Describe Azure architecture and services Flashcards

1
Q

Name some resources associated with creating a VM

A

A resource group
An OS image
A network interface

2
Q

What are the considerations for container instance creation?

A

Image used cannot be changed after instance creation
DNS name label cannot be changed after instance creation

3
Q

What are the cost considerations for a Vnet?

A

If you peer Vnets in the same region, no data transfer charges
If you peer Vnets in different regions, you will be billed inter-region EGRESS charges

4
Q

What are cost considerations for Azure app services?

A

Billed even when no web apps are running or the web apps are stopped
Must delete an app service plan to stop billing

5
Q

What is authentication?

A

Process of establishing the identity of a person or service and proving they are who they say they are

6
Q

What is authorization?

A

Process of establishing what level of access the authenticated person or service has to a resource
What they can access and what action they can perform

7
Q

What are MFA and conditional access?

A

MFA: additional layer of security for identifying a user (two or more factors required for authentication)
Conditional access: provides more granular levels of access control

8
Q

What are RBAC role scopes?

A

RBAC scope represents the resource level to which the access applies
Scopes are: management group, subscription, resource group, resource

9
Q

What are resource groups?

A

Logical containers for Azure resources used as management scopes for access management and policy

10
Q

What are the Zero Trust foundational principles?

A

Assume breach
Verify explicitly

11
Q

What is Defence-in-Depth? (DiD)

A

Strategy that places multiple layers of different forms of defense between attackers and the resources
No single layer of protection or security service is solely responsible for protecting the resources

12
Q

What is MS Defender for Cloud?

A

Service used to improve an organization’s security posture and workload protection
Provides:
Cloud Security Posture Management (CSPM)
Cloud Workload Protection (CWP)

13
Q

Are costs incurred for data transfer into and out of Azure?

A

INGRESS (into) is free
EGRESS (out of) is billed
Data transfer through VNets peered between 2 regions is billed

14
Q

What factors affect costs?

A

Purchasing model (pay as you go or reservation)
Resource type
Location
Usage period
Network traffic

15
Q

What resources will NOT reduce costs for a VM?

A

Network Security Groups
Network Interfaces
Availability Sets

16
Q

What is an Azure VNet?

A

Azure VNet is an IaaS resource that enables communication with Azure resources.
A VNet represents a software-defined, single-tenant, private network in a single Azure region

17
Q

To what must a VNet be attached when you create and manage it?

A

A VNet belongs to a resource group that belongs to a subscription and can only be part of one region.
VNets can span across data center zones but are not available across regions.

18
Q

How do resources communicate?

A

Resources in different subscriptions can communicate with each other if
- they are part of the same VNet
- they are part of peered VNets
- a VPN gateway connects the VNets and they don’t have conflicting IP ranges

19
Q

How is data transfer in VNets billed?

A

All traffic entering (ingress) a VNet and region is “not billed”
All traffic leaving (egress) a VNet and between 2 VNets peered in 2 separate regions is “billed”

20
Q

Name the 2 kinds of VNet peering

A

Regional VNet peering: used to connect VNets from the same region
Global VNet peering: used to connect VNets from different regions

21
Q

What can you use to connect Azure resources, such as Azure SQL databases, to an Azure virtual network?

A

Service endpoints are used to expose Azure services to a virtual network, providing communication between the two

22
Q

To which object or level is an Azure role-based access control (RBAC) role applied?

A

An Azure RBAC role is applied to a scope, which is a resource or set of resources that the access applies to

23
Q

You plan to extend your company’s network to Azure.
The network contains a VPN appliance that uses an IP address of 131.107.200.1.
You need to create an Azure resource that defines the VPN appliance in Azure.
Which Azure resource should you create?

A

A Local Network Gateway is an object in Azure that represents your on-premises VPN device.
A Virtual Network Gateway is the VPN object at the Azure end of the VPN.
A ‘connection’ is what links the Local Network Gateway and the Virtual Network Gateway to bring up the VPN.

The local network gateway typically refers to your on-premises location.
You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection.
You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device.
The address prefixes you specify are the prefixes located on your on-premises network.
If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

24
Q

Your company is considering using a Linux-based Azure Container Instance to deploy a simple app. The app runs as a stateful app.
You need to provide storage to retrieve and persist state.
What type of storage should you use?

A

Azure Files
The only storage option that supports persistent storage for ACI
You need to create the share and then create a container specifying the share and volume mount point

25
Q

True or False?
Azure Virtual Desktop supports Remote Desktop clients on macOS and iOS

A

True

26
Q

True or False?
Azure Virtual Desktop users should exist in the same Windows Server Active Directory (AD) that is linked to MS Entra ID

A

True

27
Q

True or False?
Virtual Network peering can be used to connect virtual networks across Azure Regions

A

True

28
Q

True or False?
Virtual Network peering can be used to transfer data between MS Entra tenants

A

True

29
Q

True or False?
Configuring peering requires a short downtime for the peered VNet

A

False

30
Q

You have completed the migration of your org’s core servers and processes to cloud-based VMs
Your final project involves migrating a weekly batch-processing task that can run anytime during the weekend and relies on operating system drivers to print PDF reports.
You also need to minimize costs.
What should you do?

A

Run the batch processing task using spot instances
Spot instances or VMs:
* reduce cost by taking advantage of unutilized compute capacity
* however, they don’t offer guaranteed compute resources at a specific time
* are perfect for batch and other asynchronous processing that can occur on a flexible schedule

31
Q

What is an Azure spot instance?

A

Spot pricing provides access to Azure compute resources at deep discounts when they are unused.
You can set the maximum price that you agree to pay: when it’s reached, or if Azure has no compute capacity available, your spot VMs are automatically evicted

Spot VMs are only allocated while Azure capacity is available
Spot VMs have no SLA
If Azure needs capacity back, spot VMs can be evicted with a 30-second notice

32
Q

What is Azure Dedicated Host?

A

Provides physical servers dedicated to your organizational workload only and not shared with other Azure customers.
You are billed at the host level, regardless of the number of VMs you deploy

33
Q

What is Azure Key Vault?

A

Azure Key Vault is used to securely store secret objects.
Features include
* secure storage of, and controlled access to, tokens, passwords, certificates, API keys, etc.
* creating and controlling encryption keys used to encrypt data
* provisioning, managing, and deploying both public and private SSL/TLS certificates
* storing secrets and keys protected by software or by FIPS 140-2 Level 2 validated hardware security modules

34
Q

MS Entra ID and Active Directory Federation Services
When they both exist, what is the consequence for the authentication process?

A

When it’s used with on-premises Active Directory Federation Services, MS Entra ID hands off authentication to the AD FS server

MS Entra ID authentication and authorization support doesn’t require integration with an on-premises AD.

35
Q

Is it possible to authenticate with MS Entra ID on a web app?

A

Web apps must be registered with MS Entra ID to support authentication and authorization services.
Registration is through the MS Azure Management Portal

36
Q

2 companies have their own MS Entra tenants. One acquires the other.
The billing ownership of a subscription for an account in your MS Entra tenant is transferred to an account in another MS Entra tenant. This associates the subscription with the new directory.
What happens to the users and groups with role-based access to manage the subscription?

A

They lose their access

RBAC assignments do not carry over when you associate the subscription with a new tenant
Classic subscription admins (Service admin or Co-admin) lose access
The only user initially able to manage resources in the subscription is the user account that accepts the transfer

37
Q

2 companies have their own MS Entra tenants. One acquires the other.
The billing ownership of a subscription for an account in your MS Entra tenant is transferred to an account in another MS Entra tenant. This associates the subscription with the new directory.
What happens to system-assigned managed identities?

A

They are NOT re-enabled automatically
They must be re-enabled after the transfer

38
Q

2 companies have their own MS Entra tenants. One acquires the other.
The billing ownership of a subscription for an account in your MS Entra tenant is transferred to an account in another MS Entra tenant. This associates the subscription with the new directory.
What happens to the Azure Kubernetes Service cluster owned by the subscription? Does this cause the AKS to lose functionality?

A

The Azure Kubernetes Service cluster owned by the subscription loses its functionality
This is due to the lost service principal and lost role assignments

39
Q

You want to publish an on-premises web app using MS Entra ID functionality to authenticate.
Which minimum license do you need?

40
Q

You want on-premises directory synchronization with MS Entra ID
Which minimum license should you use?

A

You can use the free one
It also supports SSO and user and group management

41
Q

You want on-premises users to be able to reset their passwords
Which minimum MS Entra ID license should you use?

42
Q

What is the use of Application security groups?

A

Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines, or similar servers, and define network security policies based on those groups.
You can reuse your security policy at scale without manual maintenance of explicit IP addresses.

43
Q

Which solutions can you use to transfer an on-premises virtual hard disk to Azure?

A
  • AzCopy, using Azure PowerShell or Azure CLI (or Azure Cloud Shell): a CLI to upload and download data to and from Azure Blob storage, and to transfer data within or between Azure storage accounts
  • Azure Storage Explorer
44
Q

You use MS 365 for email. You need to ensure that users do not accidentally send credit card numbers to external customers via email
What can you do?

A

In MS Purview
1. Identify and define a sensitive information type
2. Define a MS Purview Data Loss Prevention (DLP) Policy

MS Purview comes bundled with predefined information types that you can use to scan content for sensitive information (credit card numbers…)

45
Q

What can you use to quickly migrate a SQL Server from on-premises to Azure while retaining operating system access?

A

SQL Server on Azure VMs

46
Q

What can you use as a cost effective, serverless database with an intermittent usage pattern and low compute utilization over time?

A

Azure SQL Database

47
Q

What can you use to lift and shift an on-premises SQL Server with minimal changes to an Azure PaaS solution?

A

Azure SQL Managed Instance
SQL Managed Instance allows existing SQL Server customers to lift and shift their on-premises applications to the cloud with minimal application and database changes

48
Q

Which features are supported by MS Entra ID P1 edition?

A

MS Entra ID P1 edition supports
* RBAC
* MS Entra Conditional access
* users and groups management (like free version)
* authentication (like free version)
* SSO (like free version)

49
Q

Which features are supported by MS Entra ID P2 edition?

A

MS Entra ID P2 edition supports
* users and groups management (like free version)
* authentication (like free version)
* SSO (like free version)
* RBAC (like P1)
* MS Entra Conditional access (like P1)
* Identity Protection
* Self-service entitlement management
* Privileged Identity Management
* just in time access

50
Q

True or false?
A Network Security Group can be used with virtual networks in multiple regions.

A

False.
An NSG can ONLY be associated with VNets in THE SAME REGION in which it was created

51
Q

True or false?
You can associate a Network Security Group with more than one network interface and subnet

A

True
Multiple network interfaces and subnets can share the same NSG

52
Q

Does MS Entra ID provide Active Directory Federation Services?

A

No
If you need AD FS, you need to keep it, and your AD domain controllers are still required to support AD FS authentication

53
Q

Azure Storage is an example of
* IaaS
* PaaS
* SaaS

A

IaaS
In IaaS, network, compute and storage resources are offered

54
Q

What is Application Insights?

A

Application Insights is a feature of Azure Monitor that allows you to visually analyse telemetry data.
It’s an App Performance Management service.
Developers can install a small instrumentation package in their web app to send telemetry data to Azure

55
Q

You use an Azure Container Instance.
You want to store its data in a persistent state.
What type of storage must you choose?

A

For ACI persistent storage, the only storage option is Azure Files
You would need to create the share and then create a container specifying the share and volume mount point

56
Q

Describe the Azure Cloud Adoption Framework steps

A
  • Strategy: define business justification and expected outcomes of adoption
  • Plan: align actionable adoption plans with business outcomes. Inventory the digital estate, establish plans, manage plan changes
  • Ready: prepare the cloud environment for the planned changes
  • Adopt: how to migrate, modernize, innovate, and relocate workloads in Azure
  • Govern: structured approach for establishing and optimizing cloud governance
  • Manage: define, establish and expand management baseline
  • Secure: structured approach for securing your Azure cloud estate.
  • Organize: approach to establishing and maintaining the proper organizational structures
57
Q

What is Infrastructure as Code (IaC)?

A

Infrastructure as code (IaC) uses DevOps methodology and versioning with a descriptive model to define and deploy infrastructure, such as networks, virtual machines, load balancers, and connection topologies.
Just as the same source code always generates the same binary, an IaC model generates the same environment every time it deploys.

58
Q

Name some Infrastructure as Code (IaC) benefits

A
  • Avoid manual configuration to enforce consistency: you create a master copy of a device configuration; once the template is created and tested, it can be deployed over and over, whenever needed. It facilitates the centralized storage and management of these configurations.
  • Deliver stable test environments rapidly at scale
  • By representing desired environment states via well-documented code in formats such as JSON,
59
Q

Name some Infrastructure as Code (IaC) limits

A
  • Non-administrative users can make configuration changes
  • Administrators are still required to maintain configurations for network devices: IaC does not eliminate the requirement for administrators to create and test configurations. It facilitates the centralized storage and management of these configurations.
60
Q

There are 6 required resources for deploying a VPN Gateway. List them

A
  • Virtual network
  • A subnet named “GatewaySubnet”
  • Public IP address
  • Local Network Gateway (represents your on-premises VPN device, site or point…)
  • Virtual network gateway
  • Connection
61
Q

What is Azure Data Box Gateway?

A

Azure Data Box Gateway is a storage solution for transferring data to and from Azure via Azure Data Box.
You can use it to replicate data:
* between on-premises storage and Azure Data Box
* to transfer data into and out of Azure storage accounts using your Data Box.

The virtual device resides in your premises and you write data to it using the NFS and SMB protocols.
The device then transfers your data to Azure block blob, page blob, or Azure Files.

62
Q

What is Azure Data Share?

A

Using Data Share, a data provider can share data and manage their shares all in one place. They can stay in control of how their data is handled by specifying terms of use for their data share.
The data consumer must accept these terms before being able to receive the data.
Data providers can specify the frequency at which their data consumers receive updates. Access to new updates can be revoked at any time by the data provider.

63
Q

What are managed identities for Azure resources?

A

Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication.
Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

64
Q

Name some of the benefits of using managed identities

A
  • You don’t need to manage credentials. Credentials aren’t even accessible to you.
  • You can use managed identities to authenticate to any resource that supports Microsoft Entra authentication, including your own applications.
  • Managed identities can be used at no extra cost.
65
Q

A Vnet is created in the scope of a————-

66
Q

For a given scenario, which factors help you choose between deploying VNet peering and deploying a VPN gateway between 2 VNets?

A

Global VNet Peering provides a low latency, high bandwidth connection useful in scenarios such as cross-region data replication and database failover scenarios.
Since traffic is completely private and remains on the Microsoft backbone, customers with strict data policies prefer to use VNet Peering as public internet is not involved. Since there is no gateway in the path, there are no extra hops, ensuring low latency connections.

VPN Gateways provide a limited-bandwidth connection and are useful in scenarios where encryption is needed but bandwidth restrictions are tolerable. In these scenarios, customers are also not as latency-sensitive.

67
Q

What is Azure Storage Explorer?

A

It’s a cloud storage service that offers secure, scalable, and highly available storage solutions for data, applications, and virtual machines.
It offers a range of storage options, including Blob Storage, File Storage, Queue Storage, and Table Storage.

68
Q

What are some key advantages with ARM?

A
  • Declarative JSON templates; easy infrastructure management
  • Manage a single Resource or a group of them - Deploy and Redeploy easily and consistently
  • Define dependencies between Resources for correct deployment order
  • Apply RBAC (Role Based Access Control)
  • Apply additional Tags/Tagging
69
Q

What is Azure WebJobs?

A

WebJobs is a feature of Azure App Service that allows you to run a program or script in the same context as a Web/API/Mobile app.

Often used to run background tasks as part of application logic.

70
Q

What is Azure Sentinel, and what is the difference between it and Azure Security Center?

What are four (4) things that it does?

A

Azure’s SIEM system.
This is the system you’d go to for breaches. Unlike Security Center, which is proactive prevention, Sentinel is reactive action and prevention.

  • Data Aggregation at scale; across all users, devices, apps, and both on-prem and cloud infrastructure (even multiple clouds)
  • Detects previously undetected threats using Microsoft’s comprehensive analytics and threat intelligence
  • Investigates threats with AI; examines suspicious activities at scale
  • Rapid Incident Response with built-in orchestration and automation of common tasks
71
Q

Hint: PS, IA, P, N, C, A, D

What are the seven (7) layers that comprise Defense in Depth?

A
  1. Physical Security Layer
  2. Identity & Access Layer
  3. Perimeter Layer
  4. Network Layer
  5. Compute Layer
  6. Application Layer
  7. Data Layer
72
Q

Which service provides network traffic filtering across multiple Azure subscriptions and virtual networks?

A

Azure Firewall

Caution: NSGs cannot, because they cannot filter between subscriptions

73
Q

Which resources can be used as a source for a Network Security Group inbound security rule?

A
  • IP addresses
  • Service tags
  • Application security groups
74
Q

You have an Azure Sentinel workspace.
You need to automate responses to threats detected by Azure Sentinel.
What should you use?

A

Azure Sentinel playbooks

75
Q

What is the Microsoft identity platform?

A

A cloud identity service that allows you to build applications your users and customers can sign in to using their Microsoft identities or social accounts.
The identity platform supports developers building single-tenant, line-of-business (LOB) applications, as well as multi-tenant software-as-a-service (SaaS) applications.

76
Q

To what should an application connect to retrieve security tokens?

A

The Microsoft identity platform authenticates users and provides security tokens, such as access tokens, refresh tokens, and ID tokens

77
Q

Which resource is required to use Azure Cloud Shell?

A

A storage account.
The first time you start Cloud Shell, you’re prompted to select your storage options.
If you want to store files that can be used every time you use Cloud Shell, you must create new or choose existing storage resources.
Cloud Shell uses a Microsoft Azure Files share to persist files across sessions.

78
Q

How do you calculate a composite SLA?

A

When combining SLAs across different service offerings, the resultant SLA is called a composite SLA.
For example, consider an App Service web app that writes to Azure SQL Database.
At the time of this writing, these Azure services have the following SLAs:
* App Service web apps = 99.95%
* SQL Database = 99.99%

The probability of each service failing is independent, so the composite SLA for this application is 99.95% × 99.99% = 99.94%
That’s lower than the individual SLAs, which isn’t surprising because an application that relies on multiple services has more potential failure points.

79
Q

Which feature in Azure Firewall enables users on the internet to access a server on a VNet?

A

DNAT (Destination Network Address Translation) rules allow or deny inbound traffic through the firewall public IP address(es).
You can use a DNAT rule when you want a public IP address to be translated into a private IP address.
The Azure Firewall public IP addresses can be used to listen to inbound traffic from the Internet, filter the traffic and translate this traffic to internal resources in Azure.