Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

Asy Azure > Fundamentals Module 2 > Flashcards

Fundamentals Module 2 Flashcards

1
Q

Core architectural component groups

A
  1. physical infrastructure
  2. management infrastructure
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Datacenter

A

facilities with resources arranged in racks, with dedicated power, cooling, and networking infrastructure.

NB: individual datacenters aren’t directly accessible

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Regions

A
  1. a geographical area on the planet that contains at least one, but potentially multiple data centers that are nearby and networked together with a low-latency network.
  2. minimum of three separate availability zones are present in all availability zone-enabled regions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Availability Zones

A
  1. physically separate data centres within an Azure region
  2. each availability zone is made up of one or more data centres equipped with independent power, cooling, and networking
  3. connected through high-speed, private fiber-optic networks.

NB not all Azure Regions currently support availability zones.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Azure services that support availability zones fall into three categories:

A
  1. Zonal services: You pin the resource to a specific zone (for example, VMs, managed disks, IP addresses).
  2. Zone-redundant services: The platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).
  3. Non-regional services: Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Region pairs

A
  1. Most Azure regions are paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away
  2. if a region in a pair was affected by a natural disaster, services would automatically fail over to the other region in its region pair.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Advantages of regional pairs

A

1.Pair of regions are a) directly connected b) far enough apart to be isolated from regional disasters => provide reliable services and data redundancy.

  1. If an extensive Azure outage occurs, one region out of every pair is prioritized to make sure at least one is restored as quickly as possible for applications hosted in that region pair.
  2. Planned Azure updates are rolled out to paired regions one region at a time => minimize downtime and risk of application outage.
  3. Data continues to reside within the same geography as its pair (except for Brazil South) for tax- and law-enforcement jurisdiction purposes.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Sovereign Regions

A

instances of Azure that are isolated from the main instance of Azure.

May need to use a sovereign region for compliance or legal purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Azure resource

A

basic building block of Azure, anything you create, provision, deploy

Examples: Virtual Machines (VMs), virtual networks, databases, cognitive services

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Resource groups

A
  1. groupings of resources
  2. every resource needs to be placed into a resource group
  3. a resource group can contain many resources, a single resource can only be in one resource group at a time
  4. resource groups can’t be nested
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Azure subscriptions

A
  1. subscriptions are a unit of management, billing, and scale
  2. a subscription provides authenticated and authorized access to Azure products and services
  3. It allows to provision resources
  4. An Azure subscription links to an Azure account, which is an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts
  5. In a multi-subscription account, you can use the subscriptions to configure different billing models and apply different access-management policies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Types of subscription boundaries

A
  1. Billing boundary
  2. Access control boundary
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Billing boundary

A
  1. how an Azure account is billed for using Azure
  2. Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Access control boundary

A
  1. Azure applies access-management policies at the subscription level
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Subscriptions use cases

A

create additional subscriptions to separate:

  1. Environments (dev / test) resource AC is at the subscription level
  2. Organizational structures (IT, marketing)
  3. Billing: osts are first aggregated at the subscription level, you might want to create subscriptions to manage and track costs based on your needs. i.e. one subscription for your production workloads and another subscription for your development and testing workloads
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Azure management groups

A
  1. organize subscriptions into containers called management groups and apply governance conditions to the management groups
  2. management groups can be nested.
  3. A management group tree can support up to six levels of depth. This limit doesn’t include the root level or the subscription level.
  4. Each management group and subscription can support only one parent.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Hierarchy

A
  1. resource
  2. resource group
  3. subscription (highest level to lock)
  4. management group
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Virtual machine scale sets

A
  1. let you create and manage a group of identical, load-balanced VMs
  2. allow you to centrally manage, configure, and update a large number of VMs in minutes
  3. the number of VM instances can automatically increase or decrease in response to demand, or you can set it to scale based on a defined schedule
  4. Virtual machine scale sets also automatically deploy a load balancer to make sure that your resources are being used efficiently
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Virtual machine availability sets

A
  1. designed to ensure that VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs with a single network or power failure.
  2. Availability sets do this by grouping VMs in two ways: update domain and fault domain.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Update domain

A
  1. VMs that can be rebooted at the same time
  2. Update group going through the update process is given a 30-minute time to recover before maintenance on the next update domain starts
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Fault domain

A
  1. groups your VMs by common power source and network switch
  2. an availability set will split your VMs across up to three fault domains
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

VM use cases

A
  1. During testing and development
  2. When running applications in the cloud
  3. When extending your datacenter to the cloud
  4. During disaster recovery (while primary datacenter is not available)
  5. Move to the cloud with VMs
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

VM Resources

A
  1. Size (purpose, number of processor cores, and amount of RAM)
  2. Storage disks (hard disk drives, solid state drives, etc.)
  3. Networking (virtual network, public IP address, and port configuration)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Azure Virtual Desktop

A
  1. is a desktop and application virtualization service that runs on the cloud. It enables you to use a cloud-hosted version of Windows from any location
  2. With Azure Virtual Desktop, the data and apps are separated from the local hardware.
  3. The actual desktop and apps are running in the cloud, meaning the risk of confidential data being left on a personal device is reduced
  4. user sessions are isolated in both single and multi-session environments.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
VM vs container
1. a single operating system per virtual machine 2. if you want to run multiple instances of an application on a single host machine, containers are an excellent choice 3. containers are more agile
26
Containers
1. virtualization environment 2. can run multiple containers on a single physical or virtual host 3. you don't manage the operating system for a container 4. are lightweight and designed to be created, scaled out, and stopped dynamically
27
Azure Container Instances
PaaS 1. allow you to upload your containers and then the service will run the containers for you 2. run container without having to manage any virtual machines or adopt any additional services
28
Azure Container Apps
Paas 1. like azure container instance 2. allow you to get up and running right away, they remove the container management piece 3. extra benefit: ability to incorporate load balancing and scaling
29
Azure Kubernetes Service
a container orchestration service.
30
Azure Functions
1. an event-driven, serverless compute option that doesn’t require maintaining virtual machines or containers 2. an event wakes the function, alleviating the need to keep resources provisioned when there are no events 3. scale automatically based on demand, so they may be a good choice when demand is variable 4. runs your code when it's triggered and automatically deallocates resources when the function is finished
31
Benefits of Azure functions
1. you're only concerned about the code running your service and not about the underlying platform or infrastructure 2. you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.
32
Azure hosting options
1. virtual machine (VM) 2. containers 3. Azure App Service
33
Types of app services
1. Web apps 2. API apps 3. WebJobs 4. Mobile apps
34
Azure App service
1. enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure 2. offers automatic scaling and high availability 3. enables automated deployments 4. an HTTP-based service for hosting web applications, REST APIs, and mobile back ends
35
Azure App Service manages the following infrastructure decisions
1. Deployment and management are integrated into the platform. 2. Endpoints can be secured. 3. Sites can be scaled quickly to handle high traffic loads. 4. The built-in load balancing and traffic manager provide high availability.
36
WebJobs
1. use to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. 2. can be scheduled or run by a trigger. 3. WebJobs are often used to run background tasks as part of your application logic.
37
Azure virtual networks capabilities
1. Isolation and segmentation 2. Internet communications 3. Communicate between Azure resources 4. Communicate with on-premises resources 5. Route network traffic 6. Filter network traffic 7. Connect virtual networks
38
Isolation and segmentation
Azure virtual network allows you to create multiple isolated virtual networks.
39
Mechanisms to establish on prem connectivity
1. Point-to-site virtual private network connections 2. Site-to-site virtual private networks 3. Azure ExpressRoute
40
Point-to-site virtual private network
1. a computer outside your organization back into your corporate network 2. the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.
41
Site-to-site virtual private networks
1. link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network 2. The connection is encrypted and works over the internet
42
Azure ExpressRoute
a dedicated private connectivity to Azure that doesn't travel over the internet
43
Network security groups
1. Azure resources that can contain multiple inbound and outbound security rules. 2. can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol 3. ) DOES NOT encrypt traffic.
44
Network virtual appliances
specialized VMs that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.
45
Virtual network peering
1. allows two virtual networks to connect directly to each other 2. Network traffic between peered networks is private, and travels on the Microsoft backbone network, never entering the public internet
46
virtual private network (VPN)
1. uses an encrypted tunnel within another network 2. typically deployed to connect two or more trusted private networks to one another over an untrusted network 3. traffic is encrypted while traveling over the untrusted network NB 1. only one VPN gateway in each virtual network 2. can use one gateway to connect to multiple locations
47
Types of VPN
1. policy based 2. route based The primary distinction is how they determine which traffic needs encryption
48
Policy-based VPN
specify statically the IP address of packets that should be encrypted through each tunne
49
Route-based gateways
IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet NB more resilient to topology changes such as the creation of new subnets.
50
How to maximise VPN resiliency
1. Active/standby 2. Active/active 3. ExpressRoute failover 4. Zone-redundant gateways
51
Active/standby
(default) 1. VPN gateways are deployed as two instances in an active/standby 2. connections restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.
52
Active/active
can also deploy VPN gateways in an active/active configuration. In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address
53
ExpressRoute failover
configure a VPN gateway as a secure failover path for ExpressRoute connections
54
Zone-redundant gateways
1. Deploying gateways in Azure availability zones physically and logically separates gateways within a region while protecting your on-premises network connectivity to Azure from zone-level failures 2. These gateways require different gateway stock keeping units (SKUs) and use Standard public IP addresses instead of Basic public IP addresses.
55
Features and benefits of ExpressRoute (as the connection service between Azure and on-premises networks.)
1. Connectivity to Microsoft cloud services across all regions in the geopolitical region 2. Global connectivity to Microsoft services across all regions with the ExpressRoute Global Reach. 3. Dynamic routing between your network and Microsoft via Border Gateway Protocol (BGP). 4. Built-in redundancy in every peering location for higher reliability.
56
ExpressRoute connectivity models
1. CloudExchange colocation 2. Point-to-point Ethernet connection 3. Any-to-any connection 4. Directly from ExpressRoute sites
57
Co-location at a cloud exchange
1. your datacenter, office, or other facility being physically co-located at a cloud exchange, such as an ISP. 2. can request a virtual cross-connect to the Microsoft cloud.
58
Any-to-any networks
integrate your wide area network (WAN) with Azure by providing connections to your offices and datacenters. Azure integrates with your WAN connection to provide a connection like you would have between your datacenter and any branch offices.
59
Benefits of Azure DNS
1. Reliability and performance 2. Security 3. Ease of Use 4. Customizable virtual networks 5. Alias records
60
Storage account in azure
1. provides a unique namespace for your Azure Storage data that's accessible from anywhere in the world over HTTP or HTTPS 2. Data in this account is secure, highly available, durable, and massively scalable 3. must have a unique-in-Azure account name.
61
Storage account type
Determines the 1. storage services 2. redundancy options
62
Storage service types
1. Azure Blobs (includes support for BigData in Data Lake Storage Gen2.) 2. Azure Files 3. Azure Queue 4. Azure Disks 5. Azure Tables (NoSQL)
63
Azure storage redundancy
Redundancy in the primary region 1. Locally redundant storage 2. Zone-redundant storage Redundancy in a secondary region 1. Geo-redundant storage 2. Geo-zone-redundant storage 3. Read access to data in the secondary region
64
Azure storage factors that affect the choice of redundancy
tradeoffs between lower costs and higher availability 1. Whether your application requires read access to the replicated data in the secondary region if the primary region becomes unavailable. 2. How your data is replicated in the primary region. 3. Whether your data is replicated to a second region that is geographically distant to the primary region, to protect against regional disasters.
65
Locally redundant storage (LRS)
NB Data in an Azure Storage account is always replicated three times in the primary region. 1. replicates your data three times within a single data center in the primary region. 2. provides at least 11 nines of durability (99.999999999%) of objects over a given year. 3. the lowest-cost redundancy option and offers the least durability compared to other options.
66
Zone-redundant storage
1. (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region 2. offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year 3. data is still accessible for both read and write operations even if a zone becomes unavailable
67
Azure Storage offers two options for copying your data to a secondary region:
1. geo-redundant storage (GRS) (running LRS in two regions) 2. geo-zone-redundant storage (GZRS) (running ZRS in the primary region and LRS in the secondary region)
68
Geo-redundant storage
1. copies your data synchronously three times within a single physical location in the primary region using LRS 2. copies your data asynchronously to a single physical location in the secondary region
69
Geo-zone-redundant storage
1. Data in a GZRS storage account is copied across three Azure availability zones in the primary region (similar to ZRS) 2. is also replicated to a secondary geographic region, using LRS, for protection from regional disasters. NB 16 nines (99.99999999999999%) of durability of objects over a given year.
70
Azure data services
1. Azure Blobs 2. Azure Files 3. Azure Queues 4. Azure Disks 5. Azure Tables
71
Benefits of Azure Storage
1. Durable and highly available 2. Secure 3. Scalable 4. Managed 5. Accessible
72
Azure blob storage
1. massively scalable object store for text and binary data 2. includes support for big data analytics through Data Lake Storage Gen2 3. Objects in blob storage can be accessed from anywhere in the world via HTTP or HTTPS
73
Blob storage is ideal for
1. Serving images or documents directly to a browser 2. Storing files for distributed access. 3. Streaming video and audio. 4. Storing data for backup and restore, disaster recovery, and archiving. 5. Storing data for analysis by an on-premises or Azure-hosted service.
74
Storage tiers: motivation
1. organize your data based on attributes like frequency of access and planned retention period 2. Data stored in the cloud can be handled differently based on how it's generated, processed, and accessed over its lifetime
75
Storage tiers
1. Hot access tier 2. Cool access tier (stored for at least 30 days) 3. Cold access tier (stored for at least 90 days) 4. Archive access tier => rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups) => he highest costs to rehydrate and access data
76
Azure Files
1. fully managed file shares in the cloud 2. are accessible via the industry standard Server Message Block (SMB) or Network File System (NFS) protocols
77
Azure files key benefits
1. Shared access: 2. Fully managed (hardware and OS) 3. Scripting and tooling 4. Resiliency 5. Familiar programmability
78
Azure Queues
1. a service for storing large numbers of messages 2. can access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS 3. Each individual message can be up to 64 KB in size
79
Azure Disks
block-level storage volumes managed by Azure for use with Azure VMs
80
Azure Tables
1. stores large amounts of structured data. 2. ideal for storing structured, non-relational data. 3. a NoSQL datastore that accepts authenticated calls from inside and outside the Azure cloud
81
Azure Migrate provides:
1. Unified migration platform: A single portal to start, run, and track your migration to Azure. 2. Range of tools 3. Assessment and migration
82
Azure Migrate: Integrated tools
1. Azure Migrate: Discovery and assessment. (on-premises servers running on VMware, Hyper-V) 2. Azure Migrate: Server Migration. (VMware VMs, Hyper-V VMs, physical servers, other virtualized servers) 3. Data Migration Assistant. (assess SQL Servers) 4. Azure Database Migration Service: Migrate on-premises databases to Azure VMs running SQL Server, Azure SQL Database, or SQL Managed Instances. 5. Web app migration assistant 6. Azure Data Box
83
Azure Data Box
1. a physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way 2. maximum usable storage capacity of 80 terabytes 3. If you’re transferring data into Azure, the data is automatically uploaded once Microsoft receives the Data Box back
84
Azure data box use case
ideally suited to transfer data sizes larger than 40 TBs in scenarios with no to limited network connectivity 1. Onetime migration 2. Moving a media library from offline tapes into Azure 3. Migrating your VM farm, SQL server, and applications to Azure 4. Moving historical data to Azure 5. Initial bulk transfer 6, Periodic uploads ........................> 1. Disaster recovery 2. Security requirements
85
Azure Migrate
helps to migrate from an on-premises environment to the cloud. It provides 1. Unified migration platform 2. Range of tools (also integrated with independent software vendors) 3. Assessment and migration
86
Azure Migrate: Integrated tools
1. Azure Migrate: Discovery and assessment 2. Azure Migrate: Server Migration 3. Data Migration Assistant. (SQL) 4. Azure Database Migration Service. (SQL) 5. Web app migration assistant (.NET and PHP) 6. Azure Data Box.
87
Azure data box
1. physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way (80 terabytes) 2. entire process is tracked end-to-end by the Data Box service in the Azure portal.
88
Data box use cases
transfer data sizes larger than 40 TBs in scenarios with no to limited network connectivity Export 1. Disaster recovery 2. Security requirements 3. Migrate back to on-premises or to another cloud service provider
89
Azure file movement options (some)
1. AzCopy 2. Azure Storage Explorer 3. Azure File Sync
90
AzCopy
1. CLI utility that you can use to copy blobs or files to or from your storage account 2. can be configured to work with other cloud providers 3. Synchronizing blobs or files with AzCopy is one-direction synchronization
91
Azure Storage Explorer
1. a standalone app that provides a graphical interface to manage files and blobs in your Azure Storage Account. 2. uses AzCopy on the backend to perform all of the file and blob management tasks. 3. can upload to Azure, download from Azure, or move between storage accounts.
92
Azure File Sync
1. a tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance, and compatibility of a Windows file server. 2. bi-directionally synced with your files in Azure. With file Synch you can: 1. Have as many caches as you need across the world. 2. Configure cloud tiering so the most frequently accessed files are replicated locally, while infrequently accessed files are kept in the cloud until requested.
93
Azure Active Directory (Azure AD)
1. a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop 2. For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that's managed by your organization 3. When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost
94
Azure AD is for:
1. IT administrators 2. App developers 3. Users 4. Online service subscribers (already use Azure AD to authenticate into their account.)
95
Azure AD Connect
1. can connect Active Directory with Azure AD, enabling a consistent identity experience between cloud and on-premises 2. synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.
96
Azure Active Directory Domain Services
1. a service that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication 2. lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. 3. A managed domain is configured to perform a one-way synchronization from Azure AD to Azure AD DS.
97
Azure authentication methods
1. standard passwords 2. single sign-on (SSO) 3. multifactor authentication (MFA) 3. passwordless
98
Single sign-on (SSO)
1. enables a user to sign in one time and use that credential to access multiple resources and applications from different providers 2. the different applications and providers must trust the initial authenticator
99
Multifactor authentication
1. the process of prompting a user for an extra form (or factor) of identification during the sign-in process 2. increases identity security by limiting the impact of credential exposure
100
Passwordless authentication
1. the password is removed and replaced with something you have, plus something you are, or something you know 2. needs to be set up on a device before it can work
101
Azure passwordless authentication options
1. Windows Hello for Business 2. Microsoft Authenticator app 3. FIDO2 security keys
102
Windows Hello for Business
1. ideal for information workers that have their own designated Windows PC 2. The biometric and PIN credentials are directly tied to the user's PC 3. (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.
103
Microsoft Authenticator App
1. employee's phone to become a passwordless authentication method 2. Users can sign-in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm
104
FIDO2 security keys
1. security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. 2. Fast Identity Online (FIDO) is an open standard for passwordless authentication. 3. select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC. With a hardware device that handles the authentication, the security of an account is increased as there's no password that could be exposed or guessed.
105
external identity
1. a person, device, service, etc. that is outside your organization 2. The external user’s identity provider manages their identity, and you manage access to your apps with Azure AD or Azure AD B2C
106
Capabilities that make up External Identities:
1. Business to business (B2B) collaboration 2. B2B direct connect 3. Azure AD business to customer (B2C)
107
Business to business (B2B) collaboration
Collaborate with external users by letting them use their preferred identity to sign-in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). Typically guest users
108
B2B direct connect
1. Establish a mutual, two-way trust with another Azure AD organization for seamless collaboration. 2. B2B direct connect users aren't represented in your directory, but they're visible from within the Teams shared channel and can be monitored in Teams admin center reports.
109
Azure AD business to customer (B2C)
Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management.
110
Azure conditional access
a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals.
111
Identity signals examples
1. who the user is 2. where the user is 3. what device the user is requesting access from 3. the application that the user is trying to access.
112
Conditional access use case:
1. Require multifactor authentication (MFA) to access an application depending on the requester’s role, location, or network. 2. Require access to services only through approved client applications. 3. Require users to access your application only from managed devices. 4. Block access from untrusted sources, such as access from unknown or unexpected locations.
113
The principle of least privilege
should only grant access up to the level needed to complete a task
114
Azure RBAC
1. managing that level of permissions for an entire team would become tedious. 2. Azure provides built-in roles that describe common access rules for cloud resources 3. you can define your own roles 4. Each role has an associated set of access permissions that relate to that role 5. Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to. 6. Azure RBAC doesn't enforce access permissions at the application or data level.
115
Scopes include:
1. A management group (a collection of multiple subscriptions). 2. A single subscription. 3. A resource group. 4. A single resource.
116
Azure RBAC is hierarchica
when you grant access at a parent scope, those permissions are inherited by all child scopes 1. When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.
117
Azure Resource Manager
a management service that provides a way to organize and secure your cloud resources.
118
Zero trust model
a security model that assumes the worst case scenario and protects resources with that expectation. Zero Trust assumes breach at the outset, and then verifies each request as though it originated from an uncontrolled network.
119
guiding principles of zero trust model
1. Verify explicitly - Always authenticate and authorize based on all available data points. 2. Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. 3. Assume breach - Minimize blast radius and segment access. Verify end-to-end encryption
120
Defense-in-depth
1. The goal is: protect information and prevent it from being stolen by those who aren't authorized to access it 2. uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data and provides alert information that security teams can act upon
121
Layers of the defence in depth model
1. Data 2. Application 3. Compute 4. Network 5. Perimeter 6. Identity and access 7. Physical security
122
Physical security
protect computing hardware in the datacenter, access to buildings and controlling access to computing hardware within the datacenter
123
Identity and access
ensuring that identities are secure, that access is granted only to what's needed, and that sign-in events and changes are logged.
124
Perimeter
protects from network-based attacks against your resources. Important to: 1. Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users. 2. Use perimeter firewalls to identify and alert on malicious attacks against your network.
125
Network
the focus is on limiting the network connectivity across all your resources to allow only what's required. it's important to: 1. Limit communication between resources 2. Deny by default. 3. Restrict inbound internet access and limit outbound access where appropriate. 4. Implement secure connectivity to onpremises networks.
126
Compute
making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues. (malware, unpacked systems) important to: 1. Secure access to virtual machines. 2. Implement endpoint protection on devices and keep systems patched and current.
127
Application
it's important to: 1. Ensure that applications are secure and free of vulnerabilities. 2. Store sensitive application secrets in a secure storage medium. 3. Make security a design requirement for all application development.
128
Microsoft Defender for Cloud
1. a monitoring tool for security posture management and threat protection 2. monitors your cloud, on-premises, hybrid, and multi-cloud environments 3. provides the tools needed to harden your resources, track your security posture, protect against cyber attacks, and streamline security management 4. natively integrated to Azure
129
Defender for Cloud helps you detect threats across:
1. Azure PaaS services (including activity detection) 2. Azure data services: capabilities that help you automatically classify your data in Azure 3. Networks. helps you limit exposure to brute force attacks. By reducing access to virtual machine ports, using the just-in-time VM access
130
Azure Arc
helps to enable Defender for Cloud's enhanced security features on-prem
131
Defender for Cloud on other cloud
1. Defender for Cloud's CSPM 2. Microsoft Defender for Containers 3. Microsoft Defender for Servers
132
Defender for Cloud fills three vital needs
1. Continuously assess – Know your security posture. Identify and track vulnerabilities. 2. Secure – Harden resources and services with Azure Security Benchmark. 3. Defend – Detect and resolve threats to resources, workloads, and services.
133
Azure Security Benchmark
Microsoft-authored, Azure-specific, benchmark provides a set of guidelines for security and compliance best practices based on common compliance frameworks.
134
Defender for Cloud: Defend
1. Security alerts 2. Advanced threat protection
135
Defender for Cloud: Security alerts
1. Describe details of the affected resources 2. Suggest remediation steps 3. Provide, in some cases, an option to trigger a logic app in response includes fusion kill-chain analysis, which automatically correlates alerts in your environment based on cyber kill-chain analysis, to help you better understand the full story of an attack campaign, where it started, and what kind of impact it had on your resources.
136
Defender for Cloud: Advanced threat protection
1. provides advanced threat protection features for many of your deployed resources, including virtual machines, SQL databases, containers, web applications, and your network. 2. Protections include securing the management ports of your VMs with just-in-time access, and adaptive application controls to create allowlists for what apps should and shouldn't run on your machines.
137
Azure Logic Apps
is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies how you design and build scalable solutions for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) communication, whether in the cloud, on premises, or both.
138
What is the maximum number of management groups that can be supported in a single directory?
10 000
139
Max size of a storage account
5PB
140
Factor that impact SLA
Negatively 1. Using composite services (As1 * As2) 2. Using free / preview services Positively 1. Add redundancy LBs: 100 - (Us1 * Us2) 2. Service configuration (availability zones)
141
Types of Locks
1. DELETE (can create + update + read) 2. READ (Read Only)
142
An Azure subscription can trust multiple Azure Active Directory (Azure AD) tenants
No
143
Azure Virtual Network service
1. allows you to create and manage private networks in the cloud and connect them to on-premises networks using a VPN gateway 2. can create subnets, assign IP addresses, and control traffic flow between virtual machines and other resources
144
Azure Traffic Manager
a global DNS-based traffic load balancer that can be used to distribute traffic across multiple endpoints
145
Azure HDInsight
PaaS Run popular open-source frameworks—including Apache Hadoop, Spark, Hive, Kafka, and more—using Azure HDInsight, a customizable, enterprise-grade service for open-source analytics. Effortlessly process massive amounts of data and get all the benefits of the broad open-source project ecosystem with the global scale of Azure. Easily migrate your big data workloads and processing to the cloud.
146
Modern Lifecycle Policy for Azure products and services
For products governed by the Modern Lifecycle Policy, Microsoft will provide a minimum of 12 months' notification prior to ending support if no successor product or service is offered —excluding free services or preview releases.
147
Site-to-Site (IPsec) VPN connection
1. connect two or more virtual networks that are in different regions, data centers, or even different cloud providers 2. It allows you to connect an on-premises network or a branch office network to an Azure virtual network, or to connect two Azure virtual networks that are in different regions.
148
Azure Cognitive Services
1. bring AI within reach of every developer—without requiring machine-learning expertise. 2. all it takes is an API call to embed the ability to see, hear, speak, search, understand, and accelerate decision-making into your apps.
149
Event Hubs
is a fully managed, real-time data ingestion service that’s simple, trusted and scalable. Stream millions of events per second from any source to build dynamic data pipelines and immediately respond to business challenges. Keep processing data during emergencies using the geo-disaster recovery and geo-replication features. Integrate seamlessly with other Azure services to unlock valuable insights. Allow existing Apache Kafka clients and applications to talk to Event Hubs without any code changes – you get a managed Kafka experience without having to manage your own clusters. Experience real-time data ingestion and microbatching on the same stream
150
What is the maximum allowed number of tags per Azure resource?
50
151
Important facts about management groups
1. 10,000 management groups can be supported in a single directory. 2. A management group tree can support up to six levels of depth. (This limit doesn't include the Root level or the subscription level.) 3. Each management group and subscription can only support one parent.

Asy Azure (4 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions