking

In Azure, customer responsible for everything beyond VMs and virtual networks provided by Microsoft.

34
Q

PaaS, Platform as a service

A

You:
build, test and deploy software applications,
no need to manage underlying infrastructure.

You manage:
Applications, Data

Provider manages:
Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking

Azure maintains OS and foundational software like database management systems; meaning latest security patches and integration with Azure Active Directory for access control.

can “point and click” within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed. Instead of building whole infrastructures and subnets by hand

35
Q

Development framework

A

PaaS provides a framework for developing and customizing cloud-based applications;
apps are built on built-in platform features such as scalability, high availability and multi-tenancy,
reducing the amount of coding

36
Q

Analytics or business intelligence

A

analyze and mine data,
find insights and patterns,
predict outcomes to improve business decisions such as
forecasting, product design, and investment returns.

37
Q

SaaS, Software as a service

A

You:
environment is hosted and managed for end customer,
licensed via monthly/annual subscription,
ex. O365, Skype, Dynamics CRM.

You manage:
N/A

Provider manages:
Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking

managed completely by Azure; customer configures the environment for its needs only

38
Q

Azure Compute services

A

VMs and containers that can run your applications

39
Q

Azure Database services

A

provide both relational and NoSQL choices

40
Q

Azure Identity services

A

authenticate and protect your users

41
Q

Azure Networking services

A

connect your datacenter to the cloud,

provide high availability or host your DNS domain

42
Q

Azure Storage services

A

accommodate massive amounts of both structured and unstructured data

43
Q

Azure AI and machine-learning services

A

can analyze data, text, images, comprehend speech, and make predictions using data

44
Q

Hypervisor

A

an abstraction layer that separates the physical hardware and host OS from the VMs (virtual machines).
Emulates the functions of a real computer.
Can run multiple VMs (each running a different OS),
optimizing hardware use.

***Each physical server in a rack runs its own hypervisor; the rack as a whole is managed by a fabric controller.

45
Q

fabric controller

A

special software per server rack, connecting to an Orchestrator

46
Q

Orchestrator

A

manages everything that happens in Azure,
respond to user requests,
package and picks server rack,
send package to appropriate Fabric Controller

47
Q

Azure VM scale sets

A

Scaling for Windows or Linux VMs hosted in Azure

48
Q

Azure Kubernetes services

A

Enables management of a cluster of VMs that run containerized services

49
Q

Azure Service Fabric

A

Distributed systems platform.

Runs in Azure or on-premises

50
Q

Azure Batch

A

Managed service for parallel and high-performance computing applications

51
Q

Azure Container Instances

A

Run containerized apps on Azure without provisioning servers or VMs

52
Q

Azure Functions

A

An event-driven, serverless compute service

53
Q

Azure Virtual Network

A

Private network in Azure to which VMs and other resources connect; can be extended to on-premises networks through incoming Virtual Private Network (VPN) or ExpressRoute connections

54
Q

Azure Load Balancer

A

Balances inbound and outbound connections to applications or service endpoints

55
Q

Azure Application Gateway

A

Layer-7 (HTTP/HTTPS) load balancer that optimizes delivery for app server farms, with an optional Web Application Firewall (WAF) to increase application security

56
Q

Azure VPN Gateway

A

Accesses Azure Virtual Networks through high-performance VPN gateways

57
Q

Azure DNS

A

Provides ultra-fast DNS responses and ultra-high domain availability

58
Q

Azure Content Delivery Network

A

Delivers high-bandwidth content to customers globally

59
Q

Azure DDoS Protection

A

Protects Azure-hosted applications from distributed denial of service (DDOS) attacks

60
Q

Azure Traffic Manager

A

Distributes network traffic across Azure regions worldwide

61
Q

Azure ExpressRoute

A

Connects to Azure over high-bandwidth dedicated secure connections

62
Q

Azure Network Watcher

A

Monitors and diagnoses network issues using scenario-based analysis

63
Q

Azure Firewall

A

Implements high-security, high-availability firewall with unlimited scalability

64
Q

Azure Virtual WAN

A

Creates a unified wide area network (WAN), connecting local and remote sites

65
Q

Azure Storage

A

Durable and highly available with redundancy and replication.
Secure through automatic encryption and role-based access control.
Scalable with virtually unlimited storage.
Managed, handling maintenance and any critical problems for you.
Accessible from anywhere in the world over HTTP or HTTPS.

66
Q

Azure Blob storage

A

Storage service for very large objects, such as video files or bitmaps

67
Q

Azure File storage

A

File shares that you can access and manage like a file server

68
Q

Azure Queue storage

A

A data store for queuing and reliably delivering messages between applications

69
Q

Azure Table storage

A

A NoSQL store that hosts unstructured data independent of any schema

70
Q

Azure Mobile

A

Azure creates backend services for iOS, Android and Windows apps;
features like corporate sign-in and
connectivity to on-prem sources such as SAP, Oracle, SQL Server and SharePoint

Features include:

- Offline data synchronization.
- Connectivity to on-premises data.
- Broadcasting push notifications.
- Autoscaling to match business needs.
71
Q

Azure Cosmos DB

A

Globally distributed database that supports NoSQL options

72
Q

Azure SQL Database

A

Fully managed relational database with auto-scale,
integral intelligence,
robust security

73
Q

Azure Database for MySQL

A

Fully managed and scalable MySQL relational database with high availability and security

74
Q

Azure Database for PostgreSQL

A

Fully managed and scalable PostgreSQL relational database with high availability and security

75
Q

SQL Server on VMs

A

Host enterprise SQL Server apps in the cloud

76
Q

Azure SQL Data Warehouse

A

Fully managed data warehouse with integral security at every level of scale at no extra cost

77
Q

Azure Database Migration Service

A

Migrates your databases to the cloud with no application code changes

78
Q

Azure Cache for Redis

A

Caches frequently used and static data to reduce data and application latency

79
Q

Azure Database for MariaDB

A

Fully managed and scalable MariaDB relational database with high availability and security

80
Q

Azure Database

A

Azure provides multiple database services to store a wide variety of data types and volumes

81
Q

Azure Web

A

Azure builds and hosts web apps and HTTP-based web services

82
Q

Azure App Service (PaaS)

A

Quickly create powerful cloud web-based apps
PaaS (in Azure) that can host enterprise-grade web-oriented applications
Meet rigorous performance, scalability, security and compliance requirements while using a fully managed platform to perform infrastructure maintenance

build and host web apps, background jobs, mobile backends, and RESTful APIs in the programming language of your choice without managing infrastructure.
- auto-scaling
- high availability
- supports both Windows and Linux
enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model.

83
Q

Azure Notification Hubs

A

Send push notifications to any platform from any back end.

84
Q

Azure API Management

A

Publish APIs to developers, partners, and employees securely and at scale.

85
Q

Azure Search

A

Fully managed search as a service.

86
Q

Web Apps feature of Azure App Service

A

Create and deploy mission-critical web apps at scale.

87
Q

Azure SignalR Service

A

Add real-time web functionalities easily.

88
Q

Internet of Things

A

Ex. smart devices (phone, appliances, etc.)

89
Q

IoT Central

A

Fully-managed global IoT software as a service (SaaS) solution that makes it easy to connect, monitor, and manage your IoT assets at scale

90
Q

Azure IoT Hub

A

Messaging hub that provides secure communications and monitoring between millions of IoT devices

91
Q

IoT Edge

A

Push your data analysis onto your IoT devices instead of in the cloud allowing them to react more quickly to state changes.

92
Q

Big Data

A

Large volumes of data. ex. weather systems, communication systems, etc.
Open source cluster technologies have been developed to deal with these large data sets.

93
Q

Azure SQL Data Warehouse

A

Run analytics at a massive scale using a cloud-based Enterprise Data Warehouse (EDW) that leverages massive parallel processing (MPP) to run complex queries quickly across petabytes of data

94
Q

Azure HDInsight

A

Process massive amounts of data with managed Hadoop clusters in the cloud

95
Q

Azure Databricks (preview)

A

Collaborative Apache Spark–based analytics service that can be integrated with other Big Data services in Azure.

96
Q

Artificial Intelligence (related to Cloud Computing)

A

Range of services for Machine Learning.
Machine Learning is a data science technique that allows computers to use existing data to forecast future behaviors, outcomes, and trends.
Using machine learning, computers learn without being explicitly programmed.
Forecasts or predictions from machine learning can make apps and devices smarter.

97
Q

Azure Machine Learning Service

A

Cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models.
It can auto-generate a model and auto-tune it for you.
It will let you start training on your local machine, and then scale out to the cloud

98
Q

Azure Machine Learning Studio

A

Collaborative, drag-and-drop visual workspace where you can build, test, and deploy machine learning solutions using pre-built machine learning algorithms and data-handling modules

99
Q

Cognitive services

A

pre-built APIs you can leverage in your applications to solve complex problems.

100
Q

Vision

A

Image-processing algorithms to smartly identify, caption, index, and moderate your pictures and videos.

101
Q

Speech

A

Convert spoken audio into text, use voice for verification, or add speaker recognition to your app.

102
Q

Knowledge mapping

A

Map complex information and data in order to solve tasks such as intelligent recommendations and semantic search.

103
Q

Bing Search

A

Add Bing Search APIs to your apps and harness the ability to comb billions of webpages, images, videos, and news with a single API call.

104
Q

Natural Language processing

A

Allow your apps to process natural language with pre-built scripts, evaluate sentiment and learn how to recognize what users want.

105
Q

DevOps, Development and Operations

A

Azure DevOps Services provides build and release pipelines that deliver continuous integration, delivery, and deployment for your applications.
You can integrate repositories and application tests, perform application monitoring, and work with build artifacts.
You can also work with backlog items for tracking, automate infrastructure deployment and integrate a range of third-party tools and services such as Jenkins and Chef.

106
Q

Azure DevOps

A

Azure DevOps Services (formerly known as Visual Studio Team Services, or VSTS),
provides development collaboration tools including high-performance pipelines,
free private Git repositories,
configurable Kanban boards,
and extensive automated and cloud-based load testing

107
Q

Azure DevTest Labs

A

Quickly create on-demand Windows and Linux environments you can use to test or demo your applications directly from your deployment pipelines

108
Q

region

A

geographical area on the planet containing 1 or more datacenters with a low-latency network
bring applications closer to users
scalability, redundancy and preservation of data residency

Americas
Europe
Asia Pacific
Middle East and Africa

109
Q

Geographies

A

Discrete market typically containing two or more regions that preserve data residency and compliance boundaries.
Keep their data and applications close.
Honor data residency, sovereignty, compliance, and resiliency requirements within geographical boundaries.
Fault-tolerant to withstand complete region failure through their connection to dedicated high-capacity networking infrastructure.

110
Q

Data residency

A

physical or geographic location of an organization’s data or information
the legal or regulatory requirements imposed on data based on the country
region in which it resides and is an important consideration when planning out your application data storage.

111
Q

Availability zones (isolation boundary)

A

physically separate datacenters within an Azure region

each datacenter contains independent power, cooling and networking

112
Q

Supported regions

A

every region that supports availability zones has at least 3 zones

113
Q

Zonal services

A

you pin the resource to a specific zone (for example, virtual machines, managed disks, IP addresses)

114
Q

Zone-redundant services

A

platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).

115
Q

Region Pairs

A

Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.
Provides replication (redundancy) of resources in case of natural disasters, civil unrest, power outages and physical network outages.
If there’s an extensive Azure outage, one region out of every pair is prioritized to help reduce the time it takes to restore them for applications.
Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
Data continues to reside within the same geography as its pair (except for Brazil South) for tax and law enforcement jurisdiction purposes.

116
Q

Service-Level Agreements (SLAs)

A

Microsoft commits to adhering to comprehensive operational policies, standards, and practices.
SLAs capture the specific terms that define the performance standards that apply to Azure.
SLAs describe Microsoft's commitment to providing Azure customers with specific performance standards.
There are SLAs for individual Azure products and services.
SLAs also specify what happens if a service or product fails to perform to a governing SLA's specification.
No SLA applies to free or shared tiers, or to free services such as Azure Advisor

117
Q

Azure SLA

A

Performance Targets:
An SLA defines performance targets for an Azure product or service, ex. uptime guarantees, connectivity rates.

Uptime and Connectivity Guarantees, typically 99.9% (three nines) to 99.999% (five nines)

Service credits
Compensation (credit against the bill) when the SLA isn't met

118
Q

Composing SLAs across services, or Composite SLA

A

Web app = 99.95%
SQL DB = 99.99%
Composite SLA for application (app needs both to be up) = 99.95% x 99.99% = 99.94% (the failure probabilities add up)

Web app = 99.95%
SQL DB = 99.99%
Queue = 99.9%
Composite SLA for database OR queue (app works if either one is up) = 1.0 - (0.0001 x 0.001) = 99.99999%
Composite SLA for application = 99.95% x 99.99999% = 99.95%

119
Q

Application SLA

A

set your own SLA based on performance targets that suit business requirements and specific Azure application

120
Q

Resiliency

A

ability of a system to recover from failures and continue to function. Goal is to respond to failures in a way that avoids downtime or data loss
High availability
Disaster recovery

121
Q

FMA (Failure Mode Analysis)

A

identify possible points of failure and define how applications will respond to those failures.

122
Q

Availability

A

system is functional and working

123
Q

Complexity

A

services depending on each other create multiple points of failure
A workload requiring 99.99% uptime shouldn't depend upon a service with a 99.9% SLA
Higher availability leads to higher cost and more complexity
More complex solutions pose a bigger challenge, because downtime accumulates across the SLAs of every dependent service

124
Q

Azure account

A

globally unique entity that gives you access to your Azure subscriptions and services.
tied to a specific identity and holds info:
- Name, email, and contact preferences
- Billing information such as a credit card

used to sign in to:

  • the Azure website (portal)
  • administer resources
  • deploy services

associated with 1 or more subscriptions

125
Q

Azure Subscriptions

A

logical container used to provision resources in Microsoft Azure. It holds the details of all your resources like virtual machines, databases, etc.

Subscription Types:

  • Free
  • Pay-As-You-Go
  • Enterprise Agreement
  • Student
126
Q

Azure free subscription

A

$200 credit to spend on any service for the first 30 days
popular Azure products for 12 months
25+ products
requires a phone number, a credit card, and a Microsoft account.

127
Q

Azure Pay-As-You-Go subscription

A

charges you monthly for the services you used in that billing period.
for individuals, small and large businesses

128
Q

Azure Enterprise Agreement

A

flexibility to buy cloud services and software licenses under one agreement,
discounts for new licenses and Software Assurance.
for enterprise-scale organizations.

129
Q

Azure for Students subscription

A

$100 in Azure credits to be used within the first 12 months
free services without requiring a credit card at sign-up.
Validate email address.

130
Q

Multiple Azure Subscriptions (under a single Azure account)

A

Access control and billing occur at the subscription level, not the account level. A role assignment made at subscription scope is inherited by every resource group and resource inside it, so separate subscriptions give a hard boundary between workloads that should not share administrators or budgets.

131
Q

Access management:

A

Use separate subscriptions to reflect organizational structure; this helps manage and control access to resources during user provisioning

NOTE: there are hard limits; there is a maximum number of resources per subscription (ex. max # of ExpressRoute circuits per subscription is 10), so subscriptions also act as a scaling unit

132
Q

Billing

A

Single bill is generated per subscription per month.
Charged 10 days after billing period ends
Credit card statement would say “MSFT Azure”
Account owner is responsible for all subscriptions tied to the account’s credit card
Can set spending limits
Can generate reports

133
Q

Azure AD

A

Azure account is authenticated via Azure AD (now called Microsoft Entra ID)
Uses web-based authentication standards such as OpenID Connect, OAuth 2.0 and SAML; it is a cloud identity service, not on-premises Windows Server Active Directory
Partitioned into tenants
each subscription trusts exactly one tenant; one tenant can be trusted by many subscriptions
Owner is the original account used for billing, but the tenant can hold additional users, including guest (external) users

134
Q

Azure AD - Tenants

A

dedicated, isolated instance of Azure AD service, owned and managed by an organization.
Tenants are associated with an organization, which could be individuals, teams, companies or any group of people
The email address associated with an organization helps tie everything together
Ex. email can be associated with Microsoft Azure, Microsoft Intune, O365 etc all for one company (organization),

135
Q

Azure Support Options

A

Each subscription includes the free support below:
- Billing and subscription support
- Azure products and services documentation
- Online self-help documentation
- Whitepapers
- Community support forums

Paid Azure support plans

  • Developer
  • Standard
  • Professional Direct
  • Premier
136
Q

Support plan availability

A

Availability of a support plan depends on:
- Type of customer
- Type of subscription
- Enterprise Agreement (EA) customers are billed for support as part of the EA

137
Q

Azure Knowledge Center

A

The Azure Knowledge Center is a searchable database that contains answers to common support questions, from a community of Azure experts, developers, customers, and users. You can browse through all responses within the Azure Knowledge Center. Find specific solutions by entering keyword search terms into the text-entry field and further refine your search results by selecting products or tags from two dropdown lists.

138
Q

Microsoft Developer Network (MSDN) Forums

A

Get support by reading responses to Azure technical questions from Microsoft’s developers and testers on the MSDN Azure discussion forums.

139
Q

Stack Overflow

A

You can review answers to questions from the development community on Stack Overflow.

140
Q

ServerFault

A

Review community responses to questions about system and network administration in Azure on Server Fault.

141
Q

Azure Feedback Forums

A

Read ideas and suggestions for improving Azure made by Azure users and customers on the Azure feedback forums.

142
Q

Azure management options

A

Command line
Language-specific Software Development Kits (SDKs)
Developer tools
Migration tools

143
Q

Azure portal

A

interacting with Azure via a Graphical User Interface (GUI)
Login with Azure account
Create, manage and monitor Azure services
Get help links
Deploy, manage and delete resources
Wizards and tooltips for complex administrative tasks
Dashboard is customizable

Not automated for repetitive tasks (ex. make 1 VM at a time, instead of in bulk)

144
Q

Azure PowerShell

A
a module that you can install for Windows PowerShell, or PowerShell Core, the cross-platform version of PowerShell that runs on Windows, Linux or macOS.
PowerShell itself provides the shell window and command parsing; the Azure module adds the Az cmdlets for managing resources
145
Q

Connect-AzAccount (Azure PowerShell)

A

sign in to Azure with PowerShell (the older AzureRM module used Connect-AzureRmAccount; AzureRM is retired in favor of the Az module)

146
Q

New-AzVM (Azure PowerShell)

A

create a VM (New-AzureRmVM in the retired AzureRM module)

Example:
# Prompts for the admin credential if -Credential is not supplied
New-AzVM `
    -ResourceGroupName "MyResourceGroup" `
    -Name "TestVm" `
    -Image "UbuntuLTS" `
    ...
147
Q

Azure CLI

A

cross-platform command-line program

148
Q

az login (azure CLI)

A

sign into Azure with CLI

149
Q

az vm create (azure CLI)

A

create a VM

Example
# --generate-ssh-keys creates an SSH key pair in ~/.ssh if none exists, so no password login is needed
az vm create \
  --resource-group MyResourceGroup \
  --name TestVm \
  --image UbuntuLTS \
  --generate-ssh-keys \
  ...
150
Q

Azure Cloud Shell

A

web-based command-line interface, opened from the portal (the >_ icon) or at shell.azure.com
2 shell environments: Bash and PowerShell (both hosted on Linux)
in Bash, az is available directly; typing pwsh switches to PowerShell, where the Az module is preloaded

151
Q

Azure Storage Account when accessing Azure Cloud Shell

A

Cloud Shell mounts an Azure Files share as $HOME/clouddrive; any scripts or data you place there (and your $HOME directory) are kept across sessions, while files elsewhere are discarded when the session ends

the file share lives in a storage account in the subscription you choose on first use, so each subscription you use Cloud Shell from gets its own storage account

152
Q

Azure Mobile App

A

monitoring and managing your resources from your mobile device

  • Check the current status and important metrics of your services
  • Stay informed with notifications and alerts about important health issues
  • Quickly diagnose and fix issues anytime, anywhere
  • Review the latest Azure alerts
  • Start, stop, and restart virtual machines or web apps
  • Connect to your virtual machines
  • Manage permissions with role-based access control (RBAC)
  • Use the Azure Cloud Shell to run saved scripts or perform ad hoc administrative tasks
153
Q

Azure SDKs

A

a range of languages and frameworks

154
Q

Azure portal - Resource panel

A

List of resource types
Can customize favorites
Hide panel via the “<” collapse control

155
Q

Azure portal - Dashboard

A

default Azure main page

156
Q

Azure portal - Blade

A

slide-out panel containing the UI for a single level in a navigation sequence. Each item in the example below is a blade.
Ex. Virtual machines > Compute > Ubuntu Server
Blade contains info and configurable options
Certain options generate another blade to the right of existing blade
Adds more blades to the right as more options and info are available
Scrollbar at the bottom helps navigate backward
Can close blade individually
The “New” section is a blade

157
Q

Azure portal - Marketplace

A

Is a blade
Create new resources in Azure
Find, try, purchase, and provision applications and services
Provision end to end solutions quickly and reliably

158
Q

Azure portal - Notifications (bell icon)

A

lists the last actions that have been carried out, along with their status.

159
Q

Azure portal - Cloud Shell (>_ icon)

A

create a new Azure Cloud Shell session.

160
Q

Azure portal - Settings (gear icon)

A
change the Azure portal settings, including:
Sign out time
Color and contrast themes
Toast notifications (to a mobile device)
Language and regional format
161
Q

Azure portal - Feedback blade (smiley face icon)

A

opens the Send us feedback blade.

send feedback to Microsoft about Azure.

162
Q

Azure portal - Help blade (question mark icon)

A
Help + Support
What's new
Azure roadmap
Launch guided tour
Keyboard shortcuts
Show diagnostics
Privacy + terms
163
Q

Azure portal - Help + Support options

A

the main support area for the Azure portal and includes documentation options for a variety of common questions.
New support request link can open a support ticket with the Azure team.
All Azure customers can access billing, quota and subscription-management support
Support ticket sections:
- Problem: dropdown lists and text-entry fields
- Title: text-entry field
- Details: text-entry field
- Preferred contact method: contact details form
- Create: submit the support request
All support requests: status and details of support request

164
Q

Azure Portal - Directory and Subscription (Book and Filter icon)

A

Can change between subscriptions or change directory

165
Q

Azure portal - profile settings

A

Sign in with another account, or sign out entirely
View your account profile, where you can change your password
Check your permissions
View your bill (click the “…” button on the right-hand side), takes you to Cost Management + Billing invoices page
Update your contact information (click the “…” button on the right-hand side)

Can:
Get proactive, actionable, and personalized best practices recommendations.
Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs.
Get recommendations with proposed actions inline.

166
Q

Azure portal - blades - Services

A

can search for services through the filter box.

167
Q

Azure portal - blades - Settings (cog) icon

A

opens the Portal settings pane

168
Q

Azure portal - blades - Feedback (smiley face)

A

open the Send us feedback blade.

169
Q

Azure portal - blades - Help (?)

A

show the Help blade
To create a new support request, you would fill in the information in each of the following sections, and then click Create to lodge the issue.
- Basics: the issue type
- Problem: severity of the problem, a summary and description, and any additional information
- Contact information: preferred contact method and the information associated with this contact method

170
Q

Azure portal - blades - Directory and subscription (book and filter)

A

show the Directory + subscription blade

can switch between multiple subscriptions or directories

171
Q

Tile Gallery

A

filter Tiles by category and resource type
Can drag to work area, resize and change the data.
Can pin elements from child blades to the dashboard via the “…” tile edit menu

172
Q

Edit a dashboard by changing the JSON file

A

download the dashboard as a JSON file, edit it, and upload it again

Edit the colSpan and rowSpan values of a tile to resize it

173
Q

General Availability (GA)

A

A feature that’s evaluated and tested successfully, and released to customers as part of Azure’s default product set.

174
Q

Feature preview

A

Private Preview = feature available to specific Azure customers for evaluation purposes; invite only, issued directly by product team
Public Preview = feature available to all Azure customers for evaluation purposes.

175
Q

Azure compute

A
On-demand computing for running cloud-based applications
VM
Containers
Azure App Service
Serverless computing
176
Q

VM (in detail)

A

Provide IaaS, ex. virtualized server
Total control over the operating system (OS)
The ability to run custom software, or
To use custom hosting configurations

Moving physical server to the cloud with VMs (lift and shift)
Host existing image of the physical server with little to no change

Scaling VMs in Azure
Can support single or multiple VMs
Includes the following 3 features

177
Q

Availability sets

A

Logical grouping of 2+ VMs that help keep application available during planned or unplanned maintenance
Availability sets have no cost, and can help avoid a single point of failure in the VM architecture

178
Q

Planned maintenance events

A

The underlying Azure fabric that hosts VMs is updated by Microsoft.
to patch security vulnerabilities, improve performance, and add or update features.
When the VM is part of an availability set, the Azure fabric updates are sequenced so not all of the associated VMs are rebooted at the same time. VMs are put into different update domains.

179
Q

Update domains

A

Update domains = indicate groups of VMs and underlying physical hardware that can be rebooted at the same time.
Update domains are a logical part of each data center and are implemented with software and logic.

180
Q

Unplanned maintenance events

A

hardware failure in the data center, such as a power outage or disk failure.
VMs that are part of an availability set automatically switch to a working physical server so the VM continues to run. The group of virtual machines that share common hardware are in the same fault domain.

181
Q

Fault domain

A

Fault domain = rack of servers that provide the physical separation of your workload across different power, cooling, and network hardware that support the physical servers in the data center.
Only server rack(s) of that fault domain are affected by the outage.
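How the update-domain and fault-domain cards above combine, as an added example that is not part of the flashcards: a small model of the round-robin placement Azure uses for an availability set, and a check of what survives a single update-domain reboot or a single fault-domain outage. The domain counts are parameters; Azure allows up to 20 update domains and up to 3 fault domains (region dependent), and the portal defaults to 5 and 2.

```python
"""Update-domain / fault-domain placement for an availability set.

Added example, not part of the flashcards. Models Azure's rule that the
i-th VM of an availability set lands in UD (i mod #UDs) and FD (i mod #FDs),
then asks how many VMs keep running under one planned reboot (a UD) or
one hardware failure (an FD).
"""
from typing import Dict, List, Optional

Placement = List[Dict[str, int]]


def place_vms(n_vms: int, update_domains: int = 5, fault_domains: int = 2) -> Placement:
    """Round-robin placement: VM i -> UD i % UDs, FD i % FDs."""
    return [
        {"vm": i, "ud": i % update_domains, "fd": i % fault_domains}
        for i in range(n_vms)
    ]


def survivors(placement: Placement,
              ud_down: Optional[int] = None,
              fd_down: Optional[int] = None) -> List[int]:
    """VMs still running while one UD is rebooting or one FD has failed."""
    return [p["vm"] for p in placement
            if p["ud"] != ud_down and p["fd"] != fd_down]


def worst_case_surviving_fraction(placement: Placement,
                                  update_domains: int,
                                  fault_domains: int) -> float:
    """Smallest share of VMs left under any single UD reboot or FD failure."""
    if not placement:
        return 0.0
    n = len(placement)
    worst = 1.0
    for ud in range(update_domains):
        worst = min(worst, len(survivors(placement, ud_down=ud)) / n)
    for fd in range(fault_domains):
        worst = min(worst, len(survivors(placement, fd_down=fd)) / n)
    return worst


if __name__ == "__main__":
    for n in (1, 2, 4, 10):
        placement = place_vms(n)
        share = worst_case_surviving_fraction(placement, 5, 2)
        print(f"{n:2d} VMs in a 5 UD / 2 FD set -> {share:.0%} survive the worst single event")
```

A single VM in an availability set survives nothing, which is why the set only helps with two or more VMs; with two fault domains the worst case is always losing half the set, so capacity planning has to assume 50% during a rack failure.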

182
Q

VM Scale Sets

A

Create, manage, configure and update a group of individual, load balanced VMs
Help configure additional service to route requests between multiple instances of a website
Provide highly available applications
Build large-scale services for compute, big data and container workloads

183
Q

Azure Batch (for raw compute power or supercomputer level compute power)

A
enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.
Starts a pool of compute VMs for you
Installs applications and staging data
Runs jobs with as many tasks as you have
Identifies failures
Requeues work
Scales down the pool as work completes
184
Q

Containers

A

Allow multiple lightweight containers to run on a single host/VM
Each container bundles an app with its libraries and dependencies, but not its own OS kernel; all containers on a host share the host kernel
Virtualizes the OS instead of the physical machine

185
Q

Container Orchestrator

A

start, stop and scale out application instances as needed, dynamically
Ex. Kubernetes, Docker Swarm
Isolated from each other, but by kernel features (namespaces, cgroups) rather than a hypervisor; a kernel exploit in one container can reach the host and its neighbours, so the container boundary is weaker than a VM boundary
Wait only for the app to launch instead of (as in a VM) the OS and then the app
Containerized app images are typically smaller
Development is simplified, because the development runtime environment can look identical to the production runtime environment
Container cluster orchestration = deploy and manage multiple containerized applications without worrying about which server will host each container; this is for large numbers of containers

186
Q

Azure Container Instances (ACI)

A

Fast and simple, no need to manage any virtual machines or configure any additional services.
A PaaS that allows you to upload your containers and execute them directly.

187
Q

Azure Kubernetes Service (AKS)

A

a complete orchestration service for containers with distributed architectures with multiple containers.
Can rollback to previous version

Can manage storage:

  • For storage, Kubernetes allows read/write application data and persist this data across many pod instances.
  • Application running in Kubernetes can use cloud based storage and data systems like Azure Storage or Azure Cosmos DB
Can manage networking:
Kubernetes network plugins 
- exposes pods to the internet
- Load balance traffic across multiple replicas of a pod
- Network isolation
- Policy-driven network security
- Manage communications
- Manage name resolution between pods in the cluster

Extending Kubernetes functionality

  • Variety of methods for extending the Kubernetes API
  • Create operators to perform custom actions, examples:
    • producing cloud events on pod creation
    • providing custom pod scheduling logic
    • On-demand provisioning of managed cloud services
  • Capable of making platform on which to build SaaS services
188
Q

Kubernetes

A

manages the placement of “pods” onto “nodes”

When a node crashes, its pods are rescheduled onto another node in the cluster

189
Q

Kubernetes scaling/horizontal pod auto-scaling

A

manually or automatically (horizontal pod auto-scaling)

Application update deployment can be staggered to minimize downtime.

190
Q

Microservice architecture

A

break solutions into smaller, independent pieces. Ex. break a website into separate containers for front-end, back-end, and storage.
This way an app can be split into logical sections for maintenance, scaling or update independently.

ex. when back-end is stressed for resources, can just add more resources or change services to the back-end portion, or even change storage container

191
Q

Microservice

A

a web service that is small, has a well-defined scope and is loosely coupled from any other web service
- Organization adopts a microservice architecture, that consists of a collection of microservices

  • Each microservice is self-contained and implemented for a single business capability
    • Don’t need to share the same technology stack, libraries or frameworks
    • A single dev team can build, test and deploy a service
    • Allows continuous innovation and faster release cadence
    • Code base will be easier to understand, and new team member can start or ramp up more easily.
    • Independent deployment allows update of an existing service without rebuilding and redeploying the entire application
    • More easily rollback or roll forward (redo changes and overwrite to ensure consistency)
    • Bug fixes are easier and feature releases are more manageable and less risky,
    • Each can scale independently
    • Responsible for persisting its own data or external state, and not rely on common repository layer, could have its own database
    • Provides a layer of fault isolation; when one service is down it doesn’t take down the entire application
    • API: microservices communicate with each other by using well-defined APIs, with internal implementation details of each service encapsulated behind their interface
      • Orchestration or management layer at a higher level consuming application coordinates calls to various lower level microservices and combines results
  • With a large application microservices architecture provides
    • High release velocity (how quickly for a code change deployed into production)
    • Highly scalable
    • Rich domains or many sub-domains
    • Small dev teams
192
Q

App Service costs/App Service Plan

A

determines how much hardware is devoted to your host.

193
Q

Types of web apps

A

Azure App Service helps handle

  • deployment and management are integrated into the platform
  • endpoints can be secured
  • sites can be scaled quickly to handle high traffic loads,
  • the built-in load balancing and traffic manager provide high availability.
194
Q

Web Apps

A

Support for hosting web apps like ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python.
Host OS can be either Windows or Linux

195
Q

API Apps

A

Build REST-based Web APIs via choice of language and framework
Full Swagger support
Package and publish API in Azure Marketplace
Apps can be consumed from any HTTP(s) based client

196
Q

WebJobs

A

run a program (.exe, Java, PHP, Python or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app.
Scheduled or run by a trigger
Run background tasks as part of your application logic

197
Q

Mobile Apps

A

Build back-end for iOS and Android apps

  • Store mobile app data in a cloud-based SQL database
  • Authenticate customers against common social providers such as MSA, Google, Twitter and Facebook
  • Send push notifications
  • Execute custom back-end logic in C# or Node.js

SDK support for native iOS & Android, Xamarin, and React native apps.

198
Q

Event driven

A

resources are only allocated from a direct action, ex. time that takes to run your code

199
Q

“Azure Functions”

A

a serverless compute service that enables you to run code on-demand without having to explicitly provision or manage infrastructure.

perform work in response to an event, often via a REST request, timer, or message from another Azure service and when that work can be completed quickly, within seconds or less

scale automatically based on demand; adjust for more data arriving during peak hours

Azure runs your code when it’s triggered and automatically de-allocates resources when the function is finished; only charged for CPU time used while your function runs

200
Q

stateless (the default)

A

behaves as if they’re restarted every time they respond to an event

201
Q

stateful (called “Durable Functions”)

A

where a context is passed through the function to track prior activity.

202
Q

Azure Logic Apps

A

designed in a web-based designer and can execute logic triggered by Azure services without writing any code.

execute workflows built from pre-defined logic blocks. They are specifically designed to automate your business processes.

Azure provides over 200 different connectors and processing blocks to interact with different services, ex. popular enterprise apps.

build custom connectors and workflow steps if the service you need to interact with isn’t covered.

203
Q

Visual Designer

A

create Logic App workflows on the Azure Portal or in Visual Studio

use the visual designer to link connectors and blocks together, passing data through the workflow to do custom processing - often all without writing any code.

Example, a ticket arrives in ZenDesk. You could:

  1. Detect the intent of the message with cognitive services
  2. Create an item in Sharepoint to track the issue
  3. If the customer isn’t in your database, add them to your Dynamics 365 CRM system
  4. Send a follow-up email to acknowledge their request
204
Q

Logic App workflows

A

persisted as a JSON file with a known workflow schema

205
Q

Functions vs. Logic Apps

A

Both can create complex orchestrations (collection of functions and steps that are executed to accomplish a complex task)

  • Azure Functions: write code to complete each step
  • Logic Apps: use GUI to define actions and how they relate to one another

Can mix and match functions with logic

206
Q

Functions

A

State - Normally stateless, but Durable Functions provide state
Development - Code-first (imperative)
Connectivity - About a dozen built-in binding types, write code for custom bindings
Actions - Each activity is an Azure function; write code for activity functions
Monitoring - Azure Application Insights
Management - REST API, Visual Studio
Execution context - Can run locally or in the cloud

207
Q

Logic Apps

A

State - Stateful
Development - Designer-first (declarative)
Connectivity - Large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors
Actions - Large collection of ready-made actions
Monitoring - Azure portal, Log Analytics
Management - Azure portal, REST API, PowerShell, Visual Studio
Execution context - Runs only in the cloud.

208
Q

Cloud storage (benefits)

A

Use REST endpoints/API, an industry standard
Supports a range of applications and application platforms
(with Azure) communication is made easier with developer packages and libraries along with well documented APIs
Different management strategies and optimized for each data type below
- binary video data
- highly structured data in tables
Closer storage locations allows lower latency
Replicates data across multiple data centers to reach customers globally
Cloud security helps manage data access and safely store user data
- Responsive, flexible and secure

209
Q

Automated backup and recovery

A

mitigates the risk of losing your data if there is any unforeseen failure or interruption.

210
Q

Replication across the globe

A

copies your data to protect it against any planned or unplanned events, such as scheduled maintenance or hardware failures. You can choose to replicate your data at multiple locations across the globe.

211
Q

Support for data analytics

A

supports performing analytics on your data consumption.

212
Q

Encryption capabilities

A

data is encrypted at rest, and you also have tight control over who can access the data; the two are separate controls, so encryption by itself does not decide who can read the data.

213
Q

Multiple data types

A

Azure can store almost any type of data you need. It can handle video files, text files, and even large binary files like virtual hard disks. It also has many options for your relational and NoSQL data.

214
Q

Data storage in virtual disks:

A

Azure also has the capability of storing up to 8 TB of data in its virtual disks. This is a significant capability when you’re storing heavy data such as videos and simulations.

215
Q

Storage tiers:

A

storage tiers to prioritize access to data based on frequently used versus rarely used information.

216
Q

Structured data

A

adheres to a schema, which has the same fields or properties.
stored in a database table with rows and columns.
relies on keys to indicate how one row in a table relates to data in another row of another table.
referred to as relational data, as the data’s schema defines the table of data, the fields in the table, and the clear relationship between the two.
- easy to enter, query, and analyze.
Ex. sensor data, financial data, etc.

217
Q

Semi-structured data

A

doesn’t fit neatly into tables, rows, and columns.
uses tags or keys that organize and provide a hierarchy for the data.
non-relational or NoSQL data.

218
Q

Unstructured data

A

no designated structure
no restrictions on the kinds of data it can hold
Ex. a blob can hold a PDF document, a JPG image, a JSON file, video content, etc.

219
Q

Azure SQL Database

A

Azure SQL Database is a relational database as a service (DaaS) based on the latest stable version of the Microsoft SQL Server database engine.
high-performance, reliable, fully managed and secure database
You can use it to build data-driven applications and websites in the programming language of your choice without needing to manage infrastructure.

220
Q

Azure Database Migration Service

A

migrate your existing SQL Server databases with minimal downtime
Once you assess and perform any remediation required, you’re ready to begin the migration process.
The Azure Database Migration Service performs all of the required steps. You just change the connection string in your apps.

221
Q

Microsoft Data Migration Assistant

A

used by migration service to generate assessment reports that provide recommendations to help guide you through required changes prior to performing a migration.

222
Q

Azure Cosmos DB

A

globally distributed database service.
supports schema-less data that lets you build highly responsive and Always On applications to support constantly changing data.
You can use this feature to store data that is updated and maintained by users around the world.

223
Q

Azure Blob storage

A

unstructured, meaning that there are no restrictions on the kinds of data it can hold.
highly scalable and apps work like using files on a disk, ex. read/write data.
can manage
- Ex. thousands of simultaneous uploads
- Ex. massive amounts of video data
- Ex. constantly growing log files
can be reached from anywhere with an internet connection.
not limited to common file formats:
- Ex. gigabytes of binary data streamed from a scientific instrument
- Ex. encrypted message for another application
- Ex. data in a custom format for an app you’re developing.
stream large video or audio files directly to the user’s browser from anywhere in the world
store data for backup, disaster recovery, and archiving.
store up to 8 TB of data for virtual machines

224
Q

Azure Data Lake Storage Gen2

A

A feature that allows you to perform analytics on your data usage and prepare reports.
a large repository that stores both structured and unstructured data.
combines the scalability and cost benefits of object storage with the reliability and performance of the Big Data file system capabilities.
Ingest > Prepare > Store > Analyze

225
Q

Azure Files

A

fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol
can be mounted by cloud or on-prem deployments of Windows, Linux, and macOS.
Applications running in Azure VM or cloud services can mount a file storage share to access file data, just as a desktop application would mount a typical SMB share.
Any number of Azure VM or roles can mount and access the file storage share simultaneously.
share files anywhere in the world, diagnostic data, or application data sharing.

226
Q

Azure Queue Storage

A

a service for storing large numbers of messages that can be accessed from anywhere in the world.
build flexible applications and separate functions for better durability across large workloads.
When application components are decoupled, they can scale independently.
provides asynchronous message queuing for communication between application components running:
- in the cloud
- on the desktop
- on-premises
- on mobile devices
Create a backlog of work and to pass messages between different Azure web servers.
Distribute load among different web servers/infrastructure and to manage bursts of traffic.
Build resilience against component failure when multiple users access your data at the same time.

227
Q

Sender components

A

add messages to the queue

228
Q

Receiver components

A

retrieve messages from the front of the queue for processing
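The sender/receiver pattern from the three queue cards above, as an added example that is not part of the flashcards. The queue class is a constructed in-memory stand-in for Azure Queue Storage semantics: a received message is hidden for a visibility timeout rather than deleted, and comes back if the receiver never deletes it. The worker shows the two consequences a practitioner has to design for: redelivery (so processing must be idempotent) and poison messages (so retries must be capped). The 30-second timeout matches the service default; message bodies and failure counts are constructed.

```python
"""At-least-once delivery with a visibility timeout, Azure Queue Storage style.

Added example, not part of the flashcards. VisibilityQueue is an in-memory
stand-in for the service (not the azure-storage-queue SDK): receive() hides a
message for visibility_timeout seconds, delete() acknowledges it, and an
unacknowledged message becomes visible again with a higher dequeue count.
"""
import itertools
from collections import deque
from typing import Dict, List, Optional


class VisibilityQueue:
    def __init__(self, visibility_timeout: int = 30) -> None:
        self.visibility_timeout = visibility_timeout
        self._clock = 0
        self._visible: deque = deque()        # (id, body, dequeue_count)
        self._leased: Dict[int, tuple] = {}   # id -> (body, deadline, dequeue_count)
        self._ids = itertools.count(1)

    def advance(self, seconds: int) -> None:
        """Move the simulated clock; expired leases become visible again."""
        self._clock += seconds
        for mid, (body, deadline, count) in list(self._leased.items()):
            if deadline <= self._clock:
                del self._leased[mid]
                self._visible.appendleft((mid, body, count))

    def send(self, body: str) -> int:
        mid = next(self._ids)
        self._visible.append((mid, body, 0))
        return mid

    def receive(self) -> Optional[Dict]:
        """Hand out the head message and hide it for visibility_timeout seconds."""
        if not self._visible:
            return None
        mid, body, count = self._visible.popleft()
        count += 1
        self._leased[mid] = (body, self._clock + self.visibility_timeout, count)
        return {"id": mid, "body": body, "dequeue_count": count}

    def delete(self, mid: int) -> None:
        """Acknowledge: only an explicit delete removes the message for good."""
        self._leased.pop(mid, None)

    def hidden_count(self) -> int:
        return len(self._leased)


def run_worker(queue: VisibilityQueue, failures: Dict[str, int],
               max_dequeue: int = 3) -> Dict[str, List[str]]:
    """Drain the queue. failures[body] = attempts that crash before delete()."""
    processed: List[str] = []
    poison: List[str] = []
    done_ids = set()   # idempotency key; a real worker persists this alongside its results
    while True:
        msg = queue.receive()
        if msg is None:
            if queue.hidden_count():          # leases outstanding: wait for them to expire
                queue.advance(queue.visibility_timeout)
                continue
            break
        if msg["dequeue_count"] > max_dequeue:  # poison message: stop retrying, park it
            poison.append(msg["body"])
            queue.delete(msg["id"])
            continue
        if msg["dequeue_count"] <= failures.get(msg["body"], 0):
            continue                          # simulated crash: no delete(), message will return
        if msg["id"] not in done_ids:         # redelivery is normal; dedupe before side effects
            done_ids.add(msg["id"])
            processed.append(msg["body"])
        queue.delete(msg["id"])
    return {"processed": processed, "poison": poison}


def demo() -> Dict[str, List[str]]:
    q = VisibilityQueue(visibility_timeout=30)
    for body in ("order-1", "order-2", "corrupt-3"):   # constructed messages
        q.send(body)
    # order-1 crashes its receiver once; corrupt-3 crashes every time.
    return run_worker(q, failures={"order-1": 1, "corrupt-3": 99}, max_dequeue=3)


if __name__ == "__main__":
    print(demo())
```

The real service exposes the same knobs: the visibility timeout on get-message, a dequeue count on every message, and no automatic poison handling, so the cap and the parking list are the consumer's job.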

229
Q

Disk Storage

A

provides disks for VMs, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios.
allows data to be persistently stored and accessed from an attached virtual hard disk.
The disks can be managed by Azure, or unmanaged and therefore managed and configured by the user.
- For lifting and shifting applications that read and write data to persistent disks
- For storing data that is not required to be accessed from outside the VM to which the disk is attached.
Disks range from solid-state drives (SSDs) to traditional spinning hard disk drives (HDDs), with varying performance abilities.
When working with VMs, you can use standard SSD and HDD disks for less critical workloads, and premium SSD disks for mission-critical production applications.
delivers enterprise-grade durability, with an industry-leading ZERO% annualized failure rate

230
Q

Storage tiers

A

Azure offers three storage tiers for blob object storage: Hot storage tier, Cool storage tier, Archive storage tier

231
Q

Hot storage tier

A

optimized for storing data that is accessed frequently.

232
Q

Cool storage tier

A

optimized for data that is infrequently accessed and stored for at least 30 days.

233
Q

Archive storage tier

A

for data that is rarely accessed and stored for at least 180 days with flexible latency requirements.

234
Q

Encryption for storage services/Storage Service Encryption (SSE)

A

Azure Storage Service Encryption (SSE) for data at rest helps you secure your data to meet the organization’s security and regulatory compliance.
It encrypts the data before storing it and decrypts the data before retrieving it.
The encryption and decryption are transparent to the user.

235
Q

Client-side encryption

A

where the data is already encrypted by the client libraries.
Azure stores the data in the encrypted state at rest, which is then decrypted during retrieval.

236
Q

Replication for storage availability

A

A replication type is set up when you create a storage account.
The replication feature ensures that your data is durable and always available.
provides regional and geographic replications to protect your data against natural disasters and other local disasters like fire or flooding.

237
Q

cloud vs. on-prem storage - Cost effectiveness

A

on-prem storage

  • requires dedicated hardware that needs to be purchased, installed, configured, and maintained.
  • a significant up-front expense (or capital cost)
  • Change in requirements can require investment in new hardware.
  • Your hardware needs to be capable of handling peak demand which means it may sit idle or be under-utilized in off-peak times.

Azure data storage

  • pay-as-you-go pricing model (operating expense instead of an upfront capital cost)
  • scalable, allowing you to scale up or scale out as demand dictates and scale back when demand is low
  • charged for data services only as you need them.
238
Q

cloud vs. on-prem storage - Reliability

A

On-prem storage

  • requires data backup, load balancing, and disaster recovery strategies
  • challenging and expensive as they often each need dedicated servers requiring a significant investment in both hardware and IT resources.

Azure data storage
- provides data backup, load balancing, disaster recovery, and data replication as services to ensure data safety and high availability.

239
Q

cloud vs. on-prem storage - Storage types

A

Sometimes multiple different storage types are required for a solution, such as file and database storage.

On-prem storage
- requires numerous servers and administrative tools for each storage type.

Azure data storage

  • a variety of different storage options including distributed access and tiered storage.
  • makes it possible to integrate a combination of storage technologies providing the best storage choice for each part of your solution.
240
Q

cloud vs. on-prem storage - Agility

A

On-prem deployment
- provisioning and deploying new servers and infrastructure pieces is a time-consuming and expensive activity.

Azure data storage

  • gives you the flexibility to create new services in minutes.
  • allows you to change storage back-ends quickly without needing a significant hardware investment.
241
Q

loosely coupled architectures

A

Individual components may have little to no knowledge of the definitions of the other components
They only need to be able to send and receive data from one another
No need to know how data is created or processed by rest of the system
Need to agree on a standard for communication

242
Q

Why loosely coupled is important?

A

Component can update independently

  • making changes as long as the communication strategy stays consistent
  • Lets the Azure dev team update and improve features and performance without breaking existing Azure solutions

Allows services to be replaced without significant impact to rest of the system
Allows additional components at ease

Can be scaled proportionally to the amount of data traffic

  • Manage performance and cost on services independently
  • Scale up or scale out for desired services only, and let those services benefit from additional resources
  • Avoid paying for resources not used

243
Q

Using an N-tier architecture (for loosely coupled systems)

A

An architectural pattern that can be used to build loosely coupled systems is N-tier.
An N-tier architecture divides an application into two or more logical tiers.
- a higher tier can access services from a lower tier
- a lower tier should never access a higher tier.
Tiers help separate concerns and are ideally designed to be reusable.
Using a tiered architecture also simplifies maintenance.
Tiers can be updated or replaced independently, and new tiers can be inserted if needed.

ex. Three-tier refers to an n-tier application that has three tiers:
- The web tier
- The application tier
- The data tier

244
Q

The web tier

A

provides the web interface to your users through a browser.
Ex. the user clicks the button to place the order, the request is sent to the web tier, along with the user’s address and payment information. The web tier passes this information to the application tier

245
Q

The application tier

A

runs business logic.

Ex. the application tier validates payment information and checks inventory

246
Q

The data tier

A

includes databases and other storage that hold product information and customer orders.
Ex. application tier might then store the order in the data tier, to be picked up later for fulfillment.

247
Q

virtual network

A

a logically isolated network on Azure.
similar to networks you would set up on Hyper-V, VMware, or even on other public clouds.
allows Azure resources to securely communicate with each other, the internet, and on-premises networks.
scoped to a single region; however, multiple virtual networks from different regions can be connected together using virtual network peering.

248
Q

subnets

A

a virtual network can be segmented into one or more subnets
Subnets help you organize and secure your resources in discrete sections.

ex. The web, application, and data tiers each have a single VM.
All three VMs are in the same virtual network but are in separate subnets.

249
Q

public IP address and private IP

A

Users interact with the web tier directly, so that VM has a public IP address along with a private IP address.
Users don’t interact with the application or data tiers, so these VMs each have a private IP address only.

250
Q

VPN gateway (or virtual network gateway)

A

provides a secure connection between an Azure Virtual Network and an on-premises location over the internet.

ex. keep your service or data tiers in your on-premises network while placing your web tier in the cloud, keeping tight control over other aspects of your application.

251
Q

Azure manages the physical hardware for you.

A

You configure virtual networks and gateways through software, which enables you to treat a virtual network just like your own network.
You choose which networks your virtual network can reach, whether that’s the public internet or other networks in the private IP address space.

252
Q

What’s a network security group (NSG)?

A

allows or denies inbound network traffic to your Azure resources. Think of a network security group as a cloud-level firewall for your network.

  • Ex. VM in the web tier allows inbound traffic on ports 22 (SSH) and 80 (HTTP). This VM’s network security group allows inbound traffic over these ports from all sources. You can configure a network security group to accept traffic only from known sources, such as IP addresses that you trust.
253
Q

Availability

A

how long your service is up and running without interruption.

254
Q

High availability

A

a service that’s up and running for a long period of time.

255
Q

Resiliency

A

a system’s ability to stay operational during abnormal conditions.

  • Natural disasters
  • System maintenance, both planned and unplanned, including software updates and security patches.
  • Spikes in traffic to your site
  • Threats made by malicious parties, such as distributed denial of service, or DDoS, attacks
256
Q

Load Balancer

A

distributes traffic evenly among each system in a pool.
helps achieve both high availability and resiliency.
keeps additional systems ready, in case one goes down or is serving too many users at the same time.

The load balancer becomes the entry point to the user. The user doesn’t know (or need to know) which system the load balancer chooses to receive the request.
- The load balancer receives the user’s request and directs the request to one of the VMs in the web tier.
- If a VM is unavailable or stops responding, the load balancer stops sending traffic to it. The load balancer then directs traffic to one of the responsive servers.
- Load balancing enables you to run maintenance tasks without interrupting service.
- Ex. staggering the maintenance window for each VM. During the maintenance window, the load balancer detects that the VM is unresponsive, and directs traffic to other VMs in the pool.
- the app and data tiers can also have a load balancer. It all depends on what your service requires.

257
Q

Azure Load Balancer

A

a load balancer service that Microsoft provides that helps take care of the maintenance for you.
distributes traffic within the same region to make your services more highly available and resilient.
Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications.

You can use Load Balancer with

  • incoming internet traffic
  • internal traffic across Azure services
  • port forwarding for specific traffic
  • outbound connectivity for VMs in your virtual network.

When you manually configure typical load balancer software on a virtual machine, there’s a downside: you now have an additional system that you need to maintain. If your load balancer goes down or needs routine maintenance, you’re back to your original problem.

With Azure Load Balancer, there’s no infrastructure or software for you to maintain. You define the forwarding rules based on the source IP and port to a set of destination IP/ports.

258
Q

Azure Application Gateway

A

a load balancer designed for web applications.
It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios.
This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message.

259
Q

Cookie affinity

A

keep a user session on the same backend server.

260
Q

SSL termination

A

manage SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption/decryption overhead. It also supports full end-to-end encryption for applications that require that.

261
Q

Web application firewall

A

supports a sophisticated web application firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure.

262
Q

URL rule-based routes

A

allows you to route traffic based on URL patterns, source IP address and port to destination IP address and port. This is helpful when setting up a content delivery network (CDN)

263
Q

Rewrite HTTP headers

A

You can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.

264
Q

Content Delivery Network (CDN)

A

is a distributed network of servers that can efficiently deliver web content to users.
gets content to users in their local region to minimize latency.
can be hosted in Azure or any other location
can cache content at strategically placed physical nodes across the world and provide better performance to end users.

Examples:

  • web applications containing multimedia content
  • a product launch event in a particular region
  • any event where you expect a high-bandwidth requirement in a region.
265
Q

Domain Name System (DNS)

A

maps user-friendly names to their IP addresses
Ex. your domain name, contoso.com, might map to the IP address of the load balancer at the web tier, 40.65.106.192.
You can bring your own DNS server or use Azure DNS, a hosting service for DNS domains that runs on Azure infrastructure.

266
Q

Latency

A

refers to the time it takes for data to travel over the network.
Latency is typically measured in milliseconds.

267
Q

Latency vs. bandwidth

A

Bandwidth refers to the amount of data that can fit on the connection.

Latency refers to the time it takes for that data to reach its destination.

Factors such as the type of connection you use and how your application is designed can affect latency. But perhaps the biggest factor is distance.
Your e-commerce site delivers standard HTML, CSS, JavaScript, and images. The network latency for many files can add up.

268
Q

Scale out to different regions

A

Building a replica of an entire data center is costly; using Azure can cost much less, because Azure already has the equipment and personnel in place.
One way to reduce latency is to provide exact copies of your service in more than one region.

269
Q

Azure Traffic Manager

A

uses the DNS server that’s closest to the user to direct user traffic to a globally distributed endpoint.
doesn’t see the traffic that’s passed between the client and server. Rather, it directs the client web browser to a preferred endpoint.
can route traffic to the endpoint with the lowest latency
can connect Traffic Manager to your own on-premises networks, enabling you to maintain your existing data center investments. Or you can move your application entirely to the cloud. The choice is yours.

270
Q

Traffic Manager

A

works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that’s closest to your user.

Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways:

  • When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool.
  • Traffic Manager monitors the health of your endpoints. In contrast, when Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.
271
Q

Physical Security of Azure

A

Walls
Cameras
Gates
Security personnel
Strict procedures for employees
More security certifications than any other cloud vendor to date

272
Q

Digital Security of Azure

A

Data can travel many different ways in the cloud:

  • Within a data center
  • Between data centers
  • All over the internet

Attackers can gain access by compromising any of these resources or communication paths, for example:

  • VMs that run applications and services in the cloud
  • Data stored in the cloud
  • Data traveling outside of Azure and across the public internet
  • Endpoints (ex. user devices and computers) that consume data or services

273
Q

customers would need to use MS tools to mitigate security threats

A

MS handles physical security of data centers and of the entire Azure environment
At the software layer, MS meets the security, privacy and compliance needs of customers

Customer however owns data and identities, and is responsible for protecting them, security of on-prem resources and cloud components under customer’s control

  • Degree of responsibility for security varies based on type of cloud service; more customer control = more responsibility to assume in securing the resources
  • Ex. full control of a VM (IaaS) = customer responsible for OS, network, applications running on the VM, identity and directory infrastructure, and accounts and access management.
  • Ex. least control of a VM (SaaS), ex. O365 = MS takes care of all OS updates, network security considerations, application, and provides mechanism for identity and directory infrastructure management. Customer only has to give proper access to users

All services and software managed by Microsoft have built-in mechanisms for authentication and authorization, ex. two-way authentication, RBAC
MS provides data encryption, which is a second layer of security in case of a breach
MS ensures data traveling outside of Azure is transmitted over the TLS security layer, and the user determines which accounts can receive and decrypt the data
MS provides monitoring tools, ex. for login failures, login attempts from suspicious locations, etc.
- You would need to interpret login attempts and suspend accounts that may have been compromised
MS provides automatic denial-of-service protection, real-time telemetry to see where requests are coming from, and firewalls to block potentially malicious traffic

274
Q

Azure Event Hubs

A

takes in telemetry data from physical equipment and/or from the Azure Cosmos DB backend of mobile apps

275
Q

Defense in depth

A

a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information.
Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
Microsoft applies a layered approach to security, both in physical data centers and across Azure services.
The objective of defense in depth is to protect and prevent information from being stolen by individuals who are not authorized to access it.

276
Q

Defense in depth - Data

A

In almost all cases, attackers are after data:
- Stored in a database
- Stored on disk inside virtual machines
- Stored on a SaaS application such as Office 365
- Stored in cloud storage
It’s the responsibility of those storing and controlling access to data to ensure that it’s properly secured.
Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.

277
Q

Defense in depth - Application

A

Ensure applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application development.
Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code.
We encourage all development teams to ensure their applications are secure by default, and that they’re making security requirements non-negotiable.

278
Q

Defense in depth - Compute

A

Secure access to virtual machines.
Implement endpoint protection and keep systems patched and current.
Malware, unpatched systems, and improperly secured systems open your environment to attacks.
The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues.

279
Q

Defense in depth - Networking

A

Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound, where appropriate.
Implement secure connectivity to on-prem networks.
At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required.
By limiting this communication, you reduce the risk of lateral movement throughout your network.

280
Q

Defense in depth - Perimeter

A

Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
Use perimeter firewalls to identify and alert on malicious attacks against your network.
At the network perimeter, it’s about protecting from network-based attacks against your resources.
Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.

281
Q

Defense in depth - Identity and access

A

Control access to infrastructure and change control.
Use single sign-on and multi-factor authentication.
Audit events and changes.
The identity and access layer is all about
- ensuring identities are secure
- access granted is only what is needed
- changes are logged.

282
Q

Defense in depth - Physical security

A

Physical building security and controlling access to computing hardware within the data center is the first line of defense.
With physical security, the intent is to provide physical safeguards against access to assets.
This ensures that other layers can’t be bypassed, and loss or theft is handled appropriately.

283
Q

Azure Security Center

A

a monitoring service that provides threat protection across all of your services both in Azure, and on-prem.

  • Provide security recommendations based on your configurations, resources, and networks.
  • Monitor security settings across on-prem and cloud workloads, and automatically apply required security to new services as they come online.
  • Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
  • Use machine learning to detect and block malware from being installed on your virtual machines and services.
    • You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.
  • Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
  • Provide just-in-time (JIT) access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
284
Q

Available tiers - Free

A

Available as part of your Azure subscription; limited to assessments and recommendations of Azure resources only.

285
Q

Available tiers - Standard

A

full suite of security-related services:
- continuous monitoring
- threat detection
- just-in-time (JIT) access control for ports

286
Q

Usage scenarios

A

Use Security Center for incident response.
To reduce costs and damage, it’s important to have an incident response plan in place before an attack occurs.
You can use Azure Security Center in different stages of an incident response.

Detect > Assess > Diagnose > Stabilize > Close

287
Q

Detect

A

Review the first indication of an event investigation.
For example, you can use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.

288
Q

Assess

A

Perform the initial assessment to obtain more information about the suspicious activity.
For example, obtain more information about the security alert.

289
Q

Diagnose

A

Conduct a technical investigation and identify containment, mitigation, and workaround strategies.
For example, follow the remediation steps described by Security Center in that particular security alert.

290
Q

enhance security

A

You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.

Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls.

For example, if you have workloads that do not require the Azure SQL Database Transparent Data Encryption (TDE) policy, turn off the policy at the subscription level and enable it only in the resource groups where SQL TDE is required.

291
Q

Security policy

A

set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company’s security requirements.

292
Q

Identity and Access

A

Network perimeters, firewalls, and physical access controls used to be the primary protection for corporate data. But network perimeters have become increasingly porous with the explosion of bring your own device (BYOD), mobile apps, and cloud applications.
Identity has become the new primary security boundary. Therefore, proper authentication and assignment of privileges is critical to maintaining control of your data.

293
Q

Authentication (AuthN)

A

the process of establishing the identity of a person or service looking to access a resource.
The act of challenging a party for legitimate credentials
provides the basis for creating a security principal for identity and access control use
establishes if they are who they say they are.

294
Q

Authorization (AuthZ)

A

the process of establishing what level of access an authenticated person or service has.
specifies what data they’re allowed to access
specifies what they can do with it.

295
Q

Azure Active Directory

A

a cloud-based identity service
supports synchronizing with existing on-prem Active Directory or can be used stand-alone.
Works for all apps (on-prem and cloud)
Admin and Devs can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.

296
Q

AAD - Authentication

A
verifies identity to access applications and resources
self-service password reset
multi-factor authentication (MFA)
a custom banned password list
smart lockout services.
297
Q

Single-Sign-On (SSO)

A

remember only one ID and one password to access multiple applications
Access across applications is granted to a single identity tied to a user, simplifying the security model.
As users change roles or leave an organization, access modifications are tied to that single identity, greatly reducing the effort needed to change or disable accounts.
Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.

298
Q

Application management

A

manage apps (on-prem and cloud) using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.

299
Q

Business to business (B2B) identity services

A

Manage guest users and external partners while maintaining control over your own corporate data

Business-to-Customer (B2C) identity services: customize and control how users sign up, sign in, and manage their profiles when using your apps and services.

300
Q

Device Management

A

Manage how your cloud or on-prem devices access your corporate data

301
Q

intelligent security graph

A

combine multiple data sources into an intelligent security graph
This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-prem AD.
centralizes security controls, reporting, alerting, and administration of your identity infrastructure.

302
Q

Multi-factor authentication (MFA)

A

provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

  • Something you know
    • password or the answer to a security question.
  • Something you possess
    • a mobile app that receives a notification or a token-generating device
  • Something you are
    • biometric property, such as a fingerprint or face scan used on many mobile devices.

increases security of your identity by limiting the impact of credential exposure.
An attacker who has a user’s password would also need to have possession of their phone or their face in order to fully authenticate.
Authentication with only a single factor verified is insufficient, and the attacker would be unable to use those credentials to authenticate.

Azure AD has MFA capabilities built in and will integrate with other third-party MFA providers.
It’s provided free of charge to any user who has the Global Administrator role in Azure AD, because these are highly sensitive accounts.
All other accounts can have MFA enabled by purchasing licenses with this capability — as well as assigning a license to the account.

303
Q

Providing identities to services

A

It’s usually valuable for services to have identities. Often, credential information is instead embedded in configuration files, where it can be exposed and accessed if there’s no security around those files.
Azure AD addresses this problem through two methods:
- Identity
- Principal

304
Q

Identity

A

something that can be authenticated:

  • Ex. users with a user name and password
  • Ex. Applications (authenticated via secret keys or certificates)
  • Ex. Servers (authenticated via secret keys or certificates)
305
Q

Principal

A

an identity acting with certain roles or claims

  • Ex. logged in as the same identity as before, but you’ve changed the role under which you are executing, e.g. “sudo” (Linux) or “Run as administrator” (Windows).
  • Ex. Groups with rights assigned.
306
Q

service principal

A

an identity that is used by a service or application.

can be assigned roles.

307
Q

Managed identities for Azure services

A

instantly created for any Azure service that supports it—and the list is constantly growing.
When you create a managed identity for a service, you are creating an account on the Azure AD tenant.
The Azure infrastructure will automatically take care of authenticating the service and managing the account.
Use the account like any other Azure AD account, including securely letting the authenticated service access other Azure resources.

308
Q

Role-based access control (RBAC)

A

Roles are sets of permissions, like “Read-only” or “Contributor”, that give users certain access.
Identities are mapped to roles directly or through group membership.
Separating security principals, access permissions, and resources provides simple access management and fine-grained control, ensuring only the minimum necessary permissions are granted.
Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy.

309
Q

Privileged Identity Management (PIM)

A

ongoing auditing of role members as their organization changes and evolves
an additional, paid-for offering that provides oversight of:
- role assignments
- self-service
- just-in-time (JIT) role activation
- Azure AD and Azure resource access reviews

310
Q

Encryption

A

the only protection data has once it leaves the data center
If it is stored on mobile devices, it could potentially be hacked or stolen.
Encryption is the process of making data unreadable and unusable to unauthorized viewers.
To use or read the encrypted data, it must be decrypted, which requires the use of a secret key.

311
Q

types of encryption - Symmetric encryption

A

uses the same key to encrypt and decrypt the data.
Ex. a password stored on a desktop is encrypted with a personal secret key derived from a master password; when the data needs to be retrieved, the same key is used to decrypt it.

312
Q

types of encryption - Asymmetric encryption

A

uses a public key and private key pair.
Either key can encrypt, but a single key cannot decrypt what it encrypted; decryption requires the paired key. In practice data is encrypted with the recipient's public key and decrypted with their private key, while signatures are made with the private key and verified with the public key.
Used in Transport Layer Security (TLS) (the basis of HTTPS) and for digital signing of data.

313
Q

Encryption at rest

A

Data at rest is the data that has been stored on a physical medium. Data stored:
- on the disk of a server
- in a database
- in a storage account.
ensures that the stored data is unreadable without the keys and secrets needed to decrypt it.
An attacker who obtains the disk, database file, or backup but not the key cannot read the data.
The actual data that is encrypted could vary in its content, usage, and importance to the organization:
- financial information critical to the business
- intellectual property that has been developed by the business
- personal data about customers or employees that the business stores,
- keys and secrets used for the encryption of the data itself.

314
Q

Encryption in transit

A

Data in transit is the data actively moving from one location to another, such as across the internet or through a private network.
Secure transfer can be handled at several different layers:
- Ex. at the application layer, encrypting the data before sending it over the network, like HTTPS (TLS).
- Ex. at the network layer with a secure channel, like a VPN (IPsec).
protects the data from outside observers and provides a mechanism to transmit data while limiting risk of exposure.

315
Q

Encrypt raw storage/Azure Storage Service Encryption

A

for data at rest
helps you protect your data to meet your organizational security and compliance commitments.
Azure storage platform automatically encrypts your data before persisting it to:
- Azure Managed Disks
- Azure Blob storage
- Azure Files
- Azure Queue storage

decrypts the data on retrieval.
The handling of encryption, decryption, and key management in Storage Service Encryption is transparent to applications using the services (no code changes required).

Encrypt virtual machine disks (virtual hard disks, VHDs)

  • Azure Disk Encryption helps encrypt Windows and Linux IaaS virtual machine disks.
  • Uses BitLocker for Windows.
  • Uses dm-crypt for Linux.
  • Provides volume encryption for the OS and data disks.
  • Azure Key Vault controls and manages the disk encryption keys and secrets (access to Key Vault is granted to identities such as managed service identities).
316
Q

Transparent data encryption (TDE)

A

helps protect Azure SQL Database and Azure SQL Data Warehouse against the threat of malicious activity (for example a stolen backup or database file).

  • real-time encryption and decryption of the database, its associated backups, and its transaction log files at rest
  • requires no changes to the application
  • enabled by default for new databases
317
Q

database encryption key

A

TDE encrypts the data with a symmetric key, the database encryption key (DEK).

The DEK is protected by a TDE protector; by default this is a service-managed certificate that is unique per logical SQL server, and Azure handles its storage and rotation for you.

318
Q

Bring your own key (BYOK)

A

supported: the TDE protector can instead be a customer-managed key stored in Azure Key Vault, which gives you control over key rotation, access, and revocation.

319
Q

Azure Key Vault

A

a centralized cloud service for storing your application secrets
Key Vault keeps secrets in a single, central location and provides:
- secure access
- permissions control
- access logging capabilities

320
Q

Secrets management

A

You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.

321
Q

Key management

A

You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.

322
Q

Certificate management

A

Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for your Azure, and internally connected, resources more easily.

323
Q

hardware security modules (HSMs)

A

Store secrets backed by hardware security modules (HSMs)

The secrets and keys can be protected either by software (Standard tier) or by FIPS 140-2 Level 2 validated HSMs (Premium tier).

324
Q

benefits of using Key Vault include:

A

Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.

Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.

Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.

Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.

Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.

Because Azure AD identities can be granted access to use Azure Key Vault secrets, applications with managed service identities enabled can automatically and seamlessly acquire the secrets they need.

325
Q

layered approach to network security

A

A layered approach provides multiple levels of protection, so that if an attacker gets through one layer, there are further protections in place to limit further attack.

326
Q

Internet protection

A

focused on limiting and eliminating attacks from the internet.
Assess the resources that are internet-facing, and allow inbound and outbound communication only where necessary.
Identify all resources that allow inbound network traffic of any type, then restrict them to only the ports and protocols required.

327
Q

Azure Security Center

A

identifies internet-facing resources that don’t have network security groups associated with them, as well as resources that are not secured behind a firewall.

328
Q

Firewall

A

A firewall is a service that grants server access based on the originating IP address of each request.
Firewall rules specify ranges of IP addresses and only clients from these granted IP addresses will be allowed to access the server.
Firewall rules include specific network protocol and port information.

329
Q

Azure Firewall

A

a managed, cloud-based, network security service that protects your Azure Virtual Network resources.
fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
provides inbound protection for non-HTTP/S protocols like:
- Remote Desktop Protocol (RDP)
- Secure Shell (SSH)
- File Transfer Protocol (FTP).
It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

330
Q

Azure Application Gateway

A

a load balancer that includes a Web Application Firewall (WAF)
provides protection from common, known vulnerabilities in websites.
designed to protect HTTP traffic.

331
Q

Network virtual appliances (NVAs)

A

ideal options for non-HTTP services or advanced configurations
similar to hardware firewall appliances

332
Q

Stopping Distributed Denial of Service (DDoS) attacks

A

A denial of service attack attempts to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive.
combine Azure DDoS Protection with application design best practices

333
Q

DDoS Protection

A

brings DDoS mitigation capacity to every Azure region.
scrubs traffic at the Azure network edge before it can impact your service's availability
Within a few minutes of attack detection, you are notified using Azure Monitor metrics.
Legitimate traffic from customers still flows into Azure without any interruption of service.

334
Q

Azure DDoS Protection service tiers - Basic

A

automatically enabled as part of the Azure platform.
Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use.
Azure’s global network is used to distribute and mitigate attack traffic across regions.

335
Q

Azure DDoS Protection service tiers - Standard

A

provides additional mitigation capabilities for Microsoft Azure Virtual Network resources.
simple to enable and requires no application changes.

336
Q

Protection policies

A

tuned through dedicated traffic monitoring and machine learning algorithms
applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.

337
Q

Azure DDoS Protection mitigates - volumetric attacks

A

flood the network layer with a substantial amount of seemingly legitimate traffic.

338
Q

Azure DDoS Protection mitigates - protocol attacks

A

render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.

339
Q

Azure DDoS Protection mitigates - resource (application) layer attacks

A

target web application packets to disrupt the transmission of data between hosts.

340
Q

Virtual network (VNet) security

A

inside a virtual network (VNet), it is crucial to limit communication between resources (for example between VMs) to only what is required.

341
Q

Network Security Groups (NSGs)

A

manage these restrictions

  • filter network traffic to and from Azure resources in an Azure virtual network.
  • can contain multiple inbound and outbound security rules that filter traffic to and from resources by source and destination IP address, port, and protocol.
  • rules are processed in priority order (lowest number first) and the first matching rule wins; a default DenyAllInBound rule at priority 65500 catches everything not explicitly allowed.
  • provide a list of allowed and denied communication to and from network interfaces and subnets.
  • fully customizable.
  • can completely remove public internet access to your services by restricting access to service endpoints.
    • With service endpoints, access to an Azure service (e.g. Storage, SQL) can be limited to your virtual network.
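How an NSG actually decides, as an added example that is not from the flashcards or from Microsoft: a small Python model of inbound rule processing that uses the real default rules (priorities 65000, 65001 and 65500) together with a constructed rule set. The `SERVICE_TAGS` ranges, the probe address in `exposed_from_internet` and the rule sets are assumptions for illustration; real service tags resolve to Microsoft-published ranges. The second rule set shows the shadowing mistake the "Internet protection" card tells you to hunt for: an Allow with a lower priority number silently defeats a Deny placed after it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for Azure service tags. Real tags map to Microsoft-published
# ranges; "VirtualNetwork" here is approximated by the RFC 1918 private space.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],  # the Azure health-probe source address
}


@dataclass(frozen=True)
class Rule:
    priority: int    # 100-4096 for custom rules; lower number is evaluated first
    name: str
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, service tag, "Internet" or "*"
    dest_port: str   # "22", "1000-2000" or "*"


# The default inbound rules Azure puts in every NSG. They cannot be deleted,
# only overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*"),
]


def _in_tag(tag, ip):
    return any(ip_address(ip) in ip_network(cidr) for cidr in SERVICE_TAGS[tag])


def _source_matches(spec, src_ip):
    if spec == "*":
        return True
    if spec == "Internet":                      # everything that is not VNet address space
        return not _in_tag("VirtualNetwork", src_ip)
    if spec in SERVICE_TAGS:
        return _in_tag(spec, src_ip)
    return ip_address(src_ip) in ip_network(spec)  # plain CIDR or single address


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(custom_rules, protocol, src_ip, dst_port):
    """Decide an inbound flow the way an NSG does: walk rules in ascending
    priority and stop at the first one whose direction, protocol, port and
    source all match. Returns (access, name_of_matching_rule)."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if not _port_matches(rule.dest_port, dst_port):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound always matches")


def exposed_from_internet(custom_rules, ports=(22, 80, 443, 3389)):
    """Audit helper: which of the given TCP ports could an arbitrary internet
    host reach? Uses a constructed probe address from the TEST-NET-2 range."""
    probe = "198.51.100.7"
    return [p for p in ports if evaluate(custom_rules, "Tcp", probe, p)[0] == "Allow"]


# Constructed rule set for a web tier: SSH only from a bastion range, HTTPS from anywhere.
WEB_TIER = [
    Rule(100, "AllowSshFromBastion", "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule(200, "DenySshFromInternet", "Inbound", "Deny", "Tcp", "Internet", "22"),
    Rule(300, "AllowHttpsInBound", "Inbound", "Allow", "Tcp", "*", "443"),
]

# Constructed misconfiguration: the Deny at 110 is shadowed by the Allow at 100,
# so RDP is open to the internet even though a "deny" rule exists.
SHADOWED_RDP = [
    Rule(100, "AllowRdpAny", "Inbound", "Allow", "Tcp", "*", "3389"),
    Rule(110, "DenyRdpFromInternet", "Inbound", "Deny", "Tcp", "Internet", "3389"),
    Rule(300, "AllowHttpsInBound", "Inbound", "Allow", "Tcp", "*", "443"),
]

if __name__ == "__main__":
    print(evaluate(WEB_TIER, "Tcp", "203.0.113.10", 22))   # ('Allow', 'AllowSshFromBastion')
    print(evaluate(WEB_TIER, "Tcp", "198.51.100.7", 22))   # ('Deny', 'DenySshFromInternet')
    print(exposed_from_internet(WEB_TIER))                  # [443]
    print(exposed_from_internet(SHADOWED_RDP))              # [443, 3389]
```

Note that VM-to-VM traffic inside the VNet (for example 10.0.1.4 to port 8080) is still allowed by the default AllowVnetInBound rule; if the "VNet security" card's goal of limiting east-west traffic matters, you need an explicit lower-numbered Deny, the defaults alone do not give it to you.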
342
Q

Network integration

A

communication from on-prem networks to VNet or provide improved communication between services in Azure, commonly through VPN.

343
Q

Azure ExpressRoute

A

provides a dedicated, private connection.
extends your on-prem networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.
establishes connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.
improves security by sending this traffic over the private circuit instead of over the public internet.
no need to allow access to these services for your end users over the public internet.
can send this traffic through appliances for further traffic inspection.
Caveat: private is not the same as encrypted. ExpressRoute traffic is isolated from the internet but the circuit itself does not encrypt it, so keep TLS or IPsec for data that needs confidentiality.

344
Q

Microsoft Azure Information Protection (MSIP or sometimes referred to as AIP)

A

a cloud-based solution
classify and protect documents and emails by applying labels.
You can purchase MSIP either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft 365 Enterprise.

345
Q

Labels

A

applied automatically (by rules and conditions the administrator configures), manually (by the user), or both, with recommendations guiding the user.

  • Ex. rules that detect sensitive data:
    • When a user saves a Microsoft Word document containing a credit card number, a custom tooltip is displayed.
    • The tooltip recommends labeling the file as Confidential - All Employees, which is a label that the administrator has configured.
    • This label classifies the document and protects it.

After your content is classified, you can track and control how the content is used.

  • Analyze data flows to gain insight into your business
  • Detect risky behaviors and take corrective measures
  • Track access to documents
  • Prevent data leakage or misuse of confidential information
346
Q

Azure Advanced Threat Protection (Azure ATP)

A

a cloud-based security solution that identifies, detects, and helps you investigate:

  • advanced threats
  • compromised identities
  • malicious insider actions directed at your organization.

capable of detecting:

  • known malicious attacks and techniques
  • security issues
  • risks against your network.

Purchasing Azure Advanced Threat Protection

  • available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license.
  • You can acquire a license directly from the Enterprise Mobility + Security Pricing Options page or through the Cloud Solution Provider (CSP) licensing model.
  • It is not available to purchase via the Azure portal.
347
Q

Azure ATP portal

A

monitor and respond to suspicious activity on ATP portal
can create your Azure ATP instance and view the data received from Azure ATP sensors.
monitor, manage, and investigate threats in your network environment.
must sign in with a user account that is assigned to an Azure AD security group that has access to the Azure ATP portal.

348
Q

Azure ATP sensor

A

installed directly on your domain controllers

monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.

349
Q

Azure ATP cloud service

A

runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia.
Azure ATP cloud service is connected to Microsoft’s intelligent security graph.

350
Q

IT governance

A

involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues.
Governance is needed when:
- You have multiple engineering teams working in Azure
- You have multiple subscriptions in your tenant
- You have regulatory requirements which must be enforced
- You want to ensure standards are followed for all IT allocated resources

Examples:

  • You could enforce standards by not allowing teams to directly create Azure resources - and instead have the IT team define and deploy all cloud-based assets. Azure provides several tools you can use to enforce and validate your standards, while still allowing your engineering teams to create and own their own resources in the cloud.
  • besides IT standards, you need to be able to monitor your resources to make sure they are responsive and performing properly. Azure provides several built-in features to track and analyze your resource utilization and performance.
351
Q

IT compliance with Azure Policy

A

enforce your rules for created resources, so your infrastructure stays compliant with:

  • your corporate standards
  • cost requirements
  • service-level agreements (SLAs) you have with your customers.

a service in Azure that you use to define, assign, and, manage standards for resources in your environment.

  • prevent the creation of disallowed resources
  • ensure new resources have specific settings applied
  • run evaluations of your existing resources to scan for non-compliance.

comes with many built-in policy and initiative definitions that you can use, under categories such as

  • Storage
  • Networking
  • Compute
  • Security Center
  • Monitoring

Ex. a policy that prohibits any new VM with more than 4 CPUs: at creation time Azure Policy stops anyone from creating a VM outside the list of allowed stock keeping units (SKUs).
Ex. a policy that applies when an existing VM is updated.
Ex. audit all the existing VMs in the organization to ensure the policy is enforced.
Depending on the effect chosen, a policy can:
- flag non-compliant resources
- alter the resource properties
- stop the resource from being created.

352
Q

Azure Policy integrate with Azure DevOps,

A

applying any continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications.

353
Q

policy definition (JSON file)

A

every policy definition has conditions under which it is enforced. And, it has an accompanying effect that takes place if the conditions are met. To apply a policy, you will:
- Create a policy definition
- Assign a definition to a scope of resources
- View policy evaluation results
Can use pre-defined definitions or create your own
Hundreds of samples in GitHub (https://github.com/Azure/azure-policy)

354
Q

Ex. Compute policy that allows specific VM sizes

A
********
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": "[parameters('listOfAllowedSKUs')]"
        }
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
********
[parameters('listOfAllowedSKUs')]
Replacement token, filled in when the policy definition is assigned to a scope (e.g. ["Standard_B2s", "Standard_D2s_v3"]).
A parameter is declared in the definition's parameters block with a name and a type (here an Array), and optionally a default value and allowed values; the assignment supplies the actual value.
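To see why a given request is denied by the rule above, here is an added example (not from the flashcards, and not the Azure Policy engine): a minimal evaluator in Python for just the subset of the rule language the definition uses (allOf, not, field, equals, in, and the `[parameters('...')]` token), following the documented semantics including case-insensitive string comparison. The request bodies and the assigned parameter value are constructed; the resource is given as a flat dict keyed by alias, which is an assumption that stands in for the real alias-to-request-path mapping.

```python
import json

# The rule from the card, verbatim (parameter case matches the declaration).
POLICY_RULE = json.loads("""
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": "[parameters('listOfAllowedSKUs')]"
      } }
    ]
  },
  "then": { "effect": "Deny" }
}
""")


def resolve(value, parameters):
    """Replace a [parameters('name')] token with the value supplied at assignment time."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return parameters[value[len(prefix):-len(suffix)]]
    return value


def _norm(v):
    # Azure Policy compares strings case-insensitively.
    return v.lower() if isinstance(v, str) else v


def condition(cond, resource, parameters):
    """Evaluate one condition block against a resource given as a flat dict
    keyed by alias (e.g. 'Microsoft.Compute/virtualMachines/sku.name')."""
    if "allOf" in cond:
        return all(condition(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition(c, resource, parameters) for c in cond["anyOf"])
    if "not" in cond:
        return not condition(cond["not"], resource, parameters)
    actual = _norm(resource.get(cond["field"]))   # missing field -> None, never equal
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], parameters))
    if "in" in cond:
        return actual in [_norm(x) for x in resolve(cond["in"], parameters)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, resource, parameters):
    """Return the effect name when the 'if' block matches, else None (compliant)."""
    if condition(policy_rule["if"], resource, parameters):
        return policy_rule["then"]["effect"]
    return None


# Constructed assignment parameters and request bodies.
ASSIGNED = {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}
VM_OK = {"type": "Microsoft.Compute/virtualMachines",
         "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3"}
VM_TOO_BIG = {"type": "Microsoft.Compute/virtualMachines",
              "Microsoft.Compute/virtualMachines/sku.name": "Standard_D16s_v3"}
STORAGE = {"type": "Microsoft.Storage/storageAccounts"}   # rule never fires: type differs

if __name__ == "__main__":
    for name, body in [("VM_OK", VM_OK), ("VM_TOO_BIG", VM_TOO_BIG), ("STORAGE", STORAGE)]:
        print(name, evaluate(POLICY_RULE, body, ASSIGNED))   # None, Deny, None
```

The `allOf` on `type` is what keeps the policy from touching storage accounts or networks: without it the `not ... in` branch would match every resource that has no VM SKU field and deny everything in scope.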
355
Q

Policy

A

what to evaluate and what action to take.

  • Ex. ensure all public websites are secured with HTTPS
  • Ex. prevent a particular storage type from being created
  • Ex. force a specific version of SQL Server to be used.
356
Q

Allowed Storage Account SKUs

A

This policy definition has a set of conditions/rules that determine whether a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.

357
Q

Allowed Resource Type

A

This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of this defined list.

358
Q

Allowed Locations

A

This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geographic compliance requirements.

359
Q

Allowed Virtual Machine SKUs

A

This policy enables you to specify a set of VM SKUs that your organization can deploy.

360
Q

Not allowed resource types

A

Prevents a list of resource types from being deployed.

361
Q

policy assignment

A

a policy definition that has been assigned to take place within a specific scope.
This scope could range from a full subscription down to a resource group. Policy assignments are inherited by all child resources. This means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a sub-scope from the policy assignment.
- For example, we could enforce a policy for an entire subscription and then exclude a few select resource groups.
You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. When you assign a policy definition, you will need to supply any parameters which are defined.

362
Q

SKUs

A

stock keeping units

363
Q

Policy effects

A

Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. Policy processes several of the effects before handing the request to the appropriate Resource Provider, to avoid any unnecessary processing if the resource violates policy. The order is: Disabled, then Append (and Modify), then Deny, then Audit; AuditIfNotExists and DeployIfNotExists run only after the Resource Provider has returned success.
Each policy definition in Azure Policy has a single effect. That effect determines what happens when the associated policy rule is matched. When that happens, Azure Policy takes a specific action based on the assigned effect.

364
Q

Policy effects - Deny

A

The resource creation/update fails due to policy.

365
Q

Policy effects - Disabled

A

The policy rule is ignored (disabled). Often used for testing.

366
Q

Policy effects - Append

A

Adds additional parameters/fields to the requested resource during creation or update. A common example is adding tags on resources such as Cost Center or specifying allowed IPs for a storage resource.

367
Q

Policy effects - Audit, AuditIfNotExists

A

Creates a warning event in the activity log when evaluating a non-compliant resource, but it doesn’t stop the request.

368
Q

Policy effects - DeployIfNotExists

A

Executes a template deployment when a specific condition is met, after the resource has been created. For example, after a SQL database is created it can deploy a template that enables encryption if it is not already configured.
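How the "policy assignment" card (scope inheritance with excluded sub-scopes) and the effect cards above fit together at request time, as an added example in Python that is not from the flashcards and is not the Azure Policy engine. Scopes are modelled as slash paths nested in hierarchy order (management group / subscription / resource group / resource), which is a simplification: real Azure resource IDs do not embed the management group name. The assignments, paths and request bodies are constructed; each assignment's evaluated `if` block is represented by a small predicate.

```python
from dataclasses import dataclass, field
from typing import Callable

# Order in which Azure Policy processes effects: Disabled, Append/Modify, Deny,
# Audit. AuditIfNotExists and DeployIfNotExists run only after the Resource
# Provider has accepted the request.
EFFECT_ORDER = ["Disabled", "Append", "Modify", "Deny", "Audit",
                "AuditIfNotExists", "DeployIfNotExists"]


@dataclass
class Assignment:
    name: str
    scope: str                              # path prefix covered by the assignment
    effect: str
    non_compliant: Callable[[dict], bool]   # stands in for the definition's evaluated 'if' block
    not_scopes: list = field(default_factory=list)  # sub-scopes excluded from the assignment
    append: dict = field(default_factory=dict)      # fields an Append effect adds


def applies(a, resource_id):
    """Assignments are inherited by every child scope unless that child is excluded.
    The trailing slash stops '/mg/infra' from matching '/mg/infrastructure/...'."""
    covered = resource_id.startswith(a.scope.rstrip("/") + "/")
    excluded = any(resource_id.startswith(ns.rstrip("/") + "/") for ns in a.not_scopes)
    return covered and not excluded


def process_request(assignments, resource_id, body):
    """Simulate a create/update request. Returns (outcome, fired, body):
    outcome is 'Denied' or 'Accepted', fired lists assignment names in the
    order their effects ran, body is the request after any Append effects."""
    body = dict(body)
    fired = []
    live = [a for a in assignments
            if applies(a, resource_id) and a.effect != "Disabled" and a.non_compliant(body)]
    for effect in EFFECT_ORDER:
        for a in (x for x in live if x.effect == effect):
            fired.append(a.name)
            if effect == "Append":
                for k, v in a.append.items():
                    body.setdefault(k, v)          # Append only adds fields the request lacks
            elif effect == "Deny":
                return "Denied", fired, body       # fail fast: never reaches the provider
            # Audit and the *IfNotExists effects record non-compliance but let the request through
    return "Accepted", fired, body


# Constructed hierarchy and assignments.
ASSIGNMENTS = [
    Assignment("allowed-locations", "/mg/infra", "Deny",
               lambda r: r.get("location") != "westus",
               not_scopes=["/mg/infra/sub/prod/rg/sandbox"]),
    Assignment("append-costcenter", "/mg/infra/sub/prod", "Append",
               lambda r: "costCenter" not in r,
               append={"costCenter": "unassigned"}),
    Assignment("audit-missing-nsg", "/mg/infra/sub/prod", "Audit",
               lambda r: not r.get("nsg")),
    Assignment("old-rule", "/mg/infra", "Disabled", lambda r: True),
]

WEB_VM = "/mg/infra/sub/prod/rg/web/vm/web01"
SANDBOX_VM = "/mg/infra/sub/prod/rg/sandbox/vm/scratch01"
OTHER_MG_VM = "/mg/other/sub/dev/rg/x/vm/y"

if __name__ == "__main__":
    print(process_request(ASSIGNMENTS, WEB_VM, {"location": "eastus"}))      # Denied
    print(process_request(ASSIGNMENTS, SANDBOX_VM, {"location": "eastus"}))  # Accepted, audited
    print(process_request(ASSIGNMENTS, WEB_VM,
                          {"location": "westus", "nsg": True, "costCenter": "CC-42"}))  # Accepted, nothing fired
```

The sandbox case is the one to watch in a review: an exclusion on a management-group-level Deny means resources in that resource group can land in any region, and only the Audit effect records it.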

369
Q

View policy evaluation results

A

Azure Policy can allow a resource to be created even if it doesn’t pass validation. In these cases, you can have it trigger an audit event which can be viewed in the Azure Policy portal, or through command-line tools. The easiest approach is in the portal as it provides a nice graphical overview which you can explore. You can find the Azure Policy section through the search field or All Services.

370
Q

Initiatives

A

work alongside policies in Azure Policy.
An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal.
Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.

371
Q

initiative assignment

A

an initiative definition assigned to a specific scope.
Initiative assignments reduce the need to make several initiative definitions for each scope.
This scope could also range from a management group to a resource group.
Once defined, initiatives can be assigned just as policies can - and they apply all the associated policy definitions.

372
Q

Defining initiatives

A

Initiative definitions simplify the process of managing and assigning policy definitions by grouping a set of policies into a single item.
Ex. you could create an initiative named Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.

373
Q

Enterprise governance management

A

Access management occurs at the Azure subscription level.
This allows an organization to configure each division of the company in a specific fashion based on their responsibilities and requirements.
Planning and keeping rules consistent across subscriptions can be challenging without a little help.

374
Q

Azure Management Groups

A

containers for managing access, policies, and compliance across multiple Azure subscriptions.
allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions.
All subscriptions within a management group automatically inherit the conditions applied to the management group.
give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.

375
Q

Create a hierarchy

A

Ex. limit VM locations to US West Region on the group “Infrastructure Team management group”.

  • This policy will inherit onto both EA subscriptions under that management group and will apply to all VMs under those subscriptions.
  • This security policy cannot be altered by the resource or subscription owner allowing for improved governance.

Ex. provide user access to multi subscriptions

  • By moving many subscriptions under that management group, you can create one role-based access control (RBAC) assignment on the management group, which will inherit that access to all the subscriptions.
  • One assignment on the management group can enable users to have access to everything they need instead of scripting RBAC rules over different subscriptions.
376
Q

Azure Blueprint (artifacts and tools)

A

help you with auditing, traceability, and compliance with your deployments.
allows you to define a repeatable set of Azure resources that implement and adhere to your organization’s standards, patterns, and requirements.
enables development teams to rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed up development and delivery.

a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups

The process of implementing Azure Blueprint consists of the following high-level steps:

  • Create an Azure Blueprint
  • Assign the blueprint
  • Track the blueprint assignments

With Azure Blueprint, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved deployment tracking and auditing.

Azure Blueprints are different from Azure Resource Manager Templates.

  • When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or source control).
  • By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package. This means that the relationship with resources will be maintained, even after deployment. Managing relationships, in this way, improves auditing and tracking capabilities.

Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.

377
Q

Compliance Manager/Microsoft Privacy Statement

A

explains what personal data Microsoft processes
how Microsoft processes it
for what purposes.
The statement applies to the interactions Microsoft has with you and Microsoft products such as Microsoft services, websites, apps, software, servers, and devices.
It is intended to provide openness and honesty about how Microsoft deals with personal data in its products and services.

378
Q

Microsoft Trust Center

A

a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
is an important part of the Microsoft Trusted Cloud Initiative
provides support and resources for the legal and compliance community including:
- In-depth information (across all MS cloud products) about:
  - Security
  - Privacy
  - Compliance offerings
  - Policies
  - Features
  - Practices

  • Recommended resources (a curated list) of the most applicable and widely-used resources for each topic.
  • Information specific to key organizational roles
    • business managers
    • tenant admins
    • data security teams
    • risk assessment and privacy officers
    • legal compliance teams.
  • Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal.
  • Direct guidance and support for when you can’t find what you’re looking for.
379
Q

Service Trust Portal (STP)

A

hosts the Compliance Manager service
is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services.
users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.
includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as:
- ISO
- SOC
- NIST
- FedRAMP
- GDPR

Service Trust Portal is a companion feature to the Trust Center, and allows you to:

  • Access audit reports across Microsoft cloud services on a single page.
  • Access compliance guides to help you understand how can you use Microsoft cloud service features to manage compliance with various regulations.
  • Access trust documents to help you understand how Microsoft cloud services help protect your data.
380
Q

Compliance Manager

A

a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

Compliance Manager provides the following features:

  • Combines the following three items:
    • Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft’s cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST).
    • Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR).
    • An organization’s self-assessment of their own compliance with these standards and regulations.
  • Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization’s compliance goals.
  • Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization’s exposure to risk.
  • Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
  • Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.

Compliance Manager provides ongoing risk assessments with a risk-based scores reference displayed in a dashboard view for regulations and standards.
Alternatively, you can create assessments for the regulations or standards that matter more to your organization.
As part of the risk assessment, Compliance Manager also provides recommended actions you can take to improve your regulatory compliance.
You can view all action items, or select the action items that correspond with a specific certification.

  • Note: Compliance Manager is a dashboard that provides a summary of your data protection and compliance stature and recommendations for improvement. The Customer Actions provided in Compliance Manager are recommendations only; it is up to each organization to evaluate the effectiveness of these recommendations in their respective regulatory environment prior to implementation.
  • Note: Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance.
381
Q

Monitor service health

A

https://azure.microsoft.com/en-us/features/service-health/

382
Q

Azure Monitor

A

maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

383
Q

Azure Monitor - Data sources

A

Azure Monitor can collect data from a variety of sources.
monitoring data for your applications in tiers ranging from:
- your application
- any operating system and services it relies on
- the platform itself.

384
Q

Azure Monitor - Application monitoring data

A

Data about the performance and functionality of the code you have written, regardless of its platform.

385
Q

Azure Monitor - Guest OS monitoring data

A

Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises

386
Q

Azure Monitor - Azure resource monitoring data

A

Data about the operation of an Azure resource.

387
Q

Azure Monitor - Azure subscription monitoring data

A

Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.

388
Q

Azure Monitor - Azure tenant monitoring data

A

Data about the operation of tenant-level Azure services, such as Azure Active Directory.

389
Q

Azure Monitor - Diagnostic settings

A

As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data.

390
Q

Azure Monitor - Activity Logs

A

record when resources are created or modified

391
Q

Azure Monitor - Metrics

A

tell you how the resource is performing and the resources that it’s consuming.

392
Q

Diagnostics

A

You can extend the data you’re collecting into the actual operation of the resources by enabling diagnostics and adding an agent to compute resources.

Under the resource settings you can enable Diagnostics

  • Enable guest-level monitoring
  • Performance counters
  • Event Logs
  • Crash Dumps
  • Sinks
  • Agent
393
Q

Diagnostics - Performance counters

A

collect performance data

394
Q

Diagnostics - Event Logs

A

enable various event logs

395
Q

Diagnostics - Crash Dumps

A

enable or disable

396
Q

Diagnostics - Sinks

A

send your diagnostic data to other services for more analysis

397
Q

Diagnostics - Agent

A

configure agent settings

398
Q

Azure Monitor - Application Insights

A

is a service that monitors the availability, performance, and usage of your web applications, whether they’re hosted in the cloud or on-premises.
leverages the powerful data analysis platform in Log Analytics
can diagnose errors, without waiting for a user to report them.
includes connection points to a variety of development tools, and integrates with Microsoft Visual Studio to support your DevOps processes.

399
Q

Azure Monitor - Log Analytics

A

powerful data analysis platform that provides you with deeper insights into your application’s operations.

400
Q

Azure Monitor - containers

A

a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS).
gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API.
Container logs are also collected.

401
Q

Azure Monitor - VMs

A

a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs:
- different processes
- interconnected dependencies on other resources
- external processes
includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers.

402
Q

Azure Service Health

A

Integrating any, or all, of these monitoring services with Azure Service Health has additional benefits.
Staying informed of the health status of Azure services will help you understand if, and when, an issue affecting an Azure service is impacting your environment.
What may seem like a localized problem could be the result of a more widespread issue, and Azure Service Health provides this kind of insight.
identifies any issues with Azure services that might affect your application
helps you to plan for scheduled maintenance.

a suite of experiences that provide personalized guidance and support when issues with Azure services affect you:

  • notify you
  • help you understand the impact of issues
  • keep you updated as the issue is resolved
  • prepare for planned maintenance and changes that could affect the availability of your resources.

Azure Service Health is composed of the following views.

  • Azure Status
  • Service Health
  • Resource Health
403
Q

Responding to alert conditions

A

Azure Monitor can respond proactively to any critical conditions that are identified within the data it collects.

  • Ex. sending a text or email to an administrator who is responsible for investigating an issue
  • Ex. launching an automated process that attempts to correct an error condition.
404
Q

Alerts

A

Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions.
Alert rules based on metrics can provide alerts in almost real-time, based on numeric values.
Alert rules based on logs allow for complex logic across data, from multiple sources.

405
Q

Autoscale

A

Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively.
enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load.
help reduce your Azure costs by removing resources that are not being used.
can specify a minimum and maximum number of instances,
provide the logic that determines when Autoscale should increase or decrease resources.

406
Q

Visualize monitoring data

A

Visualizations, such as charts and tables, are effective tools for summarizing monitoring data and for presenting data to different audiences.
Azure Monitor has its own features for visualizing monitoring data, and it leverages other Azure services for publishing data for different audiences.
Other tools for visualizing data include:
- Dashboards
- Views
- Power BI

407
Q

Integrate with other services

A

You’ll often need to integrate Azure Monitor with other systems, and build customized solutions that use your monitoring data.
Other Azure services can work with Azure Monitor to provide this integration.

408
Q

Azure Service Health - Azure Status

A

provides a global view of the health state of Azure services.
get up-to-the-minute information on service availability
Everyone has access to Azure Status and can view all services that report their health state.

409
Q

Azure Service Health - Service Health

A

provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them.

In this dashboard, you can track active events:

  • ongoing service issues
  • upcoming planned maintenance
  • relevant Health advisories.

When events become inactive, they are placed in your Health history for up to 90 days.
use Service Health dashboard to create and manage service Health alerts, which notify you whenever there are service issues that affect you.

410
Q

Azure Service Health - Resource Health

A

helps you diagnose and obtain support when an Azure service issue affects your resources.
provides you details about the current and past state of your resources
provides technical support to help you mitigate problems
(vs. Azure Status, service problems that affect a broad set of Azure customers) Resource Health gives you a personalized dashboard of your resources’ health.
shows you times, in the past, when your resources were unavailable because of Azure service problems.
easier to understand if an SLA was violated.

411
Q

Resource groups

A

a logical container for resources deployed on Azure:
- virtual machines
- Application Gateways
- CosmosDB instances.
All resources must be in a resource group
a resource can only be a member of a single resource group.
Resources can be moved between resource groups at any time.
Resource groups can’t be nested.
Before any resource can be provisioned, you need a resource group for it to be placed in.

412
Q

Logical grouping

A

Resource groups exist to help manage and organize your Azure resources.
By placing resources of similar usage, type, or location, you can provide some order and organization to resources you create in Azure.

413
Q

Life cycle

A

If you delete a resource group, all resources contained within are also deleted.
Organizing resources by life cycle can be useful in non-production environments, where you might try an experiment, but then dispose of it when done.
Resource groups make it easy to remove a set of resources at once.

414
Q

Authorization

A

Resource groups are also a scope for applying role-based access control (RBAC) permissions.
By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed.

415
Q

Create a Resource Group

A

Resource groups can be created by using the following methods:

  • Azure portal
  • Azure PowerShell
  • Azure CLI
  • Templates
  • Azure SDKs (like .NET, Java)
416
Q

Consistent naming convention

A

Ex. we named our resource group msftlearn-core-infrastructure-rg.

  • We’ve given some indication of what it’s used for (msftlearn),
  • the types of resources contained within (core-infrastructure)
  • the type of resource it is itself (rg).
417
Q

Organizing principles

A

Ex. We might put all resources that are core infrastructure into this resource group
Ex. organize by resource type, 1 resource group per type:
- All VNets
- all VMs
- all Azure Cosmos DB instances

Ex. organize by environment. 1 resource group per environment:

  • Prod
  • Dev
  • QA

Ex. organize by department, 1 resource group per department:

  • Finance
  • Marketing
  • HR

Ex. organize by combination of environment and department,

  • Prod-Finance
  • Dev-Finance
  • Prod-Marketing
  • Dev-Marketing
418
Q

Organizing for authorization

A

Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them.
If your database administration team is responsible for managing all of your Azure SQL Database instances, putting them in the same resource group would simplify administration.
You could give them the proper permissions at the resource group level to administer the databases within the resource group.
the database administration team could be denied access to the resource group with virtual networks, so they don’t inadvertently make changes to resources outside the scope of their responsibility.

419
Q

Organizing for life cycle

A

We mentioned earlier that resource groups define the life cycle for the resources within them. If you delete a resource group, you delete all the resources in it.
If you deploy 10 servers for a project that you know will only last a couple of months, you might put them all in a single resource group.
One resource group is easier to clean up than 10 or more resource groups.

420
Q

Organizing for billing

A

placing resources in the same resource group is a way to group them for usage in billing reports.
If you’re trying to understand how your costs are distributed in your Azure environment, grouping them by resource group is one way to filter and sort the data to better understand where costs are allocated.

421
Q

Tags

A

Useful for resources that have multiple uses, and for better search.
name/value pairs of text data that you can apply to resources and resource groups.
allow you to associate custom details with your resource, in addition to the standard Azure properties a resource has:
- department (like finance, marketing, and more)
- environment (prod, test, dev),
- cost center
- life cycle and automation (like shutdown and startup of virtual machines).

A resource can have up to 15 tags. 
The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. 
The tag value is limited to 256 characters for all types of resources. 
aren't inherited from parent resources
Not all resource types support tags
can't be applied to classic resources
can be added and manipulated through:
- Azure portal
- Azure CLI
- Azure PowerShell
- Resource Manager templates 
- REST API
422
Q

add a resource tag to a virtual network using the Azure CLI

A

az resource tag --tags Department=Finance \
--resource-group msftlearn-core-infrastructure-rg \
--name msftlearn-vnet1 \
--resource-type "Microsoft.Network/virtualNetworks"

423
Q

automatically add or enforce tags for resources

A

You can use Azure Policy to automatically add or enforce tags for resources your organization creates based on policy conditions that you define.

Ex. you could require that a value for the Department tag is entered when someone in your organization creates a virtual network in a specific resource group.

424
Q

Use tags for organization

A

You can use tags to group your billing data.

  • Ex. group usage by cost center.
  • Ex. use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment.

When exporting billing data or accessing it through billing APIs, tags are included in that data and can be used to further slice your data from a cost perspective.
You can retrieve all the resources in your subscription with a specific tag name or value.
Tags enable you to retrieve related resources from different resource groups.
This approach is helpful when you need to organize resources for billing or management.

Tagging resources can also help in monitoring to track down impacted resources. Monitoring systems could include tag data with alerts, giving you the ability to know exactly who is impacted.
- Ex. we applied the Department:Finance tag to the msftlearn-vnet1 resource. If an alarm was thrown on msftlearn-vnet1 and the alarm included the tag, we’d know that the finance department may be impacted by the condition that triggered the alarm. This contextual information can be valuable if an issue occurs.

It’s also common for tags to be used in automation.
- Ex. automate the shutdown and startup of VMs in development environments during off-hours to save costs.
- Add a shutdown:6PM and startup:7AM tag to the virtual machines, then create an automation job that looks for these tags, and shuts them down or starts them up based on the tag value.
There are several solutions in the Azure Automation Runbooks Gallery that use tags in a similar manner to accomplish this.

425
Q

Use policies to enforce standards

A

We could use policy to restrict which Azure regions we can deploy resources to.

  • Ex. For organizations that are heavily regulated or have legal or regulatory restrictions on where data can reside
    • policies help to ensure that resources aren’t provisioned in geographic areas that would go against these requirements.
  • Ex. We could use policy to restrict which types of VM sizes can be deployed.
    • You may want to allow large VM sizes in your production subscriptions, but maybe you’d like to ensure that you keep costs minimized in your dev subscriptions.
    • By denying the large VM sizes through policy in your dev subscriptions, you can ensure they don’t get deployed in these environments.
  • Ex. We could also use policy to enforce naming conventions.
    • If our organization has standardized on specific naming conventions, using policy to enforce the conventions helps us to keep a consistent naming standard across our Azure resources.
426
Q

Secure resources with RBAC, role-based access control

A

RBAC provides fine-grained access management for Azure resources
enabling you to grant users the specific rights they need to perform their jobs.
RBAC is considered a core service and is included with all subscription levels at no cost.

Using RBAC, you can:

  • Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
  • Allow a database administrator (DBA) group to manage SQL databases in a subscription.
  • Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
  • Allow an application to access all resources in a resource group.

To view access permissions, use the Access Control (IAM) blade in the Azure portal.

427
Q

How RBAC defines access

A

RBAC uses an allow model for access.
When you are assigned to a role, RBAC allows you to perform specific actions, such as read, write, or delete.
- if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have write permissions on that resource group.

428
Q

Best Practices for RBAC

A

Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
- Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only specific actions at a particular scope.
When planning your access control strategy, grant users the lowest privilege level that they need to do their work.
Use Resource Locks to ensure critical resources aren’t modified or deleted

429
Q

Resource Locks

A

a setting that can be applied to any resource to block modification or deletion.
can set to either Delete or Read-only.
Delete will allow all operations against the resource but block the ability to delete it.
Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource.
Resource locks can be applied and inherited when applied at higher levels
- Subscriptions
- Resource groups
- individual resources

Applying Read-only can lead to unexpected results because some operations that seem like read operations actually require additional actions.
- Ex. placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.

When a resource lock is applied, you must first remove the lock in order to perform that activity.
By putting an additional step in place before allowing the action to be taken on the resource, it helps protect resources from inadvertent actions, and helps protect your administrators from doing something they may not have intended to do.
Resource locks apply regardless of RBAC permissions, including owner of the resource

430
Q

Using resource locks in practice

A

We’ve seen how resource locks can protect from accidental deletion. In order to delete the virtual network, we needed to remove the lock. This concerted action helps ensure that you really intend to delete or modify the resource in question.

Use resource locks to protect those key pieces of Azure that could have a large impact if they were removed or modified:
- ExpressRoute circuits
- virtual networks
- critical databases
- domain controllers.
Evaluate your resources, and apply locks where you’d like to have an extra layer of protection from accidental actions.

431
Q

Three main customer types of Azure - Enterprise

A

sign an Enterprise Agreement with Azure that commits them to spend a negotiated amount on Azure services
pay annually
have access to customized Azure pricing.

432
Q

Three main customer types of Azure - Web direct

A

pay general public prices for Azure resources

monthly billing and payments occur through the Azure website.

433
Q

Three main customer types of Azure - Cloud Solution Provider (CSP)

A

Microsoft partner companies that a customer hires to build solutions on top of Azure
Payment and billing for Azure usage occur through the customer’s CSP.

434
Q

Azure - provisioning

A

Products and services in Azure are arranged by category, which has various resources that you can provision.
You select the Azure products and services that fit your requirements, and your account is billed according to Azure’s pay-for-what-you-use model.

When you provision an Azure resource, Azure creates one or more meter instances for that resource.
The meters track the resources’ usage, and generate a usage record that is used to calculate your bill.
- Ex. a single virtual machine that you provision in Azure might have the following meters tracking its usage:
  • Compute Hours
  • IP Address Hours
  • Data Transfer In
  • Data Transfer Out
  • Standard Managed Disk
  • Standard Managed Disk Operations
  • Standard IO-Disk
  • Standard IO-Block Blob Read
  • Standard IO-Block Blob Write
  • Standard IO-Block Blob Delete
The meters and pricing vary per product
have different pricing tiers based on the size or capacity of the resource
At the end of each monthly billing cycle, the usage values will be charged to your payment method and the meters are reset.

The key takeaway is that resources are always charged based on usage.
- Ex. if you de-allocate a VM then you will not be billed for compute hours, I/O reads or writes or the private IP address since the VM is not running and has no allocated compute resources. However you will incur storage costs for the disks.

  • **De-allocating a VM is not the same as deleting a VM.
  • **De-allocation means the VM is not assigned to a CPU or network in a datacenter.
  • **However, your persistent disks remain, and the resource is present in your subscription. It’s similar to turning off your physical computer.
435
Q

Costs - Resource type

A

Costs are resource-specific, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.

  • **Each meter tracks a particular kind of usage.
  • bandwidth usage (ingress or egress network traffic in bits-per-second)
  • the number of operations
  • size (storage capacity in bytes)

The usage that a meter tracks correlates to a number of billable units, charged each billing period, at a rate depending on what type of resource it is.

436
Q

Costs - Services

A

Azure usage rates and billing periods can differ between Enterprise, Web Direct, and Cloud Solution Provider (CSP) customers.
Some subscription types also include usage allowances, which affect costs.
The Azure team develops and offers first-party products and services
products and services from third-party vendors are available in the Azure Marketplace
Different billing structures apply to each of these categories.

437
Q

Costs - Location

A

Azure has datacenters all over the world.
Usage costs vary between locations that offer particular Azure products, services, and resources based on popularity, demand, and local infrastructure costs.
- Ex. you might want to build your Azure solution by provisioning resources in locations that offer the lowest prices, but this would require transferring data between locations if dependent resources and their users are located in different parts of the world.
- If there are meters tracking the volume of data that moves between the resources you provision, any potential savings you make from choosing the cheapest location could be offset by the additional cost of transferring data between those resources.

438
Q

Costs - Azure billing zones

A

Bandwidth refers to data moving in and out of Azure datacenters.
Most of the time inbound data transfers (data going into Azure datacenters) are free.
For outbound data transfers (data going out of Azure datacenters), the data transfer pricing is based on Billing Zones.
A Zone is a geographical grouping of Azure Regions for billing purposes. The following zones exist and include the listed countries (regions) listed.

Zone 1 - United States, Europe, Canada, UK, France
Zone 2 - Asia Pacific, Japan, Australia, India, Korea
Zone 3 - Brazil
DE Zone 1 - Germany

In most zones, the first outbound 5 GB per month is free. After that, you are billed a fixed price per GB.

  • **Billing zones aren’t the same as an Availability Zone.
  • **In Azure, the term zone is for billing purposes only
  • **the full term Availability Zone refers to the failure protection that Azure provides for datacenters.
439
Q

Azure pricing calculator

A

a free web-based tool that allows you to input Azure services and modify properties and options of the services
outputs the costs per service and total cost for the full estimate.

440
Q

Azure pricing calculator - Region

A

Lists the regions from which you can provision a product. Southeast Asia, central Canada, the western United States, and Northern Europe are among the possible regions available for some resources.

441
Q

Azure pricing calculator - Tier

A

Sets the type of tier you wish to allocate to a selected resource, such as Free Tier, Basic Tier, etc.

442
Q

Azure pricing calculator - Billing Options

A

Highlights the billing options available to different types of customer and subscriptions for a chosen product.

443
Q

Azure pricing calculator - Support Options

A

Allows you to pick from included or paid support pricing options for a selected product.

444
Q

Azure pricing calculator - Programs and Offers

A

Allows you to choose from available price offerings according to your customer or subscription type.

445
Q

Azure pricing calculator - Azure Dev/Test Pricing

A

Lists the available development and test prices for a product. Dev/Test pricing applies only when you run resources within an Azure subscription that is based on a Dev/Test offer.

446
Q

Export estimate

A

Share in Excel (.xlsx) format
Share a URL that you can use to share this estimate. Anyone with this link will be able to access it, making it easy to share with your team.

Save requires user signed in.
We have arrived at a cost estimate for a set of Azure services without spending any money. We didn’t create anything, and we have a fully sharable estimate that we can do further analysis or modifications on in the future. You can use this not only to create estimates for systems where you know the specific services you plan to use but also to compare how different services might impact your overall costs. An example is Microsoft SQL Server on a VM vs. Azure SQL Database.

447
Q

Azure Advisor

A

a free service built into Azure that provides recommendations on

  • high availability
  • Security
  • Performance
  • Cost
448
Q

Advisor makes cost recommendations

A

Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits.

  • this identifies ExpressRoute circuits that have been in the provider status of Not Provisioned for 30+ days
  • recommends deleting the circuit if you aren’t planning to provision the circuit with your connectivity provider.

Buy reserved instances to save money over pay-as-you-go.

  • this will review your virtual machine usage over the last 30 days
  • determine if you could save money in the future by purchasing reserved instances
  • will show you the regions and sizes where you potentially have the most savings
  • Will show you the estimated savings you might achieve from purchasing reserved instances.

Right-size or shutdown underutilized virtual machines.

  • this monitors your virtual machine usage for 14 days
  • identifies underutilized VMs
    • average CPU utilization is 5 percent or less
    • network usage is 7 MB or less for 4+ days.

The average CPU utilization threshold is adjustable up to 20 percent.
By identifying these virtual machines, you can decide to resize them to a smaller instance type, reducing your costs.

449
Q

Azure Cost Management

A

A free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going.
You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set.
You can set budgets, schedule reports, and analyze your cost areas.

450
Q

Cloudyn

A

a Microsoft subsidiary, allows you to track cloud usage and expenditures for your Azure resources and other cloud providers including Amazon Web Services and Google.
Easy-to-understand dashboard reports help with cost allocation and chargebacks.
Cost Management helps optimize your cloud spending by identifying underutilized resources that you can then manage and adjust.
Usage for Azure is free, and there are paid options for premium support and to view data from other clouds.
Cloudyn is being gradually replaced by Azure Cost Management.

451
Q

Azure TCO calculator

A

Azure Total Cost of Ownership calculator
predict your cost savings when starting to migrate to the cloud
Define your workloads by entering details about your on-premises infrastructure into the TCO calculator according to four groups:

452
Q

Azure TCO calculator - Servers

A

Enter details of your current on-premises server infrastructure.

453
Q

Azure TCO calculator - Databases

A

Enter details of your on-premises database infrastructure in the Source section. In the Destination section, select the corresponding Azure service you would like to use.

454
Q

Azure TCO calculator - Storage

A

Enter the details of your on-premises storage infrastructure.

455
Q

Azure TCO calculator - Networking

A

Enter the amount of network bandwidth you currently consume in your on-premises environment.

456
Q

Adjust values of TCO

A
Adjust the values of assumptions that the TCO calculator makes, which might vary between customers. 
To improve the accuracy of the TCO calculator, you should adjust the values, so they match the costs of your current on-premises infrastructure. 
The assumptions you can customize include:
- Storage costs
- IT labor costs
- Hardware costs
- Software costs
- Electricity costs
- Virtualization costs
- Datacenter costs
- Networking costs
- Database costs

View the report; the TCO calculator generates a detailed report based on the details you enter and the adjustments you make.
The report allows you to compare the costs of your on-premises infrastructure with the costs of using Azure products and services to host your infrastructure in the cloud.

457
Q

Azure credits

A

Visual Studio subscribers can activate a monthly credit benefit which allows you to experiment with, develop, and test new solutions on Azure with Azure Credits, without incurring any monetary costs.

  • App Service
  • Windows 10 VMs
  • Azure SQL Server databases
  • Containers
  • Cognitive Services
  • Functions
  • Data Lake

you will own a separate Azure subscription under your account with a monthly credit balance that renews each month while you remain an active Visual Studio subscriber.
The credit amount varies based on the program level:
- 50 credits/month for VS Professional
- 150 credits/month for Enterprise

***The monthly Azure credit for Visual Studio subscribers is for development and testing only and does not carry a financially-backed SLA. Azure will suspend any instance (VM or cloud service) that runs continuously for more than 120 hours or if it’s determined that the instance is being used for production. This benefit is made available to Visual Studio subscribers on a best efforts basis; there is no guarantee of capacity availability.

458
Q

Use spending limits

A

By default, Azure subscriptions which have associated monthly credits (which includes trial accounts) have a spending limit to ensure you aren’t charged once you have used up your credits.
This feature is useful for development teams exploring new solution architectures as it ensures you won’t have an unexpectedly large bill at the end of the month.

***Azure spending limits are not the same as Subscription, Service, or Resource Group limits and quotas.

helps prevent you from exhausting the credit on your account within each billing period.
When your Azure usage results in charges that use all the included monthly credit, the services that you deployed are disabled and turned off for the rest of that billing period.
Once a new billing period starts, assuming there are credits available, the resources are re-activated and deployed.
You are notified by email when you hit the spending limit for your subscription.
Azure portal includes notifications about your credit spend.
You can adjust the spending limit as desired or even turn it off.

***The spending limit feature is specific to subscriptions that include a monthly Azure credit allotment. It is not available on pay-only subscriptions.

459
Q

Use reserved instances

A

If you have VM workloads that are static and predictable, particularly ones that run 24x7x365, using reserved instances is a fantastic way to potentially save up to 70-80%, depending on the VM size.
Azure reserved instances saves you up to 72% and using reserved instance plus Azure Hybrid Benefit saves up to 80% in costs.

Reserved instances are purchased in one-year or three-year terms
payment required for the full term up front.
Microsoft matches up the reservation to running instances and decrements the hours from your reservation.
Reservations can be purchased through the Azure portal.
available for both Windows and Linux VMs.

460
Q

Choose low-cost locations and regions

A

The cost of Azure products, services, and resources can vary across locations and regions
should use them in those locations and regions where they cost less.

  • **Some resources are metered and billed according to how much outgoing network bandwidth they consume (egress).
  • **You should provision connected resources that are bandwidth metered in the same region to reduce egress traffic between them.
461
Q

Research available cost-saving offers

A

Keep up-to-date with the latest Azure customer and subscription offers, and switch to offers that provide the most significant cost-saving benefit.
You can check the Azure Updates page for information about the latest updates to Azure products, services, and features, as well as product roadmaps and announcements.

462
Q

Right-size underutilized VMs

A

Right-sizing a VM = resizing it to the size that matches its actual workload.
Ex. resizing Standard_D4sv3 to Standard_D2sv3 reduces your compute cost by 50%.
Costs are linear and double for each size larger in the same series.

Over-sized VMs are a common unnecessary expense on Azure and one that can be easily fixed. You can change the size of a VM through the Azure portal, Azure PowerShell, or the Azure CLI.

  • Resizing a VM requires it to be stopped, resized, and then restarted. This may take a few minutes depending on how significant the size change is.
  • Plan for an outage, or shift your traffic to another instance while you perform this task.

463
Q

Deallocate VMs in off hours

A

If you have VM workloads that are only used during certain periods, but you’re running them every hour of every day, you’re wasting money.
These VMs are great candidates to shut down when not in use and start back up on a schedule;
this saves you compute costs while the VM is deallocated.
Ideal for development environments: development often happens only during business hours,
which gives you the flexibility to deallocate these systems in the off hours and stop your compute costs from accruing.
Azure now has an automation solution fully available for you to leverage in your environment.
You can also use the auto-shutdown feature on a VM to schedule automated shutdowns.

464
Q

Migrate to PaaS or SaaS services

A

Start with infrastructure-as-a-service (IaaS) services and then move them to platform-as-a-service (PaaS) as appropriate, in an iterative process.
PaaS services typically provide substantial savings in both resource and operational costs.
It takes effort to transfer your multi-tier application to a container- or serverless-based architecture, so
continuously evaluate the architecture of your applications to determine if there are efficiencies to be gained through PaaS services.
Azure gives you the ability to try out new architecture patterns relatively easily.
Not a quick win from a cost-savings perspective.

465
Q

Azure Architecture Center

A

a great place to get ideas for transforming your application, as well as best practices across a wide array of architectures and Azure services.

466
Q

Azure Hybrid Benefit for Windows Server

A

Many customers have invested in Windows Server licenses and would like to repurpose this investment on Azure.
The Azure Hybrid Benefit gives customers the right to use these licenses for virtual machines on Azure.
That means you won’t be charged for the Windows Server license and will instead be billed at the Linux rate.
Windows licenses must be covered by Software Assurance.
The following guidelines will also apply:
- Each two-processor license or each set of 16-core licenses is entitled to two instances of up to 8 cores or one instance of up to 16 cores.
- Standard Edition licenses can only be used once either on-premises or in Azure. That means you can’t use the same license for an Azure VM and a local computer.
- Datacenter Edition benefits allow for simultaneous usage both on-premises and in Azure so that the license will cover two running Windows machines.

***Most customers are typically licensed by core, so you’ll use that model for your calculation.

Applying the benefit is easy. It can be turned on and off at any time with existing VMs or applied at deployment time for new VMs.
The Hybrid Benefit (especially when combined with reserved instances) can provide substantial license savings.

467
Q

Azure Hybrid Benefit for SQL Server

A

Helps you maximize the value from your current licensing investments and accelerate your migration to the cloud.
An Azure-based benefit that enables you to use your SQL Server licenses with active Software Assurance to pay a reduced rate.
You can use this benefit even if the Azure resource is active, but the reduced rate will only be applied from the time you select it in the portal.
No credit will be issued retroactively.

468
Q

Azure SQL Database vCore-based options

A

For Azure SQL Database, the Azure Hybrid Benefit works as follows:
- If you have Standard Edition per core licenses with active Software Assurance, you can get one vCore in the General Purpose service tier for every one license core you own on-premises.
- If you have Enterprise Edition per core licenses with active Software Assurance, you can get one vCore in the Business Critical service tier for every one license core you own on-premises.
  - Note that the Azure Hybrid Benefit for SQL Server for the Business Critical service tier is available only to customers who have Enterprise Edition licenses.
- If you have highly virtualized Enterprise Edition per core licenses with active Software Assurance, you can get four vCores in the General Purpose service tier for every one license core you own on-premises.
  - This is a unique virtualization benefit available only on Azure SQL Database.

469
Q

For SQL Server in Azure VMs

A

For SQL Server in Azure VMs, the Azure Hybrid Benefit works as follows:
- If you have Standard Edition per core licenses with active Software Assurance, you can get one core of SQL Server Standard Edition in Azure VMs for every one license core you own on-premises.
- If you have Enterprise Edition per core licenses with active Software Assurance, you can get one core of SQL Server Enterprise Edition in Azure VMs for every one license core you own on-premises.
This can make a dramatic impact on your Azure spending with SQL Server workloads.

470
Q

Dev/Test subscription offers

A

Enterprise Dev/Test - for a customer on an Enterprise Agreement

Pay-As-You-Go Dev/Test - for a customer using Pay-As-You-Go (without an Enterprise Agreement)

Both offers are a benefit for non-production environments.
They give you several discounts:
- most notably for Windows workloads, eliminating license charges and billing you only at the Linux rate for VMs
- the same applies to SQL Server and any other Microsoft software that is covered under a Visual Studio subscription (formerly known as MSDN).
Requirements:
- only for non-production workloads
- any users of these environments (excluding testers) must be covered under a Visual Studio subscription

471
Q

Bring your own SQL Server license

A

For a customer on an Enterprise Agreement who already has an investment in SQL Server licenses.
During migration, they can provision bring-your-own-license (BYOL) images from the Azure Marketplace
to use the unused licenses and reduce their Azure VM cost.
Compared with provisioning a Windows VM and manually installing SQL Server, this simplifies the creation process by leveraging Microsoft-certified images.
Search for BYOL in the Marketplace to find these images.

***An Enterprise Agreement subscription is required to use these certified BYOL images.

472
Q

Use SQL Server Developer Edition

A

A free product for nonproduction use.
Has all the same features that Enterprise Edition has, but for nonproduction workloads.
Look for SQL Server Developer Edition images on the Azure Marketplace and
use them for development or testing purposes to eliminate the additional cost for SQL Server in these cases.

  • For full licensing information, take a look at the documented pricing guidance:
  • https://docs.microsoft.com/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-server-pricing-guidance

Use constrained instance sizes for database workloads

Many customers have high requirements for memory, storage, or I/O bandwidth but low CPU core counts.
Azure offers the popular VM sizes (DS, ES, GS, and MS) in new sizes that constrain the vCPU count to one-half or one-quarter of the original VM size, while maintaining the same memory, storage, and I/O bandwidth.

Because database products like SQL Server and Oracle are licensed per CPU, this allows customers to reduce licensing cost by up to 75 percent but still maintain the high performance their database requires.