Design and Deploy ARM Templates (10-15%)

Question 1

What are the Design Principles (6) of Resource Groups using ARM?

Answer 1

1. Organize Azure Resources
2. Logical Grouping
3. Should share the same life cycle
4. Leverage RBAC
5. No Nesting
6. Tag and Lock Them

Question 2

Can a resource group contain resources that reside in different regions?

Answer 2

Yes

Question 3

What are the 3 built in (basic) roles for Azure?

Answer 3

1. Owner - Full Access
2. Contributor - create and manage but cant grant access to others
3. Reader - View Access

Question 4

Max # of Custom RBAC roles

Answer 4

2000

Question 5

What is the Actions property of a custom RBAC role?

Answer 5

The Actions property of a custom role specifies the Azure operations to which the role grants access. It is a collection of operation strings that identify securable operations of Azure resource providers. Operation strings follow the format of:

Microsoft.//

Question 6

PS: list operations of Azure resource providers

Answer 6

Get-AzureRmProviderOperation

Question 7

CLI: list operations of Azure resource providers

Answer 7

azure provider operations show

Question 8

Which property of the custom role specifies the scopes (subscriptions, resource groups, or resources) within which the custom role is available for assignment?

Answer 8

AssignableScopes Property

Question 9

What is a NotActions property of a custom RBAC role?

Answer 9

Use the NotActions property if the set of operations that you wish to allow is more easily defined by excluding restricted operations. The access granted by a custom role is computed by subtracting the NotActions operations from the Actions operations.

Question 10

Is a NotActions a deny rule for custom RBAC?

Answer 10

No, it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.

If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the same operation, the user is allowed to perform that operation.

Question 11

What type of files are ARM Templates?

Answer 11

JSON files

Question 12

PS: Deploy template to resource group

Answer 12

New-AzureRmResourceGroupDeployment -name -ResourceGroupName `
-Templatefile

Question 13

CLI: Deploy template to resource group

Answer 13

azure group deployment create -f

Question 14

What are the 2 parts of Azure Policies?

Answer 14

1. Policy Definitions - whats going to be locked down
2. Policy Assignments - Telling WHERE the Policy definition (scope) will be applied at the Subscription, Azure Resource Group, or Azure Resource.

Question 15

True/False: ARM policy is a default allow and explicit deny system.

Answer 15

True

Question 16

What are the 2 options for Resource Locks?

Answer 16

1. CanNotDelete

2. ReadOnly

Question 17

Which RBAC roles can create or delete resource locks?

Answer 17

Owner or User Access Administrator

Question 18

PS: Lock Resource

Answer 18

New-AzureRmResourceLock

Question 19

CLI: Lock Resource

Answer 19

az lock create

Question 20

What are the Actions properties for a custom RBAC role with Lock Resource permissions?

Answer 20

Microsoft.Authorization/* OR Microsoft.Authorization/locks/*