part 3 Flashcards

1
Q

Azure preview portal

A

Beta, preview, pre-release. New features can be tested via preview.portal.azure.com

2
Q

Powershell

A

Command-line shell and scripting language. Task automation and configuration management framework. Built on top of the .NET Common Language Runtime. Accepts and returns .NET objects, making scripting easier.

3
Q

Azure Cloud Shell

A

Interactive, authenticated, browser-accessible shell for managing resources. You can choose either Bash or PowerShell.

4
Q

Azure CLI

A

Command Line Interface - processes commands to a computer program in the form of lines of text. Operating systems implement a CLI in a shell or terminal. The Azure CLI can be installed on Windows, macOS and Linux. Commands start with az followed by the subcommand.

5
Q

Azure Trust Center

A

Public-facing web portal providing easy access to privacy, security and regulatory compliance information.

6
Q

Compliance programs

A

Businesses have to ensure Azure is:
NIST 800-53 compliant - voluntary framework for managing cybersecurity risks
UK Government G-Cloud - cloud computing certification for services used by government entities in the UK
PIPEDA compliant
HIPAA compliant - US federal law regulating patients' protected health information
FIPS 140-2 compliant - US/Canadian government standard specifying security requirements for cryptographic modules protecting sensitive information
CJIS (Criminal Justice Information Services) - any US state or local agency that wants to access the FBI's CJIS database is required to adhere to the CJIS security policy
CSA (Cloud Security Alliance STAR certification) - independent third-party assessment of a cloud provider's security
GDPR
EU model clauses - contractual guarantees around the transfer of personal data outside the EU
ISO and IEC - code of practice regarding personal information processing by cloud service providers
IDA - standard applied to addressing customer concerns about the security and confidentiality of cloud data
SOC 1, 2, 3 - independent third-party examination reports demonstrating how a company achieves compliance controls and objectives

7
Q

Azure AD

A

Identity and access management service. Helps employees sign in and access resources, e.g. the Azure portal, Office 365, SaaS apps, internal networking and on-premises workstations.

  1. Free - MFA, SSO, user management, usage reports
  2. Office 365 Apps - company branding, SLA etc
  3. Premium 1 - hybrid architecture, advanced group/conditional access
  4. Premium 2 - identity protection, identity governance

8
Q

Azure Security Center

A

Unified infrastructure security management system. Provides advanced threat protection across hybrid workloads in the cloud.

9
Q

Key Vault

A

Helps safeguard cryptographic keys and secrets used by cloud apps and services.
Secrets management: store and tightly control access to tokens, passwords, certificates, API keys etc.
Key management: create and control the encryption keys used to encrypt data.
Certificate management: easily provision, manage and deploy public and private SSL certificates for use with Azure and internal connected resources.
Hardware security module: secrets and keys can be protected by software or by FIPS 140-2 Level 2 validated HSMs.

10
Q

HSM

A

Hardware security module - a piece of hardware designed to store encryption keys. Keys are held in RAM, so when the device shuts down the keys are gone.
Multi-tenant HSMs - FIPS 140-2 compliant (multiple customers virtually isolated on one HSM)
Single-tenant HSMs - FIPS 140-3 compliant (a single customer on a dedicated HSM)

11
Q

DDOS

A

Distributed denial of service attack - maliciously disrupting normal traffic by flooding a website with large amounts of fake traffic.
Azure has built-in DDoS protection.

12
Q

Two tiers of DDoS protection from Azure

A

DDoS Protection Basic: free, already turned on; protects Azure's global network.
DDoS Protection Standard: starting at $2994/mo. Metrics, alerts, reporting, DDoS expert support, application and cost protection SLA.

13
Q

Azure firewall

A

Managed, cloud-based network security service that protects your Azure virtual network resources. A VNet containing the firewall sits between the main VNets hosting VMs and decides which traffic can pass through.

14
Q

Azure firewall features

A

Centrally create, enforce and log application and network connectivity policies across subscriptions and virtual networks.
Uses a static public IP address for your virtual network resources so outside firewalls can identify traffic originating from your virtual network.
Built-in high availability - no load balancers required.
Can be configured during deployment to span multiple Availability Zones for increased availability.
No additional cost for a firewall deployed in an Availability Zone.

15
Q

Azure info protection (AIP)

A

Protects sensitive information with encryption (e.g. emails and documents), restricted access and rights, and integrated security in Office apps.

16
Q

Azure app gateway

A

A web-traffic load balancer (HTTP requests, OSI layer 7) that re-routes traffic based on rules, including security rules. A WAF (web application firewall) can be attached for additional protection at OSI layer 7.

17
Q

Advanced Threat Protection (ATP). What is IDS/IPS

A

Intrusion detection system + intrusion protection system
- A device or software application that monitors a network or systems for malicious activity or policy violations. IDS detects and IPS protects.

18
Q

ATP

A

Cloud-based security solution that leverages your on-premises AD signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions directed at the organisation.

19
Q

Microsoft Security Development Lifecycle (SDL)

A

Industry-leading software security assurance process.
Microsoft-wide initiative and mandatory policy since 2004.
Plays a critical role in embedding security and privacy in Microsoft software and culture.
Building security into each phase of the development lifecycle helps catch issues early and reduces development costs.
Phases: training, requirements, design, implementation, verification, release, response

20
Q

Azure policy

A

Service you can use to create, assign and manage policies. Allows you to enforce or control the properties of a resource.
Evaluates resources by comparing their properties to business rules called policy definitions.

21
Q

RBAC

A

Helps manage who has access to resources, what they can do with them and what areas they have access to.

22
Q

Role assignment consists of

A

security principal, role definition, scope

23
Q

RBAC: security principal + Scope + role def

A

Security principal - represents the identity requesting access to an Azure resource, e.g. user, group, service principal, managed identity (an identity in AAD automatically managed by Azure)
Scope - the set of resources that the role assignment applies to, e.g. management group, subscription or resource group
Role definition - a collection of permissions, e.g. read, write, delete. Roles can be high level like Owner or specific like Virtual Machine Reader

24
Q

fundamental built in roles

A

Owner - can read, grant access, and create, update and delete
Contributor - can read, and create, update and delete
Reader - can read
User Access Administrator - can grant access

25
Q

Lock resources

A

Admins can lock subscriptions, resource groups or resources to prevent other users from accidentally deleting or modifying critical resources.

  • CanNotDelete - can read and modify but not delete a resource
  • ReadOnly - can read but not update or delete a resource

26
Q

Management groups

A

Organise multiple subscriptions into a hierarchical structure.
The directory is given a top-level management group (root).
All subscriptions inherit the conditions of their management group.

27
Q

Azure monitor

A

Comprehensive solution for collecting, analysing and acting on telemetry from your cloud and on-premises environments.
- Create visual dashboards, smart alerts, automated actions, log monitoring

28
Q

Service health

A

Information about current and upcoming issues, e.g. service-impacting events, planned maintenance and other changes that may affect availability.

  • Azure status: informs of service outages
  • Azure service health: personalised view of the health of the Azure services and regions you're using
  • Azure resource health: information about the health of individual cloud resources, e.g. a VM

29
Q

Azure advisor

A

Personalised cloud consultant that helps you follow best practices to optimise your Azure deployments.
Displays personalised recommendations for subscriptions in 5 categories - high availability, security, performance, cost, operational excellence

30
Q

Service level agreements (SLA)

A

Azure's commitments for uptime and connectivity - individualised per Azure service.
Uptime and connectivity are described as performance targets.
Represented as a percentage (99% = 2 nines, 99.9% = 3 nines) etc.
Not provided on free or shared tiers.

31
Q

Service credits

A

Customers may have a discount applied to their Azure bill as compensation for an underperforming Azure product or service, based on the SLA.
Monthly uptime < 99.9% = service credit 10%
Monthly uptime < 99% = service credit 25%
Monthly uptime < 95% = service credit 100%

32
Q

Composite SLAs

A

Different services have different SLAs.
Composite - combining SLAs across different service offerings, e.g. a web app's SLA is the combination of its components' SLAs.
Fallback systems improve the overall SLA.

33
Q

TCO calculator

A

Estimates cost savings from migrating workloads to Azure.
Generates a detailed report that can be exported as a PDF to send to decision makers.
azure.microsoft.com/pricing/calculator

34
Q

Azure Marketplace

A

Apps and services from third-party publishers to help you get started quickly. Can be free, free trial, pay-as-you-go or bring your own license.

35
Q

Azure support

A

Tiers: Basic, Developer, Standard, Professional Direct, Enterprise
Basic: email support only, for billing and account issues. 0/mo
Developer: email technical support during business hours, third-party software support. Minimal business impact (Sev C) response < 8 hours. Architecture general guidance. 29/mo
Standard: 24/7 phone support, third-party software support. Minimal business impact (Sev C) response < 8 hours, Sev B < 4 hours, Sev A < 1 hour. Architecture general guidance. 100/mo
Professional Direct: 24/7 phone support, third-party software support. Minimal business impact (Sev C) response < 4 hours, Sev B < 2 hours, Sev A < 1 hour. Proactive guidance by ProDirect delivery managers, webinars by Azure engineers. 1000/mo

36
Q

Azure Hybrid (use) Benefit (HUB)

A

Customers who have invested in Windows Server licenses can repurpose that investment on Azure.
Gives the customer the right to use their licenses for VMs on Azure (Windows Server, SQL Server).
HUB can be turned on and off at any time for existing VMs.
HUB can be applied at deployment time for new VMs.
Bring your own license (BYOL).

37
Q

Subscriptions

A

4 tiers:
Free: $200 USD of credit free for 30 days; certain products free for 12 months
Pay as you go (PAYG): charged at the end of the month based on consumed cloud resources
Enterprise agreement: the enterprise and Azure agree on a discounted price for licenses and cloud services
Student subscription: $100 USD of credit for 12 months; requires a student email, no credit card required

38
Q

Azure pricing calc

A

Configure and estimate costs for Azure products. Estimates can be downloaded as an Excel spreadsheet.

39
Q

Azure cost management

A

Perform cost analysis and visualise spending on Azure cloud resources.
Create budgets and set a budget threshold to be alerted when spending is approaching or has exceeded it.