John Saville - Gemini Pro Flashcards
What is the new name for Azure AD?
entra ID
What is the key difference between entra ID and Active Directory Domain Services?
entra ID speaks Cloud while ADDS speaks on-premises protocols
What is the standard way to interact with entra ID?
Microsoft Graph
What are the two technologies for replicating from Active Directory to entra ID?
entra Connect and entra Connect Cloud Sync
Which way does the replication flow?
From Active Directory to entra ID
What is the purpose of having a Cloud identity?
To allow applications to trust it for authentication and authorization
What is the name of the particular instance of entra ID for an organization?
Tenant
What is the default domain name for a new entra ID tenant?
something.onmicrosoft.com
What is the purpose of external users?
To allow interaction with users from other organizations without creating separate accounts
What is the difference between a guest and an external user?
Guests are external users by default, but they can be made members of the tenant
What are the different ways to provision accounts in entra ID?
Synchronization, manual creation, bulk creation, and provisioning from external systems
What are the two types of groups in entra ID?
Security groups and Microsoft 365 groups
What is the difference between registering and joining a device in entra ID?
Registering is for personal devices, while joining is for corporate devices
What are the different levels of entra ID licenses?
Free, P1, P2, and Governance add-on
What is the purpose of conditional access?
To enforce additional security checks based on factors such as device, location, and risk
What is the purpose of privileged identity management?
To manage and monitor privileged accounts
What is the purpose of self-service password reset?
To allow users to reset their own passwords without contacting the help desk
Who should have the global administrator role?
Only a few trusted individuals
Is entra ID a hierarchical structure?
No, it is a flat structure
What is the difference between the Azure commercial cloud and other clouds?
They have different URLs, tenants, regions, and availability zones
What is the purpose of availability zones?
To provide redundancy and resilience within a region
How many availability zones are exposed to a subscription?
Three
What is the goal of using multiple regions?
To avoid single points of failure and improve disaster recovery
What is the purpose of subscription?
To organize and manage resources
What is the purpose of management groups?
To organize subscriptions and apply policies, access control, and budgets
What are the three core things that management groups can be used for?
Access control, policy, and budgets
How are policies and budgets inherited?
They are inherited from parent management groups to child management groups and subscriptions
What is the purpose of a management group?
To organize subscriptions and apply policies, access control, and budgets
What is the purpose of a subscription?
To organize and manage resources
What is the purpose of a resource group?
To group related resources that will be provisioned, run, and decommissioned together
What is Azure Hybrid Benefit?
A program that allows customers to use existing Windows Server and SQL Server licenses in the cloud
What is Azure Reservation?
A one or three-year commitment to use a specific service in a specific region, which results in a discount
What is Azure Savings Plan?
A flexible one or three-year commitment to spend a certain amount on included compute services, which results in a discount
How does Azure Savings Plan apply to resources?
It applies the best discount to the resource that is running and then moves on to the next resource
Can a resource have both a Savings Plan and a Reserved Instance?
No, it can only have one or the other
What is the purpose of cost analysis?
To provide insights into spending and identify areas for optimization
What is the purpose of a budget?
To set a financial limit and receive alerts when it is reached or exceeded
What are tags?
Key-value pairs that can be applied to resources, resource groups, and subscriptions for organization and filtering
Do tags get inherited?
No, by default, tags are not inherited from parent to child resources
What is the purpose of Azure policy?
To set guard rails and configure requirements for resources
What is the difference between a policy and an initiative?
A policy is a specific condition and effect, while an initiative is a set of policies
What is the benefit of using initiatives?
Easier assignment and compliance tracking for multiple policies
What is the Microsoft Cloud Security Benchmark?
A free set of initiatives for security best practices
What is role-based access control (RBAC)?
A mechanism for assigning permissions to users and groups at different scopes (management group, subscription, resource group, resource)
What is the principle of least privilege?
Giving users and groups the minimum amount of permissions necessary to perform their tasks
What is the difference between owner, contributor, and reader roles?
Owner: Full access, contributor: All access except changing permissions, reader: Read-only access
Can you create custom roles?
Yes, you can create custom roles by cloning existing roles and adding or removing permissions
What is the difference between control plane and data plane?
Control plane: Managing Azure resources, data plane: Interacting with data (e.g., writing to a database)
What is a virtual network (vnet)?
A private network within Azure that provides IP addresses to resources and defines subnets
What is the purpose of a subnet?
To divide a vnet into smaller IP address ranges
How many IP addresses are lost in each subnet?
Five (network address, broadcast address, gateway, and two for DNS)
What is the difference between standard and basic public IPs?
Standard: Static, basic: Dynamic (retiring on 30th September 2025)
What is a public IP address?
An IP address that allows resources to communicate with the public internet
What is a prefix?
A contiguous block of IP addresses
Can you bring your own IP addresses to Azure?
Yes, but it requires a specific process
What is a peering?
A connection between two virtual networks that allows resources to communicate using private IP addresses
What is the difference between Gateway Transit and Use Remote Gateway?
Gateway Transit: Allows a virtual network to use the Gateway of another virtual network for connectivity, Use Remote Gateway: Allows a virtual network to use the Gateway of another virtual network for egress
What is Azure Virtual Network Manager?
A tool for managing virtual networks and configuring connectivity
What are Network Groups in Azure Virtual Network Manager?
Groups of virtual networks that can be used to define connectivity configurations
What are Security Admin Rules in Azure Virtual Network Manager?
Rules that apply before local virtual network rules and can be used to allow or deny traffic
What is a Network Security Group (NSG)?
A set of rules that control network traffic to and from a virtual network
What is a Service Tag?
A tag that represents a range of IP addresses for Azure services
What is an Application Security Group?
A tag that can be applied to a network interface to control access to resources
What is the default rule for inbound traffic in an NSG?
Deny all traffic except traffic from the virtual network itself
What is the default rule for outbound traffic in an NSG?
Allow all traffic
What is a Network Security Group (NSG)?
A set of rules that control network traffic to and from a virtual network
What is a Service Tag?
A tag that represents a range of IP addresses for Azure services
What is an Application Security Group?
A tag that can be applied to a network interface to control access to resources
What is the difference between Azure Firewall Basic, Standard, and Premium?
Basic: Low performance, Standard: Up to 30 Gbps, Premium: Up to 100 Gbps, Additional features such as intrusion detection and URL filtering
What is Azure DNS?
A public and private DNS service provided by Microsoft
What is the difference between public and private DNS zones in Azure?
Public zones are accessible from the internet, while private zones are only accessible within virtual networks
What is automatic registration in Azure Private DNS?
A feature that automatically creates DNS records for resources in a virtual network
What is Azure Private DNS Resolver?
A service that allows resources outside of a virtual network to resolve records in private DNS zones
What is the default DNS zone for a virtual network?
internal.cloudapp.net
Can custom DNS servers be used with virtual networks?
Yes, but they must also be able to resolve to the Azure DNS IP address (168.63.129.16)
What are the two types of VPN gateways?
Policy-based (static routing) and Route-based (dynamic routing)
What is the difference between policy-based and route-based VPN gateways?
Policy-based: One tunnel, restrictive, Legacy only, Route-based: Multiple tunnels, point-to-site VPN
What is Express Route?
A private connectivity service that extends a customer’s network into Microsoft’s backbone
What is private peering in Express Route?
A type of connectivity that connects private IP spaces within virtual networks
What is Express Route Global Reach?
Enables connectivity between different Express Route circuits and locations using the Microsoft backbone
What is Microsoft peering?
A type of connectivity that allows customers to connect to Azure PaaS services over Express Route
What is Azure Virtual WAN?
A managed service that provides connectivity and routing for virtual networks and other Azure resources
What is the difference between Azure Virtual WAN Basic and Standard?
Basic: Site-to-site VPN only, Standard: Express Route, intra-VNet connectivity, Azure Firewall integration, Network Virtual Appliance deployment
What are User Defined Routes (UDRs)?
Custom routing policies that override default routing tables
What are service endpoints?
Enable specific subnets to communicate with Azure PaaS services
How do service endpoints work?
Create a private connection between a subnet and a service, allowing only resources in the subnet to access the service
What is a private endpoint?
Creates an IP address in a subnet that connects to a specific instance of a service, providing a secure and direct communication channel
How does a private endpoint differ from a service endpoint?
A private endpoint provides an IP address in a subnet that can be accessed from outside the subnet, while a service endpoint only allows communication from within the subnet
What is Azure Bastion?
A managed jump box service that allows secure access to virtual machines from the internet
What are the different Azure Bastion SKUs?
Basic: Same VNet only, Developer: Same VNet only, Standard: Peered VNets, RDP to Linux, SSH to Windows, Azure CLI support, Sharable link, Copy/paste disable
What is Azure Application Gateway?
A Layer 7 load balancer that understands HTTP/S and websockets
What is Azure Load Balancer?
A Layer 4 load balancer that supports TCP and UDP
What are the two SKUs of Azure Load Balancer?
Basic and Standard
How does Azure Load Balancer work?
Has a front-end IP address and one or more backend pools, uses health probes to check backend pool instances
What are the differences between Azure Load Balancer Free and Standard SKUs?
Free: 300 backend instances, no SLA, no outbound rules, Basic IP only, Standard: 1000 backend instances, SLA, outbound rules, Nicknames or IP addresses
What is Azure Application Gateway?
A Layer 7 load balancer that understands HTTP/S, websockets, and other application-layer protocols
What are the benefits of using Azure Application Gateway?
URL-based routing and redirection, SSL/TLS termination, session affinity, web application firewall protection
What is Azure Traffic Manager?
A DNS-based global load balancer that distributes traffic based on performance, priority, and other factors
What is a cross-region load balancer?
A global IP address that points to multiple regional load balancers, providing a single endpoint for clients to access
What is the difference between Azure Storage General Purpose V2 and Premium Storage?
General Purpose V2 offers all types of blobs, queues, tables, and files, while Premium Storage is built on SSD technology and offers block blobs, page blobs, and files with higher performance
What is the difference between Premium Files and regular files?
Premium Files are provisioned based on size, meaning users pay for the size of the share they create rather than the amount of data written to it
What are the different types of Azure Storage services?
Blob, file shares, queues, tables
What is the purpose of Azure Storage Explorer?
A tool for interacting with Azure Storage accounts, including viewing contents, writing items to queues, and adding data to tables
What are the different redundancy options for Azure Storage accounts?
Locally redundant storage (LRS): Three copies within the same storage cluster, Zone redundant storage (ZRS): Three copies spread over three availability zones, Geo-redundant storage (GRS): Three copies within a storage cluster and three copies in a paired region, Geo-zone-redundant storage (GZRS): Three copies spread over three availability zones and three copies in a paired region’s storage cluster
What are the different tiers available for Azure Blob storage?
Hot, Cool, Cold, Archive
How does pricing for Azure Blob storage differ across tiers?
Hot: Highest capacity cost, lowest transaction cost; Cool: Lowest capacity cost, highest transaction cost; Cold: Low capacity cost, high transaction cost; Archive: Super cheap capacity cost, no interaction (offline)
What is Azure Blob storage lifecycle management?
A feature that allows users to create rules for automatically moving data between tiers based on filters such as last access time or creation date
What is Azure Blob storage object replication?
A feature that enables users to replicate data from a container in one storage account to a container in another storage account, regardless of region
What is the difference between Azure Files tiers?
Transaction Optimized: Highest capacity cost, lowest transaction cost; Hot: Low capacity cost, high transaction cost; Cool: Lowest capacity cost, highest transaction cost; Premium: Different type of storage account with higher performance
What are some of the features available for Azure Files?
Performance configuration, backup snapshots, soft delete, backup Vault integration, Azure AD integration
What is Azure File Sync?
A service that enables synchronization of on-premises file shares with Azure Files
What are the benefits of using Azure File Sync?
Infinite scale, data resilience, offloading of less-used data to the cloud
How can I control access to Azure Storage data?
Using data plane role-based access control (RBAC) or shared access signatures (SAS)
What is the difference between a storage account key and a shared access signature?
Storage account keys are powerful and should be rotated regularly; shared access signatures are more granular and can be used for specific services or resources
What is encryption scope?
A feature that enables the use of different encryption keys for different containers or blobs within a storage account
What are the different types of Azure managed disks?
Standard HDD, Standard SSD, Premium SSD, Premium SSD V2, Ultra Disk
How is performance determined for Azure managed disks?
Performance is tied to the size of the disk, with larger disks providing better performance
How can I modify the performance of a Premium SSD V2 or Ultra Disk?
By adjusting the IOPS and throughput settings
How can I encrypt Azure managed disks?
By creating a disk encryption set that uses a key in Azure Key Vault
What is the best way to provision Azure resources?
Using declarative templates such as ARM JSON or Azure Bicep
What are the benefits of using templates for provisioning?
Ensures consistency, reduces errors, and allows for version control
What is the difference between Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)?
IaaS: Vendor manages hypervisor, physical servers, storage, networking; customer manages OS, patching, backup, etc.; PaaS: Vendor manages all of the above except customer application and data
What is the ultimate level of service in the cloud?
Serverless offerings like Azure Functions and Logic Apps
What are the different dimensions of a virtual machine?
CPU, memory, storage, network capabilities, special GPUs (e.g., ratio of CPU cores to memory)
Why is it important to match the VM skew and size to the workload?
To optimize resource utilization and avoid wasting resources
What is the concept of scaling in Azure?
Adding or removing VM instances based on changing workload requirements
What are the different types of virtual machine storage?
Ephemeral, temporary, premium, standard
What is the purpose of a virtual machine extension?
To add capabilities to a virtual machine, such as running scripts or integrating with Azure services
What is Azure Bastion?
A service that provides secure access to virtual machines through a managed jumpbox environment
What is the difference between a fault domain and an availability zone?
Fault domains are within a single data center, while availability zones are isolated across multiple data centers
What is a virtual machine scale set?
A group of virtual machines that can be scaled up or down automatically based on demand
What is the difference between uniform and flexible virtual machine scale sets?
Uniform scale sets have a fixed scaling profile, while flexible scale sets allow for more customization and the inclusion of spot instances
What is a container registry?
A repository for container images
What is the difference between a virtual machine and a container?
A virtual machine virtualizes the hardware, while a container virtualizes the operating system
What is the purpose of a container registry?
To store and manage container images
What is the role of the control plane in Kubernetes?
To manage the cluster and schedule containers
What is a pod in Kubernetes?
A container instance
What is persistent volume claim?
A request for storage that can be mapped to a persistent volume
What is the purpose of the cluster autoscaler in Kubernetes?
To add or remove nodes as needed to meet the demand for pods
What is the difference between Azure Container Instances and AKS?
Azure Container Instances is a managed service for running containers without the need for an orchestrator, while AKS is a managed Kubernetes service
What is the purpose of an app service plan in Azure?
To define the resources and configuration for a group of app service instances
What is the difference between standard and elastic scaling in app service plans?
Standard scaling requires manual configuration of scaling rules, while elastic scaling automatically adjusts the number of instances based on load
What is the purpose of the activity log in Azure?
To record control plane operations at the subscription level
What is the difference between metrics and logs in Azure Monitor?
Metrics are time-based signals, while logs are structured events
What is the purpose of diagnostic settings in Azure Monitor?
To configure the collection and destination of logs
What is the benefit of using a log analytics workspace for log storage?
Powerful analytics capabilities using KQL
What is the purpose of Azure Monitor?
To collect and analyze metrics and logs from Azure resources
What is the difference between metrics and logs in Azure Monitor?
Metrics are time-based signals, while logs are structured events
What is the purpose of diagnostic settings in Azure Monitor?
To configure the collection and destination of logs
What is the purpose of alerts in Azure Monitor?
To notify you when certain conditions are met
What is the difference between alert processing rules and action groups?
Alert processing rules determine which action groups to call and when to suppress alerts, while action groups define the actions to be taken
What is the difference between common and basic log analytics workspaces?
Common workspaces have full KQL capabilities and included data ingestion and storage costs, while basic workspaces have a subset of KQL capabilities and require payment for data ingestion and storage
What is the purpose of Network Watcher?
To troubleshoot network-related issues
What are some of the capabilities of Network Watcher?
IP flow verification, next hop determination, VPN troubleshooting, connection troubleshooting, packet capture, and NSG diagnostics
