General Flashcards
Export all resource in a RG as a template
Export-AzResourceGroup cmdlet
Create a template from a deployment in the deployment history of a RG.
Save-AzResourceGroupDeploymentTemplate
Deployment history of RG
Get-AzResourceGroupDeployment
All operations performed during deployment
Get-AzResourceGroupDeploymentOperation
Register this provider namespace for Azure Log Analytics workspace.
Microsoft.OperationalInsights
Register this provider namespace for Azure Policy which is used for governance and guard rails within the Azure landing zone
Microsoft.PolicyInsights
Register this provider namespace for Azure Automation, which automates different tasks within the environment (ex: patching servers)
Microsoft.Automation
Register this provider namespace for Azure Event Hubs, a big data streaming platform and event ingestion service that can be integrated with Azure native services.
Microsoft.NotificationHubs
- AcrPull
- AcrPush
- Owner
Authenticate with an ACR using Azure AD service principal.
What are the roles assigned to ACR to pull a non-quarantined image?
Pull.
Docker pull a non-quarantined image or pull another supported artifact, such as Helm chart, from a registry.
Requires authentication with the registry using authorized identity.
AcrPull
Pull and push
Docker push an image or push another supported artifact, such as Helm chart, to a registry.
Requires authentication with the registry using authorized identity.
AcrPush
Pull, push, and assign roles to others
Access resource manager
Create/delete registry
Push/pull image
Delete image data
Change policies
No - assign images
ACR role - Owner
Delete container images or other supported artifacts such as Helm chart, from a registry.
AcrDelete
Sign images, usually assigned to an automated process, which would use a service principal
AcrImageSigner
True/False
KEDA checks once every 30 seconds
True (KEDA polling interval)
True/False
If queue is > 0, KEDA scales the app by adding one new instance
True (KEDA scale up step)
Rate new instances are added: 1, 4, 8, 16, 32, …, maxReplicas
Scale up to 30 host instances
Enhanced compute capabilities
Web apps are hosted on dedicated VMs
Azure App Service plan: Premium V2
Virtual instances are shared with other customers.
Multi-tenant infrastructure.
Designed for development and testing
No autoscale
1 instance
Azure App Service plan: Shared
Expensive
Azure App Service plan: Isolated
Scale up to 10 host instances
Storage 5 GB
Web apps are hosted on dedicated VMs
Azure App Service plan: Standard
Deployment template file
Gets the resource group object that will be used to deploy the template.
resourceGroup().location = location parameter
resourceGroup()
Deploy scripts as continuous WebJobs
Create as linked to a web project
Supported in Basic App Service plan
WebJobs
3 instances
No autoscale
Azure App Service plan: Basic
Can be hosted on Windows or Linux
.NET Core 3.0
Can be hosted on Windows
ASP.NET 4.8
Networking feature
Configure access to App Services
Provide service endpoints or private endpoints
Load balancing between regional instances
Azure Application Gateway
Create scalable web applications with instances across multiple regions
Support for Web Application Firewall
Load balancing across multiple regions
Azure Front Door
Efficiently deliver web content to globally distributed users.
High-bandwidth physical delivery nodes placed at strategic locations across the globe.
Azure Content Delivery Network (CDN) endpoints
Centralize an organization’s file shares
Cache Azure file shares to on-premises Windows file servers
Azure File Sync
Can be hosted on Linux
PHP 7.3
Can be hosted on Linux
Ruby 2.6
Adds additional fields during the creation/update of a resource
If field exists and values are different from policy, policy acts as a deny
Subscription Policy - Append effect
Create a warning event in the activity log for non-compliant resources
Subscription Policy - Audit effect
Evaluated if the request executed by the Resource Provider returns a success status code.
Triggered if the resource does NOT exist or the resource defined by ExistenceCondition is evaluated as false
Subscription Policy - DeployIfNotExists effect
Disabled
Append
Deny
Audit
Subscription Policy - order of effect evaluation
create new resource tag
New-AzTag
- Create Azure AD group; add users to group
- Enable SSPR with Selected option
- Select Azure AD group for which you want to allow SSPR
- Register authentication method for SSPR
Steps to configure SSPR
Use Azure CLI
Ensures that the subscription logged into works with Azure Policies
Microsoft.PolicyInsights
Contributor & Owner roles
Azure Policy Insights
Create/configure policies
Create support tickets
Read resources
Resource Policy Contributor
Prevents deletion of resources in RG.
Allows changes to resources in RG.
CanNotDelete lock
Prevent addition of resources to RG
ReadOnly lock
Cost savings by leveraging existing on-premises licenses.
Azure Hybrid Benefit
Quickly deploy/manage identical load balanced VMs
VM scale set
User Principal Names
Add UPN as guest users in Azure AD tenant.
This sends an invitation to users to access services.
UPN
Need to enable
Allow hybrid users to use SSPR
Password writeback
Specify requirements for users to access Azure AD protected apps
Conditional access policy
Prevents configuration drift on newly deployed or existing Azure or on-premises nodes
Azure Automation Desired State Configuration (DSC)
Allows customers to define own rules for using Azure.
JSON statements
Custom Azure Policy template
Remove subscription from current management group
Remove-AzManagementGroupSubscription
Add subscription to a management group
New-AzManagementGroupSubscription
Delete management group
Remove-AzManagementGroup
Update supported parameters, such as display name or change the management group parent
Update-AzManagementGroup
An App Service cannot be moved with an SSL certificate configured
SSL (Secure Sockets Layer)
Do NOT move within same subscription.
Load Balancer
Disable before moving VNet.
peer VNet
Can be moved within same subscription.
Move all dependent resources with it (Redis cache)
VNet
Azure AD entitlement management with Microsoft Graph PowerShell.
Retrieve catalog identifier
Microsoft Entra ID Governance
Required for SSPR
Azure AD Premium P1
Required for SSPR.
Secure way to send password updates back from Azure AD to on-premises AD DS
Azure AD Connect
Create/manage users, groups
Manage support tickets
Monitor service health
User Access Administrator
Manage user access to Azure resources but grants full access to all resources
User Access Administrator Role + Contributor Role
Owner role
Create/manage all types of resources
NO - manage users’ access to resources in subscription
Contributor Role
No - Azure resources
Grants permissions to manage users/groups in Azure AD tenant associated with subscription
User Administrator role
Roles assigned to resources do NOT move - orphaned
The roles need to be re-created
Migration between subscriptions
One of the products specified in the group contains a service plan that conflicts with another service plan already assigned to the user via a different product.
MutuallyExclusiveViolation
LRS to ZRS
Azure Files NFSv4.1
Manual migration of file storage
LRS to GRS and RA-GRS
Azure portal migration of file storage
LRS to GRS and RA-GRS
PowerShell migration of file storage
LRS to ZRS
NOT Azure Files NFSv4.1
Live migration of file storage
- Open Azure Storage Explorer
- Connect to “
- Create blob container
- Upload blob to blob container
- Get SAS for blob and specify start/expiry time and permissions
- Use HTTPS to provide access of the URL to user
Steps to give SAS access using Azure Storage Explorer
Use to migrate resources into Blob Storage, Queue, and Table resources using AzCopy.
Use Azure AD credentials
Azure AD authorization
Use for Azure files, an identity-based authorization over SMB
Hosted in Azure
Azure AD DS authorization
Use for Azure files, an identity-based authorization over SMB
Hosted on-prem
AD DS authorization
- Create storage account (New-AzStorageAccount)
- Get access key (Get-AzStorageAccountKey)
- Create file share (New-AzStorageContext, then New-AzStorageShare)
- CMDKEY on Windows Servers - to store access key
- New-PSDrive on Windows Servers - map drive
Steps to mount file share in a new storage account
Requirement for mounting Azure file share as on-premises SMB file share on on-premises network
TCP port 445 open in on-premises internet firewall
Private connection between on-premises network and Microsoft cloud.
No need to configure on-premises firewall
ExpressRoute circuit
Set Share ACL operation with SMB protocol
Additional level of control over SAS
Stored Access Policy for file shares
Physical device
Import/export data from Azure
Terabytes of data
Azure Data Box
Enables service endpoint (Microsoft.Storage) on the subnet for a storage account
Allows connections from storage account to subnet.
Set-AzVirtualNetworkSubnetConfig
Makes the changes persistent
Set-AzVirtualNetwork
Add firewall exception on the NetworkRule property in the storage account.
Allows communication from subnet to storage account
Add-AzStorageAccountNetworkRule
Updates NetworkRule property to allow other Azure services, like Backup or Event Hubs, to have access to storage account
Update-AzStorageAccountNetworkRuleSet
Allow connections from other Azure services
Update-AzStorageAccountNetworkRuleSet -Bypass AzureServices
Modify storage account
Set a tag, update customer domain, update type of account
Set-AzStorageAccount
Remove NetworkRule property from storage account
Remove-AzStorageAccountNetworkRuleSet
-Bypass
-None (remove access to all Azure services)
-Metrics
-Logging
Parameters for Update-AzStorageAccountNetworkRuleSet
Shared Access Signature
URL
Define time-limited read-only or read-write access to storage account resource
Configure a stored access policy
Validate data written using a SAS
Revoke SAS by deleting a stored access policy
SAS
Azure AD, SAS
Blob storage authentication methods
SAS
File storage authentication methods
Port 445
Uses SMB protocol on port 445
Error 67 - blocked port
- Can use domain services, either on-premises or in Azure, to support identity-based access to Azure file shares over SMB protocol
Azure file shares
Port 2049
Network File Share (NFS) protocol
Error 53
Support Azure file shares
New Technology LAN Manager version 2 (NTLMv2)
2 options:
1. ad-hoc SAS
2. stored access policy
SAS options
Specify start & expiration time, permissions to URI
ad-hoc SAS
- Put Blob
- Put Block List
- Copy Blob
- Set Blob Metadata
Blob versioning
Create new block, page, or append blob
Update existing block blob (overwrite metadata)
Blob versioning - Put Blob
Writes a blob by specifying the list of block IDs that make up the blob.
Update a blob by uploading only those blocks that have changed and committing the new/existing blocks together
Blob versioning - Put Block List
Copies a blob to a destination within the storage account
Blob versioning - Copy Blob
Sets user-defined metadata for the specified blob as one or more name-value pairs
Blob versioning - Set Blob Metadata
Zone-redundant storage
Copies data synchronously across 3 AZs in the primary region to provide high availability
Protects against failure at a physical location but does not protect against region-wide failures.
ZRS
Locally Redundant Storage
Copies data synchronously 3x within a single physical location
LRS
GRS - protect against regional outages
GZRS - maximize availability and durability of
GRS, GZRS