Describe Azure Architecture And Services Flashcards

1
Q

What is an Azure Region?

A

A region is a geographical area that contains multiple datacenters that are nearby and networked together with a low-latency network.

2
Q

What is an Availability zone?

A

Availability zones are physically separate datacenters within an Azure region connected together through high-speed, private fiber-optic networks.

3
Q

What are Azure region pairs

A

A region pair is two Azure regions that are paired together.

4
Q

What are Azure region pairs

A

A region pair is an Azure region that is paired together with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.

If a region in a pair was affected by a natural disaster, services would automatically fail over to the other region in its region pair.

5
Q

What is a resource?

A

A resource is an instance of an Azure service that you create, e.g. VMs, storage accounts, app services.

6
Q

What is a resource group?

A

Collection of resources grouped together.

  • When you apply an action to a resource group, that action will apply to all the resources within the resource group.
  • If you delete a resource group, all the resources will be deleted.
  • If you grant or deny access to a resource group, you’ve granted or denied access to all the resources within the resource group.
7
Q

What is a Subscription?

A

Container that is used to provision Azure resources (VM, storage, network). The resources are used and billed as a group. An Azure subscription links to an Azure account, which provides authentication.

8
Q

What are the two types of subscription boundaries that you can have?

A
  • Billing boundary: This subscription type determines how an Azure account is billed for using Azure. You can create multiple subscriptions for different types of billing requirements. Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
  • Access control boundary: This billing model allows you to manage and control access to the resources that users provision with different subscriptions.
9
Q

What is a management group?

A

Management groups allow you to organize your subscriptions and apply governance controls, such as Azure Policy and Role-Based Access Control (RBAC), to the management groups. All subscriptions within a management group automatically inherit the controls applied to the management group.

10
Q

What are Azure Virtual Machines?

A

Azure Virtual Machines let you create and use VMs in the cloud.

11
Q

What are Azure Virtual machine scale sets?

A

Azure Virtual Machine Scale Sets let you create, manage, configure and update a large group of identical load-balanced VMs. The number of VM instances can increase or decrease according to demand, or scale based on a defined schedule.

12
Q

What are Azure Availability sets? (Update domain or fault domain?)

A

Azure Availability Sets are used to stagger VM updates. They have varied power and network connectivity, preventing you from losing all your VMs to a single network or power failure. This is done by grouping VMs in update domains or fault domains.

Update domain: The update domain groups VMs that can be rebooted at the same time.

The fault domain groups your VMs by common power source and network switch.

13
Q

What is Azure Virtual Desktop?

A

Azure Virtual Desktop is a desktop and application virtualization service that runs on the cloud. It enables you to use a cloud-hosted version of Windows from any location.

14
Q

What are Azure containers?

A

Containers are a virtualization environment. Unlike virtual machines, you don’t manage the operating system for a container and you can run multiple operating systems on a single container.

VMs virtualise the hardware and Containers virtualise the operating system.

15
Q

What are Azure container instances?

A

Azure Container Instances are a platform as a service (PaaS) offering. Azure Container Instances allow you to upload your containers and then the service will run the containers for you.

16
Q

What are Azure Functions?

A

Azure Functions is an event-driven, serverless compute option that doesn’t require maintaining virtual machines or containers. If you build an app using VMs or containers, those resources have to be “running” in order for your app to function. With Azure Functions, an event wakes the function, alleviating the need to keep resources provisioned when there are no events.

17
Q

What is Azure App Service?

A

App Service is an HTTP-based hosting service that enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers automatic scaling and high availability. It supports Windows and Linux and enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model.

18
Q

Give examples of App Service app types.

A

Web apps
API jobs
WebJobs
Mobile apps

19
Q

What are Azure virtual networks and virtual subnets?

A

Azure virtual networks and virtual subnets enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.

Azure virtual networking supports both public and private endpoints to enable communication between external or internal resources with other internal resources.

  • Public endpoints have a public IP address and can be accessed from anywhere in the world.
  • Private endpoints exist within a virtual network and have a private IP address from within the address space of that virtual network.
20
Q

What is a point-to-site virtual private network?

A

Point-to-site virtual private network connections are from a computer outside your organization back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.

21
Q

What are site-to-site virtual private networks?

A

Site-to-site virtual private networks link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.

22
Q

What is ExpressRoute?

A

Azure ExpressRoute provides dedicated private connectivity to Azure that doesn’t travel over the internet. ExpressRoute is useful for environments where you need greater bandwidth and even higher levels of security.

23
Q

What is a VPN Gateway?

A

A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network to enable connectivity. When you deploy a VPN Gateway, you specify the VPN type: policy-based or route-based.

24
Q

What is a VPN?

A

A VPN establishes a secure, encrypted connection between your computer and the internet, providing a private tunnel for your data and communications while you use public networks.

25
Q

What is the difference between a policy-based and a route-based VPN gateway?

A

Policy-based VPN gateways statically specify the IP addresses of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel that the packet is going to be sent through.

In route-based gateways, IPsec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices.

26
Q

What are the ExpressRoute connectivity models?

A

ExpressRoute supports four models that you can use to connect your on-premises network to the Microsoft cloud:

  • CloudExchange co-location
  • Point-to-point Ethernet connection
  • Any-to-any connection
  • Directly from ExpressRoute sites
27
Q

What is Azure DNS?

A

Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.

28
Q

What are Azure Files?

A

Offers fully managed cloud file shares that you can access from anywhere via the industry-standard Server Message Block (SMB) protocol, Network File System (NFS) protocol, and Azure Files REST API.

You can mount Azure file shares from cloud or on-premises deployments of Windows, Linux, and macOS.
- when you want to lift and shift an application to the cloud
- when you want to replace on-premises file servers

29
Q

What are Azure Blobs?

A

Allows unstructured data to be stored and accessed at a massive scale in block blobs.

  • to be able to access application data from anywhere
30
Q

What is Azure Elastic SAN?

A

Azure Elastic SAN (preview) is a fully integrated solution that simplifies deploying, scaling, managing, and configuring a SAN, while also offering built-in cloud capabilities like high availability.

31
Q

What are Azure Disks?

A

Allows data to be persistently stored and accessed from an attached virtual hard disk.

32
Q

What are Azure Queues?

A

Allows for asynchronous message queueing between application components.

33
Q

What are Azure Tables?

A

Allows you to store structured NoSQL data in the cloud, providing a key/attribute store with a schemaless design.

  • for storing flexible datasets like user data, address books
34
Q

What is Azure NetApp Files?

A

Offers a fully managed, highly available, enterprise-grade NAS service that can handle the most demanding, high-performance, low-latency workloads requiring advanced data management capabilities.

35
Q

Explain Azure storage redundancy?

A

Azure Storage always stores multiple copies of your data so that it’s protected from planned and unplanned events such as transient hardware failures, network or power outages, and natural disasters. Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region, locally redundant storage (LRS) and zone-redundant storage (ZRS).

36
Q

What is locally redundant storage?

A

Locally redundant storage (LRS) replicates your data three times within a single data center in the primary region. LRS provides at least 11 nines of durability (99.999999999%) of objects over a given year.

37
Q

What is zone-redundant storage?

A

Zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year.

38
Q

What are the options for copying your data into a secondary region?

A
  • GRS copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region (the region pair) using LRS. GRS offers durability for Azure Storage data objects of at least 16 nines (99.99999999999999%) over a given year.
  • GZRS combines the high availability provided by redundancy across availability zones with protection from regional outages provided by geo-replication. Data in a GZRS storage account is copied across three Azure availability zones in the primary region (similar to ZRS) and is also replicated to a secondary geographic region, using LRS, for protection from regional disasters.
39
Q

What is Azure Migrate?

A

Azure Migrate is a service that helps you migrate from an on-premises environment to the cloud. Azure Migrate functions as a hub to help you manage the assessment and migration of your on-premises datacenter to Azure.

40
Q

What is Azure Data Box?

A

Azure Data Box is a physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box storage device that has a maximum usable storage capacity of 80 terabytes.

It can also be used for disaster recovery, or to migrate back to on-premises or to another cloud service provider.

41
Q

What is AzCopy?

A

AzCopy is a command-line utility that you can use to copy blobs or files to or from your storage account. With AzCopy, you can upload files, download files, copy files between storage accounts, and even synchronize files. AzCopy can even be configured to work with other cloud providers to help move files back and forth between clouds.

42
Q

What is Azure Storage Explorer?

A

Azure Storage Explorer is a standalone app that provides a graphical interface to manage files and blobs in your Azure Storage Account.

43
Q

What is Azure File Sync?

A

Azure File Sync is a tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance, and compatibility of a Windows file server. It’s almost like turning your Windows file server into a miniature content delivery network. Once you install Azure File Sync on your local Windows server, it will automatically stay bi-directionally synced with your files in Azure.

44
Q

What is Azure Active Directory?

A

Azure Active Directory (Azure AD) is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop. It provides authentication, single sign-on, and application and device management.

45
Q

What is single sign-on?

A

Single sign-on (SSO) is an authentication method that allows users to sign in using one set of credentials to login across applications. For SSO to work, the different applications and providers must trust the initial authenticator. With SSO, you need to remember only one ID and one password.

46
Q

What is multi-factor authentication?

A
47
Q

What is Windows Hello for Business?

A

Windows Hello for Business is ideal for information workers that have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user’s PC, which prevents access from anyone other than the owner. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.

48
Q

What is Microsoft Authenticator App?

A

The Microsoft Authenticator App turns any iOS or Android phone into a strong, passwordless credential.

49
Q

What are FIDO2 security keys?

A

Users can register and then select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC.

50
Q

What is conditional access in Azure AD?

A

Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. It is used to provide access to resources based on organizational policies.

51
Q

What is role-based access control?

A

The principle of least privilege says you should only grant access up to the level needed to complete a task. Azure RBAC uses an allow model.

52
Q

Describe the Zero Trust model.

A

Zero Trust is a security model that assumes the worst case scenario and protects resources with that expectation. Zero Trust assumes breach at the outset, and then verifies each request as though it originated from an uncontrolled network.

  • Verify explicitly- Always authenticate and authorize based on all available data points.
  • Use least privilege access- Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
  • Assume breach- Minimize blast radius and segment access. Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses.
53
Q

Describe defense in depth.

A

Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. This approach removes reliance on any single layer of protection. It slows down an attack and provides alert information that security teams can act upon, either automatically or manually.

54
Q

Give a brief overview of each layer.

A

Here’s a brief overview of the role of each layer:

  • The physical security layer is the first line of defense to protect computing hardware in the datacenter. Physical security mechanism
  • The identity and access layer controls access to infrastructure and change control. Use SSO and MFA
  • The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
  • Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
  • Use perimeter firewalls to identify and alert on malicious attacks against your network.
  • The network layer limits communication between resources through segmentation and access controls.
  • Limit communication between resources.
  • Deny by default.
  • Restrict inbound internet access and limit outbound access where appropriate.
  • Implement secure connectivity to on-premises networks.
  • The compute layer secures access to virtual machines.
  • Secure access to VMs
  • Implement endpoint protection on devices and keep systems patched and current.
  • The application layer helps ensure that applications are secure and free of security vulnerabilities.
  • Ensure that applications are secure and free of vulnerabilities.
  • Store sensitive application secrets in a secure storage medium.
  • Make security a design requirement for all application development.
  • The data layer controls access to business and customer data that you need to protect.
  • Regulatory requirements dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.
55
Q

Describe Microsoft Defender for Cloud.

A

Defender for Cloud is a monitoring tool for security posture management and threat protection. It monitors your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications aimed at strengthening your security posture.