Module 11

Question 1

Resource groups are a fundamental element of Azure, what do they do

Answer 1

Logically contain all your resources

Question 2

What type of resources must be in a resource group

Answer 2

All resources must be part of a resource group

Question 3

Can resources be moved between resource groups

Answer 3

Many resources can be moved between resources groups however some have limitations of requirements

Question 4

Can resource groups be nested

Answer 4

No - Resource groups cannot be nested

Question 5

Resource groups exist to manage and organise resource - what are some of the ways you can use them to provide order/organisations

Answer 5

By placing resources of similar; Usage, Type or location in the groups together

Question 6

When and why is it useful to organise resource groups by life cycle

Answer 6

Deleting a resource group deletes all resources contained within

Organising by life cycles can be useful for dev and test environments where you might experiment then dispose of when done

RGs make it easy to remove a set of resources in one go.

Question 7

When and why is it useful to to organise resource groups by Authorization

Answer 7

RGS are also a scope for applying RBAC permissions

RBAC permissions allow you to easily admini and limit access to allow only what is needed

Question 8

How can you create a resource group

Answer 8

Via Portal, PowerShell, CLI, Templates or SDKs

Question 9

If you use a resource group to organise for billing, how might this be helpful

Answer 9

Putting resources in the same RG is a way to group for usage in billing reports

To understand how costs are distributedin Azure, group them by resource is a way to filter and sort data to better understand where costs are allocated.

Question 10

What method could you use to organise a resource with multiple purposes.
What method allows for good search and filter or resources

Answer 10

Tagging

Question 11

What are tags

Answer 11

Name/Value Pairs of data you can apply to resources and Resource Group, to associate custom details about your resource

Question 12

How many tags can a resource have

Answer 12

A resource can have 50 tags

Question 13

What is the name of a tag limited to

Answer 13

The name of a tag is limited to 512 characters, (except storage accounts where limited to 128 characters)

Question 14

What is the value or a tag limited to

Answer 14

Tag values limited to 256 characters

Question 15

True Or False, All resources support tags and they are inherited

Answer 15

FALSE: Tags are not inherited AND Not all resource types support tags (i.e. classic resources cannot have tags applied)

Question 16

How can you manipulate tags

Answer 16

Portal, CLI, PowerShell, Resource Manager Templates, RestAPI

Question 17

What can enforce tags and what sort of rule might you want to enforce

Answer 17

Azure Policy can enforce tags and a good example would be requiring a value for a dept tag when deploying a resource to a certain RG

Question 18

Can tags be added to existing resources

Answer 18

Yes, tags can be added to existing resources or added at the point of creation

Question 19

How can you use tags to filter your resources

Answer 19

Go to all resources, Select add filter, In tags select the tag name then the tag value

Question 20

What does the Azure Policy Service allow you to do

Answer 20

Allows you to create, assign and manage polices, to enforce rules your resources need to follow

Question 21

When/What are polices evaluated/enforced against

Answer 21

Polices can enforce when resources are created and be evaluated against existing resources

Question 22

What are some common things a policy might enforce

Answer 22

Polices can enforce things like -specific types of resource being created or only creating resources in certain regions. Can enforce naming conventions or specific tags to be applied to resources

Question 23

What is the process for creating a policy

Answer 23

Define a policy through the Policy authoring menu
Set the definition location and name the policy.
Use JSON to define policy rules

Question 24

How do you enforce a policy you have created

Answer 24

To enforce policy you need to create an assignment.

In assign policy pane, assign policy to your desired scope

Question 25

Azure Policy ensures employees with Azure access follow standards, what service aims to solve how to protect those resources once deployed

Answer 25

RBAC (Role Based Access Control)

Question 26

How much does the RBAC service cost

Answer 26

RBAC is considered a core service and is included in all subscriptions at No Cost

Question 27

What does RBAC provide

Answer 27

RBAC provides fine grained access management enabling you to grant users specific rights required to perform there job

Question 28

Where can you view permissions for a resource as well as GRANT or REMOVE access

Answer 28

Via the Access Control (IAM) panel for the resource in question

Question 29

How does RBAC define access

Answer 29

RBAC defines access using an allow model,

When you are assigned a role, RBAC allows you to perform specific actions (Read/Write/Delete etc)

N.B. If one role grants read and another grants write you will have both read and write

Question 30

What are the best practices for using RBAC

Answer 30

• Segregate duties, grant only amount of access required for each users to perform their job
• Do not give everyone unrestricted access, only allow specific actions at a specific scope
• Grant lowest privellige required to user to do there work
• Use Resource locks to ensure critical resources are not deleted or modifed

Question 31

What can you user to prevent accidents of users with good intentions of clearing up resources resulting in accidental deletion of resources critical to other systems

Answer 31

Resource Locks

Question 32

What is a resource lock

Answer 32

Setting applied to any resource to block modification or deleteion

Question 33

What are the two options for resource locks

Answer 33

Resource locks can be set to DELETE or READ ONLY

Question 34

What does the delete setting of a resource lock do

Answer 34

• Delete allows all operations against resources but prohibits deletion

Question 35

What does the read only setting or a resource lock do

Answer 35

Read only will only allow read activity to be performed

Question 36

At what scopes can resource locks be applied, and do they inherit when applied at higher levels

Answer 36

Can be applied to subscriptions, RGs, or resources and are inherited when applied at higher levels

Question 37

What is something to be aware of when using a resource lock, if you start seeing odd effects

Answer 37

A read only resource lock can have unexpected results as operators that appear to be read only sometimes do additional actions. E.G. Read only on storage account prevents all users listing keys as this operation is handled by a post request as returned keys are available for write operations.

Question 38

What needs to happen before you can do the denied activity by a resource lock

Answer 38

Remove the resource lock

Question 39

Which RBAC permissions do resource locks not apply to

Answer 39

• Resource locks apply regardless of any RBAC permissions

- Even an owner must remove the lock before performing locked activity

Question 40

Where do you create a resource lock

Answer 40

At the scope you wish to apply it within Settings and Locks

Question 41

In practice where should you apply resource locks

Answer 41

• Use resource locks to protect key pieces of azure that would have large impact if removed (e.g. Express Route Circuits, vNets, Critical DBs, Domain Controllers
• Evaluate Resources + Apply locks where you would like extra protection.