Skill 1.3 Manage Subscriptions and Governance Flashcards
What is a resource in Azure
A single service instance, which can be a virtual machine, a virtual network, a storage account or any other Azure Service
What are resource groups
Logical groupings of resources, or those single-service instances
How many resource groups can a resource exist in
one resource group that cannot be renamed
What is Azure Policy
Azure Service that can be used to create, assign, and manage policies that enforce governance in your Azure Environment
What does Azure Policy include
application of rules that allow or deny a given resource type,
apply tags automatically, and
even enforce data sovereignty
What provides a mechanism to express how the environment is governed for all users at a specified scope regardless of RBAC assignments
Azure Policy
What does Azure RBAC default to for access
default deny with an explicit allow mechanism, whereas Policy is a default allow mechanism with an explicit deny system
What does an Azure Policy definition do
describes your desired behavior for Azure resources at the time resources are created or updated.
What do you declare through a policy definition
what resources and resource features are considered compliant within your Azure environment and what should happen when a resource is non-compliant
What are the four Azure Policy scopes
Management Groups
Subscriptions
Resource Groups
Resource
What do excluded scopes do
Allow you to model your environment with rich declarations in the form of Policy definitions that are applied exactly as required by your organization's governance needs.
What are Azure Resource Locks
They are used to prevent the accidental deletion or modification of resources.
What are the two resource lock types
CanNotDelete
ReadOnly
What does the CanNotDelete Resource Lock do
Prevents the deletion of a resource. It only prevents deletion, not modification
What does a ReadOnly Resource lock do
Prevents users from modifying a resource including updating or deleting
What can resource locks be applied to
A subscription, resource group, and resource scopes
What do resource tags do?
allow you to apply custom metadata to your Azure resources to logically organize them and to build out custom taxonomies.
What is a resource tag
A name and a value
What are some common tag types
environment with which a resource is associated, a cost center or billing code, and resource owner
Where must tags be applied
At the resource scope to be visible in detailed usage exports. Tags applied at the resource group scope are not inherited by child resources
What access is needed to apply tags to a subscription, resource group, or resource
Write Access (Contributor Role or higher)
Can tags be applied in both an imperative and a declarative manner
yes
What is required for tags to be applied to all resources
Because tags do not have inheritance, you have to individually tag all resources in a resource group
What values can be used with the Update-AzTag Command
Replace – replaces the specified tags in the listed resources
Merge – Merges the newly specified tags with the existing ones and overrides the conflicts for the listed resources
Delete – Deletes the specified tags from the listed resources
Are resources locked when moving from one resource group to another
yes
What requirements must be met to move resources between subscriptions
The subscriptions must be associated with the same resource tenant
How many resources can be moved with a single move operation
800
Where can a resource group be deleted from
Azure Portal, Azure PowerShell, the Azure CLI, or the REST API
What controls do Azure Subscriptions have available to govern access to resources
Quotas and Tagging for Costs,
Azure Policy to govern the resources allowed in an environment
What access do Classic Subscription Administrators have
Full Access to an Azure Subscription with the ability to manage resources through the Azure Portal, Resource Manager APIs
The account that is signed up for an Azure Subscription is automatically set as what
Account Administrator and Service Administrator
Who can create a new Azure subscription and make billing changes
The account administrator
How many account administrators can there be per account
one
How many service administrators can there be per subscription
one
What is the difference between a co-administrator and a service administrator
There can be 200 co-administrators but they cannot change the association of subscriptions
What role do a Service Administrator and a Co-Administrator have equivalent access to
Owner
What are the Azure RBAC roles
Owner
Contributor
Reader
What access does an Azure RBAC Owner have
Full access to all resources and can delegate access to others. The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types
What does an Azure RBAC owner have permissions to do
Full access to all resources. Delegate access to others. The service administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types
What does the Azure RBAC Contributor have access to do
Create and Manage all types of Azure resources. Cannot grant access to others. Applies to all resource types
What does the Azure RBAC Reader role have access to
View Azure resources
What does the Azure RBAC User Access Administrator have access to do?
Manage User Access to all resources
What do management groups allow
They allow you to apply governance across subscriptions, including the application of common RBAC controls and the application of Azure Policy
What are the benefits of Azure management groups
Reduce Overhead
Enforcement
Reporting
Who inherits RBAC applied at the management group
All child resources within the scope of the management group
What are Azure Resource Quotas
Used to view the consumption and usage of resources within an Azure subscription and understand how that consumption can be affected by Azure resource limits
What are Azure Spending Quotas
Allow administrators to set alerts within an Azure subscription by configuring budgets to inform the business when their Azure spending has hit a certain threshold. It does not stop resources from being created or consumed.
What are resource limits
They can be used to stop a resource from being created.
What is submitting a request to increase a quota
Submitting a request to Microsoft
How can you view resource consumption within a subscription against a resource quota
With PowerShell
What are Azure Cost Management budgets
Provide Azure customer subscriptions under many offer types with the ability to proactively manage cost and monitor Azure spend over time at a subscription level.
What rights must a user have to view Azure Budgets
Reader rights (Read Access) to the subscription
What rights must a user have to create and manage budgets
Contributor or higher
What are two specialized roles that can be used to grant principals access to data
Cost Management Contributor
Cost Management Reader
What scopes can budgets be created at
Subscription
Management Group
Resource Group Scope
What are Action Groups
A collection of notification preferences
What is Cost Management
Includes features for performing cost analysis,
setting per-subscription budgets and alerts,
setting recommendations for optimization
Exporting cost management data to perform deeper analysis
What is cost management service dictated by
Scopes
What is required to view cost management
Read Access
What are the two ways to export a template
Export from a resource group or resource
Save from history