Azure Fundamentals Flashcards

1
Q

VM

A

emulated PC, running a guest OS
Virtual processors, memory, storage, and networking resources
Hosts an OS
Controlled via remote desktop client

2
Q

containers

A

execution environment for applications,
no guest OS,
ex. Docker

  • Virtualization environment for running applications
  • Run on top of a host OS, but don’t include an OS for the app running inside a container; it bundles the libraries and components needed to run the app
  • Ex. 5 containers running on a server with 1 Linux kernel; all containers and the apps within them share the same Linux kernel
  • Kernel = lowest level of software that interfaces with hardware in a computer; it interfaces all applications that run in “user mode” down to the physical hardware
  • Linux kernel = a free and open-source, monolithic, Unix-like operating system kernel
3
Q

Serverless computing

A

run application code without managing a server,
billed by processing time per function
Cloud-hosted execution environment that runs code separately from the underlying host environment
Create an instance of the service and add code; requires/allows no infrastructure configuration or maintenance

The provider manages the server infrastructure and the allocation/de-allocation of resources based on demand.

  • Infrastructure isn’t your responsibility
    • you deploy your code and it automatically runs with high availability.
  • Scaling and performance are handled automatically
    • Applications continue working under any workload
    • No configuration needed for scaling
  • billed only for the exact resources you use
    • Event driven = resources are only allocated in response to a direct action, ex. the time it takes to run your code
  • no need to reserve capacity.

Focus on the logic you need to execute and the trigger that is used to run your code.
Serverless apps are configured to respond to events and run only when triggered by an event. An event could be:
- a REST endpoint
- a periodic timer
- a message received from another Azure service.

4
Q

storage

A

store data on disk or cloud

5
Q

“Lift and shift”

A

gradually move infrastructure and admin costs to the cloud

6
Q

Consumption-based pricing model

A
pay-as-you-go, 
No upfront costs, 
no need to buy infrastructure, 
pay resources when needed, 
stop paying when no longer needed
7
Q

Vertical scaling (scaling up)

A

add resources to increase power of an existing server,

ex. add more CPUs, RAM, etc.

8
Q

Horizontal scaling (scaling out)

A

add more servers that function together as 1 unit.

9
Q

cloud computing - Elastic

A

Automatically adding or removing resources,

accommodate spikes or drops in traffic

10
Q

cloud computing - Current

A

environment maintains software patches, hardware setup, upgrades, etc.
Hardware upgrades and maintenance are done by the provider

11
Q

cloud computing - Reliable

A

Data backup,
disaster recovery,
data replication services

12
Q

cloud computing - Global

A

data centers all over the globe

this allows better response time, redundancy and locality

13
Q

cloud computing - Secure

A

Physical security:
entry to a datacenter,
access to server racks, walls, cameras, gates, security personnel.

Digital security:
connection to systems,
to access data over the network, etc.

14
Q

fault tolerance

A

redundancy in the cloud services architecture so that a backup component takes over when a component fails.

15
Q

Criminal Justice Information Services (CJIS)

A

FBI database

16
Q

Cloud Security Alliance (CSA) STAR Certification

A

achieves ISO/IEC 27001 certification,

meets the Cloud Controls Matrix (CCM) for cloud security

17
Q

General Data Protection Regulation (GDPR)

A

European privacy law

18
Q

EU model clauses

A

guarantees around transfers of personal data outside of the EU,
freely move data from Europe to rest of world

19
Q

Health Insurance Portability and Accountability Act (HIPAA)

A

Protected Health Information (PHI),

Health Information Technology for Economic and Clinical Health (HITECH) Act

20
Q

International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018

A

code of practice,

covers the handling of personal information by cloud service providers

21
Q

Multi-Tier Cloud Security (MTCS) Singapore

A

security certifications for cloud providers

22
Q

Service Organization Controls (SOC)

A

cloud service audit for data security, availability, processing integrity, and confidentiality

23
Q

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

A

framework consists of standards, guidelines, and best practices to manage cybersecurity-related risks,
audits by third-party Federal Risk and Authorization Management Program (FedRAMP),
validated by Health Information Trust Alliance (HITRUST)

24
Q

UK Government G-Cloud

A

cloud computing certification in UK

25
Capital Expenditure (CapEx)
CapEx is the spending of money on physical infrastructure up front, and then deducting that expense from your tax bill over time.
ex. server, storage, network, backup and archive, org continuity and disaster recovery, datacenter infrastructure, technical personnel
Benefit: fixed cost, planned expenses
26
Operational Expenditure (OpEx)
OpEx is spending money on services or products now and being billed for them now. You can deduct this expense from your tax bill in the same year. There's no upfront cost. You pay for a service or product as you use it.
ex. lease cloud-based server, lease software and customized features, scaling based on usage/demand
Benefit: no need to invest in equipment; pay only as much as needed
27
Cloud agility
ability to rapidly change IT infrastructure to adapt to the needs of the business
28
Cloud deployment models
Public, Private, Hybrid
29
Public Cloud
No local hardware or upkeep; everything runs on the cloud provider's hardware.
Advantages: high scalability/agility, pay-as-you-go pricing, easy setup and use
Disadvantages: security requirements may not be met (ex. gov/industry/legal standards), can't manage hardware that's not your own, may not work for legacy applications
30
Private Cloud
Create a cloud environment in your own datacenter and provide self-service access.
Advantages: complete control over the resources, supports legacy applications, meets security/compliance/legal requirements
Disadvantages: upfront CapEx costs; limitations to agility/scaling (ex. must buy, install, and set up new hardware); requires IT skills and expertise that are hard to come by
31
Hybrid Cloud
Allows a mix of public and private cloud. Ex. website runs in the public cloud but the database is hosted on the private cloud.
Advantages: allows use of out-of-date hardware or an out-of-date OS; flexibility of local or cloud; use cloud or private equipment based on cost; better control of the environment (security/compliance/legacy) than cloud only
Disadvantages: more expensive since it involves some CapEx cost up front; more complicated to set up and manage
32
Types of cloud services
IaaS, PaaS, SaaS
33
IaaS, Infrastructure as a service
You: give up complete control of the hardware running your application; need correct configuration, perform updates and ensure availability. Used for migrating workloads, test and development, website hosting, storage, backup, and recovery.
You manage: Applications, Data, Runtime, Middleware, OS
Provider manages: Virtualization, Servers, Storage, Networking
In Azure, the customer is responsible for everything beyond the VMs and virtual networks provided by Microsoft.
34
PaaS, Platform as a service
You: build, test and deploy software applications; no need to manage the underlying infrastructure.
You manage: Applications, Data
Provider manages: Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking
Azure maintains the OS and foundational software like database management systems, meaning the latest security patches and integration with Azure Active Directory for access control. You can "point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed, instead of building whole infrastructures and subnets by hand.
35
Development framework
PaaS provides this framework for developing and customizing cloud-based applications. Create apps using built-in software, scalability, high availability, and multi-tenancy, reducing the amount of coding.
36
Analytics or business intelligence
analyze and mine data, find insights and patterns, predict outcomes to improve business decisions such as forecasting, product design, and investment returns.
37
SaaS, Software as a service
You: the environment is hosted and managed for the end customer, licensed via monthly/annual subscription, ex. O365, Skype, Dynamics CRM.
You manage: N/A
Provider manages: Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking
Managed completely by Azure; the customer only configures the environment for its needs.
38
Azure Compute services
VMs and containers that can run your applications
39
Azure Database services
provide both relational and NoSQL choices
40
Azure Identity services
authenticate and protect your users
41
Azure Networking services
connect your datacenter to the cloud; provide high availability or host your DNS domain
42
Azure Storage services
accommodate massive amounts of both structured and unstructured data
43
Azure AI and machine-learning services
can analyze data, text, images, comprehend speech, and make predictions using data
44
Hypervisor
an abstraction layer that separates hardware and OS from VMs (virtual machines). Emulates the functions of a real computer. Can run multiple VMs (that run different OSes), optimizing hardware use. ***One hypervisor per server rack.
45
fabric controller
special software per server rack, connecting to an Orchestrator
46
Orchestrator
manages everything that happens in Azure; responds to user requests, packages the request and picks a server rack, then sends the package to the appropriate Fabric Controller
47
Azure VM scale sets
Scaling for Windows or Linux VMs hosted in Azure
48
Azure Kubernetes services
Enables management of a cluster of VMs that run containerized services
49
Azure Service Fabric
Distributed systems platform. Runs in Azure or on-premises
50
Azure Batch
Managed service for parallel and high-performance computing applications
51
Azure Container Instances
Run containerized apps on Azure without provisioning servers or VMs
52
Azure Functions
An event-driven, serverless compute service
53
Azure Virtual Network
Connects VMs to incoming Virtual Private Network (VPN) connections
54
Azure Load Balancer
Balances inbound and outbound connections to applications or service endpoints
55
Azure Application Gateway
Optimizes app server farm delivery while increasing application security
56
Azure VPN Gateway
Accesses Azure Virtual Networks through high-performance VPN gateways
57
Azure DNS
Provides ultra-fast DNS responses and ultra-high domain availability
58
Azure Content Delivery Network
Delivers high-bandwidth content to customers globally
59
Azure DDoS Protection
Protects Azure-hosted applications from distributed denial of service (DDOS) attacks
60
Azure Traffic Manager
Distributes network traffic across Azure regions worldwide
61
Azure ExpressRoute
Connects to Azure over high-bandwidth dedicated secure connections
62
Azure Network Watcher
Monitors and diagnoses network issues using scenario-based analysis
63
Azure Firewall
Implements high-security, high-availability firewall with unlimited scalability
64
Azure Virtual WAN
Creates a unified wide area network (WAN), connecting local and remote sites
65
Azure Storage
Durable and highly available with redundancy and replication. Secure through automatic encryption and role-based access control. Scalable with virtually unlimited storage. Managed, handling maintenance and any critical problems for you. Accessible from anywhere in the world over HTTP or HTTPS.
66
Azure Blob storage
Storage service for very large objects, such as video files or bitmaps
67
Azure File storage
File shares that you can access and manage like a file server
68
Azure Queue storage
A data store for queuing and reliably delivering messages between applications
69
Azure Table storage
A NoSQL store that hosts unstructured data independent of any schema
70
Azure Mobile
Azure creates backend services for iOS, Android and Windows apps; features like corporate sign-in to on-prem sources such as SAP, Oracle, SQL Server and SharePoint.
Features include:
- Offline data synchronization
- Connectivity to on-premises data
- Broadcasting push notifications
- Autoscaling to match business needs
71
Azure Cosmos DB
Globally distributed database that supports NoSQL options
72
Azure SQL Database
Fully managed relational database with auto-scale, integral intelligence, robust security
73
Azure Database for MySQL
Fully managed and scalable MySQL relational database with high availability and security
74
Azure Database for PostgreSQL
Fully managed and scalable PostgreSQL relational database with high availability and security
75
SQL Server on VMs
Host enterprise SQL Server apps in the cloud
76
Azure SQL Data Warehouse
Fully managed data warehouse with integral security at every level of scale at no extra cost
77
Azure Database Migration Service
Migrates your databases to the cloud with no application code changes
78
Azure Cache for Redis
Caches frequently used and static data to reduce data and application latency
79
Azure Database for MariaDB
Fully managed and scalable MariaDB relational database with high availability and security
80
Azure Database
Azure provides multiple database services to store a wide variety of data types and volumes
81
Azure Web
Azure builds and hosts web apps and HTTP-based web services
82
Azure App Service (PaaS)
Quickly create powerful cloud web-based apps. PaaS (in Azure) that can host enterprise-grade web-oriented applications. Meet rigorous performance, scalability, security and compliance requirements while using a fully managed platform to perform infrastructure maintenance. Build and host web apps, background jobs, mobile backends, and RESTful APIs in the programming language of your choice without managing infrastructure.
- auto-scaling
- high availability
- supports both Windows and Linux
- enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model
83
Azure Notification Hubs
Send push notifications to any platform from any back end.
84
Azure API Management
Publish APIs to developers, partners, and employees securely and at scale.
85
Azure Search
Fully managed search as a service.
86
Web Apps feature of Azure App Service
Create and deploy mission-critical web apps at scale.
87
Azure SignalR Service
Add real-time web functionalities easily.
88
Internet of Things
Ex. smart devices (phone, appliances, etc.)
89
IoT Central
Fully-managed global IoT software as a service (SaaS) solution that makes it easy to connect, monitor, and manage your IoT assets at scale
90
Azure IoT Hub
Messaging hub that provides secure communications and monitoring between millions of IoT devices
91
IoT Edge
Push your data analysis onto your IoT devices instead of in the cloud allowing them to react more quickly to state changes.
92
Big Data
Large volumes of data. ex. weather systems, communication systems, etc. Open source cluster technologies have been developed to deal with these large data sets.
93
Azure SQL Data Warehouse
Run analytics at a massive scale using a cloud-based Enterprise Data Warehouse (EDW) that leverages massive parallel processing (MPP) to run complex queries quickly across petabytes of data
94
Azure HDInsight
Process massive amounts of data with managed Hadoop clusters in the cloud
95
Azure Databricks (preview)
Collaborative Apache Spark–based analytics service that can be integrated with other Big Data services in Azure.
96
Artificial Intelligence (related to Cloud Computing)
Range of services for Machine Learning. Machine Learning is a data science technique that allows computers to use existing data to forecast future behaviors, outcomes, and trends. Using machine learning, computers learn without being explicitly programmed. Forecasts or predictions from machine learning can make apps and devices smarter.
97
Azure Machine Learning Service
Cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models. It can auto-generate a model and auto-tune it for you. It will let you start training on your local machine, and then scale out to the cloud
98
Azure Machine Learning Studio
Collaborative, drag-and-drop visual workspace where you can build, test, and deploy machine learning solutions using pre-built machine learning algorithms and data-handling modules
99
Cognitive services
pre-built APIs you can leverage in your applications to solve complex problems.
100
Vision
Image-processing algorithms to smartly identify, caption, index, and moderate your pictures and videos.
101
Speech
Convert spoken audio into text, use voice for verification, or add speaker recognition to your app.
102
Knowledge mapping
Map complex information and data in order to solve tasks such as intelligent recommendations and semantic search.
103
Bing Search
Add Bing Search APIs to your apps and harness the ability to comb billions of webpages, images, videos, and news with a single API call.
104
Natural Language processing
Allow your apps to process natural language with pre-built scripts, evaluate sentiment and learn how to recognize what users want.
105
DevOps, Development and Operations
Azure DevOps Services builds and release pipelines that provide continuous integration, delivery, and deployment for your applications. You can integrate repositories and application tests, perform application monitoring, and work with build artifacts. You can also work with backlog items for tracking, automate infrastructure deployment and integrate a range of third-party tools and services such as Jenkins and Chef.
106
Azure DevOps
Azure DevOps Services (formerly known as Visual Studio Team Services, or VSTS), provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and cloud-based load testing
107
Azure DevTest Labs
Quickly create on-demand Windows and Linux environments you can use to test or demo your applications directly from your deployment pipelines
108
region
geographical area on the planet containing 1 or more datacenters with a low-latency network; brings applications closer to users; scalability, redundancy and preservation of data residency.
Americas, Europe, Asia Pacific, Middle East and Africa
109
Geographies
Discrete market typically containing two or more regions that preserve data residency and compliance boundaries. Keep their data and applications close. Honor data residency, sovereignty, compliance, and resiliency requirements within geographical boundaries. Fault-tolerant to withstand complete region failure through their connection to dedicated high-capacity networking infrastructure.
110
Data residency
physical or geographic location of an organization's data or information, and the legal or regulatory requirements imposed on data based on the country/region in which it resides; an important consideration when planning out your application data storage.
111
Availability zones/isolation boundary
physically separate datacenters within an Azure region; each datacenter contains independent power, cooling and networking
112
Supported regions
3+ zones per supported region
113
Zonal services
you pin the resource to a specific zone (for example, virtual machines, managed disks, IP addresses)
114
Zone-redundant services
platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).
115
Region Pairs
Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. Provides replication (redundancy) of resources in case of natural disasters, civil unrest, power outages and physical network outages. If there's an extensive Azure outage, one region out of every pair is prioritized to help reduce the time it takes to restore them for applications. Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage. Data continues to reside within the same geography as its pair (except for Brazil South) for tax and law enforcement jurisdiction purposes.
116
Service-Level Agreements (SLAs)
Adhering to comprehensive operational policies, standards, and practices. Captures specific terms that define the performance standards that apply to Azure. SLAs describe Microsoft's commitment to providing Azure customers with specific performance standards. There are SLAs for individual Azure products and services. SLAs also specify what happens if a service or product fails to perform to a governing SLA's specification. Doesn't apply to free or shared tiers. Ex. Azure Advisor
117
Azure SLA
Performance Targets: an SLA defines performance targets for an Azure product or service, ex. uptime guarantees, connectivity rates.
Uptime (response time) and Connectivity Guarantees (3 nines to 5 nines)
Service credits: compensation when the SLA isn't met
118
Composing SLAs across services, or Composite SLA
Web app = 99.95%
SQL DB = 99.99%
Composite SLA for application = 99.95% x 99.99% = 99.94% (combined probability of failure)

Web app = 99.95%
SQL DB = 99.99%
Queue = 99.9%
Composite SLA for database or queue = 1.0 - (0.0001 x 0.001) = 99.99999%
Composite SLA for application = 99.95% x 99.99999% = 99.95%
119
Application SLA
set your own SLA based on performance targets that suit business requirements and specific Azure application
120
Resiliency
ability of a system to recover from failures. Goal is to respond to failures in a way that avoids downtime or data loss.
High availability
Disaster recovery
121
FMA (Failure Mode Analysis)
identify possible points of failure and define how applications will respond to those failures.
122
Availability
system is functional and working
123
Complexity
services depending on each other, and multiple points of failure
A workload requiring 99.99% uptime shouldn't depend upon a service with a 99.9% SLA
More availability could lead to higher cost and more complexity
More complex solutions can lead to bigger challenges, because downtime is cumulative across SLA levels
124
Azure account
globally unique entity that gives you access to your Azure subscriptions and services. Tied to a specific identity and holds info:
- Name, email, and contact preferences
- Billing information such as a credit card
Signed into the Azure website to:
- Administer
- Deploy services associated with 1 or more subscriptions
125
Azure Subscriptions
logical container used to provision resources in Microsoft Azure. It holds the details of all your resources like virtual machines, databases, etc.
Subscription Types:
- Free
- Pay-As-You-Go
- Enterprise Agreement
- Student
126
Azure free subscription
$200 credit to spend on any service for the first 30 days
popular Azure products for 12 months
25+ products
requires a phone number, a credit card, and a Microsoft account.
127
Azure Pay-As-You-Go subscription
charges you monthly for the services you used in that billing period. For individuals, small and large businesses.
128
Azure Enterprise Agreement
flexibility to buy cloud services and software licenses under one agreement, with discounts for new licenses and Software Assurance. For enterprise-scale organizations.
129
Azure for Students subscription
$100 in Azure credits to be used within the first 12 months; free services without requiring a credit card at sign-up. Validate email address.
130
Multiple Azure Subscriptions (under a single Azure account)
Access control and billing occur at the subscription level, not the account level
131
Access management:
Separate subscriptions to reflect organizational structures to help manage and control access to resources during user provisioning.
NOTE: there are hard limits; there's a max number of resources per subscription (ex. max # of ExpressRoute circuits per subscription is 10)
132
Billing
Single bill is generated per subscription per month. Charged 10 days after the billing period ends. Credit card statement would say "MSFT Azure".
Account owner is responsible for all subscriptions tied to the account credit card.
Can set spending limits
Can generate reports
133
Azure AD
Azure account is authenticated via Azure AD, using web-based authentication standards like OpenID or OAuth (not Windows AD).
Partitioned into tenants; each application is a subscription.
Owner is the original account for billing, but can have additional users, even guests.
134
Azure AD - Tenants
dedicated, isolated instance of the Azure AD service, owned and managed by an organization. Tenants are associated with an organization, which could be individuals, teams, companies or any group of people. The email address associated with an organization helps tie everything together. Ex. an email can be associated with Microsoft Azure, Microsoft Intune, O365 etc. all for one company (organization).
135
Azure Support Options
Each subscription includes the free support below:
- Billing and subscription support
- Azure products and services documentation
- Online self-help documentation
- Whitepapers
- Community support forums
Paid Azure support plans:
- Developer
- Standard
- Professional Direct
- Premier
136
Support plan availability
- Type of customer
- Type of subscription
- Billed for support as part of the Enterprise Agreement (EA)
137
Azure Knowledge Center
The Azure Knowledge Center is a searchable database that contains answers to common support questions, from a community of Azure experts, developers, customers, and users. You can browse through all responses within the Azure Knowledge Center. Find specific solutions by entering keyword search terms into the text-entry field and further refine your search results by selecting products or tags from the lists provided by two dropdown lists.
138
Microsoft Developer Network (MSDN) Forums
Get support by reading responses to Azure technical questions from Microsoft's developers and testers on the MSDN Azure discussion forums.
139
Stack Overflow
You can review answers to questions from the development community on StackOverflow.
140
ServerFault
Review community responses to questions about System and Network Administration in Azure on ServerFault.
141
Azure Feedback Forums
Read ideas and suggestions for improving Azure made by Azure users and customers on the Azure feedback forums.
142
Azure management options
Command line
Language-specific Software Development Kits (SDKs)
Developer tools
Migration tools
143
Azure portal
interacting with Azure via a Graphical User Interface (GUI)
- Login with Azure account
- Create, manage and monitor Azure services
- Get help links
- Deploy, manage and delete resources
- Wizards and tooltips for complex administrative tasks
- Dashboard is customizable
- Not automated for repetitive tasks (ex. make 1 VM at a time, instead of in bulk)
144
Azure PowerShell
a module that you can install for Windows PowerShell, or PowerShell Core, which is a cross-platform version of PowerShell that runs on Windows, Linux or macOS. Services include a shell window and command parsing.
145
Connect-AzureRmAccount (Azure PowerShell)
sign into Azure with PowerShell
146
New-AzureRmVM (Azure PowerShell)
create a VM
Example:
```
New-AzVM `
  -ResourceGroupName "MyResourceGroup" `
  -Name "TestVm" `
  -Image "UbuntuLTS" ...
```
147
Azure CLI
cross-platform command-line program
148
az login (Azure CLI)
sign into Azure with CLI
149
az vm create (Azure CLI)
create a VM
Example:
```
az vm create \
  --resource-group MyResourceGroup \
  --name TestVm \
  --image UbuntuLTS --generate-ssh-keys ...
```
150
Azure Cloud Shell
web-based command-line interface with 2 shell environments (Bash for Linux and PowerShell for Windows). az is the default in Linux; pwsh switches to PowerShell while in Linux.
151
Azure Storage Account when accessing Azure Cloud Shell
any scripts or data you place here are kept across sessions; each subscription has a unique storage account
152
Azure Mobile App
monitoring and managing your resources from your mobile device
- Check the current status and important metrics of your services
- Stay informed with notifications and alerts about important health issues
- Quickly diagnose and fix issues anytime, anywhere
- Review the latest Azure alerts
- Start, stop, and restart virtual machines or web apps
- Connect to your virtual machines
- Manage permissions with role-based access control (RBAC)
- Use the Azure Cloud Shell to run saved scripts or perform ad hoc administrative tasks
153
Azure SDKs
a range of languages and frameworks
154
Azure portal - Resource panel
List of resource types
Can customize favorites
Hide panel via "<"
155
Azure portal - Dashboard
default Azure main page
156
Azure portal - Blade
slide-out panel containing the UI for a single level in a navigation sequence. Each item below is a blade. Ex. Virtual machines > Compute > Ubuntu Server
Blade contains info and configurable options
Certain options generate another blade to the right of the existing blade
Adds more blades to the right as more options and info are available
Scrollbar at the bottom helps navigate backward
Can close blades individually
The "New" section is a blade
157
Azure portal - Marketplace
Is a blade
Create new resources in Azure
Find, try, purchase, and provision applications and services
Provision end-to-end solutions quickly and reliably
158
Azure portal - Notifications (bell icon)
lists the last actions that have been carried out, along with their status.
159
Azure portal - Cloud Shell (>_ icon)
create a new Azure Cloud Shell session.
160
Azure portal - Settings (gear icon)
change the Azure portal settings, including:
- Sign out time
- Color and contrast themes
- Toast notifications (to a mobile device)
- Language and regional format
161
Azure portal - Feedback blade (smiley face icon)
opens the Send us feedback blade; send feedback to Microsoft about Azure.
162
Azure portal - Help blade (question mark icon)
- Help + Support
- What's new
- Azure roadmap
- Launch guided tour
- Keyboard shortcuts
- Show diagnostics
- Privacy + terms
163
Azure portal - Help + Support options
the main support area for the Azure portal; includes documentation options for a variety of common questions. The New support request link can open a support ticket with the Azure team. All Azure customers can access billing, quota and subscription-management support.
Support ticket sections:
- Problem: dropdown lists and text-entry fields
- Title: text-entry field
- Details: text-entry field
- Preferred contact method: contact details form
- Create: submit the support request
All support requests: status and details of support requests
164
Azure Portal - Directory and Subscription (Book and Filter icon)
Can change between subscriptions or change directory
165
Azure portal - profile settings
- Sign in with another account, or sign out entirely
- View your account profile, where you can change your password
- Check your permissions
- View your bill (click the "..." button on the right-hand side); takes you to the Cost Management + Billing invoices page
- Update your contact information (click the "..." button on the right-hand side)
Can:
- Get proactive, actionable, and personalized best-practice recommendations
- Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs
- Get recommendations with proposed actions inline
166
Azure portal - blades - Services
can search for services through the filter box.
167
Azure portal - blades - Settings (cog) icon
opens the Portal settings pane
168
Azure portal - blades - Feedback (smiley face)
open the Send us feedback blade.
169
Azure portal - blades - Help (?)
show the Help blade
To create a new support request, fill in the information in each of the following sections, and then click Create to lodge the issue.
- Basics: the issue type
- Problem: severity of the problem, a summary and description, and any additional information
- Contact information: preferred contact method and the information associated with this contact method
170
Azure portal - blades - Directory and subscription (book and filter)
show the Directory + subscription blade | can switch between multiple subscriptions or directories
171
Tile Gallery
filter Tiles by category and resource type
Can drag tiles to the work area, resize them and change the data
Can pin elements on child blades via the "…" tile edit menu
172
Edit a dashboard by changing the JSON file
edit a dashboard by changing the JSON file | Edit colSpan and rowSpan variables
173
General Availability (GA)
A feature that's evaluated and tested successfully, and released to customers as part of Azure's default product set.
174
Feature preview
Private Preview = feature available to specific Azure customers for evaluation purposes; invite only, issued directly by the product team
Public Preview = feature available to all Azure customers for evaluation purposes
175
Azure compute
On-demand computing for running cloud-based applications
- VM
- Containers
- Azure App Service
- Serverless computing
176
VM (in detail)
Provide IaaS, ex. virtualized server
- Total control over the operating system (OS)
- The ability to run custom software, or
- To use custom hosting configurations
Moving physical servers to the cloud with VMs (lift and shift): host an existing image of the physical server with little to no change
Scaling VMs in Azure: can support single or multiple VMs; includes the following 3 features
177
Availability sets
Logical grouping of 2+ VMs that helps keep an application available during planned or unplanned maintenance. Availability sets have no cost and help avoid a single point of failure in the VM architecture.
178
Planned maintenance events
The underlying Azure fabric that hosts VMs is updated by Microsoft to patch security vulnerabilities, improve performance, and add or update features. When the VM is part of an availability set, the Azure fabric updates are sequenced so that not all of the associated VMs are rebooted at the same time. VMs are put into different update domains.
179
Update domains
Update domains = indicate groups of VMs and underlying physical hardware that can be rebooted at the same time. Update domains are a logical part of each data center and are implemented with software and logic.
180
Unplanned maintenance events
hardware failure in the data center, such as a power outage or disk failure. VMs that are part of an availability set automatically switch to a working physical server so the VM continues to run. The group of virtual machines that share common hardware are in the same fault domain.
181
Fault domain
Fault domain = rack of servers that provide the physical separation of your workload across different power, cooling, and network hardware that support the physical servers in the data center. Only server rack(s) of that fault domain are affected by the outage.
182
VM Scale Sets
Create, manage, configure and update a group of individual, load-balanced VMs
- Help configure additional services to route requests between multiple instances of a website
- Provide highly available applications
- Build large-scale services for compute, big data and container workloads
183
Azure Batch (for raw compute power or supercomputer level compute power)
enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.
- Starts a pool of compute VMs for you
- Installs applications and stages data
- Runs jobs with as many tasks as you have
- Identifies failures
- Requeues work
- Scales down the pool as work completes
184
Containers
Allow multiple lightweight containers to run on a single host/VM Each container has an OS and an app. Virtualizes the OS instead of the physical machine
185
Container Orchestrator
start, stop and scale out application instances as needed; this is done dynamically. Ex. Docker
- Secured and isolated
- Wait only for the app to launch, instead of (as in a VM) the OS and then the app
- Containerized app size is typically smaller
- Development process is simplified, because the development runtime environment can look identical to the production runtime environment
Container cluster orchestration = deploy and manage multiple containerized applications without worrying about which server will host each container; this is for a large number of containers
186
Azure Container Instances (ACI)
Fast and simple, no need to manage any virtual machines or configure any additional services. A PaaS that allows you to upload your containers and execute them directly.
187
Azure Kubernetes Service (AKS)
a complete orchestration service for containers with distributed architectures and multiple containers.
Can roll back to a previous version
Can manage storage:
- Kubernetes allows reading/writing application data and persisting this data across many pod instances
- Applications running in Kubernetes can use cloud-based storage and data systems like Azure Storage or Azure Cosmos DB
Can manage networking (Kubernetes network plugins):
- Expose pods to the internet
- Load balance traffic across multiple replicas of a pod
- Network isolation
- Policy-driven network security
- Manage communications
- Manage name resolution between pods in the cluster
Extending Kubernetes functionality:
- Variety of methods for extending the Kubernetes API
- Create operators to perform custom actions, examples:
  - Producing cloud events on pod creation
  - Providing custom pod scheduling logic
  - On-demand provisioning of managed cloud services
- Capable of making a platform on which to build SaaS services
188
Kubernetes
manages the placement of "pod" inside "node" | When a node crashes, pod can be moved to another node in the cluster
189
Kubernetes scaling/horizontal pod auto-scaling
manually or automatically (horizontal pod auto-scaling) | Application update deployment can be staggered to minimize downtime.
190
Microservice architecture
break solutions into smaller, independent pieces. Ex. break a website into separate containers for front-end, back-end, and storage. This way an app can be split into logical sections that can be maintained, scaled or updated independently. Ex. when the back-end is stressed for resources, you can add more resources or change services for just the back-end portion, or even change the storage container.
191
Microservice
a web service with a small, well-defined scope, loosely coupled from any other web service
- An organization adopts a microservice architecture, which consists of a collection of microservices
- Each microservice is self-contained and implemented for a single business capability
  - Don't need to share the same technology stack, libraries or frameworks
  - A single dev team can build, test and deploy a service
  - Allows continuous innovation and a faster release cadence
  - Code base will be easier to understand, and new team members can start or ramp up more easily
  - Independent deployment allows updating an existing service without rebuilding and redeploying the entire application
  - Easier to roll back or roll forward (redo changes and overwrite to ensure consistency)
  - Bug fixes are easier and feature releases are more manageable and less risky
  - Each can scale independently
  - Responsible for persisting its own data or external state, not relying on a common repository layer; could have its own database
  - Provides a layer of fault isolation; when one service is down it doesn't take down the entire application
  - API: microservices communicate with each other by using well-defined APIs, with the internal implementation details of each service encapsulated behind its interface
    - An orchestration or management layer at a higher level (the consuming application) coordinates calls to the various lower-level microservices and combines the results
- With a large application, a microservices architecture provides:
  - High release velocity (how quickly a code change is deployed into production)
  - High scalability
  - Rich domains or many sub-domains
  - Small dev teams
192
App Service costs/App Service Plan
determines how much hardware is devoted to your host.
193
Types of web apps
Azure App Service helps handle:
- deployment and management are integrated into the platform
- endpoints can be secured
- sites can be scaled quickly to handle high traffic loads
- the built-in load balancing and traffic manager provide high availability
194
Web Apps
Support for hosting web apps like ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. Host OS can be either Windows or Linux
195
API Apps
Build REST-based Web APIs with your choice of language and framework
- Full Swagger support
- Package and publish APIs in the Azure Marketplace
- Apps can be consumed from any HTTP(S)-based client
196
WebJobs
run a program (.exe, Java, PHP, Python or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app.
- Scheduled or run by a trigger
- Run background tasks as part of your application logic
197
Mobile Apps
Build a back-end for iOS and Android apps
- Store mobile app data in a cloud-based SQL database
- Authenticate customers against common social providers such as MSA, Google, Twitter and Facebook
- Send push notifications
- Execute custom back-end logic in C# or Node.js
SDK support for native iOS & Android, Xamarin, and React Native apps.
198
Event driven
resources are only allocated from a direct action, ex. time that takes to run your code
199
"Azure Functions"
a serverless compute service that enables you to run code on-demand without having to explicitly provision or manage infrastructure.
- Performs work in response to an event, often via a REST request, timer, or message from another Azure service, when that work can be completed quickly, within seconds or less
- Scales automatically based on demand; adjusts for more data arriving during peak hours
- Azure runs your code when it's triggered and automatically de-allocates resources when the function is finished; you're only charged for the CPU time used while your function runs
200
stateless (the default)
behaves as if they're restarted every time they respond to an event
201
stateful (called "Durable Functions")
where a context is passed through the function to track prior activity.
202
Azure Logic Apps
designed in a web-based designer and can execute logic triggered by Azure services without writing any code. execute workflows built from pre-defined logic blocks. They are specifically designed to automate your business processes. Azure provides over 200 different connectors and processing blocks to interact with different services, ex. popular enterprise apps. build custom connectors and workflow steps if the service you need to interact with isn't covered.
203
Visual Designer
create Logic App workflows in the Azure Portal or in Visual Studio; use the visual designer to link connectors and blocks together, passing data through the workflow to do custom processing, often all without writing any code.
Example: a ticket arrives in ZenDesk. You could:
1. Detect the intent of the message with cognitive services
2. Create an item in SharePoint to track the issue
3. If the customer isn't in your database, add them to your Dynamics 365 CRM system
4. Send a follow-up email to acknowledge their request
204
Logic App workflows
persisted as a JSON file with a known workflow schema
205
Functions vs. Logic Apps
Both can create complex orchestrations (a collection of functions and steps that are executed to accomplish a complex task)
- Azure Functions: write code to complete each step
- Logic Apps: use the GUI to define actions and how they relate to one another
Can mix and match functions with logic apps
206
Functions
- State: normally stateless, but Durable Functions provide state
- Development: code-first (imperative)
- Connectivity: about a dozen built-in binding types; write code for custom bindings
- Actions: each activity is an Azure function; write code for activity functions
- Monitoring: Azure Application Insights
- Management: REST API, Visual Studio
- Execution context: can run locally or in the cloud
207
Logic Apps
- State: stateful
- Development: designer-first (declarative)
- Connectivity: large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors
- Actions: large collection of ready-made actions
- Monitoring: Azure portal, Log Analytics
- Management: Azure portal, REST API, PowerShell, Visual Studio
- Execution context: runs only in the cloud
208
CloudByte storage
Use REST endpoints/API, an industry standard
- Supports a range of applications and application platforms; (with Azure) communication is made easier with developer packages and libraries along with well-documented APIs
- Different management strategies, optimized for each data type below:
  - binary video data
  - highly structured data in tables
- Closer storage locations allow lower latency
- Replicates data across multiple data centers to reach customers globally
- Cloud security helps manage data access and safely store user data
- Responsive, flexible and secure
209
Automated backup and recovery
mitigates the risk of losing your data if there is any unforeseen failure or interruption.
210
Replication across the globe
copies your data to protect it against any planned or unplanned events, such as scheduled maintenance or hardware failures. You can choose to replicate your data at multiple locations across the globe.
211
Support for data analytics
supports performing analytics on your data consumption.
212
Encryption capabilities
data is encrypted to make it highly secure; you also have tight control over who can access the data.
213
Multiple data types
Azure can store almost any type of data you need. It can handle video files, text files, and even large binary files like virtual hard disks. It also has many options for your relational and NoSQL data.
214
Data storage in virtual disks
Azure also has the capability of storing up to 8 TB of data in its virtual disks. This is a significant capability when you're storing heavy data such as videos and simulations.
215
Storage tiers
storage tiers to prioritize access to data based on frequently used versus rarely used information.
216
Structured data
adheres to a schema, meaning all of the data has the same fields or properties. Stored in a database table with rows and columns. Relies on keys to indicate how one row in a table relates to data in another row of another table. Referred to as relational data, as the data's schema defines the table of data, the fields in the table, and the clear relationship between the two.
- easy to enter, query, and analyze
Ex. sensor data, financial data, etc.
217
Semi-structured data
doesn't fit neatly into tables, rows, and columns. uses tags or keys that organize and provide a hierarchy for the data. non-relational or NoSQL data.
218
Unstructured data
no designated structure; no restrictions on the kinds of data it can hold. Ex. a blob can hold a PDF document, a JPG image, a JSON file, video content, etc.
219
Azure SQL Database
Azure SQL Database is a relational database as a service (DaaS) based on the latest stable version of the Microsoft SQL Server database engine. high-performance, reliable, fully managed and secure database You can use it to build data-driven applications and websites in the programming language of your choice without needing to manage infrastructure.
220
Azure Database Migration Service
migrate your existing SQL Server databases with minimal downtime Once you assess and perform any remediation required, you're ready to begin the migration process. The Azure Database Migration Service performs all of the required steps. You just change the connection string in your apps.
221
Microsoft Data Migration Assistant
used by migration service to generate assessment reports that provide recommendations to help guide you through required changes prior to performing a migration.
222
Azure Cosmos DB
globally distributed database service. supports schema-less data that lets you build highly responsive and Always On applications to support constantly changing data. You can use this feature to store data that is updated and maintained by users around the world.
223
Azure Blob storage
unstructured, meaning that there are no restrictions on the kinds of data it can hold. Highly scalable, and apps work with it like files on a disk, ex. read/write data.
Can manage:
- Ex. thousands of simultaneous uploads
- Ex. massive amounts of video data
- Ex. constantly growing log files
Can be reached from anywhere with an internet connection.
Not limited to common file formats:
- Ex. gigabytes of binary data streamed from a scientific instrument
- Ex. encrypted messages for another application
- Ex. data in a custom format for an app you're developing
Stream large video or audio files directly to the user's browser from anywhere in the world
Store data for backup, disaster recovery, and archiving
Store up to 8 TB of data for virtual machines
224
Azure Data Lake Storage Gen2
A feature that allows you to perform analytics on your data usage and prepare reports. a large repository that stores both structured and unstructured data. combines the scalability and cost benefits of object storage with the reliability and performance of the Big Data file system capabilities. Ingest > Prepare > Store > Analyze
225
Azure Files
fully managed file shares in the cloud that are accessible via the industry-standard Server Message Block (SMB) protocol; can be mounted by cloud or on-prem deployments of Windows, Linux, and macOS. Applications running in Azure VMs or cloud services can mount a file storage share to access file data, just as a desktop application would mount a typical SMB share. Any number of Azure VMs or roles can mount and access the file storage share simultaneously. Use cases: sharing files anywhere in the world, diagnostic data, or application data sharing.
226
Azure Queue Storage
a service for storing large numbers of messages that can be accessed from anywhere in the world. Build flexible applications and separate functions for better durability across large workloads. When application components are decoupled, they can scale independently.
Provides asynchronous message queuing for communication between application components running:
- in the cloud
- on the desktop
- on-premises
- on mobile devices
Use cases:
- Create a backlog of work and pass messages between different Azure web servers
- Distribute load among different web servers/infrastructure and manage bursts of traffic
- Build resilience against component failure when multiple users access your data at the same time
227
Sender components
add messages to the queue
228
Receiver components
retrieve messages from the front of the queue for processing
229
Disk Storage
provides disks for VMs, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios. Allows data to be persistently stored and accessed from an attached virtual hard disk. The disks can be managed by Azure, or unmanaged and therefore managed and configured by the user.
Use cases:
- Lifting and shifting applications that read and write data to persistent disks
- Storing data that is not required to be accessed from outside the VM to which the disk is attached
Disk types range from solid-state drives (SSDs) to traditional spinning hard disk drives (HDDs), with varying performance abilities. When working with VMs, you can use standard SSD and HDD disks for less critical workloads, and premium SSD disks for mission-critical production applications. Delivers enterprise-grade durability, with an industry-leading ZERO% annualized failure rate.
230
Storage tiers
Azure offers three storage tiers for blob object storage: Hot storage tier, Cool storage tier, Archive storage tier
231
Hot storage tier
optimized for storing data that is accessed frequently.
232
Cool storage tier
optimized for data that is infrequently accessed and stored for at least 30 days.
233
Archive storage tier
for data that is rarely accessed and stored for at least 180 days with flexible latency requirements.
234
Encryption for storage services/Storage Service Encryption (SSE)
Azure Storage Service Encryption (SSE) for data at rest helps you secure your data to meet the organization's security and regulatory compliance. It encrypts the data before storing it and decrypts the data before retrieving it. The encryption and decryption are transparent to the user.
235
Client-side encryption
where the data is already encrypted by the client libraries. Azure stores the data in the encrypted state at rest, which is then decrypted during retrieval.
236
Replication for storage availability
A replication type is set up when you create a storage account. The replication feature ensures that your data is durable and always available. provides regional and geographic replications to protect your data against natural disasters and other local disasters like fire or flooding.
237
cloud vs. on-prem storage - Cost effectiveness
On-prem storage
- requires dedicated hardware that needs to be purchased, installed, configured, and maintained
- a significant up-front expense (or capital cost)
- a change in requirements can require investment in new hardware
- your hardware needs to be capable of handling peak demand, which means it may sit idle or be under-utilized in off-peak times
Azure data storage
- pay-as-you-go pricing model (operating expense instead of an upfront capital cost)
- scalable, allowing you to scale up or scale out as demand dictates and scale back when demand is low
- charged for data services only as you need them
238
cloud vs. on-prem storage - Reliability
On-prem storage
- requires data backup, load balancing, and disaster recovery strategies
- challenging and expensive, as they often each need dedicated servers, requiring a significant investment in both hardware and IT resources
Azure data storage
- provides data backup, load balancing, disaster recovery, and data replication as services to ensure data safety and high availability
239
cloud vs. on-prem storage - Storage types
Sometimes multiple different storage types are required for a solution, such as file and database storage.
On-prem storage
- requires numerous servers and administrative tools for each storage type
Azure data storage
- a variety of different storage options, including distributed access and tiered storage
- makes it possible to integrate a combination of storage technologies, providing the best storage choice for each part of your solution
240
cloud vs. on-prem storage - Agility
On-prem deployment
- provisioning and deploying new servers and infrastructure pieces, which is a time-consuming and expensive activity
Azure data storage
- gives you the flexibility to create new services in minutes
- allows you to change storage back-ends quickly without needing a significant hardware investment
241
loosely coupled architectures
Individual components may have little to no knowledge of the definitions of the other components
- They only need to be able to send and receive data from one another
- No need to know how data is created or processed by the rest of the system
- Need to agree on a standard for communication
242
Why loosely coupled is important?
Components can be updated independently
- Make changes as long as the communication strategy stays consistent
- Doesn't interfere with the Azure dev team updating and improving features and performance without breaking existing Azure solutions
Allows services to be replaced without significant impact to the rest of the system
Allows additional components to be added with ease
Can be scaled proportionally to the amount of data traffic
- Manage performance and cost of services independently
- Scale up or scale out only the desired services, and let those services benefit from additional resources
- Avoid paying for resources not used
243
Using an N-tier architecture (for loosely coupled systems)
An architectural pattern that can be used to build loosely coupled systems is N-tier. An N-tier architecture divides an application into two or more logical tiers.
- a higher tier can access services from a lower tier
- a lower tier should never access a higher tier
Tiers help separate concerns and are ideally designed to be reusable. Using a tiered architecture also simplifies maintenance: tiers can be updated or replaced independently, and new tiers can be inserted if needed.
Ex. Three-tier refers to an n-tier application that has three tiers:
- The web tier
- The application tier
- The data tier
244
The web tier
provides the web interface to your users through a browser. Ex. the user clicks the button to place the order, the request is sent to the web tier, along with the user's address and payment information. The web tier passes this information to the application tier
245
The application tier
runs business logic. | Ex. application tier validates payment information and check inventory
246
The data tier
includes databases and other storage that hold product information and customer orders. Ex. application tier might then store the order in the data tier, to be picked up later for fulfillment.
247
virtual network
a logically isolated network on Azure. set up networks on Hyper-V, VMware, or even on other public clouds. allows Azure resources to securely communicate with each other, the internet, and on-premises networks. scoped to a single region; however, multiple virtual networks from different regions can be connected together using virtual network peering.
248
subnets
a virtual network can be segmented into one or more subnets. Subnets help you organize and secure your resources in discrete sections. Ex. the web, application, and data tiers each have a single VM. All three VMs are in the same virtual network but are in separate subnets.
249
public IP address and private IP
Users interact with the web tier directly, so that VM has a public IP address along with a private IP address. Users don't interact with the application or data tiers, so these VMs each have a private IP address only.
250
VPN gateway (or virtual network gateway)
provide a secure connection between an Azure Virtual Network and an on-premises location over the internet. ex. keep your service or data tiers in your on-premises network, placing your web tier into the cloud, but keeping tight control over other aspects of your application.
251
Azure manages the physical hardware for you.
You configure virtual networks and gateways through software, which enables you to treat a virtual network just like your own network. You choose which networks your virtual network can reach, whether that's the public internet or other networks in the private IP address space.
252
What's a network security group (NSG)?
allows or denies inbound network traffic to your Azure resources. Think of a network security group as a cloud-level firewall for your network.
- Ex. the VM in the web tier allows inbound traffic on ports 22 (SSH) and 80 (HTTP). This VM's network security group allows inbound traffic over these ports from all sources.
You can configure a network security group to accept traffic only from known sources, such as IP addresses that you trust.
253
Availability
how long your service is up and running without interruption.
254
High availability
a service that's up and running for a long period of time.
255
Resiliency
a system's ability to stay operational during abnormal conditions, such as:
- Natural disasters
- System maintenance, both planned and unplanned, including software updates and security patches
- Spikes in traffic to your site
- Threats made by malicious parties, such as distributed denial of service, or DDoS, attacks
256
Load Balancer
distributes traffic evenly among each system in a pool. Helps achieve both high availability and resiliency: have additional systems ready in case one goes down or is serving too many users at the same time. The load balancer becomes the entry point for the user. The user doesn't know (or need to know) which system the load balancer chooses to receive the request.
- The load balancer receives the user's request and directs the request to one of the VMs in the web tier
- If a VM is unavailable or stops responding, the load balancer stops sending traffic to it. The load balancer then directs traffic to one of the responsive servers
- Load balancing enables you to run maintenance tasks without interrupting service
- Ex. staggering the maintenance window for each VM. During the maintenance window, the load balancer detects that the VM is unresponsive, and directs traffic to other VMs in the pool
- The app and data tiers can also have a load balancer. It all depends on what your service requires
257
Azure Load Balancer
a load balancer service that Microsoft provides that helps take care of the maintenance for you. Distributes traffic within the same region to make your services more highly available and resilient. Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications.
You can use Load Balancer with:
- incoming internet traffic
- internal traffic across Azure services
- port forwarding for specific traffic
- outbound connectivity for VMs in your virtual network
When you manually configure typical load balancer software on a virtual machine, there's a downside: you now have an additional system that you need to maintain. If your load balancer goes down or needs routine maintenance, you're back to your original problem. With Azure Load Balancer, there's no infrastructure or software for you to maintain. You define the forwarding rules based on the source IP and port to a set of destination IP/ports.
258
Azure Application Gateway
a load balancer designed for web applications. It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios. This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message.
259
Cookie affinity
keep a user session on the same backend server.
260
SSL termination
manage SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption/decryption overhead. It also supports full end-to-end encryption for applications that require that.
261
Web application firewall
supports a sophisticated firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure.
262
URL rule-based routes
allows you to route traffic based on URL patterns, source IP address and port to destination IP address and port. This is helpful when setting up a content delivery network (CDN)
263
Rewrite HTTP headers
You can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.
264
Content Delivery Network (CDN)
A distributed network of servers that can efficiently deliver web content to users. Gets content to users in their local region to minimize latency. Can be hosted in Azure or any other location; caches content at strategically placed physical nodes across the world and provides better performance to end users.
Examples:
- web applications containing multimedia content
- a product launch event in a particular region
- any event where you expect a high-bandwidth requirement in a region
265
Domain Name System (DNS)
Maps user-friendly names to their IP addresses.
Ex. your domain name, contoso.com, might map to the IP address of the load balancer at the web tier, 40.65.106.192.
You can bring your own DNS server or use Azure DNS, a hosting service for DNS domains that runs on Azure infrastructure.
266
Latency
refers to the time it takes for data to travel over the network. Latency is typically measured in milliseconds.
267
Latency vs. bandwidth
Bandwidth refers to the amount of data that can fit on the connection. Latency refers to the time it takes for that data to reach its destination. Factors such as the type of connection you use and how your application is designed can affect latency. But perhaps the biggest factor is distance. Your e-commerce site delivers standard HTML, CSS, JavaScript, and images. The network latency for many files can add up.
268
Scale out to different regions
Building a replica of an entire data center is costly; doing it in Azure can cost much less, because Azure already has the equipment and personnel in place. One way to reduce latency is to provide exact copies of your service in more than one region.
269
Azure Traffic Manager
Uses the DNS server that's closest to the user to direct user traffic to a globally distributed endpoint. Doesn't see the traffic that's passed between the client and server; rather, it directs the client web browser to a preferred endpoint. Can route traffic to the endpoint with the lowest latency.
You can connect Traffic Manager to your own on-premises networks, enabling you to maintain your existing data center investments, or you can move your application entirely to the cloud. The choice is yours.
270
Traffic Manager
Works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be in the region that's closest to your user.
Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways:
- When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool.
- Traffic Manager monitors the health of your endpoints. When Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.
271
Physical Security of Azure
- Walls
- Cameras
- Gates
- Security personnel
- Strict procedures for employees
- More security certifications than any other cloud vendor to date
272
Digital Security of Azure
Data can travel many different ways in the cloud:
- Within a data center
- Between data centers
- All over the internet
Attackers can gain access by compromising each resource or communication, examples:
- VMs that run applications and services in the cloud
- Data stored in the cloud
- Data traveling outside of Azure and across the public internet
- Endpoints (ex. user devices and computers) that consume data or services
273
Customers would need to use MS tools to mitigate security threats
Physical security of data centers and of the entire Azure environment. At the software layer, MS meets the security, privacy and compliance needs of customers.
The customer, however, owns data and identities, and is responsible for protecting them, for the security of on-prem resources, and for the cloud components under the customer's control.
- The degree of responsibility for security varies based on the type of cloud service; more customer control = more responsibility to assume in securing the resources.
- Ex. full control of a VM (IaaS) = customer responsible for OS, network, applications running on the VM, identity and directory infrastructure, and accounts and access management.
- Ex. least control (SaaS), ex. O365 = MS takes care of all OS updates, network security considerations, and the application, and provides a mechanism for identity and directory infrastructure management. Customer only has to give proper access to users.
All services and software managed by Microsoft have built-in mechanisms for authentication and authorization, ex. two-factor authentication, RBAC.
MS provides data encryption, which is a second layer of security in case of a breach.
MS ensures data traveling outside of Azure is transmitted over TLS, and the user determines which accounts can receive and decrypt data.
MS provides monitoring tools, ex. login failures, login attempts from suspicious locations, etc.
- You would need to interpret login attempts and suspend accounts that may have been compromised.
MS provides automatic denial-of-service protection, real-time telemetry to see where requests are coming from, and firewalls to block potentially malicious traffic.
274
Azure Event Hubs
Takes in telemetry data from physical equipment and/or the Azure Cosmos DB backend of mobile apps.
275
Defense in depth
a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. Microsoft applies a layered approach to security, both in physical data centers and across Azure services. The objective of defense in depth is to protect and prevent information from being stolen by individuals who are not authorized to access it.
276
Defense in depth - Data
In almost all cases, attackers are after data:
- Stored in a database
- Stored on disk inside virtual machines
- Stored on a SaaS application such as Office 365
- Stored in cloud storage
It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.
277
Defense in depth - Application
Ensure applications are secure and free of vulnerabilities. Store sensitive application secrets in a secure storage medium. Make security a design requirement for all application development. Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. We encourage all development teams to ensure their applications are secure by default, and that they're making security requirements non-negotiable.
278
Defense in depth - Compute
Secure access to virtual machines. Implement endpoint protection and keep systems patched and current. Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues.
279
Defense in depth - Networking
Limit communication between resources. Deny by default. Restrict inbound internet access and limit outbound, where appropriate. Implement secure connectivity to on-prem networks. At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.
280
Defense in depth - Perimeter
Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users. Use perimeter firewalls to identify and alert on malicious attacks against your network. At the network perimeter, it's about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
281
Defense in depth - Identity and access
Control access to infrastructure and change control. Use single sign-on and multi-factor authentication. Audit events and changes.
The identity and access layer is all about:
- ensuring identities are secure
- access granted is only what is needed
- changes are logged
282
Defense in depth - Physical security
Physical building security and controlling access to computing hardware within the data center is the first line of defense. With physical security, the intent is to provide physical safeguards against access to assets. This ensures that other layers can't be bypassed, and loss or theft is handled appropriately.
283
Azure Security Center
A monitoring service that provides threat protection across all of your services, both in Azure and on-prem.
- Provides security recommendations based on your configurations, resources, and networks.
- Monitors security settings across on-prem and cloud workloads, and automatically applies required security to new services as they come online.
- Continuously monitors all your services, and performs automatic security assessments to identify potential vulnerabilities before they can be exploited.
- Uses machine learning to detect and block malware from being installed on your virtual machines and services.
- - You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.
- Analyzes and identifies potential inbound attacks, and helps to investigate threats and any post-breach activity that might have occurred.
- Provides just-in-time (JIT) access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
284
Available tiers - Free
Available as part of your Azure subscription; limited to assessments and recommendations of Azure resources only.
285
Available tiers - Standard
Full suite of security-related services:
- continuous monitoring
- threat detection
- just-in-time (JIT) access control for ports
286
Usage scenarios
Use Security Center for incident response. To reduce costs and damage, it’s important to have an incident response plan in place before an attack occurs. You can use Azure Security Center in different stages of an incident response. Detect > Assess > Diagnose > Stabilize > Close
287
Detect
Review the first indication of an event investigation. For example, you can use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
288
Assess
Perform the initial assessment to obtain more information about the suspicious activity. For example, obtain more information about the security alert.
289
Diagnose
Conduct a technical investigation and identify containment, mitigation, and workaround strategies. For example, follow the remediation steps described by Security Center in that particular security alert.
290
enhance security
You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center. Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls. For example, if you have workloads that do not require the Azure SQL Database Transparent Data Encryption (TDE) policy, turn off the policy at the subscription level and enable it only in the resources groups where SQL TDE is required.
291
Security policy
A set of controls that are recommended for resources within a specified subscription or resource group. In Security Center, you define policies according to your company's security requirements.
292
Identity and Access
Network perimeters, firewalls, and physical access controls used to be the primary protection for corporate data. But network perimeters have become increasingly porous with the explosion of bring your own device (BYOD), mobile apps, and cloud applications. Identity has become the new primary security boundary. Therefore, proper authentication and assignment of privileges is critical to maintaining control of your data.
293
Authentication (AuthN)
The process of establishing the identity of a person or service looking to access a resource. The act of challenging a party for legitimate credentials provides the basis for creating a security principal for identity and access control use. Establishes that they are who they say they are.
294
Authorization (AuthZ)
The process of establishing what level of access an authenticated person or service has. Specifies what data they're allowed to access and what they can do with it.
295
Azure Active Directory
A cloud-based identity service. Supports synchronizing with an existing on-prem Active Directory, or can be used stand-alone. Works for all apps (on-prem and cloud). Admins and devs can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.
296
AAD - Authentication
Verifies identity to access applications and resources:
- self-service password reset
- multi-factor authentication (MFA)
- a custom banned password list
- smart lockout services
297
Single-Sign-On (SSO)
Remember only one ID and one password to access multiple applications. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that single identity, greatly reducing the effort needed to change or disable accounts. Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.
298
Application management
manage apps (on-prem and cloud) using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
299
Business to business (B2B) identity services
Manage guest users and external partners while maintaining control over your own corporate data.
Business-to-Customer (B2C) identity services: customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
300
Device Management
Manage how your cloud or on-prem devices access your corporate data
301
intelligent security graph
Combines multiple data sources into an intelligent security graph. This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-prem AD. Centralizes security controls, reporting, alerting, and administration of your identity infrastructure.
302
Multi-factor authentication (MFA)
Provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
- Something you know
- - a password or the answer to a security question
- Something you possess
- - a mobile app that receives a notification or a token-generating device
- Something you are
- - a biometric property, such as a fingerprint or face scan used on many mobile devices
Increases the security of your identity by limiting the impact of credential exposure. An attacker who has a user's password would also need to have possession of their phone or their face in order to fully authenticate. Authentication with only a single factor verified is insufficient, and the attacker would be unable to use those credentials to authenticate.
Azure AD has MFA capabilities built in and will integrate with other third-party MFA providers. It's provided free of charge to any user who has the Global Administrator role in Azure AD, because these are highly sensitive accounts. All other accounts can have MFA enabled by purchasing licenses with this capability, as well as assigning a license to the account.
303
Providing identities to services
It's usually valuable for services to have identities. Often, credential information is instead embedded in configuration files, and those credentials can be exposed and accessed if there's no security around the configuration files. Azure AD addresses this problem through two methods:
- Identity
- Principal
304
Identity
Something that can be authenticated:
- Ex. users with a user name and password
- Ex. applications (authenticated via secret keys or certificates)
- Ex. servers (authenticated via secret keys or certificates)
305
Principal
An identity acting with certain roles or claims.
- Ex. logged in as the same identity as before, but you've changed the role under which you are executing: "sudo" (Linux) or "run as Administrator" (Win).
- Ex. groups with rights assigned.
306
service principal
An identity that is used by a service or application; can be assigned roles.
307
Managed identities for Azure services
Instantly created for any Azure service that supports it, and the list is constantly growing. When you create a managed identity for a service, you are creating an account on the Azure AD tenant. The Azure infrastructure will automatically take care of authenticating the service and managing the account. Use the account like any other Azure AD account, including securely letting the authenticated service access other Azure resources.
308
Role-based access control (RBAC)
Roles are sets of permissions, like "Read-only" or "Contributor", that give users certain access. Identities are mapped to roles directly or through group membership.
Provides simple access management and fine-grained control to ensure minimum necessary permissions by separating:
- security principals
- access permissions
- resources
Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy.
309
Privileged Identity Management (PIM)
An additional, paid-for offering that provides oversight of:
- role assignments
- self-service, just-in-time (JIT) role activation
- Azure AD and Azure resource access reviews
Also provides ongoing auditing of role members as the organization changes and evolves.
310
Encryption
Often the only protection data has once it leaves the data center. If it is stored on mobile devices, it could potentially be hacked or stolen. Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key.
311
types of encryption - Symmetric encryption
Uses the same key to encrypt and decrypt the data. Ex. passwords stored on a desktop are encrypted with a personal secret key derived from a master password; when the data needs to be retrieved, the same key is used to decrypt it.
312
types of encryption - Asymmetric encryption
Uses a public key and private key pair. Either key can encrypt, but a single key can't decrypt its own encrypted data; it requires the paired key. Used in Transport Layer Security (TLS) (which HTTPS uses) and for data signing.
313
Encryption at rest
Data at rest is data that has been stored on a physical medium. Data stored:
- on the disk of a server
- in a database
- in a storage account
Ensures that the stored data is unreadable without the keys and secrets needed to decrypt it, making it difficult for an attacker to decrypt the data. The actual data that is encrypted could vary in its content, usage, and importance to the organization:
- financial information critical to the business
- intellectual property that has been developed by the business
- personal data about customers or employees that the business stores
- keys and secrets used for the encryption of the data itself
314
Encryption in transit
Data in transit is data actively moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers; encrypt data:
- Ex. at the application layer prior to sending it over a network, like HTTPS.
- Ex. at the network layer with a secure channel, like VPN.
Protects the data from outside observers and provides a mechanism to transmit data while limiting the risk of exposure.
315
Encrypt raw storage/Azure Storage Service Encryption
For data at rest; helps you protect your data to meet your organizational security and compliance commitments. The Azure storage platform automatically encrypts your data before persisting it to:
- Azure Managed Disks
- Azure Blob storage
- Azure Files
- Azure Queue storage
and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services.
Encrypt virtual machine disks (virtual hard disks, VHDs):
- Azure Disk Encryption helps encrypt Windows and Linux IaaS virtual machine disks.
- BitLocker for Windows.
- dm-crypt for Linux.
- Provides volume encryption for the OS and data disks.
- Azure Key Vault controls and manages the disk encryption keys and secrets (Key Vault access is managed via managed service identities).
316
Transparent data encryption (TDE)
Helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity.
- real-time encryption and decryption of the database, associated backups, and transaction log files at rest, without requiring changes to the application
- enabled by default
317
database encryption key
Encryption with a symmetric key; provides a unique encryption key per logical SQL Server instance and handles all the details by default.
318
Bring your own key (BYOK)
supported with keys stored in Azure Key Vault
319
Azure Key Vault
A centralized cloud service for storing your application secrets. Key Vault keeps secrets in a single, central location and helps by providing:
- secure access
- permissions control
- access logging capabilities
320
Secrets management
You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
321
Key management
You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
322
Certificate management
Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your Azure, and internally connected, resources more easily.
323
hardware security modules (HSMs)
Store secrets backed by hardware security modules (HSMs); the secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.
324
benefits of using Key Vault include:
- Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.
- Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
- Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
- Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.
- Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services. Because Azure AD identities can be granted access to use Azure Key Vault secrets, applications with managed service identities enabled can automatically and seamlessly acquire the secrets they need.
325
layered approach to network security
A layered approach provides multiple levels of protection, so that if an attacker gets through one layer, there are further protections in place to limit further attack.
326
Internet protection
Focused on limiting and eliminating attacks from the internet: assess the resources that are internet-facing, and only allow inbound and outbound communication where necessary. Identify all resources that allow inbound network traffic of any type, and then ensure they are restricted to only the ports and protocols required.
327
Azure Security Center
identifies internet-facing resources that don't have network security groups associated with them, as well as resources that are not secured behind a firewall.
328
Firewall
A firewall is a service that grants server access based on the originating IP address of each request. Firewall rules specify ranges of IP addresses and only clients from these granted IP addresses will be allowed to access the server. Firewall rules include specific network protocol and port information.
329
Azure Firewall
A managed, cloud-based, network security service that protects your Azure Virtual Network resources. A fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Provides inbound protection for non-HTTP/S protocols like:
- Remote Desktop Protocol (RDP)
- Secure Shell (SSH)
- File Transfer Protocol (FTP)
It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
330
Azure Application Gateway
A load balancer that includes a Web Application Firewall (WAF). Provides protection from common, known vulnerabilities in websites; designed to protect HTTP traffic.
331
Network virtual appliances (NVAs)
Ideal options for non-HTTP services or advanced configurations; similar to hardware firewall appliances.
332
Stopping Distributed Denial of Service (DDoS) attacks
A denial of service attack attempts to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive. Combine Azure DDoS Protection with application design best practices.
333
DDoS Protection
Brings DDoS mitigation capacity to every Azure region. Scrubs traffic at the Azure network edge before it can impact your service's availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics. Legitimate traffic from customers still flows into Azure without any interruption of service.
334
Azure DDoS Protection service tiers - Basic
automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.
335
Azure DDoS Protection service tiers - Standard
provides additional mitigation capabilities for Microsoft Azure Virtual Network resources. simple to enable and requires no application changes.
336
Protection policies
tuned through dedicated traffic monitoring and machine learning algorithms applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
337
Azure DDoS Protection mitigates - volumetric attacks
flood the network layer with a substantial amount of seemingly legitimate traffic.
338
Azure DDoS Protection mitigates - protocol attacks
render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
339
Azure DDoS Protection mitigates - resource (application) layer attacks
target web application packets to disrupt the transmission of data between hosts.
340
Virtual network (VNet) security
Inside a virtual network (VNet), it's crucial that you limit communication between resources (for example, between VMs) to only what is required.
341
Network Security Groups (NSGs)
Manage restrictions:
- filter network traffic to and from Azure resources in an Azure virtual network
- can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol
- provide a list of allowed and denied communication to and from network interfaces and subnets
- fully customizable
- can completely remove public internet access to your services by restricting access to service endpoints
- - Azure service access can be limited to your virtual network
342
Network integration
Enables communication from on-prem networks to a VNet, or provides improved communication between services in Azure, commonly through VPN.
343
Azure ExpressRoute
Provides a dedicated, private connection. Extend your on-prem networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. Establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. Improves security by sending this traffic over the private circuit instead of over the public internet: no need to allow access to these services for your end users over the public internet, and you can send this traffic through appliances for further traffic inspection.
344
Microsoft Azure Information Protection (MSIP or sometimes referred to as AIP)
A cloud-based solution to classify and protect documents and emails by applying labels. You can purchase MSIP either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft 365 Enterprise.
345
Labels
Applied automatically, manually, or both, based on rules and conditions, guided by recommendations.
- Ex. rules that detect sensitive data:
- - When a user saves a Microsoft Word document containing a credit card number, a custom tooltip is displayed.
- - The tooltip recommends labeling the file as Confidential - All Employees, which is a label that the administrator has configured.
- - This label classifies the document and protects it.
After your content is classified, you can track and control how the content is used:
- Analyze data flows to gain insight into your business
- Detect risky behaviors and take corrective measures
- Track access to documents
- Prevent data leakage or misuse of confidential information
346
Azure Advanced Threat Protection (Azure ATP)
A cloud-based security solution that identifies, detects, and helps you investigate:
- advanced threats
- compromised identities
- malicious insider actions directed at your organization
Capable of detecting:
- known malicious attacks and techniques
- security issues
- risks against your network
Purchasing Azure Advanced Threat Protection:
- available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license
- you can acquire a license directly from the Enterprise Mobility + Security Pricing Options page or through the Cloud Solution Provider (CSP) licensing model
- it is not available to purchase via the Azure portal
347
Azure ATP portal
Monitor and respond to suspicious activity on the ATP portal. You can create your Azure ATP instance and view the data received from Azure ATP sensors. Monitor, manage, and investigate threats in your network environment. You must sign in with a user account that is assigned to an Azure AD security group that has access to the Azure ATP portal.
348
Azure ATP sensor
Installed directly on your domain controllers; monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
349
Azure ATP cloud service
runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.
350
IT governance
Involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues. Governance is needed when:
- You have multiple engineering teams working in Azure
- You have multiple subscriptions in your tenant
- You have regulatory requirements which must be enforced
- You want to ensure standards are followed for all IT allocated resources
Examples:
- You could enforce standards by not allowing teams to directly create Azure resources, and instead have the IT team define and deploy all cloud-based assets. Azure provides several tools you can use to enforce and validate your standards, while still allowing your engineering teams to create and own their own resources in the cloud.
- Besides IT standards, you need to be able to monitor your resources to make sure they are responsive and performing properly. Azure provides several built-in features to track and analyze your resource utilization and performance.
351
IT compliance with Azure Policy
enforce your rules for created resources, so your infrastructure stays compliant with:
- your corporate standards
- cost requirements
- service-level agreements (SLAs) you have with your customers.
A service in Azure that you use to define, assign, and manage standards for resources in your environment:
- prevent the creation of disallowed resources
- ensure new resources have specific settings applied
- run evaluations of your existing resources to scan for non-compliance.
Comes with many built-in policy and initiative definitions that you can use, under categories such as:
- Storage
- Networking
- Compute
- Security Center
- Monitoring
Ex. prohibits any new VM from having more than 4 CPUs during VM creation. Azure Policy will stop anyone from creating a new VM outside the list of allowed stock keeping units (SKUs).
Ex. there's a policy for updating an existing VM.
Ex. audit all the existing VMs in our organization to ensure our policy is enforced; look for non-compliant resources, then either:
- alter the resource properties
- stop the resource from being created.
352
Azure Policy integrate with Azure DevOps,
applying any continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications.
353
policy definition (JSON file)
every policy definition has conditions under which it is enforced, and an accompanying effect that takes place if the conditions are met.
To apply a policy, you will:
- Create a policy definition
- Assign a definition to a scope of resources
- View policy evaluation results
Can use pre-defined definitions or create your own. Hundreds of samples in GitHub (https://github.com/Azure/azure-policy)
354
Ex. Compute policy that allows specific VM sizes
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": "[parameters('listOfAllowedSKUs')]"
        }
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
```
[parameters('listOfAllowedSKUs')] is a replacement token to be filled in when the policy definition is applied to a scope. When a parameter is defined, it's given a name and optionally given a value.
355
Policy
what to evaluate and what action to take.
- Ex. ensure all public websites are secured with HTTPS
- Ex. prevent a particular storage type from being created
- Ex. force a specific version of SQL Server to be used.
356
Allowed Storage Account SKUs
This policy definition has a set of conditions/rules that determine whether a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.
357
Allowed Resource Type
This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of this defined list.
358
Allowed Locations
This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geographic compliance requirements.
359
Allowed Virtual Machine SKUs
This policy enables you to specify a set of VM SKUs that your organization can deploy.
360
Not allowed resource types
Prevents a list of resource types from being deployed.
361
policy assignment
a policy definition that has been assigned to take place within a specific scope. This scope could range from a full subscription down to a resource group.
Policy assignments are inherited by all child resources. This means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a sub-scope from the policy assignment.
- For example, we could enforce a policy for an entire subscription and then exclude a few select resource groups.
You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. When you assign a policy definition, you will need to supply any parameters which are defined.
362
SKUs
stock keeping units
363
Policy effects
Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. Policy processes several of the effects before handing the request to the appropriate Resource Provider to avoid any unnecessary processing if the resource violates policy. Each policy definition in Azure Policy has a single effect. That effect determines what happens when the associated policy rule is matched. When that happens, Azure Policy will take a specific action based on the assigned effect.
364
Policy effects - Deny
The resource creation/update fails due to policy.
365
Policy effects - Disabled
The policy rule is ignored (disabled). Often used for testing.
366
Policy effects - Append
Adds additional parameters/fields to the requested resource during creation or update. A common example is adding tags on resources such as Cost Center or specifying allowed IPs for a storage resource.
367
Policy effects - Audit, AuditIfNotExists
Creates a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request.
368
Policy effects - DeployIfNotExists
Executes a template deployment when a specific condition is met. For example, if SQL encryption is enabled on a database, then it can run a template after the DB is created to set it up a specific way.
369
View policy evaluation results
Azure Policy can allow a resource to be created even if it doesn't pass validation. In these cases, you can have it trigger an audit event which can be viewed in the Azure Policy portal, or through command-line tools. The easiest approach is in the portal as it provides a nice graphical overview which you can explore. You can find the Azure Policy section through the search field or All Services.
370
Initiatives
work alongside policies in Azure Policy. An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.
371
initiative assignment
an initiative definition assigned to a specific scope. Initiative assignments reduce the need to make several initiative definitions for each scope. This scope could also range from a management group to a resource group. Once defined, initiatives can be assigned just as policies can - and they apply all the associated policy definitions.
372
Defining initiatives
Initiative definitions simplify the process of managing and assigning policy definitions by grouping a set of policies into a single item. Ex. you could create an initiative named Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.
373
Enterprise governance management
Access management occurs at the Azure subscription level. This allows an organization to configure each division of the company in a specific fashion based on their responsibilities and requirements. Planning and keeping rules consistent across subscriptions can be challenging without a little help.
374
Azure Management Groups
containers for managing access, policies, and compliance across multiple Azure subscriptions. Allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. All subscriptions within a management group automatically inherit the conditions applied to the management group. Give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.
375
Create a hierarchy
Ex. limit VM locations to US West Region on the group "Infrastructure Team management group".
- This policy will inherit onto both EA subscriptions under that management group and will apply to all VMs under those subscriptions.
- This security policy cannot be altered by the resource or subscription owner, allowing for improved governance.
Ex. provide user access to multiple subscriptions.
- By moving many subscriptions under that management group, you can create one role-based access control (RBAC) assignment on the management group, which will inherit that access to all the subscriptions.
- One assignment on the management group can enable users to have access to everything they need instead of scripting RBAC rules over different subscriptions.
376
Azure Blueprint (artifacts and tools)
help you with auditing, traceability, and compliance with your deployments. Allows you to define a repeatable set of Azure resources that implement and adhere to your organization's standards, patterns, and requirements. Enables development teams to rapidly build and deploy new environments with the knowledge that they're building within organizational compliance with a set of built-in components that speed up development and delivery.
A declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:
- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups
The process of implementing Azure Blueprint consists of the following high-level steps:
- Create an Azure Blueprint
- Assign the blueprint
- Track the blueprint assignments
With Azure Blueprint, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved deployment tracking and auditing.
Azure Blueprints are different from Azure Resource Manager Templates.
- When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or source control).
- By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package. This means that the relationship with resources will be maintained, even after deployment. Managing relationships in this way improves auditing and tracking capabilities.
Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.
377
Compliance Manager/Microsoft Privacy Statement
explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes. The statement applies to the interactions Microsoft has with you and Microsoft products such as Microsoft services, websites, apps, software, servers, and devices. It is intended to provide openness and honesty about how Microsoft deals with personal data in its products and services.
378
Microsoft Trust Center
a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. It is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community, including:
- In-depth information (across all MS cloud products) about:
  - Security
  - Privacy
  - Compliance offerings
  - Policies
  - Features
  - Practices
- Recommended resources (a curated list) of the most applicable and widely-used resources for each topic.
- Information specific to key organizational roles:
  - business managers
  - tenant admins
  - data security teams
  - risk assessment and privacy officers
  - legal compliance teams.
- Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal.
- Direct guidance and support for when you can't find what you're looking for.
379
Service Trust Portal (STP)
hosts the Compliance Manager service. It is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services. Users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.
Includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as:
- ISO
- SOC
- NIST
- FedRAMP
- GDPR
Service Trust Portal is a companion feature to the Trust Center, and allows you to:
- Access audit reports across Microsoft cloud services on a single page.
- Access compliance guides to help you understand how you can use Microsoft cloud service features to manage compliance with various regulations.
- Access trust documents to help you understand how Microsoft cloud services help protect your data.
380
Compliance Manager
a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
Compliance Manager provides the following features:
- Combines the following three items:
  - Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft's cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST).
  - Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR).
  - An organization's self-assessment of their own compliance with these standards and regulations.
- Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization's compliance goals.
- Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization's exposure to risk.
- Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
- Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.
Compliance Manager provides ongoing risk assessments with a risk-based score reference displayed in a dashboard view for regulations and standards. Alternatively, you can create assessments for the regulations or standards that matter more to your organization. As part of the risk assessment, Compliance Manager also provides recommended actions you can take to improve your regulatory compliance.
You can view all action items, or select the action items that correspond with a specific certification.
Compliance Manager is a dashboard that provides a summary of your data protection and compliance stature and recommendations for improvement. The Customer Actions provided in Compliance Manager are recommendations only; it is up to each organization to evaluate the effectiveness of these recommendations in their respective regulatory environment prior to implementation. Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance.
381
Monitor service health
https://azure.microsoft.com/en-us/features/service-health/
382
Azure Monitor
maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
383
Azure Monitor - Data sources
Azure Monitor can collect data from a variety of sources. Monitoring data for your applications comes in tiers ranging from:
- your application
- any operating system and services it relies on
- the platform itself.
384
Azure Monitor - Application monitoring data
Data about the performance and functionality of the code you have written, regardless of its platform.
385
Azure Monitor - Guest OS monitoring data
Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises
386
Azure Monitor - Azure resource monitoring data
Data about the operation of an Azure resource.
387
Azure Monitor - Azure subscription monitoring data
Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
388
Azure Monitor - Azure tenant monitoring data
Data about the operation of tenant-level Azure services, such as Azure Active Directory.
389
Azure Monitor - Diagnostic settings
As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data.
390
Azure Monitor - Activity Logs
record when resources are created or modified
391
Azure Monitor - Metrics
tell you how the resource is performing and the resources that it's consuming.
392
Diagnostics
You can extend the data you're collecting into the actual operation of the resources by enabling diagnostics and adding an agent to compute resources. Under the resource settings you can enable Diagnostics:
- Enable guest-level monitoring
- Performance counters
- Event Logs
- Crash Dumps
- Sinks
- Agent
393
Diagnostics - Performance counters
collect performance data
394
Diagnostics - Event Logs
enable various event logs
395
Diagnostics - Crash Dumps
enable or disable
396
Diagnostics - Sinks
send your diagnostic data to other services for more analysis
397
Diagnostics - Agent
configure agent settings
398
Azure Monitor - Application Insights
a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises. Leverages the powerful data analysis platform in Log Analytics. Can diagnose errors without waiting for a user to report them. Includes connection points to a variety of development tools, and integrates with Microsoft Visual Studio to support your DevOps processes.
399
Azure Monitor - Log Analytics
powerful data analysis platform that provides you with deeper insights into your application's operations.
400
Azure Monitor - containers
a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API. Container logs are also collected.
401
Azure Monitor - VMs
a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs:
- different processes
- interconnected dependencies on other resources
- external processes
Includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers.
402
Azure Service Health
Integrating any, or all, of these monitoring services with Azure Service Health has additional benefits. Staying informed of the health status of Azure services will help you understand if, and when, an issue affecting an Azure service is impacting your environment. What may seem like a localized problem could be the result of a more widespread issue, and Azure Service Health provides this kind of insight.
Identifies any issues with Azure services that might affect your application and helps you to plan for scheduled maintenance. A suite of experiences that provide personalized guidance and support when issues with Azure services affect you:
- notify you
- help you understand the impact of issues
- keep you updated as the issue is resolved
- prepare for planned maintenance and changes that could affect the availability of your resources.
Azure Service Health is composed of the following views:
- Azure Status
- Service Health
- Resource Health
403
Responding to alert conditions
respond proactively to any critical conditions that are identified within the data it collects.
- Ex. sending a text or email to an administrator who is responsible for investigating an issue
- Ex. launching an automated process that attempts to correct an error condition.
404
Alerts
Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions. Alert rules based on metrics can provide alerts in almost real-time, based on numeric values. Alert rules based on logs allow for complex logic across data, from multiple sources.
405
Autoscale
Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load. help reduce your Azure costs by removing resources that are not being used. can specify a minimum and maximum number of instances, provide the logic that determines when Autoscale should increase or decrease resources.
406
Visualize monitoring data
Visualizations, such as charts and tables, are effective tools for summarizing monitoring data and for presenting data to different audiences. Azure Monitor has its own features for visualizing monitoring data, and it leverages other Azure services for publishing data for different audiences. Other tools for visualizing data include:
- Dashboards
- Views
- Power BI
407
Integrate with other services
You'll often need to integrate Azure Monitor with other systems, and build customized solutions that use your monitoring data. Other Azure services can work with Azure Monitor to provide this integration.
408
Azure Service Health - Azure Status
provides a global view of the health state of Azure services. Get up-to-the-minute information on service availability. Everyone has access to Azure Status and can view all services that report their health state.
409
Azure Service Health - Service Health
provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them. In this dashboard, you can track active events:
- ongoing service issues
- upcoming planned maintenance
- relevant Health advisories.
When events become inactive, they are placed in your Health history for up to 90 days. Use the Service Health dashboard to create and manage Service Health alerts, which notify you whenever there are service issues that affect you.
410
Azure Service Health - Resource Health
helps you diagnose and obtain support when an Azure service issue affects your resources. Provides you details about the current and past state of your resources, and provides technical support to help you mitigate problems (vs. Azure Status, which covers service problems that affect a broad set of Azure customers). Resource Health gives you a personalized dashboard of your resources' health. Shows you times, in the past, when your resources were unavailable because of Azure service problems, making it easier to understand if an SLA was violated.
411
Resource groups
a logical container for resources deployed on Azure:
- virtual machines
- Application Gateways
- CosmosDB instances.
All resources must be in a resource group, and a resource can only be a member of a single resource group. Resources can be moved between resource groups at any time. Resource groups can't be nested. Before any resource can be provisioned, you need a resource group for it to be placed in.
412
Logical grouping
Resource groups exist to help manage and organize your Azure resources. By placing resources of similar usage, type, or location, you can provide some order and organization to resources you create in Azure.
413
Life cycle
If you delete a resource group, all resources contained within are also deleted. Organizing resources by life cycle can be useful in non-production environments, where you might try an experiment, but then dispose of it when done. Resource groups make it easy to remove a set of resources at once.
414
Authorization
Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed.
415
Create a Resource Group
Resource groups can be created by using the following methods:
- Azure portal
- Azure PowerShell
- Azure CLI
- Templates
- Azure SDKs (like .NET, Java)
416
Consistent naming convention
Ex. we named our resource group msftlearn-core-infrastructure-rg.
- We've given some indication of what it's used for (msftlearn),
- the types of resources contained within (core-infrastructure)
- the type of resource it is itself (rg).
417
Organizing principles
Ex. We might put all resources that are core infrastructure into this resource group.
Ex. organize by resource type, 1 resource group per type:
- All VNets
- all VMs
- all Azure Cosmos DB instances
Ex. organize by environment, 1 resource group per environment:
- Prod
- Dev
- QA
Ex. organize by department, 1 resource group per department:
- Finance
- Marketing
- HR
Ex. organize by combination of environment and department:
- Prod-Finance
- Dev-Finance
- Prod-Marketing
- Dev-Marketing
418
Organizing for authorization
Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them. If your database administration team is responsible for managing all of your Azure SQL Database instances, putting them in the same resource group would simplify administration. You could give them the proper permissions at the resource group level to administer the databases within the resource group. Likewise, the database administration team could be denied access to the resource group with virtual networks, so they don't inadvertently make changes to resources outside the scope of their responsibility.
419
Organizing for life cycle
We mentioned earlier that resource groups serve as the life cycle for the resources within it. If you delete a resource group, you delete all the resources in it. If you deploy 10 servers for a project that you know will only last a couple of months, you might put them all in a single resource group. One resource group is easier to clean up than 10 or more resource groups.
420
Organizing for billing
placing resources in the same resource group is a way to group them for usage in billing reports. If you're trying to understand how your costs are distributed in your Azure environment, grouping them by resource group is one way to filter and sort the data to better understand where costs are allocated.
421
Tags
name/value pairs of text data that you can apply to resources and resource groups; useful for resources that have multiple uses and for better search. Allow you to associate custom details about your resource, in addition to the standard Azure properties a resource has:
- department (like finance, marketing, and more)
- environment (prod, test, dev)
- cost center
- life cycle and automation (like shutdown and startup of virtual machines).
A resource can have up to 15 tags. The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. The tag value is limited to 256 characters for all types of resources.
Tags aren't inherited from parent resources. Not all resource types support tags; tags can't be applied to classic resources.
Can be added and manipulated through:
- Azure portal
- Azure CLI
- Azure PowerShell
- Resource Manager templates
- REST API
422
add a resource tag to a virtual network using the Azure CLI
```bash
az resource tag --tags Department=Finance \
  --resource-group msftlearn-core-infrastructure-rg \
  --name msftlearn-vnet1 \
  --resource-type "Microsoft.Network/virtualNetworks"
```
423
automatically add or enforce tags for resources
You can use Azure Policy to automatically add or enforce tags for resources your organization creates based on policy conditions that you define. Ex. you could require that a value for the Department tag is entered when someone in your organization creates a virtual network in a specific resource group.
424
Use tags for organization
You can use tags to group your billing data.
- Ex. group usage by cost center.
- Ex. use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment.
When exporting billing data or accessing it through billing APIs, tags are included in that data and can be used to further slice your data from a cost perspective.
You can retrieve all the resources in your subscription with a specific tag name or value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.
Tagging resources can also help in monitoring to track down impacted resources. Monitoring systems could include tag data with alerts, giving you the ability to know exactly who is impacted.
- Ex. we applied the Department:Finance tag to the msftlearn-vnet1 resource. If an alarm was thrown on msftlearn-vnet1 and the alarm included the tag, we'd know that the finance department may be impacted by the condition that triggered the alarm. This contextual information can be valuable if an issue occurs.
It's also common for tags to be used in automation.
- Ex. automate the shutdown and startup of VMs in development environments during off-hours to save costs.
- Add a shutdown:6PM and startup:7AM tag to the virtual machines, then create an automation job that looks for these tags, and shuts them down or starts them up based on the tag value. There are several solutions in the Azure Automation Runbooks Gallery that use tags in a similar manner to accomplish this.
425
Use policies to enforce standards
We could use policy to restrict which Azure regions we can deploy resources to.
- Ex. For organizations that are heavily regulated or have legal or regulatory restrictions on where data can reside:
  - policies help to ensure that resources aren't provisioned in geographic areas that would go against these requirements.
- Ex. We could use policy to restrict which types of VM sizes can be deployed.
  - You may want to allow large VM sizes in your production subscriptions, but maybe you'd like to ensure that you keep costs minimized in your dev subscriptions.
  - By denying the large VM sizes through policy in your dev subscriptions, you can ensure they don't get deployed in these environments.
- Ex. We could also use policy to enforce naming conventions.
  - If our organization has standardized on specific naming conventions, using policy to enforce the conventions helps us to keep a consistent naming standard across our Azure resources.
426
Secure resources with RBAC, role-based access control
RBAC provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. RBAC is considered a core service and is included with all subscription levels at no cost.
Using RBAC, you can:
- Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
- Allow a database administrator (DBA) group to manage SQL databases in a subscription.
- Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
- Allow an application to access all resources in a resource group.
To view access permissions, use the Access Control (IAM) blade in the Azure portal.
427
How RBAC defines access
RBAC uses an allow model for access. When you are assigned to a role, RBAC allows you to perform specific actions, such as read, write, or delete.
- If one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have write permissions on that resource group.
428
Best Practices for RBAC
Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
  * Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only specific actions at a particular scope.
  * When planning your access control strategy, grant users the lowest privilege level that they need to do their work.
  * Use Resource Locks to ensure critical resources aren't modified or deleted.
429
Resource Locks
A setting that can be applied to any resource to block modification or deletion. Can be set to either Delete or Read-only.
  * Delete will allow all operations against the resource but block the ability to delete it.
  * Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource.
Resource locks can be applied at higher levels and are inherited by the resources below them:
  * Subscriptions
  * Resource groups
  * Individual resources
Applying Read-only can lead to unexpected results because some operations that seem like read operations actually require additional actions.
  * Ex. placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.
When a resource lock is applied, you must first remove the lock in order to perform that activity. By putting an additional step in place before allowing the action to be taken on the resource, it helps protect resources from inadvertent actions, and helps protect your administrators from doing something they may not have intended to do.
Resource locks apply regardless of RBAC permissions, including the Owner of the resource.
430
Using resource locks in practice
We've seen how resource locks can protect from accidental deletion. In order to delete the virtual network, we needed to remove the lock. This deliberate extra step helps ensure that you really intend to delete or modify the resource in question.
Use resource locks to protect those key pieces of Azure that could have a large impact if they were removed or modified:
  * ExpressRoute circuits
  * virtual networks
  * critical databases
  * domain controllers
Evaluate your resources, and apply locks where you'd like to have an extra layer of protection from accidental actions.
431
Three main customer types of Azure - Enterprise
Sign an Enterprise Agreement with Azure that commits them to spend a negotiated amount on Azure services.
  * Pay annually.
  * Have access to customized Azure pricing.
432
Three main customer types of Azure - Web direct
Pay general public prices for Azure resources.
  * Monthly billing and payments occur through the Azure website.
433
Three main customer types of Azure - Cloud Solution Provider (CSP)
Microsoft partner companies that a customer hires to build solutions on top of Azure.
  * Payment and billing for Azure usage occur through the customer's CSP.
434
Azure - provisioning
Products and services in Azure are arranged by category, each of which has various resources that you can provision. You select the Azure products and services that fit your requirements, and your account is billed according to Azure's pay-for-what-you-use model.
When you provision an Azure resource, Azure creates one or more meter instances for that resource. The meters track the resource's usage, and generate a usage record that is used to calculate your bill.
  * Ex. a single virtual machine that you provision in Azure might have the following meters tracking its usage:
    * Compute Hours
    * IP Address Hours
    * Data Transfer In
    * Data Transfer Out
    * Standard Managed Disk
    * Standard Managed Disk Operations
    * Standard IO-Disk
    * Standard IO-Block Blob Read
    * Standard IO-Block Blob Write
    * Standard IO-Block Blob Delete
The meters and pricing vary per product and have different pricing tiers based on the size or capacity of the resource. At the end of each monthly billing cycle, the usage values will be charged to your payment method and the meters are reset.
The key takeaway is that resources are always charged based on usage.
  * Ex. if you de-allocate a VM then you will not be billed for compute hours, I/O reads or writes or the private IP address, since the VM is not running and has no allocated compute resources. However, you will incur storage costs for the disks.
  * De-allocating a VM is not the same as deleting a VM.
  * De-allocation means the VM is not assigned to a CPU or network in a datacenter.
  * However, your persistent disks remain, and the resource is present in your subscription. It's similar to turning off your physical computer.
435
Costs - Resource type
Costs are resource-specific, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.
  * Each meter tracks a particular kind of usage:
    * bandwidth usage (ingress or egress network traffic in bits-per-second)
    * the number of operations
    * size (storage capacity in bytes)
The usage that a meter tracks correlates to a number of billable units, charged each billing period, at a rate depending on what type of resource it is.
436
Costs - Services
Azure usage rates and billing periods can differ between Enterprise, Web Direct, and Cloud Solution Provider (CSP) customers. Some subscription types also include usage allowances, which affect costs.
The Azure team develops and offers first-party products and services; products and services from third-party vendors are available in the Azure Marketplace. Different billing structures apply to each of these categories.
437
Costs - Location
Azure has datacenters all over the world. Usage costs vary between locations that offer particular Azure products, services, and resources based on popularity, demand, and local infrastructure costs.
  * Ex. you might want to build your Azure solution by provisioning resources in locations that offer the lowest prices, but this would require transferring data between locations if dependent resources and their users are located in different parts of the world.
  * If there are meters tracking the volume of data that moves between the resources you provision, any potential savings you make from choosing the cheapest location could be offset by the additional cost of transferring data between those resources.
438
Costs - Azure billing zones
Bandwidth refers to data moving in and out of Azure datacenters. Most of the time inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data going out of Azure datacenters), the data transfer pricing is based on Billing Zones.
A Zone is a geographical grouping of Azure Regions for billing purposes. The following zones exist and include the listed countries (regions):
  * Zone 1 - United States, Europe, Canada, UK, France
  * Zone 2 - Asia Pacific, Japan, Australia, India, Korea
  * Zone 3 - Brazil
  * DE Zone 1 - Germany
In most zones, the first outbound 5 GB per month is free. After that, you are billed a fixed price per GB.
  * Billing zones aren't the same as an Availability Zone.
  * In Azure, the term zone is for billing purposes only.
  * The full term Availability Zone refers to the failure protection that Azure provides for datacenters.
439
Azure pricing calculator
A free web-based tool that allows you to input Azure services and modify properties and options of the services; it outputs the costs per service and the total cost for the full estimate.
440
Azure pricing calculator - Region
Lists the regions from which you can provision a product. Southeast Asia, central Canada, the western United States, and Northern Europe are among the possible regions available for some resources.
441
Azure pricing calculator - Tier
Sets the type of tier you wish to allocate to a selected resource, such as Free Tier, Basic Tier, etc.
442
Azure pricing calculator - Billing Options
Highlights the billing options available to different types of customer and subscriptions for a chosen product.
443
Azure pricing calculator - Support Options
Allows you to pick from included or paid support pricing options for a selected product.
444
Azure pricing calculator - Programs and Offers
Allows you to choose from available price offerings according to your customer or subscription type.
445
Azure pricing calculator - Azure Dev/Test Pricing
Lists the available development and test prices for a product. Dev/Test pricing applies only when you run resources within an Azure subscription that is based on a Dev/Test offer.
446
Export estimate
  * Share in Excel (.xlsx) format.
  * Share a URL that you can use to share this estimate. Anyone with this link will be able to access it, making it easy to share with your team.
  * Save requires the user to be signed in.
We have arrived at a cost estimate for a set of Azure services without spending any money. We didn't create anything, and we have a fully sharable estimate that we can do further analysis or modifications on in the future. You can use this not only to create estimates for systems where you know the specific services you plan to use, but also to compare how different services might impact your overall costs. An example is Microsoft SQL Server on a VM vs. Azure SQL Database.
447
Azure Advisor
A free service built into Azure that provides recommendations on:
  * High availability
  * Security
  * Performance
  * Cost
448
Advisor makes cost recommendations
Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits.
  * This identifies ExpressRoute circuits that have been in the provider status of Not Provisioned for 30+ days.
  * Recommends deleting the circuit if you aren't planning to provision the circuit with your connectivity provider.
Buy reserved instances to save money over pay-as-you-go.
  * This will review your virtual machine usage over the last 30 days.
  * Determines if you could save money in the future by purchasing reserved instances.
  * Will show you the regions and sizes where you potentially have the most savings.
  * Will show you the estimated savings you might achieve from purchasing reserved instances.
Right-size or shut down underutilized virtual machines.
  * This monitors your virtual machine usage for 14 days.
  * Identifies underutilized VMs:
    * average CPU utilization is 5 percent or less
    * network usage is 7 MB or less for 4+ days
  * The average CPU utilization threshold is adjustable up to 20 percent.
  * By identifying these virtual machines, you can decide to resize them to a smaller instance type, reducing your costs.
449
Azure Cost Management
A free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas.
450
Cloudyn
a Microsoft subsidiary, allows you to track cloud usage and expenditures for your Azure resources and other cloud providers including Amazon Web Services and Google. Easy-to-understand dashboard reports help with cost allocation and chargebacks. Cost Management helps optimize your cloud spending by identifying underutilized resources that you can then manage and adjust. Usage for Azure is free, and there are paid options for premium support and to view data from other clouds. Cloudyn is being gradually replaced by Azure Cost Management.
451
Azure TCO calculator
The Azure Total Cost of Ownership calculator predicts your cost savings when starting to migrate to the cloud.
Define your workloads by entering details about your on-premises infrastructure into the TCO calculator according to four groups:
452
Azure TCO calculator - Servers
Enter details of your current on-premises server infrastructure.
453
Azure TCO calculator - Databases
Enter details of your on-premises database infrastructure in the Source section. In the Destination section, select the corresponding Azure service you would like to use.
454
Azure TCO calculator - Storage
Enter the details of your on-premises storage infrastructure.
455
Azure TCO calculator - Networking
Enter the amount of network bandwidth you currently consume in your on-premises environment.
456
Adjust values of TCO
Adjust the values of assumptions that the TCO calculator makes, which might vary between customers. To improve the accuracy of the TCO calculator, you should adjust the values so they match the costs of your current on-premises infrastructure. The assumptions you can customize include:
  * Storage costs
  * IT labor costs
  * Hardware costs
  * Software costs
  * Electricity costs
  * Virtualization costs
  * Datacenter costs
  * Networking costs
  * Database costs
View the report: the TCO calculator generates a detailed report based on the details you enter and the adjustments you make. The report allows you to compare the costs of your on-premises infrastructure with the costs of using Azure products and services to host your infrastructure in the cloud.
457
Azure credits
Visual Studio subscribers can activate a monthly credit benefit which allows you to experiment with, develop, and test new solutions on Azure with Azure Credits, without incurring any monetary costs:
  * App Service
  * Windows 10 VMs
  * Azure SQL Server databases
  * Containers
  * Cognitive Services
  * Functions
  * Data Lake
You will own a separate Azure subscription under your account with a monthly credit balance that renews each month while you remain an active Visual Studio subscriber. The credit amount varies based on the program level:
  * 50 credits/month for VS Professional
  * 150 credits/month for Enterprise
***The monthly Azure credit for Visual Studio subscribers is for development and testing only and does not carry a financially-backed SLA. Azure will suspend any instance (VM or cloud service) that runs continuously for more than 120 hours or if it's determined that the instance is being used for production. This benefit is made available to Visual Studio subscribers on a best efforts basis; there is no guarantee of capacity availability.
458
Use spending limits
By default, Azure subscriptions which have associated monthly credits (which includes trial accounts) have a spending limit to ensure you aren't charged once you have used up your credits. This feature is useful for development teams exploring new solution architectures, as it ensures you won't have an unexpectedly large bill at the end of the month.
***Azure spending limits are not the same as Subscription, Service, or Resource Group limits and quotas.
The spending limit helps prevent you from exhausting the credit on your account within each billing period. When your Azure usage results in charges that use all the included monthly credit, the services that you deployed are disabled and turned off for the rest of that billing period. Once a new billing period starts, assuming there are credits available, the resources are re-activated and deployed.
You are notified by email when you hit the spending limit for your subscription. The Azure portal includes notifications about your credit spend. You can adjust the spending limit as desired or even turn it off.
***The spending limit feature is specific to subscriptions that include a monthly Azure credit allotment. It is not available on pay-only subscriptions.
459
Use reserved instances
If you have VM workloads that are static and predictable, particularly ones that run 24x7x365, using reserved instances is a fantastic way to potentially save up to 70-80%, depending on the VM size. Azure reserved instances save you up to 72%, and using reserved instances plus Azure Hybrid Benefit saves up to 80% in costs.
  * Reserved instances are purchased in one-year or three-year terms, with payment required for the full term up front.
  * Microsoft matches up the reservation to running instances and decrements the hours from your reservation.
  * Reservations can be purchased through the Azure portal.
  * Available for both Windows and Linux VMs.
460
Choose low-cost locations and regions
The cost of Azure products, services, and resources can vary across locations and regions; you should use them in those locations and regions where they cost less.
  * Some resources are metered and billed according to how much outgoing network bandwidth they consume (egress).
  * You should provision connected resources that are bandwidth metered in the same region to reduce egress traffic between them.
461
Research available cost-saving offers
Keep up-to-date with the latest Azure customer and subscription offers, and switch to offers that provide the most significant cost-saving benefit. You can check the Azure Updates page for information about the latest updates to Azure products, services, and features, as well as product roadmaps and announcements.
462
Right-size underutilized VMs
Right-sizing a VM = the process of resizing it to a proper size.
  * Ex. resizing Standard_D4sv3 to Standard_D2sv3 reduces your compute cost by 50%. Costs are linear and double for each size larger in the same series.
Over-sized VMs are a common unnecessary expense on Azure and one that can be easily fixed. You can change the size of a VM through the Azure portal, Azure PowerShell, or the Azure CLI.
  * Resizing a VM requires it to be stopped, resized, and then restarted. This may take a few minutes depending on how significant the size change is.
  * Plan for an outage, or shift your traffic to another instance while you perform this task.
463
Deallocate VMs in off hours
If you have VM workloads that are only used during certain periods, but you're running them every hour of every day, you're wasting money. These VMs are great candidates to shut down when not in use and start back up on a schedule, saving you compute costs while the VM is deallocated.
Ideal for development environments: it's often the case that development happens only during business hours, which gives you the flexibility to deallocate these systems in the off hours and stop your compute costs from accruing.
Azure now has an automation solution fully available for you to leverage in your environment. You can also use the auto-shutdown feature on a VM to schedule automated shutdowns.
464
Migrate to PaaS or SaaS services
Start with infrastructure-as-a-service (IaaS) services and then move them to platform-as-a-service (PaaS) as appropriate, in an iterative process. PaaS services typically provide substantial savings in both resource and operational costs.
It takes effort to transfer your multi-tier application to a container or serverless-based architecture; continuously evaluate the architecture of your applications to determine if there are efficiencies to be gained through PaaS services. Azure gives you the ability to try out new architecture patterns relatively easily.
Not a quick win from a cost-savings perspective.
465
Azure Architecture Center
a great place to get ideas for transforming your application, as well as best practices across a wide array of architectures and Azure services.
466
Azure Hybrid Benefit for Windows Server
Many customers have invested in Windows Server licenses and would like to repurpose this investment on Azure. The Azure Hybrid Benefit gives customers the right to use these licenses for virtual machines on Azure. That means you won't be charged for the Windows Server license and will instead be billed at the Linux rate.
Windows licenses must be covered by Software Assurance. The following guidelines will also apply:
  * Each two-processor license or each set of 16-core licenses is entitled to two instances of up to 8 cores or one instance of up to 16 cores.
  * Standard Edition licenses can only be used once, either on-premises or in Azure. That means you can't use the same license for an Azure VM and a local computer.
  * Datacenter Edition benefits allow for simultaneous usage both on-premises and in Azure, so that the license will cover two running Windows machines.
***Most customers are typically licensed by core, so you'll use that model for your calculation.
Applying the benefit is easy. It can be turned on and off at any time with existing VMs or applied at deployment time for new VMs. The Hybrid Benefit (especially when combined with reserved instances) can provide substantial license savings.
467
Azure Hybrid Benefit for SQL Server
Helps you maximize the value from your current licensing investments and accelerate your migration to the cloud. It is an Azure-based benefit that enables you to use your SQL Server licenses with active Software Assurance to pay a reduced rate.
You can use this benefit even if the Azure resource is already active, but the reduced rate will only be applied from the time you select it in the portal. No credit will be issued retroactively.
468
Azure SQL Database vCore-based options
For Azure SQL Database, the Azure Hybrid Benefit works as follows:
  * If you have Standard Edition per core licenses with active Software Assurance, you can get one vCore in the General Purpose service tier for every one license core you own on-premises.
  * If you have Enterprise Edition per core licenses with active Software Assurance, you can get one vCore in the Business Critical service tier for every one license core you own on-premises.
    * Note that the Azure Hybrid Benefit for SQL Server for the Business Critical service tier is available only to customers who have Enterprise Edition licenses.
  * If you have highly virtualized Enterprise Edition per core licenses with active Software Assurance, you can get four vCores in the General Purpose service tier for every one license core you own on-premises.
    * This is a unique virtualization benefit available only on Azure SQL Database.
469
For SQL Server in Azure VMs
For SQL Server in Azure VMs, the Azure Hybrid Benefit works as follows:
  * If you have Standard Edition per core licenses with active Software Assurance, you can get one core of SQL Server Standard Edition in Azure VMs for every one license core you own on-premises.
  * If you have Enterprise Edition per core licenses with active Software Assurance, you can get one core of SQL Server Enterprise Edition in Azure VMs for every one license core you own on-premises.
This can make a dramatic impact on your Azure spending with SQL Server workloads.
470
Dev/Test subscription offers
Enterprise Dev/Test - for a customer on an Enterprise Agreement.
Pay-As-You-Go Dev/Test - for a customer using Pay-As-You-Go (without an Enterprise Agreement).
Both offers are a benefit for non-production environments and give you several discounts:
  * Most notably for Windows workloads: eliminating license charges and only billing you at the Linux rate for VMs.
  * Applies to SQL Server and any other Microsoft software that is covered under a Visual Studio subscription (formerly known as MSDN).
Requirements:
  * Only for non-production workloads.
  * Any users of these environments (excluding testers) must be covered under a Visual Studio subscription.
471
Bring your own SQL Server license
For a customer on an Enterprise Agreement who already has an investment in SQL Server licenses. During migration, they can provision bring your own license (BYOL) images from the Azure Marketplace to use the unused licenses and reduce their Azure VM cost.
Compared with provisioning a Windows VM and manually installing SQL Server, this simplifies the creation process by leveraging Microsoft certified images. Search for BYOL in the Marketplace to find these images.
***An Enterprise Agreement subscription is required to use these certified BYOL images.
472
Use SQL Server Developer Edition
A free product for nonproduction use that has all the same features that Enterprise Edition has, but for nonproduction workloads. Look for SQL Server images for Developer Edition on the Azure Marketplace and use them for development or testing purposes to eliminate the additional cost for SQL Server in these cases.
  * For full licensing information, take a look at the documented pricing guidance: https://docs.microsoft.com/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-server-pricing-guidance
Use constrained instance sizes for database workloads
Many customers have high requirements for memory, storage, or I/O bandwidth but low CPU core counts. Azure offers the popular VM sizes (DS, ES, GS, and MS) in new sizes that constrain the vCPU count to one half or one-quarter of the original VM size, while maintaining the same memory, storage, and I/O bandwidth. Because database products like SQL Server and Oracle are licensed per CPU, this allows customers to reduce licensing cost by up to 75 percent but still maintain the high performance their database requires.