Describe Azure Architecture and Services Flashcards
Describe Azure regions, regional pairs, and sovereign regions
Region: A region is a geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network.
Regional pair: Two Azure regions within the same geography (e.g. US, Europe, Asia) that are at least 300 miles apart. In a region-wide outage, Azure prioritizes restoring one region of the pair, and services that replicate to the paired region (for example geo-redundant storage) can fail over to it.
Sovereign region: An instance of Azure that is isolated from the main (global) Azure instance, for example Azure Government. You may need a sovereign region for compliance or legal reasons.
Describe availability zones
Consists of physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking. If one zone goes down, the other continues working. Availability zones are connected through high-speed, private fiber-optic networks.
Describe Azure datacenters
Facilities with resources arranged in racks, with dedicated power, cooling, and networking infrastructure.
Describe Azure resources
Resources Include (VSVASF):
Virtual Machines
Storage Accounts
Virtual Networks
App Services
SQL Databases
Functions
Describe Resource Groups
A container to manage and aggregate resources in a single unit.
Resources can only exist in one resource group
Resources can exist in different regions.
Resources can be moved to different resource groups
Applications can utilize multiple resource groups
Describe subscriptions
A unit of management, billing, and scale that provides authenticated and authorized access to Azure products and services. An Azure account can have one or more subscriptions.
Describe management groups
Management groups can contain multiple subscriptions (and other management groups). Subscriptions inherit the policies and access assignments applied to their management group.
e.g. three subscriptions (dev, test, and production) can be placed under one management group so that the same policies apply to all three. Note that each directory can have multiple management groups, nested up to six levels below the root.
Describe the hierarchy of resource groups, subscriptions, resources, and management groups
Management groups contain subscriptions
Subscriptions contain resource groups
Resource groups contain resources
What are the five different Azure compute services?
VACAA
Virtual machines
App Services
Container instances
Azure Kubernetes Services
Azure Virtual Desktop
Describe VM options- Azure Virtual Machines
Software emulations of physical computers. An IaaS offering. Includes: virtual processor, memory, storage, networking.
Describe resources required for virtual machines
Virtual machines require processing power (vCPUs), memory, and storage (an OS disk, plus optional data disks), and a network interface to connect to.
Describe the Web Apps feature of Azure App Service
Web Apps-App Service includes full support for hosting web apps by using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host operating system.
Describe Azure virtual subnets
A subnet is a range of IP addresses within the virtual network's address space. You divide a virtual network into subnets to organize resources and to apply security controls (network security groups, route tables) per subnet.
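A worked example of subnet planning, added here and not part of the original flashcards: it carves a virtual network address space into non-overlapping subnets sized for a given number of hosts, accounting for the five addresses Azure reserves in every subnet (network address, default gateway at .1, two Azure DNS addresses at .2 and .3, and broadcast) and Azure's /29 minimum subnet size. The address spaces and subnet names are constructed.

```python
"""Carve an Azure virtual network address space into subnets.

Added example, not part of the original flashcards. Azure reserves five
addresses in every subnet (the network address, the default gateway at .1,
two for Azure DNS at .2 and .3, and the broadcast address) and the smallest
subnet it allows is a /29. The address spaces used below are constructed.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29


def usable_hosts(cidr: str) -> int:
    """Addresses a NIC can actually take in an Azure subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def overlapping(subnets) -> list:
    """Pairs of CIDRs that overlap (Azure rejects such subnets and peerings)."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def plan_subnets(vnet_cidr: str, wanted: dict) -> dict:
    """Allocate one non-overlapping subnet per name, each with room for
    wanted[name] usable hosts, using best-fit on the remaining free blocks.

    Larger requests are placed first so smaller ones fill the gaps.
    Raises ValueError when the address space is exhausted.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    free = [vnet]          # free blocks not yet handed out
    plan = {}
    for name, hosts in sorted(wanted.items(), key=lambda kv: (-kv[1], kv[0])):
        # smallest prefix whose address count covers hosts + reserved addresses
        need = hosts + AZURE_RESERVED_PER_SUBNET
        prefix = min(32 - (need - 1).bit_length(), AZURE_SMALLEST_PREFIX)
        candidates = [b for b in free if b.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no room for {name} (/{prefix}) in {vnet_cidr}")
        # best fit: the smallest free block that is still big enough
        block = min(candidates, key=lambda b: (-b.prefixlen, int(b.network_address)))
        free.remove(block)
        # split the block in half until it is exactly the requested size,
        # returning the upper halves to the free list
        while block.prefixlen < prefix:
            block, upper = block.subnets(prefixlen_diff=1)
            free.append(upper)
        plan[name] = str(block)
    return plan


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", {"app": 200, "web": 50, "db": 10})
    for name, cidr in plan.items():
        print(f"{name:4s} {cidr:16s} usable hosts: {usable_hosts(cidr)}")
    print("overlaps:", overlapping(plan.values()))
```

The `usable_hosts` figure is the one that matters when sizing a subnet for a scale set or AKS node pool: a /24 gives 251 usable addresses, not 254, and a /29 gives only 3.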
Define public and private endpoints
Public endpoints have a public IP address and are reachable from anywhere on the internet, so they rely on authentication and firewall rules for protection.
Private endpoints place a network interface with a private IP address from the virtual network's address space inside that virtual network, so the service is reached over the private address and its public endpoint can be disabled.
Compare Azure storage services
CDA
Containers (Blob Storage, PaaS) - Unstructured data: photos, audio files, PDFs, etc. Used for hosting images for a public website. Anonymous read access to a container is off unless explicitly enabled at both the account and container level.
Disk storage (IaaS): Managed disks for virtual machines. Fast and easy to use. A disk is attached to one virtual machine at a time (shared disks are a special case).
Azure Files: Fully managed file shares, similar to a file share in an on-premises environment, that can be mounted over the network. Access requires the storage account key, a SAS, or identity-based (Kerberos) authentication. Of the three, Azure Files is the service accessed over the SMB protocol (NFS shares are also supported).
Describe storage tiers
HCA
Hot - For data that is accessed frequently (highest storage cost, lowest access cost)
Cool - For data that is accessed infrequently and stored for at least 30 days (deleting or moving it earlier incurs an early-deletion charge)
Archive - Optimized for data that is rarely accessed and stored for at least 180 days (lowest storage cost). Archived blobs are offline and must be rehydrated to Hot or Cool before they can be read.
Describe storage redundancy options
LRS - locally redundant storage - three copies within a single datacenter in the primary region
ZRS - zone redundant storage - copies across three availability zones in the primary region
GRS - geo redundant storage - LRS in the primary region plus LRS in the paired secondary region
GZRS - geo-zone-redundant storage - ZRS across three availability zones in the primary region plus LRS in a single datacenter in the secondary region
What are the storage account types?
SPPP
Standard general-purpose v2
Premium block blobs
Premium file shares
Premium page blobs
Identify options for moving files: AzCopy
Command-line utility that copies blobs or files to, from, or between storage accounts. Its sync command is one-directional (source to destination only).
Describe migration options, including Azure Migrate and Azure Data Box
Azure Migrate: A single portal to start, run, and track your migration to Azure.
Azure Data Box: A physical storage appliance that lets you move large amounts of data into or out of Azure quickly, safely, and reliably when a network transfer would be too slow. Supports import and export. Ordered through the Azure portal.
Describe directory services in Azure: Azure Active Directory (Azure AD)
Cloud-based identity and access management service (now named Microsoft Entra ID) that provides user accounts and authentication for resources such as Microsoft 365, the Azure portal, and SaaS applications. (Mobile device management is handled by Intune, not Azure AD.)
Describe authentication methods in Azure, including single sign-on (SSO), multifactor
authentication, and passwordless
SSO: Lets a user sign in once with one set of credentials and then access multiple applications and websites without authenticating again. One credential set to manage means fewer passwords for users to reuse and for admins to reset.
Multifactor authentication: Requires two or more elements for full authentication: something you know (e.g. a password), something you possess (e.g. a phone or hardware token), or something you are (e.g. facial recognition, as in Windows Hello).
Passwordless: An employee's phone can become a passwordless authentication method. The Authenticator app, which you may already use as a multifactor option alongside a password, can also be used on its own as a passwordless sign-in method.
Describe external identities and guest access in Azure
External B2B (business to business): Identity and access management for partners, vendors, suppliers, and other collaborators.
External B2C (Business to customer): Identity and access management for your customer-facing apps
Describe Azure AD Conditional Access
Brings signals together to make decisions and enforce organizational policies. Signals can include:
The user and their location
The device being used
Any real-time sign-in risk
The application being accessed
Policies are if-then statements. Example: if Denis signs in from Asia, then require multifactor authentication.
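The if-then evaluation described above as an added worked example (this is a model written for these notes, not Azure AD's policy engine): sign-in signals (user, location, app, real-time risk, device state) are matched against each policy's conditions, and the grant controls of all matching policies are combined, with a block from any one policy winning. The policy names, users, locations and the `breakglass-admin` exclusion are constructed.

```python
"""Evaluate Conditional Access-style policies over sign-in signals.

Added example, not Azure AD's policy engine: it models the signals the
flashcard lists (user, location, device, real-time risk, application) as a
sign-in event, matches each policy's conditions, and combines the grant
controls. Policy names, users and locations are constructed.
"""
from dataclasses import dataclass

RISK_LEVELS = ("none", "low", "medium", "high")


@dataclass
class SignIn:
    user: str
    location: str
    app: str
    risk: str = "none"              # real-time sign-in risk level
    device_compliant: bool = False  # device compliance claim (e.g. from Intune)
    mfa_satisfied: bool = False     # MFA already completed in this session


@dataclass
class Policy:
    name: str
    grant: frozenset                         # {"block"} or any of {"mfa", "compliant_device"}
    users: frozenset = frozenset()           # empty = all users
    exclude_users: frozenset = frozenset()   # emergency-access accounts go here
    locations: frozenset = frozenset()       # empty = any location
    apps: frozenset = frozenset()            # empty = all cloud apps
    min_risk: str = "none"                   # applies at this risk level or above


def applies(policy: Policy, s: SignIn) -> bool:
    """All stated conditions must hold; an empty condition means 'any'."""
    if s.user in policy.exclude_users:
        return False
    if policy.users and s.user not in policy.users:
        return False
    if policy.locations and s.location not in policy.locations:
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    return RISK_LEVELS.index(s.risk) >= RISK_LEVELS.index(policy.min_risk)


def decide(s: SignIn, policies) -> str:
    """Return 'block', 'allow', or 'require <controls>' still outstanding.

    Controls from every matching policy are combined; a block from any one
    policy wins, and controls the sign-in already satisfies drop out.
    """
    controls = set()
    for p in policies:
        if applies(p, s):
            controls |= p.grant
    if "block" in controls:
        return "block"
    if s.mfa_satisfied:
        controls.discard("mfa")
    if s.device_compliant:
        controls.discard("compliant_device")
    if not controls:
        return "allow"
    return "require " + ",".join(sorted(controls))


# Constructed policy set mirroring the flashcard's example.
POLICIES = [
    Policy("MFA when Denis signs in from Asia",
           grant=frozenset({"mfa"}), users=frozenset({"denis"}),
           locations=frozenset({"Asia"})),
    Policy("Block high-risk sign-ins", grant=frozenset({"block"}),
           min_risk="high", exclude_users=frozenset({"breakglass-admin"})),
    Policy("Azure portal needs a compliant device",
           grant=frozenset({"compliant_device"}), apps=frozenset({"Azure portal"})),
]

if __name__ == "__main__":
    for event in (SignIn("denis", "Asia", "Outlook"),
                  SignIn("denis", "Europe", "Outlook"),
                  SignIn("alice", "Asia", "Outlook", risk="high"),
                  SignIn("denis", "Asia", "Azure portal")):
        print(event.user, event.location, event.app, "->", decide(event, POLICIES))
```

Two practical points the model makes visible: a policy that blocks on risk must exclude the emergency-access (break-glass) accounts, or a risk detection can lock every administrator out; and when several policies match one sign-in, every required control must be satisfied, not just the first policy's.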
Describe Azure role-based access control (RBAC)
Segregates duties within a team and grants users only the access they need to do their jobs. A role assignment is a principal plus a role definition at a scope (management group, subscription, resource group, or resource), and assignments made at a higher scope are inherited by everything beneath it.
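An added worked example (not Azure's authorization engine) that ties the hierarchy card above (management groups contain subscriptions, subscriptions contain resource groups, resource groups contain resources) to RBAC: it resolves the roles a principal effectively holds at a resource by walking up the scope chain, checks an action against the role's Actions and NotActions, and flags assignments that violate least privilege by granting Owner or Contributor at subscription or management-group scope. The role table is a simplified subset of the built-in definitions; the scope paths, subscription ID, principal names and assignments are constructed.

```python
"""Resolve effective Azure RBAC permissions through the management-group /
subscription / resource-group / resource hierarchy.

Added example, not Azure's own authorization engine: role definitions are a
simplified subset of the built-in roles, and the scope paths, principal
names and subscription ID are made up.
"""
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/"
SUB_PROD = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed ID
RG_WEB = SUB_PROD + "/resourceGroups/rg-web"
RG_DB = SUB_PROD + "/resourceGroups/rg-db"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
SA_DB = RG_DB + "/providers/Microsoft.Storage/storageAccounts/stdb01"

# Management-group membership must be stated explicitly: a subscription's
# scope string does not embed the management group it belongs to.
PARENTS = {
    MG + "mg-prod": MG + "mg-corp",
    SUB_PROD: MG + "mg-prod",
}

# (Actions, NotActions) per role; a subset of the real built-in definitions.
ROLES = {
    "Owner": ({"*"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/elevateAccess/Action"}),
    "Reader": ({"*/read"}, set()),
    "Virtual Machine Contributor": ({"Microsoft.Compute/virtualMachines/*",
                                     "Microsoft.Compute/disks/*",
                                     "Microsoft.Network/networkInterfaces/*"}, set()),
}

# Constructed role assignments: (principal, role, scope)
ASSIGNMENTS = [
    ("alice", "Reader", MG + "mg-corp"),
    ("bob", "Virtual Machine Contributor", RG_WEB),
    ("carol", "Owner", MG + "mg-prod"),
    ("dave", "Contributor", SUB_PROD),
]


def parent(scope):
    """Enclosing scope, or None at the root management group."""
    if scope in PARENTS:
        return PARENTS[scope]
    if scope.startswith("/subscriptions/"):
        if "/providers/" in scope:          # resource -> resource group
            return scope.split("/providers/", 1)[0]
        if "/resourceGroups/" in scope:     # resource group -> subscription
            return scope.split("/resourceGroups/", 1)[0]
    return None


def ancestors(scope):
    """The scope itself, then each enclosing scope up to the root."""
    while scope is not None:
        yield scope
        scope = parent(scope)


def effective_roles(principal, scope, assignments=ASSIGNMENTS):
    """Roles a principal holds at `scope`, including ones inherited from above."""
    chain = set(ancestors(scope))
    return {role for p, role, s in assignments if p == principal and s in chain}


def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """True if some effective role grants `action` (Actions minus NotActions).

    Azure compares action strings case-insensitively, hence the lower().
    """
    for role in effective_roles(principal, scope, assignments):
        actions, not_actions = ROLES[role]
        granted = any(fnmatchcase(action.lower(), pat.lower()) for pat in actions)
        denied = any(fnmatchcase(action.lower(), pat.lower()) for pat in not_actions)
        if granted and not denied:
            return True
    return False


def broad_assignments(assignments=ASSIGNMENTS):
    """Least-privilege audit: Owner/Contributor granted at subscription or
    management-group scope, which every resource underneath inherits."""
    return [(p, r, s) for p, r, s in assignments
            if r in ("Owner", "Contributor") and "/resourceGroups/" not in s]


if __name__ == "__main__":
    print("bob can start vm-web-01:",
          is_allowed("bob", "Microsoft.Compute/virtualMachines/start/action", VM_WEB))
    print("dave can assign roles in rg-web:",
          is_allowed("dave", "Microsoft.Authorization/roleAssignments/write", RG_WEB))
    print("broad assignments:", broad_assignments())
```

The NotActions on Contributor are the reason it is safer than Owner: a Contributor can change resources but cannot grant roles, so compromising that identity does not let an attacker escalate by assigning themselves Owner.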
Describe the concept of Zero Trust
Zero trust: A security model that assumes breach: no request is trusted because of where it comes from (for example, from inside the corporate network). Every request is verified explicitly, access is granted with least privilege, and all assets are protected as if an attacker were already on the network.
Describe the purpose of the defense in depth model
A layered approach to security in which each layer provides its own protection, so that a single control failing does not expose the data. From the outermost layer inward: physical security, identity and access, perimeter, network, compute, application, and data (the center).
Describe the purpose of Microsoft Defender for Cloud
Provides threat protection for both Azure and on-premises datacenters.
Provides security recommendations (secure score)
Detects and blocks malware
Analyzes and identifies potential attacks
Just-in-time VM access: management ports stay closed and are opened only on request, for a limited time
Describe subscription billing boundaries
Generate separate billing reports and invoices for each subscription.
Describe subscription access control boundaries
Manage and control access to the resources that users can use with specific subscriptions.
Describe VM options- Azure Virtual Machine Scale Sets
A group of identical, load-balanced VMs. Scales out (adds instances) when resource demand increases and scales in (removes instances) when demand is lower.
Describe VM options - availability sets
A logical grouping of VMs that provides redundancy and availability. There is no charge for the availability set itself; you are only charged for the VMs deployed in it.
An availability set spreads its VMs across fault domains and update domains, all within the same datacenter (use availability zones to protect against a datacenter-wide failure).
Describe Availability Set Update Domains
A group of VMs that can be rebooted together during planned maintenance. VMs in different update domains are never updated at the same time, so at least one update domain stays up. An availability set has 5 update domains by default and up to 20.
Describe availability set fault domains
A group of VMs that share a common power source and network switch, like a rack in a datacenter. An availability set can have up to 3 fault domains, so a single rack failure takes down at most the VMs in that one domain.
Describe Azure Virtual Desktop
Azure Virtual Desktop is a cloud-hosted version of Windows that can be accessed from any location. Azure Virtual Desktop works across devices and operating systems, and works with apps that you can use to access remote desktops or most modern browsers.
Describe Azure containers
Lightweight virtualized environment that does not require OS management, starts quickly, and can scale to respond to changes on demand.
Describe Azure Container Instances
PaaS offering that runs a container in Azure without the need to manage a virtual machine or additional services.
Describe Azure Kubernetes Service
Orchestration service for containers with distributed architectures and large volumes of containers
Describe Azure App Services
A PaaS offering. Fully managed platform to build, deploy, and scale web apps and APIs quickly. Works with .NET, .NET Core, Node.js, Java, Python, or PHP.
Describe virtual network peering
You can link virtual networks together by using virtual network peering. Peering lets two virtual networks (in the same or different regions) route traffic directly to each other over private IP addresses on the Microsoft backbone. The two address spaces must not overlap, and peering is not transitive: if A is peered with B and B with C, A cannot reach C without an additional hop such as a gateway or network virtual appliance.
Describe the supported storage services for the account type: Standard general-purpose v2
Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, and Azure Files
Describe the supported storage services for the account type: Premium block blobs
Blob Storage (including Data Lake Storage)
Describe the supported storage services for the account type: Premium file shares
Azure Files
Describe the supported storage services for the account type: Premium page blobs
Page blobs only
Identify options for moving files: Azure Storage Explorer
Graphical User Interface (like Windows File Explorer)
Compatible with Windows, Mac, and Linux
Uses AzCopy to handle file operations
Identify options for moving files: Azure File Sync
Works with on-premises file servers to keep files in sync with Azure Files bidirectionally
Keeps frequently accessed files local, while freeing up space
Describe directory services in Azure: Azure Active Directory Domain Services (Azure AD DS)
Provides features:
Domain join,
Group policy,
LDAP,
Kerberos / NTLM authentication.
True or False: Resources can only exist in one resource group
True
True or False: Resources cannot exist in different regions
False. Resources can exist in different regions.
True or False: Resources can be moved to different resource groups
True
True or False: Applications cannot utilize multiple resource groups
False. Applications can utilize multiple resource groups