Module 11 Flashcards
Resource groups are a fundamental element of Azure, what do they do
Logically contain all your resources
What type of resources must be in a resource group
All resources must be part of a resource group
Can resources be moved between resource groups
Many resources can be moved between resource groups; however, some have limitations or requirements
Can resource groups be nested
No - Resource groups cannot be nested
Resource groups exist to manage and organise resources - what are some of the ways you can use them to provide order/organisation
By placing resources of similar usage, type or location in groups together
When and why is it useful to organise resource groups by life cycle
Deleting a resource group deletes all resources contained within
Organising by life cycle can be useful for dev and test environments where you might experiment and then dispose of the resources when done
RGs make it easy to remove a set of resources in one go.
When and why is it useful to organise resource groups by authorization
RGs are also a scope for applying RBAC permissions
RBAC permissions allow you to easily administer and limit access to allow only what is needed
How can you create a resource group
Via Portal, PowerShell, CLI, Templates or SDKs
If you use a resource group to organise for billing, how might this be helpful
Putting resources in the same RG is a way to group for usage in billing reports
To understand how costs are distributed in Azure, grouping them by resource is a way to filter and sort data to better understand where costs are allocated.
What method could you use to organise a resource with multiple purposes.
What method allows for good search and filter of resources
Tagging
What are tags
Name/value pairs of data you can apply to resources and resource groups, to associate custom details with your resource
How many tags can a resource have
A resource can have 50 tags
What is the name of a tag limited to
The name of a tag is limited to 512 characters (except storage accounts, where it is limited to 128 characters)
What is the value of a tag limited to
Tag values are limited to 256 characters
True Or False, All resources support tags and they are inherited
FALSE: Tags are not inherited AND Not all resource types support tags (i.e. classic resources cannot have tags applied)
How can you manipulate tags
Portal, CLI, PowerShell, Resource Manager Templates, REST API
What can enforce tags and what sort of rule might you want to enforce
Azure Policy can enforce tags and a good example would be requiring a value for a dept tag when deploying a resource to a certain RG
Can tags be added to existing resources
Yes, tags can be added to existing resources or added at the point of creation
How can you use tags to filter your resources
Go to all resources, Select add filter, In tags select the tag name then the tag value
What does the Azure Policy Service allow you to do
Allows you to create, assign and manage policies, to enforce rules your resources need to follow
When/What are policies evaluated/enforced against
Policies can be enforced when resources are created and be evaluated against existing resources
What are some common things a policy might enforce
Policies can enforce things like specific types of resource being created or only creating resources in certain regions. They can also enforce naming conventions or specific tags to be applied to resources
What is the process for creating a policy
Define a policy through the Policy authoring menu
Set the definition location and name the policy.
Use JSON to define policy rules
How do you enforce a policy you have created
To enforce policy you need to create an assignment.
In the Assign policy pane, assign the policy to your desired scope
Azure Policy ensures employees with Azure access follow standards, what service aims to solve how to protect those resources once deployed
RBAC (Role Based Access Control)
How much does the RBAC service cost
RBAC is considered a core service and is included in all subscriptions at No Cost
What does RBAC provide
RBAC provides fine-grained access management, enabling you to grant users the specific rights required to perform their job
Where can you view permissions for a resource as well as GRANT or REMOVE access
Via the Access Control (IAM) panel for the resource in question
How does RBAC define access
RBAC defines access using an allow model,
When you are assigned a role, RBAC allows you to perform specific actions (Read/Write/Delete etc)
N.B. If one role grants read and another grants write you will have both read and write
What are the best practices for using RBAC
- Segregate duties, grant only the amount of access required for each user to perform their job
- Do not give everyone unrestricted access, only allow specific actions at a specific scope
- Grant the lowest privilege required for users to do their work
- Use Resource locks to ensure critical resources are not deleted or modified
What can you use to prevent accidents where users with good intentions of clearing up resources accidentally delete resources critical to other systems
Resource Locks
What is a resource lock
Setting applied to any resource to block modification or deletion
What are the two options for resource locks
Resource locks can be set to DELETE or READ ONLY
What does the delete setting of a resource lock do
- Delete allows all operations against resources but prohibits deletion
What does the read only setting of a resource lock do
Read only will only allow read activity to be performed
At what scopes can resource locks be applied, and do they inherit when applied at higher levels
Can be applied to subscriptions, RGs, or resources and are inherited when applied at higher levels
What is something to be aware of when using a resource lock, if you start seeing odd effects
A read only resource lock can have unexpected results, as operations that appear to be read only sometimes do additional actions. E.g. a read only lock on a storage account prevents all users from listing keys, as this operation is handled by a POST request because the returned keys are available for write operations.
What needs to happen before you can do the denied activity by a resource lock
Remove the resource lock
Which RBAC permissions do resource locks not apply to
- Resource locks apply regardless of any RBAC permissions
- Even an owner must remove the lock before performing locked activity
Where do you create a resource lock
At the scope you wish to apply it within Settings and Locks
In practice where should you apply resource locks
- Use resource locks to protect key pieces of Azure that would have large impact if removed (e.g. Express Route Circuits, vNets, Critical DBs, Domain Controllers)
- Evaluate Resources + Apply locks where you would like extra protection.