Describe Azure management and governance Flashcards
What is the Azure calculator?
Publicly accessible browser-based tool where you can estimate the costs of services created in Azure
What is TCO (Total Cost of Ownership) calculator?
Browser-based tool that can estimate cost savings by moving workloads to Azure
Generates a report that compares the costs of workloads running in on-prem environments with those running in Azure
What are resource tags?
Provide metadata or descriptive information for Azure resources
Can be used to logically organize all resources that share the same values
What is the common use case for tags?
To capture billing information for cost management purposes
What is MS Purview?
Unified data governance solution that helps organizations govern, protect, and manage their entire data estate, including cloud, hosted and on-prem data sources
Examples of use cases of Azure Policy
Limit what regions can be accessed for resources to be created (data sovereignty compliance)
Limit what resources can be created (VM types)
What is Azure Policy?
Set of resource creation and management rules that apply across multiple subscriptions.
Defines what actions are allowed within a subscription
Assesses resources for compliance standards
Performs remediation for non-compliant resources
What are resource locks?
Used to prevent resources from being modified or accidentally deleted
Locks override any permission set through RBAC
What is Azure Arc?
Hybrid management and governance tool that supports physical and virtual Windows servers
Azure Arc-managed servers are classed as Arc-enabled servers
How do you connect a Windows server to Azure Arc?
The Azure Connected Machine agent is deployed and configured on the server
What are ARM (Azure Resource Manager) templates?
ARM templates are an Infrastructure as Code approach to resource deployment
What is Bicep?
Like JSON, it’s used to create ARM templates
It’s a MS declarative domain-specific language (DSL) and Infrastructure as Code tool
Define Azure Advisor
Included, no-cost service
Provides advice on optimizing Azure resources
Provides personalized and actionable best-practice recommendations based on usage analysis
Can be accessed directly within the portal
What are the five recommendation categories used by Azure Advisor?
Cost
Security
Reliability
Operational excellence
Performance
What is Azure status?
Public-facing website (no login required)
Global view of all the platform services across all regions
What information does Azure Service Health provide?
A personalized view of the health of all your Azure resources
Provides guidance and notifications, such as for planned maintenance and other advisories on resource health aspects specific to your tenant
What are the data types used by Azure Monitor?
Logs: record the activities of a data source representing some action taken against the resources
Metrics: record the performance and consumption of a data source and represent the meters and counters being triggered
What is Azure Monitor?
Included service
Provides actionable insights into the health, availability and performance of Azure and on-prem environments by collecting and analyzing logs and metrics
What would you choose?
You need to prevent any users from deleting resources from a subscription with contents spanning multiple resource groups
Azure Locks
Which factors affect Azure costs?
Usage meters, such as CPU time, disk size, and write operations, are used to calculate your bill for an Azure resource.
Deleting or deallocating a resource means that you will no longer be billed for it.
Different regions can have different associated prices.
Resources cost the same no matter the time of day or the day of the week.
What would you choose?
You need to use information from MS Defender for Cloud to develop best-practice recommendations for optimization
Azure Advisor
What would you choose?
You need to define a set of policies to help ensure compliance for resources contained in a resource group
Initiative
An Azure initiative is a collection of Azure policies targeted towards reaching a single overall goal.
Simplifies managing and assigning policy definitions by grouping a set of policies as a single item
An initiative can then be assigned to a scope and applied to all the resources contained in that scope.
What is Azure Hybrid Benefit?
It allows you to use existing Windows Server licenses (covered by an active MS Software Assurance agreement) to run Windows VMs in Azure.
You pay only for the VM’s infrastructure cost (up to 40% of regular costs)
A company plans to commit to a 3-year plan for VM and storage resources to receive a reduction in pay-as-you-go prices.
What’s the service?
Azure Reservations
- 1- or 3-year plan
- Committing allows you to get a discount on the resources you use (up to 72% off pay-as-you-go prices).
- Includes VMs, storage (Blob, Files), databases (SQL Database, Cosmos DB…)…
Your company wants to increase default limits on how many select resources of each type can be provisioned per Azure Region.
Which service do you use?
Azure Resource Manager
What is the Azure DATA policy app used for?
The Azure DATA policy app is used to define access policies that enforce permissions (RBAC) when users request access.
In the policy you define:
* the subject the policy applies to
* the data resource
* an action (read or modify)
* an effect
What’s the use of the Azure Data Estate Insight App?
The Azure Data Estate Insight App is used to determine data classification rates.
Evaluates and manages data governance at scale: whether a data owner has been assigned to a data resource, the classification status and rates of data…
What’s the use of the Azure Data Catalog App?
The Azure Data Catalog App is used to search for data using data classifications, glossary terms, data types… wherever it’s located in your data estate
Do all resources in Azure support tags?
Not all Azure resources support tags. They do apply to subscriptions, resource groups and most resources
Is a tag applied to a resource group inherited by its resources?
No, a tag applied to a resource group isn’t inherited by its resources
The same applies at the subscription level
To ensure all the required resources are tagged:
* apply them manually
* create an Azure policy that automatically applies tags from the resource group or subscription to resources during their deployment
Which 2 (among all) locations are valid destinations for platform logs and metrics collected by Azure Monitor?
An Azure storage account, an Azure Log Analytics workspace
What allows you to assign permissions to users so they can create resources in Azure?
RBAC
What can you use to reuse a VM as a template in the deployment of test and production VMs?
ARM.
You can export the ARM template from a resource and a resource group (open the VM settings in the portal and click the export template menu item)
Can a resource group contain resources from any region or only the region on which it’s located?
A resource group can contain resources from any region
Describe the 3 main RBAC built-in roles (Owner, Contributor, User Access Administrator)
- Owner: Grants full access to manage resources, including the ability to assign roles in Azure RBAC. Can also create, update, move, delete and read management groups
- Contributor: Grants full access to manage resources. Can also create, update, move, delete and read management groups BUT doesn’t allow you to assign roles, manage assignments in Azure Blueprints, assign Azure policies, or share image galleries
- User Access Administrator: manages user access to Azure resources and assigns policies
Service Health is a combination of 3 smaller services. Describe them
1. **Azure Status**: Public web service that gives a global view of the health of all Azure services across all Azure regions
2. **Service Health**: Personalized view of the health of the Azure services and regions you’re using. For example, planned or unplanned service outages.
3. **Resource Health**: Provides information about the health of your individual cloud resources. Using Azure Monitor, you can also configure alerts to notify you of availability changes to your cloud resources. For example: be notified if App Service usage exceeds the usage quota. You can configure a webhook on your website to display health incidents.
Which Azure service can use autoscale to add or remove resources as appropriate to minimize costs and ensure optimum performance levels?
Azure Monitor. You can create rules based on metrics collected by Azure Monitor to match resources to an application load
Advisor doesn’t use autoscale, but provides recommendations based on best practices
What is a billing zone?
Geographical grouping of Azure regions used to determine billing based on data transfers. Billing applies to both incoming and outgoing data and varies by billing zone.
What’s the use case of Azure Resource Graph?
To generate cost savings summaries across all your environments simultaneously.
To query data about resources across your Azure tenancy
In MS Defender for Cloud, there’s a Regulatory compliance dashboard.
What can you find in it?
Interactive overview of compliance state
In the dashboard you can:
* Get an overall compliance score
* Get a summary of standard controls that have been passed.
* Get a summary of standards that have the lowest pass rate for resources, with the number of passing and failing assessments
* Review standards that are applied within the selected scope.
* Review assessments for compliance controls within each applied standard.
* Get a summary report for a specific standard.
* Manage compliance policies to see the standards assigned to a specific scope.
* Run a query to create a custom compliance report
* Create a “compliance over time workbook” to track compliance status over time.
* Download audit reports.
* Review compliance offerings for Microsoft and third-party audits
Which factors affect Azure App Service cost?
- Tier: Shared (Free or Shared tier) or Isolated
- Region
- Operating system (Linux is cheaper than Windows)
- Number of instances
- Instance type: size of the VM that hosts the app (for example CPU cores, allocated memory, storage size)
Which type of data collection in Azure Monitor requires you to enable diagnostics?
- Event logs
- Performance counters
- Crash logs
What is Azure Blueprints?
Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.
Which resources can you deploy with Azure Blueprints?
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
- Role Assignments
- Policy Assignments
- Azure Resource Manager templates (ARM templates)
- Resource Groups
The Azure Blueprints service is backed by the globally distributed Azure Cosmos DB. Blueprint objects are replicated to multiple Azure regions.
What is Microsoft Entra ID Governance?
Advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers
How does Microsoft Entra ID Governance help organizations?
Microsoft Entra ID Governance helps organizations address these four key questions, for access across services and applications both on-premises and in clouds:
- Which users should have access to which resources?
- What are those users doing with that access?
- Are there organizational controls in place for managing access?
- Can auditors verify that the controls are working effectively?
With Microsoft Entra ID Governance you can implement the following scenarios for employees, business partners and vendors:
* Govern the identity lifecycle
* Govern the access lifecycle
* Secure privileged access for administration
Can you share Azure dedicated host across your multiple Azure subscriptions?
No. The physical host is single-tenant, so it is dedicated to 1 Azure subscription only
What are the scopes for an Azure Initiative?
The same initiative can be assigned to multiple scopes in order to include resources, resource groups, subscriptions or management groups
When an Azure Initiative is evaluated, what happens to all of the policies in it?
When an Azure Initiative is evaluated, all of the policies in it are evaluated.
If you want to evaluate a policy by itself, you should either not assign the policy to an initiative or you should create an initiative that only contains that policy
An Azure initiative
Can be assigned across one or multiple scopes?
Can be created on one ______?
Subscription
You can assign a single initiative to scopes across multiple subscriptions or management groups.
However, you must create the policies and initiatives in the same subscription
What can management groups organize?
Multiple subscriptions
What management groups CANNOT organize?
- Multiple MS Entra tenants: a tenant is the top level of an organization’s Azure hierarchy
- Resource groups: They cannot be added directly but are managed indirectly if the subscription in which they are contained is part of a management group
- Resources: They cannot be added directly but are managed indirectly if the subscription in which they are contained is part of a management group
What are the 4 types of health events available in Azure Service Health?
Azure Service Health tracks four types of health events that may impact your resources:
1. Service issues: Problems in the Azure services that affect you right now.
2. Planned maintenance: Upcoming maintenance that can affect the availability of your services in the future.
3. Health advisories: Changes in Azure services that require your attention. Examples include deprecation of Azure features or upgrade requirements (e.g. upgrade to a supported PHP framework).
4. Security advisories: Security-related notifications or violations that may affect the availability of your Azure services.
Resource Groups - What are Region Requirements?
You need to set the Region for a Resource Group. This defines where the metadata for the Resource Group exists, NOT where the Resource(s) in the Group reside. This is important to know if you have data residency requirements to consider (including metadata)
But you can add resources from different regions in a resource group (Resource is in region B and resource group in region A)
You have an Azure VNet named VNet1 in a resource group named RG1.
You assign to RG1 the Azure Policy definition “Not allowed resource types” and specify that VNets are not an allowed resource type.
What happens to VNet1?
VNet1 continues to function normally BUT will be marked as ‘Non-compliant’ when the policy is assigned.
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
Microsoft Defender for Cloud (because it’s YOUR company environment)
Microsoft Defender for Cloud helps you to meet regulatory compliance requirements by continuously assessing resources against compliance controls, and identifying issues that are blocking you from achieving a particular compliance certification.
In the Regulatory compliance dashboard, you manage and interact with compliance standards. You can see which compliance standards are assigned, turn standards on and off for Azure, AWS, and GCP, review the status of assessments against standards, and more.
Compliance data from Defender for Cloud now seamlessly integrates with Microsoft Purview Compliance Manager, allowing you to centrally assess and manage compliance across your organization’s entire digital estate.
Describe Microsoft Service Trust Portal
The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.
The Service Trust Portal (STP) is Microsoft’s public site for publishing audit reports and other compliance-related information associated with Microsoft’s cloud services.
STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored whitepapers that provide details on how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.
Who can transfer billing ownership for a subscription?
You need to be an administrator of the billing account that has the subscription to be able to transfer the subscription.
This could be a Billing Administrator or Global Administrator.
A subscription owner can manage all resources and permissions within the subscription but cannot transfer ownership of the subscription.