Microsoft Azure Fundamentals AZ-900 Certification Questions and Answers.
Questions
- Which of the following statements is not true about cloud computing?
- IaaS, PaaS, and SaaS are examples of cloud computing service models.
- Cloud computing resources are usually limited to specific geographic regions.
- Cloud computing typically decreases your operating expenses.
- Three cloud computing deployment models are public cloud, private cloud, and hybrid cloud.
- True or false: You need to purchase an Azure account before you can use any Azure resources.
- False
- True
- True or false: In an IaaS environment, the cloud tenant is responsible for routine hardware maintenance.
- True
- False
Azure Cosmos DB is flexible. At the lowest level, Azure Cosmos DB stores data in atom-record-sequence (ARS) format. The data is then abstracted and projected as an API, which you specify when you’re creating your database. Your choices include SQL, MongoDB, Cassandra, Tables, and Gremlin. This level of flexibility means that as you migrate your company’s databases to Azure Cosmos DB, your developers can stick with the API that they’re the most comfortable with.
Azure SQL Database is a platform as a service (PaaS) database engine. SQL Database provides 99.99 percent availability. It's a fully managed service with built-in high availability, backups, and other common maintenance operations. You can migrate your existing SQL Server databases with minimal downtime by using the Azure Database Migration Service. The Microsoft Data Migration Assistant can generate assessment reports with recommendations that guide you through the changes required before you perform a migration.
Azure Database for MySQL is a relational database service in the cloud, and it’s based on the MySQL Community Edition database engine, versions 5.6, 5.7, and 8.0. With it, you have a 99.99 percent availability service level agreement from Azure, powered by a global network of Microsoft-managed datacenters. This helps keep your app running 24/7.
Azure Database for PostgreSQL is a relational database service in the cloud. The server software is based on the community version of the open-source PostgreSQL database engine.
Azure Database for PostgreSQL is available in two deployment options: Single Server and Hyperscale (Citus).
The Single Server deployment option delivers:
- Built-in high availability with no additional cost (99.99 percent SLA).
- Predictable performance and inclusive, pay-as-you-go pricing.
- Vertical scale as needed, within seconds.
The Hyperscale (Citus) option horizontally scales queries across multiple machines by using sharding. Its query engine parallelizes incoming SQL queries across these servers for faster responses on large datasets. It serves applications that require greater scale and performance, generally workloads that are approaching or already exceed 100 GB of data.
The Single Server deployment option offers three pricing tiers: Basic, General Purpose, and Memory Optimized.
Synapse Analytics: Data warehouse
HDInsight: Hadoop ecosystem
Databricks: Apache Spark
Data lake analytics: on-demand analytics
- Your development team is interested in writing Graph-based applications that take advantage of the Gremlin API. Which option would be ideal for that scenario?
- Azure Cosmos DB
- Azure SQL Database
- Azure Databricks
- Azure Database for PostgreSQL
- Tailwind Traders uses the LAMP stack for several of its websites. Which option would be ideal for migration?
- Azure Cosmos DB
- Azure Database for MySQL
- Azure SQL Database
- Azure Database for PostgreSQL
- Tailwind Traders has millions of log entries that it wants to analyze. Which option would be ideal for analysis?
- Azure Cosmos DB
- Azure SQL Database
- Azure Database for PostgreSQL
- Azure Synapse Analytics
Functions can be either stateless or stateful. When they’re stateless (the default), they behave as if they’re restarted every time they respond to an event. When they’re stateful (called Durable Functions), a context is passed through the function to track prior activity.
Logic apps are similar to functions. Both enable you to trigger logic based on an event. Where functions execute code, logic apps execute workflows that are designed to automate business scenarios and are built from predefined logic blocks.
Functions and Logic Apps can both create complex orchestrations. An orchestration is a collection of functions or steps that are executed to accomplish a complex task.
- With Functions, you write code to complete each step.
- With Logic Apps, you use a GUI to define the actions and how they relate to one another.
- Which Azure compute resource can be deployed to manage a set of identical virtual machines?
- Virtual machine availability sets
- Virtual machine availability zones
- Virtual machine scale sets
- Which of the following services should be used when the primary concern is to perform work in response to an event (often via a REST command) that needs a response in a few seconds?
- Azure Functions
- Azure App Service
- Azure Container Instances
- Your company has a team of remote workers that need to use Windows-based software to develop your company’s applications, but your team members are using various operating systems like MacOS, Linux, and Windows. Which Azure compute service would help resolve this scenario?
- Azure App Service
- Windows Virtual Desktop
- Azure Container Instances
Azure Files encrypts the data at rest, and SMB 3.x encryption protects the data in transit. One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world, by using a URL that points to the file. You can also use Shared Access Signature (SAS) tokens to grant access to a private asset for a specific amount of time. A SAS token is a bearer credential: anyone who holds it has exactly the access it encodes until it expires, so keep the lifetime short and the permissions minimal.
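A worked illustration of what a SAS token is and how to audit one, added here as an example rather than taken from the page or from the Azure SDK: it mints a blob-level service SAS using only the standard library and then checks a token for over-broad permissions, long expiry, plain-http use, container-wide scope and a missing IP restriction. The account name, key, container and blob names are constructed sample values, and the string-to-sign layout follows the documented service SAS format for version 2018-11-09 (an assumption to verify against the current reference before relying on it).

```python
"""Mint and audit Azure Storage service SAS tokens with the standard library only.

Added example, not code from the page or the Azure SDK. Field order follows the
service SAS string-to-sign for signedVersion 2018-11-09 (assumption: verify against
the current 'Create a service SAS' reference). Credentials and names are constructed.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"
# Constructed sample credentials: a fake account and 32 ASCII bytes as the base64 key.
SAMPLE_ACCOUNT = "tailwindsample"
SAMPLE_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def _iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def mint_blob_sas(account, account_key, container, blob, permissions, start, expiry,
                  protocol="https", ip_range=""):
    """Return the query-string form of a service SAS for one blob.

    The signature is HMAC-SHA256 over the newline-joined fields, keyed with the
    base64-decoded account key. Anyone holding that key can mint any token, and a
    minted token cannot be revoked on its own; only rotating the key invalidates it.
    """
    canonical_resource = f"/blob/{account}/{container}/{blob}"
    fields = [
        permissions, _iso(start), _iso(expiry), canonical_resource,
        "",                      # signedIdentifier: no stored access policy
        ip_range, protocol, SAS_VERSION,
        "b",                     # signedResource: a single blob
        "",                      # signedSnapshotTime
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct header overrides
    ]
    string_to_sign = "\n".join(fields)
    digest = hmac.new(base64.b64decode(account_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    params = {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": _iso(start),
              "se": _iso(expiry), "spr": protocol, "sig": base64.b64encode(digest).decode()}
    if ip_range:
        params["sip"] = ip_range
    return urlencode(params)


def audit_sas(token, now, max_lifetime=timedelta(hours=1), allowed_permissions="r"):
    """Return a list of findings for a SAS query string; an empty list means it passes."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    if "se" not in q:
        return ["no expiry (se) present"]
    findings = []
    expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expiry - now > max_lifetime:
        findings.append(f"expiry {q['se']} exceeds allowed lifetime of {max_lifetime}")
    extra = set(q.get("sp", "")) - set(allowed_permissions)
    if extra:
        findings.append(f"permissions {''.join(sorted(extra))} beyond allowed '{allowed_permissions}'")
    if q.get("spr", "https,http") != "https":
        findings.append("token usable over http (spr is not 'https')")
    if q.get("sr") == "c":
        findings.append("token grants access to a whole container, not one blob")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return findings


def demo():
    """Mint a tight token and a sloppy one, audit both, and report the results."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    good = mint_blob_sas(SAMPLE_ACCOUNT, SAMPLE_KEY, "images", "logo.png", "r",
                         now, now + timedelta(minutes=30), ip_range="203.0.113.10")
    bad = mint_blob_sas(SAMPLE_ACCOUNT, SAMPLE_KEY, "images", "logo.png", "rwd",
                        now, now + timedelta(days=365), protocol="https,http")
    return {
        "good_findings": audit_sas(good, now),
        "bad_findings": audit_sas(bad, now),
        "sig_len": len(parse_qs(good)["sig"][0]),   # 32-byte HMAC in base64 is 44 chars
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the signature is an HMAC under the account key, a leaked token can't be revoked individually; only rotating the key (or, for tokens bound to a stored access policy, deleting that policy) invalidates it. That is why the audit treats a long expiry as a finding rather than a convenience.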
The following considerations apply to the different access tiers:
- Only the hot and cool access tiers can be set at the account level. The archive access tier isn’t available at the account level.
- Hot, cool, and archive tiers can be set at the blob level, during upload or after upload.
- Data in the cool access tier can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data. For cool data, a slightly lower availability service-level agreement (SLA) and higher access costs compared to hot data are acceptable trade-offs for lower storage costs.
- Archive storage stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data.
- What is the first step that you would take in order to share an image file as a blob in Azure Storage?
- Create an Azure Storage container to store the image.
- Create an Azure Storage account.
- Upload the image file and create a container.
- Use a Shared Access Signature (SAS) token to restrict access to the image.
- Which Azure Storage option is better for storing data for backup and restore, disaster recovery, and archiving?
- Azure Files Storage
- Azure Disk Storage
- Azure Blob Storage
When you deploy a VPN gateway, you specify the VPN type: either policy-based or route-based. The main difference between the two types is how the traffic to be encrypted is selected. In Azure, both types of VPN gateway use a pre-shared key as the only method of authentication. Both types also rely on Internet Key Exchange (IKE), in either version 1 or version 2, and Internet Protocol Security (IPSec). IKE is used to set up a security association (an agreement on the encryption and integrity parameters) between the two endpoints. This association is then handed to the IPSec suite, which encrypts and decrypts the data packets encapsulated in the VPN tunnel.
POLICY-BASED VPNs
Policy-based VPN gateways statically specify the IP address prefixes whose packets should be encrypted through each tunnel. The gateway evaluates every data packet against those sets of address prefixes to choose the tunnel through which the packet is sent.
Key features of policy-based VPN gateways in Azure include:
- Support for IKEv1 only.
- Use of static routing, where combinations of address prefixes from both networks control how traffic is encrypted and decrypted through the VPN tunnel. The source and destination of the tunneled networks are declared in the policy and don’t need to be declared in routing tables.
- Policy-based VPNs must be used in specific scenarios that require them, such as for compatibility with legacy on-premises VPN devices.
ROUTE-BASED VPNs
If defining which IP addresses are behind each tunnel is too cumbersome, route-based gateways can be used. With route-based gateways, IPSec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices. They’re more resilient to topology changes such as the creation of new subnets.
Use a route-based VPN gateway if you need any of the following types of connectivity:
- Connections between virtual networks
- Point-to-site connections
- Multisite connections
- Coexistence with an Azure ExpressRoute gateway
Key features of route-based VPN gateways in Azure include:
- Supports IKEv2
- Uses any-to-any (wildcard) traffic selectors
- Can use dynamic routing protocols, where routing/forwarding tables direct traffic to different IPSec tunnels
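To make the difference in traffic selection concrete, here is an added Python model of the two gateway types (example code, not from the page or from Azure): the policy-based gateway matches each packet's source and destination against static address-prefix pairs, while the route-based gateway treats each tunnel as an interface with an any-to-any selector and picks it by longest-prefix match on the destination. The sites, tunnel names and prefixes are constructed sample values; the demo then sends traffic to an on-premises subnet that neither configuration was written for.

```python
"""Policy-based vs route-based tunnel selection, as an added illustration.

Not code from the page or from Azure; both classes are simplified models of the
selection step. Prefixes are constructed RFC 1918 sample ranges.
"""
from ipaddress import ip_address, ip_network


class PolicyBasedGateway:
    """Static traffic selectors: (local prefix, remote prefix) -> tunnel."""

    def __init__(self):
        self.policies = []

    def add_policy(self, local_prefix, remote_prefix, tunnel):
        self.policies.append((ip_network(local_prefix), ip_network(remote_prefix), tunnel))

    def select_tunnel(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        for local, remote, tunnel in self.policies:
            if src in local and dst in remote:
                return tunnel
        return None  # no selector matches, so no tunnel carries this packet


class RouteBasedGateway:
    """Each tunnel is an interface; a routing table picks one by longest-prefix match."""

    def __init__(self):
        self.routes = []

    def add_route(self, destination_prefix, tunnel):
        self.routes.append((ip_network(destination_prefix), tunnel))

    def select_tunnel(self, src, dst):
        dst = ip_address(dst)
        matches = [(net, tunnel) for net, tunnel in self.routes if dst in net]
        if not matches:
            return None
        # Most specific route wins, exactly as in an ordinary forwarding table.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def demo():
    """Same two sites on both gateway types, then a subnet added on-premises later."""
    policy = PolicyBasedGateway()
    policy.add_policy("10.0.0.0/16", "192.168.1.0/24", "tunnel-dallas")
    policy.add_policy("10.0.0.0/16", "192.168.5.0/24", "tunnel-austin")

    route = RouteBasedGateway()
    route.add_route("192.168.0.0/16", "tunnel-dallas")   # summary route for the Dallas site
    route.add_route("192.168.5.0/24", "tunnel-austin")   # more specific: the Austin branch

    return {
        "known_policy": policy.select_tunnel("10.0.1.5", "192.168.1.20"),
        "known_route": route.select_tunnel("10.0.1.5", "192.168.1.20"),
        "branch_route": route.select_tunnel("10.0.1.5", "192.168.5.9"),
        # 192.168.2.0/24 was added on-premises after the gateways were configured.
        "new_subnet_policy": policy.select_tunnel("10.0.1.5", "192.168.2.7"),
        "new_subnet_route": route.select_tunnel("10.0.1.5", "192.168.2.7"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The new subnet is the point of the exercise: the policy-based gateway has no selector for it and silently carries nothing, while the route-based gateway's summary route covers it without any configuration change. That is the resilience to topology changes the text refers to.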
ACTIVE/STANDBY
By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure. When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention. Connections are interrupted during this failover, but they’re typically restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.
ACTIVE/ACTIVE
With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration. In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address. You can extend the high availability by deploying an additional VPN device on-premises.
EXPRESSROUTE FAILOVER
Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections. ExpressRoute circuits have resiliency built in. But they aren’t immune to physical problems that affect the cables delivering connectivity or outages that affect the complete ExpressRoute location. In high-availability scenarios, where there’s risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN gateway that uses the internet as an alternative method of connectivity. In this way, you can ensure there’s always a connection to the virtual networks.
ZONE-REDUNDANT GATEWAYS
In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration. This configuration brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure availability zones physically and logically separates gateways within a region while protecting your on-premises network connectivity to Azure from zone-level failures. These gateways require different gateway SKUs and use Standard public IP addresses instead of Basic public IP addresses.
Azure ExpressRoute fundamentals
Azure ExpressRoute lets you seamlessly extend your on-premises networks into the Microsoft cloud over a dedicated, private connection from a connectivity partner; the traffic doesn't traverse the public internet. Private is not the same as encrypted: ExpressRoute itself doesn't encrypt the data on the circuit, so workloads that need encryption in transit must add it themselves, for example with TLS at the application layer or IPSec over the circuit.
Two layers of the Open Systems Interconnection (OSI) model are relevant to ExpressRoute connectivity:
- Layer 2 (L2): This layer is the Data Link Layer, which provides node-to-node communication between two nodes on the same network.
- Layer 3 (L3): This layer is the Network Layer, which provides addressing and routing between nodes on a multi-node network.
LAYER 3 CONNECTIVITY
ExpressRoute provides Layer 3 (address-level) connectivity between your on-premises network and the Microsoft cloud through connectivity partners. These connections can be from a point-to-point or any-to-any network. They can also be virtual cross-connections through an exchange.
ACROSS ON-PREMISES CONNECTIVITY WITH EXPRESSROUTE GLOBAL REACH
You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting your ExpressRoute circuits. For example, assume that you have a private datacenter in California connected to ExpressRoute in Silicon Valley. You have another private datacenter in Texas connected to ExpressRoute in Dallas. With ExpressRoute Global Reach, you can connect your private datacenters through two ExpressRoute circuits. Your cross-datacenter traffic will travel through the Microsoft network.
DYNAMIC ROUTING
ExpressRoute uses the Border Gateway Protocol (BGP) routing protocol. BGP is used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.
EXPRESSROUTE CONNECTIVITY MODELS
ExpressRoute supports three models that you can use to connect your on-premises network to the Microsoft cloud:
- CloudExchange colocation
- Point-to-point Ethernet connection
- Any-to-any connection
COLOCATION AT A CLOUD EXCHANGE
Colocated providers can normally offer both Layer 2 and Layer 3 connections between your infrastructure, which might be located in the colocation facility, and the Microsoft cloud. For example, if your datacenter is colocated at a cloud exchange such as an ISP, you can request a virtual cross-connection to the Microsoft cloud.
POINT-TO-POINT ETHERNET CONNECTION
Point-to-point connections provide Layer 2 and Layer 3 connectivity between your on-premises site and Azure. You can connect your offices or datacenters to Azure by using the point-to-point links. For example, if you have an on-premises datacenter, you can use a point-to-point Ethernet link to connect to Microsoft.
ANY-TO-ANY NETWORKS
With any-to-any connectivity, you can integrate your wide area network (WAN) with Azure by providing connections to your offices and datacenters. Azure integrates with your WAN connection to provide a connection like you would have between your datacenter and any branch offices.
With any-to-any connections, all WAN providers offer Layer 3 connectivity. For example, if you already use Multiprotocol Label Switching to connect to your branch offices or other sites in your organization, an ExpressRoute connection to Microsoft behaves like any other location on your private WAN.
- Tailwind Traders wants to create a secure communication tunnel between its branch offices. Which of the following technologies can’t be used?
- Point-to-site virtual private network
- Implicit FTP over SSL
- Azure ExpressRoute
- Site-to-site virtual private network
- Tailwind Traders wants to use Azure ExpressRoute to connect its on-premises network to the Microsoft cloud. Which of the following choices isn’t an ExpressRoute model that Tailwind Traders can use?
- Any-to-any connection
- Site-to-site virtual private network
- Point-to-point Ethernet connection
- CloudExchange colocation
- Which of the following options can you use to link virtual networks?
- Network address translation
- Multi-chassis link aggregation
- Dynamic Host Configuration Protocol
- Virtual network peering
- Which of the following options isn’t a benefit of ExpressRoute?
- Redundant connectivity
- Consistent network throughput
- Encrypted network communication
- Access to Microsoft cloud services
- You need to predict future behavior based on previous actions. Which product option should you eliminate as a candidate?
- Azure Machine Learning
- Azure Bot Service
- Azure Cognitive Services
- You need to create a human-computer interface that uses natural language to answer customer questions. Which product option should you eliminate as a candidate?
- Azure Machine Learning
- Azure Cognitive Services
- Azure Bot Service
- You need to identify the content of product images to automatically create properly formatted alt tags for the images. Which product option is the best candidate?
- Azure Machine Learning
- Azure Cognitive Services
- Azure Bot Service
Azure DevOps Services is a suite of services that address every stage of the software development lifecycle.
- Azure Repos is a centralized source-code repository where software development, DevOps engineering, and documentation professionals can publish their code for review and collaboration.
- Azure Boards is an agile project management suite that includes Kanban boards, reporting, and tracking ideas and work from high-level epics to work items and issues.
- Azure Pipelines is a CI/CD pipeline automation tool.
- Azure Artifacts is a repository for hosting artifacts, such as compiled source code, which can be fed into testing or deployment pipeline steps.
- Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to ensure quality before a software release.
AZURE DEVTEST LABS
Azure DevTest Labs provides an automated means of managing the process of building, setting up, and tearing down virtual machines (VMs) that contain builds of your software projects. This way, developers and testers can perform tests across a variety of environments and builds. And this capability isn’t limited to VMs. Anything you can deploy in Azure via an ARM template can be provisioned through DevTest Labs. Provisioning pre-created lab environments with their required configurations and tools already installed is a huge time saver for quality assurance professionals and developers.
- Which of the following choices would not be used to automate a CI/CD process?
- Azure Pipelines
- GitHub Actions
- Azure Boards
- Which service could help you manage the VMs that your developers and testers need to ensure that your new app works across various operating systems?
- Azure DevTest Labs
- Azure Test Labs
- Azure Repos
- Which service lacks features to assign individual developers tasks to work on?
- Azure Boards
- GitHub
- Azure Pipelines
AZURE ADVISOR
Azure Advisor evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs. Advisor is designed to help you save time on cloud optimization. The recommendation service includes suggested actions you can take right away, postpone, or dismiss.
The recommendations are divided into five categories:
- Reliability: Used to ensure and improve the continuity of your business-critical applications.
- Security: Used to detect threats and vulnerabilities that might lead to security breaches.
- Performance: Used to improve the speed of your applications.
- Cost: Used to optimize and reduce your overall Azure spending.
- Operational Excellence: Used to help you achieve process and workflow efficiency, resource manageability, and deployment best practices.
Mnemonic: C-R-O-P-S (Cost, Reliability, Operational Excellence, Performance, Security).
AZURE MONITOR
Azure Monitor is a platform for collecting, analyzing, visualizing, and potentially taking action based on the metric and logging data from your entire Azure and on-premises environment.
The following diagram illustrates just how comprehensive Azure Monitor is.
- On the left is a list of the sources of logging and metric data that can be collected at every layer in your application architecture, from application to operating system and network.
- In the center, you can see how the logging and metric data is stored in central repositories.
- On the right, the data is used in a number of ways. You can view real-time and historical performance across each layer of your architecture, or aggregated and detailed information. The data is displayed at different levels for different audiences. You can view high-level reports on the Azure Monitor Dashboard or create custom views by using Power BI and Kusto queries.
AZURE SERVICE HEALTH
Azure Service Health provides a personalized view of the health of the Azure services, regions, and resources you rely on. The status.azure.com website, which displays only major issues that broadly affect Azure customers, doesn’t provide the full picture.
Service Health helps you keep an eye on several event types:
- Service issues are problems in Azure, such as outages, that affect you right now. You can drill down to the affected services, regions, updates from your engineering teams, and find ways to share and track the latest information.
- Planned maintenance events can affect your availability. You can drill down to the affected services, regions, and details to show how an event will affect you and what you need to do. Most of these events occur without any impact to you and aren’t shown here. In the rare case that a reboot is required, Service Health allows you to choose when to perform the maintenance to minimize the downtime.
- Health advisories are issues that require you to act to avoid service interruption, including service retirements and breaking changes. Health advisories are announced far in advance to allow you to plan.
- You want to be alerted when new recommendations to improve your cloud environment are available. Which service will do this?
- Azure Advisor
- Azure Monitor
- Azure Service Health
- Which service provides official outage root cause analyses (RCAs) for Azure incidents?
- Azure Advisor
- Azure Monitor
- Azure Service Health
- Which service is a platform that powers Application Insights, monitoring for VMs, containers, and Kubernetes?
- Azure Advisor
- Azure Monitor
- Azure Service Health
There are two approaches to infrastructure as code: imperative code (the Azure CLI and Azure PowerShell) and declarative code (ARM templates). Imperative code details each individual step that should be performed to achieve a desired outcome. By contrast, declarative code details only the desired outcome and leaves it to an interpreter to decide how best to achieve it. This distinction matters because tools based on declarative code can provide a more robust approach to deploying dozens or hundreds of resources simultaneously and reliably.
THE AZURE MOBILE APP
The Azure mobile app provides iOS and Android access to your Azure resources when you’re away from your computer. With it, you can:
- Monitor the health and status of your Azure resources.
- Check for alerts, quickly diagnose and fix issues, and restart a web app or virtual machine (VM).
- Run the Azure CLI or Azure PowerShell commands to manage your Azure resources.
DO YOU NEED A WAY TO REPEATEDLY SET UP ONE OR MORE RESOURCES AND ENSURE THAT ALL THE DEPENDENCIES ARE CREATED IN THE PROPER ORDER?
ARM templates express your application's infrastructure requirements for a repeatable deployment. A validation step checks that all resources can be created before anything is deployed. The resources are then created in the proper order based on their dependencies, in parallel where the dependencies allow, and the deployment is idempotent: running the same template again leaves the existing resources as they are.
By contrast, it’s entirely possible to use either PowerShell or the Azure CLI to set up all the resources for a deployment. However, there’s no validation step in these tools. If a script encounters an error, the dependency resources can’t be rolled back easily, deployments happen serially, and only some operations are idempotent.
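As an added example (not code from the page or from Azure Resource Manager), the following Python resolves the dependency ordering the passage describes: it validates that every dependsOn target exists, groups resources into waves that can be created in parallel, refuses a cycle, and shows why a re-run is a no-op when the resources already exist. The template fragment is constructed with hypothetical resource names, and its dependsOn entries are plain names rather than the resourceId() expressions a real template uses.

```python
"""Resolve ARM template deployment order from dependsOn.

Added example, not code from the page or from Azure Resource Manager; it models the
validation and ordering steps the text describes. The template below is a constructed
fragment with hypothetical names, and dependsOn holds plain names for simplicity.
"""
import json

# Constructed sample template (abridged): a VNet, an NSG, a NIC, a diagnostics
# storage account, and a VM that needs the NIC and the storage account.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-app", "dependsOn": []},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-app", "dependsOn": []},
    {"type": "Microsoft.Network/networkInterfaces", "name": "nic-web01",
     "dependsOn": ["vnet-app", "nsg-app"]},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdiagapp", "dependsOn": []},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web01",
     "dependsOn": ["nic-web01", "stdiagapp"]}
  ]
}
""")


def validate(template):
    """Return (resource, missing dependency) pairs; empty means every dependsOn resolves."""
    names = {r["name"] for r in template["resources"]}
    missing = {(r["name"], d) for r in template["resources"]
               for d in r.get("dependsOn", []) if d not in names}
    return sorted(missing)


def deployment_waves(template):
    """Group resources into waves (Kahn's algorithm).

    Every resource in a wave has all of its dependencies in earlier waves, so the
    members of one wave can be created in parallel. A cycle raises ValueError,
    which is the kind of error validation should surface before deployment starts.
    """
    pending = {r["name"]: set(r.get("dependsOn", [])) for r in template["resources"]}
    waves = []
    while pending:
        ready = sorted(name for name, deps in pending.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(pending)}")
        waves.append(ready)
        for name in ready:
            del pending[name]
        for deps in pending.values():
            deps.difference_update(ready)
    return waves


def plan(template, existing):
    """Resources a re-run would still create, in wave order.

    With every resource already present the plan is empty: that is the idempotency
    the text attributes to template deployments.
    """
    return [name for wave in deployment_waves(template) for name in wave
            if name not in existing]


if __name__ == "__main__":
    print("missing dependencies:", validate(SAMPLE_TEMPLATE))
    for i, wave in enumerate(deployment_waves(SAMPLE_TEMPLATE), 1):
        print(f"wave {i}: {wave}")
    print("re-run plan:", plan(SAMPLE_TEMPLATE, {r["name"] for r in SAMPLE_TEMPLATE["resources"]}))
```

Contrast this with the imperative script the text mentions: a CLI script that creates the VM before its NIC fails midway, and the resources it did create are left behind for a human to clean up. The declarative resolver discovers the order (and any cycle or missing reference) before the first resource is touched.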
- As an administrator, you need to retrieve the IP address from a particular VM by using Bash. Which of the following tools should you use?
- ARM templates
- Azure PowerShell
- The Azure portal
- The Azure CLI
- You’re a developer who needs to set up your first VM to host a process that runs nightly. Which of the following tools is your best choice?
- ARM templates
- Azure PowerShell
- The Azure portal
- The Azure CLI
- What is the best infrastructure-as-code option for quickly and reliably setting up your entire cloud infrastructure declaratively?
- ARM templates
- Azure PowerShell
- The Azure portal
- The Azure CLI
Azure serverless computing services: Azure Functions and Azure Logic Apps.
AZURE FUNCTIONS
With the Azure Functions service, you can host a single method or function by using a popular programming language in the cloud that runs in response to an event. An example of an event might be an HTTP request, a new message on a queue, or a message on a timer.
An Azure function is a stateless environment. A function behaves as if it’s restarted every time it responds to an event. This feature is ideal for processing incoming data. And if state is required, the function can be connected to an Azure storage account. Azure Functions can perform orchestration tasks by using an extension called Durable Functions, which allows developers to chain functions together while maintaining state.
AZURE LOGIC APPS
Logic Apps is a low-code/no-code development platform hosted as a cloud service. The service helps you automate and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. You build a logic app in a web-based designer, and it can execute logic triggered by Azure services without your having to write any code. You build an app by linking triggers to actions with connectors.
The primary difference between the two services is their intent. Azure Functions is a serverless compute service, and Azure Logic Apps is intended to be a serverless orchestration service. Although you can use Azure Functions to orchestrate a long-running business process that involves various connections, this was not its primary use case when it was designed.
Additionally, the two services are priced differently. Azure Functions pricing is based on the number of executions and the running time of each execution. Logic Apps pricing is based on the number of executions and the type of connectors that it utilizes.
- You need to process messages from a queue, parse them by using some existing imperative logic written in Java, and then send them to a third-party API. Which serverless option should you choose?
- Azure Functions
- Azure Logic Apps
- You want to orchestrate a workflow by using APIs from several well-known services. Which is the best option for this scenario?
- Azure Functions
- Azure Logic Apps
- Your team has limited experience with writing custom code, but it sees tremendous value in automating several important business processes. Which of the following options is your team's best option?
- Azure Functions
- Azure Logic Apps
AZURE IOT HUB
Azure IoT Hub is a managed service that’s hosted in the cloud and that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloud-hosted solution back end. You can connect virtually any device to your IoT hub.
The IoT Hub service supports communications both from the device to the cloud and from the cloud to the device. It also supports multiple messaging patterns, such as device-to-cloud telemetry, file upload from devices, and request-reply methods to control your devices from the cloud. After an IoT hub receives messages from a device, it can route that message to other Azure services.
From a cloud-to-device perspective, IoT Hub allows for command and control. That is, you can have either manual or automated remote control of connected devices, so you can instruct the device to open valves, set target temperatures, restart stuck devices, and so on.
AZURE IOT CENTRAL
Azure IoT Central builds on top of IoT Hub by adding a dashboard that allows you to connect, monitor, and manage your IoT devices. The visual user interface (UI) makes it easy to quickly connect new devices and watch as they begin sending telemetry or error messages. You can watch the overall performance across all devices in aggregate, and you can set up alerts that send notifications when a specific device needs maintenance. Finally, you can push hardware updates to the device.
AZURE SPHERE
Azure Sphere creates an end-to-end, highly secure IoT solution for customers that encompasses everything from the hardware and operating system on the device to the secure method of sending messages from the device to the message hub. Azure Sphere has built-in communication and security features for internet-connected devices.
Azure Sphere comes in three parts:
- The first part is the Azure Sphere micro-controller unit (MCU), which is responsible for processing the operating system and signals from attached sensors. The following image displays the Seeed Azure Sphere MT3620 Development Kit MCU, one of several different starter kits that are available for prototyping and developing Azure Sphere applications.
- The second part is a customized Linux operating system (OS) that handles communication with the security service and can run the vendor’s software.
- The third part is Azure Sphere Security Service, also known as AS3. Its job is to make sure that the device has not been maliciously compromised. When the device attempts to connect to Azure, it first must authenticate itself, per device, which it does by using certificate-based authentication. If it authenticates successfully, AS3 checks to ensure that the device hasn’t been tampered with. After it has established a secure channel of communication, AS3 pushes any OS or approved customer-developed software updates to the device.
IOT HUB or IOT CENTRAL
If you want a pre-built customizable user interface with which you can view and control your devices remotely, you might prefer to start with IoT Central. With this solution, you can control a single device or all devices at once, and you can set up alerts for certain conditions, such as a device failure.
IoT Central integrates with many different Azure products, including IoT Hub, to create a dashboard with reports and management features. The dashboard is based on starter templates for common industry and usage scenarios. You can use the dashboard that’s generated by the starter template as is or customize it to suit your needs.
- A company wants to build a new voting kiosk for sales to governments around the world. Which IoT technologies should the company choose to ensure the highest degree of security?
- IoT Hub
- IoT Central
- Azure Sphere
- A company wants to quickly manage its individual IoT devices by using a web-based user interface. Which IoT technology should it choose?
- IoT Hub
- IoT Central
- Azure Sphere
- You want to send messages from the IoT device to the cloud and vice versa. Which IoT technology can send and receive messages?
- IoT Hub
- IoT Central
- Azure Sphere
WHAT’S AZURE SECURITY CENTER?
Azure Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.
Security Center can:
- Monitor security settings across on-premises and cloud workloads.
- Automatically apply required security settings to new resources as they come online.
- Provide security recommendations that are based on your current configurations, resources, and networks.
- Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.
- Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources. You can also use adaptive application controls to define rules that list allowed applications to ensure that only applications you allow can run.
- Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.
- Provide just-in-time access control for network ports. Doing so reduces your attack surface by ensuring that the network only allows traffic that you require at the time that you need it to.
WHAT’S SECURE SCORE?
Secure score is a measurement of an organization’s security posture.
Secure score is based on security controls, or groups of related security recommendations. Your score is based on the percentage of security controls that you satisfy. The more security controls you satisfy, the higher the score you receive. Your score improves when you remediate all of the recommendations for a single resource within a control.
Secure score helps you:
- Report on the current state of your organization’s security posture.
- Improve your security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).
DETECT AND RESPOND TO SECURITY THREATS BY USING AZURE SENTINEL
Security management on a large scale can benefit from a dedicated security information and event management (SIEM) system. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response.
Azure Sentinel is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis.
AZURE SENTINEL CAPABILITIES
Azure Sentinel enables you to:
- Collect cloud data at scale: Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.
- Detect previously undetected threats: Minimize false positives by using Microsoft’s comprehensive analytics and threat intelligence.
- Investigate threats with artificial intelligence: Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.
- Respond to incidents rapidly: Utilize built-in orchestration and automation of common tasks.
AZURE KEY VAULT
Azure Key Vault is a centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
WHAT CAN AZURE KEY VAULT DO?
Azure Key Vault can help you:
- Manage secrets: You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Manage encryption keys: You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.
- Manage SSL/TLS certificates: Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer / Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.
- Store secrets backed by hardware security modules (HSMs): These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
WHAT ARE THE BENEFITS OF AZURE DEDICATED HOST?
Azure Dedicated Host:
- Gives you visibility into, and control over, the server infrastructure that’s running your Azure VMs.
- Helps address compliance requirements by deploying your workloads on an isolated server.
- Lets you choose the number of processors, server capabilities, VM series, and VM sizes within the same host.
Consider the following scenario, then choose the best response for each question that follows.
Tailwind Traders is moving its online payment system from its datacenter to the cloud. The payment system consists of virtual machines (VMs) and SQL Server databases.
Here are a few security requirements that the company identifies as it plans the migration:
- It wants to ensure a good security posture across all of its systems, both on Azure and on-premises.
- In the datacenter, access to virtual machines requires a TLS certificate. The company needs a place to safely store and manage its certificates.
Here are some additional requirements that relate to regulatory compliance:
- Tailwind Traders must store certain customer data on-premises, in its datacenter.
- For certain workloads, the company must be the only customer running VMs on the physical hardware.
- The company must only run approved business applications on each VM.
Here’s a diagram that shows the proposed architecture:
On Azure, Tailwind Traders will use both standard virtual machines and virtual machines that run on dedicated physical hardware. In the datacenter, the company will run virtual machines that can connect to databases within its internal network.
- How can Tailwind Traders enforce having only certain applications run on its VMs?
- Connect your VMs to Azure Sentinel.
- Create an application control rule in Azure Security Center.
- Periodically run a script that lists the running processes on each VM. The IT manager can then shut down any applications that shouldn’t be running.
- What’s the easiest way for Tailwind Traders to combine security data from all of its monitoring tools into a single report that it can take action on?
- Collect security data in Azure Sentinel.
- Build a custom tool that collects security data and displays a report through a web application.
- Look through each security log daily and email a summary to your team.
- Which is the best way for Tailwind Traders to safely store its certificates so that they’re accessible to cloud VMs?
- Place the certificates on a network share.
- Store them on a VM that’s protected by a password.
- Store the certificates in Azure Key Vault.
- How can Tailwind Traders ensure that certain VM workloads are physically isolated from workloads being run by other Azure customers?
- Configure the network to ensure that VMs on the same physical host are isolated.
- This is not possible. These workloads need to be run on-premises.
- Run the VMs on Azure Dedicated Host.
LAYERS OF DEFENSE IN DEPTH
Here’s a brief overview of the role of each layer:
- The physical security layer is the first line of defense to protect computing hardware in the datacenter.
- The identity and access layer controls access to infrastructure and change control.
- The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
- The network layer limits communication between resources through segmentation and access controls.
- The compute layer secures access to virtual machines.
- The application layer helps ensure that applications are secure and free of security vulnerabilities.
- The data layer controls access to business and customer data that you need to protect.
AZURE FIREWALL
Azure Firewall is a managed, cloud-based network security service that helps protect resources in your Azure virtual networks. Azure Firewall is a stateful firewall. A stateful firewall analyzes the complete context of a network connection, not just an individual packet of network traffic. Azure Firewall features high availability and unrestricted cloud scalability.
DDOS PROTECTION PROVIDES THESE SERVICE TIERS:
- Basic: The Basic service tier is automatically enabled for free as part of your Azure subscription. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. The Basic service tier ensures that Azure infrastructure itself is not affected during a large-scale DDoS attack.
- Standard: The Standard service tier prevents the following kinds of attacks:
- Volumetric attacks: The goal of this attack is to flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource-layer (application-layer) attacks (only with web application firewall): These attacks target web application packets to disrupt the transmission of data between hosts. You need a web application firewall (WAF) to protect against L7 attacks. DDoS Protection Standard protects the WAF from volumetric and protocol attacks.
NETWORK SECURITY GROUPS
A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
Tailwind Traders is moving its online payment system to Azure. The processing of online orders begins through a website, which Tailwind Traders manages through Azure App Service. (App Service is a way to host web applications on Azure.)
The web application that runs the website passes order information to virtual machines (VMs), which further process each order. These VMs exist on an Azure virtual network, but they need to access the internet to retrieve software packages and system updates.
Here’s a diagram that shows the basic architecture of the company’s payment system:
The security team wants to ensure that only valid network traffic reaches the company’s Azure resources. As an extra layer of defense, the team also wants to ensure that the VMs can reach only trusted hosts on specific ports.
- An attacker can bring down your website by sending a large volume of network traffic to your servers. Which Azure service can help Tailwind Traders protect its App Service instance from this kind of attack?
- Azure Firewall
- Network security groups
- Azure DDoS Protection
- What’s the best way for Tailwind Traders to limit all outbound traffic from VMs to known hosts?
- Configure Azure DDoS Protection to limit network access to trusted ports and hosts.
- Create application rules in Azure Firewall.
- Ensure that all running applications communicate with only trusted ports and hosts.
- How can Tailwind Traders most easily implement a deny by default policy so that VMs can’t connect to each other?
- Allocate each VM on its own virtual network.
- Create a network security group rule that prevents access from another VM on the same network.
- Configure Azure DDoS Protection to limit network access within the virtual network.
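The network security group description above and the "deny by default" question are easiest to reason about with the evaluation order in front of you: rules are checked from lowest priority number upward and the first match decides. The following toy evaluator is an added example, not Azure's implementation. The three default inbound rules carry their real Azure names and priorities (65000, 65001, 65500), and 168.63.129.16 is the documented Azure load balancer probe address; the custom rules, addresses, ports and the VNet range are constructed for the demo, and the VirtualNetwork tag is simplified to the VNet's own CIDR.

```python
"""Toy model of how a network security group (NSG) evaluates traffic.

Added example, not Azure code: rules are checked in priority order (lowest
number first) and the first rule that matches decides Allow/Deny. The three
default inbound rules use the real Azure priorities and names; the custom
rule set, addresses and ports are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100..4096 for custom rules; defaults use 65000+
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, "*" or a service tag
    destination: str
    dest_port: str         # single port, "a-b" range or "*"


def _addr_matches(pattern: str, addr: str, vnet_cidr: str) -> bool:
    """Match an address against a CIDR, '*' or one of two service tags."""
    if pattern == ANY:
        return True
    if pattern == "VirtualNetwork":        # simplified: the VNet's own range only
        pattern = vnet_cidr
    if pattern == "AzureLoadBalancer":     # the Azure health-probe source address
        pattern = "168.63.129.16/32"
    return ip_address(addr) in ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == ANY:
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-"))
        return lo <= port <= hi
    return int(pattern) == port


# Azure's default inbound rules (real names and priorities).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", ANY, "VirtualNetwork", "VirtualNetwork", ANY),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", ANY, "AzureLoadBalancer", ANY, ANY),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", ANY, ANY, ANY, ANY),
]


def evaluate(rules, direction, protocol, src, dst, port, vnet_cidr="10.0.0.0/16"):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol not in (ANY, protocol):
            continue
        if not (_addr_matches(r.source, src, vnet_cidr)
                and _addr_matches(r.destination, dst, vnet_cidr)
                and _port_matches(r.dest_port, port)):
            continue
        return r.access, r.name
    raise ValueError("no rule matched; an NSG always ends with a DenyAll rule")


# Constructed custom rules for the payment VMs: allow HTTPS from the web tier
# subnet, and block VM-to-VM traffic inside the VNet (deny by default).
CUSTOM_INBOUND = [
    Rule("AllowWebTierHttps", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", ANY, "443"),
    Rule("DenyVnetInBound", 4000, "Inbound", "Deny", ANY, "VirtualNetwork", "VirtualNetwork", ANY),
]


def payment_vm_rules():
    """Effective inbound rule set: custom rules plus the defaults Azure adds."""
    return CUSTOM_INBOUND + DEFAULT_INBOUND


if __name__ == "__main__":
    for src, port in (("10.0.1.5", 443), ("10.0.2.9", 22), ("203.0.113.7", 443)):
        print(src, port, evaluate(payment_vm_rules(), "Inbound", "Tcp", src, "10.0.2.4", port))
```

The point of the DenyVnetInBound rule at priority 4000 is that it sits below the default AllowVnetInBound (65000) and so wins; without it, two VMs in the same VNet can talk to each other on any port, which is what the third question above is getting at.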
Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems. Self-service password reset prevents users from using known compromised passwords.
Multifactor authentication provides additional security for your identities by requiring two or more elements to fully authenticate.
These elements fall into three categories:
- Something the user knows: This might be an email address and password.
- Something the user has: This might be a code that’s sent to the user’s mobile phone.
- Something the user is: This is typically some sort of biometric property, such as a fingerprint or face scan that’s used on many mobile devices.
SUMMARY
- Authentication (AuthN) establishes the user’s identity.
- Authorization (AuthZ) establishes the level of access that an authenticated user has.
- Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple resources and applications.
- Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables an organization to control access to apps and resources based on its business requirements.
- Azure Multi-Factor Authentication provides additional security for identities by requiring two or more elements to fully authenticate. In general, multifactor authentication can include something the user knows, something the user has, and something the user is.
- Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity signals such as the user’s location.
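The three factor categories and the Conditional Access summary above describe a sign-in pipeline: verify something the user knows, then something the user has, then decide on signals such as device state or location. The block below is an added example of that pipeline and is not Azure AD's implementation. The password hashing (PBKDF2-HMAC-SHA256), the one-time code store, the compliant-device signal and the policy shape are all constructed here; what it shows is the order of the checks, single-use and time-limited codes, and constant-time comparisons.

```python
"""Toy sign-in pipeline: password (something you know), one-time code
(something you have), then a Conditional Access style policy check.

Added example, not Azure AD's implementation. Password hashes, the OTP
store, the device-compliance signal and the policy are constructed here.
"""
import hashlib
import hmac
import os
import secrets

# OWASP's published figure for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# lowered here only so the demo runs quickly.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=b""):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # no early exit on mismatch


def issue_otp(store, user, now, ttl=300):
    """Simulate 'a code sent to the user's phone': 6 digits, single use, time-limited."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    store[user] = (code, now + ttl)
    return code


def verify_otp(store, user, code, now):
    entry = store.pop(user, None)        # single use: consume whatever was stored
    if entry is None:
        return False
    expected, expires = entry
    return now <= expires and hmac.compare_digest(expected, code)


def conditional_access(policy, signals):
    """Allow only when the sign-in signals satisfy every condition the policy names."""
    if policy.get("require_compliant_device") and not signals.get("device_compliant"):
        return False
    allowed = policy.get("allowed_locations")
    if allowed and signals.get("location") not in allowed:
        return False
    return True


def sign_in(users, otp_store, policy, user, password, otp, signals, now):
    """Return 'ok' or the name of the first failing check."""
    record = users.get(user)
    # Same message for unknown user and wrong password, so the response does
    # not reveal which accounts exist.
    if record is None or not verify_password(password, *record):
        return "bad credentials"
    if not verify_otp(otp_store, user, otp, now):
        return "mfa failed"
    if not conditional_access(policy, signals):
        return "blocked by conditional access"
    return "ok"


if __name__ == "__main__":
    users = {"driver1": hash_password("correct horse battery")}
    store, now = {}, 1_700_000_000.0
    policy = {"require_compliant_device": True, "allowed_locations": ["store-12"]}
    code = issue_otp(store, "driver1", now)
    print(sign_in(users, store, policy, "driver1", "correct horse battery", code,
                  {"device_compliant": True, "location": "store-12"}, now))
```

The policy in the `__main__` block is the retail-store case from the questions that follow: a correct password and code still get "blocked by conditional access" when the device is not compliant.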
- How can the IT department ensure that employees at the company’s retail stores can access company applications only from approved tablet devices?
- SSO
- Conditional Access
- Multifactor authentication
- How can the IT department use biometric properties, such as facial recognition, to enable delivery drivers to prove their identities?
- SSO
- Conditional Access
- Multifactor authentication
- How can the IT department reduce the number of times users must authenticate to access multiple applications?
- SSO
- Conditional Access
- Multifactor authentication
CLOUD ADOPTION FRAMEWORK
SUBSCRIPTION GOVERNANCE STRATEGY
BILLING
You can create one billing report per subscription. If you have multiple departments and need to do a “chargeback” of cloud costs, one possible solution is to organize subscriptions by department or by project.
ACCESS CONTROL
A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure Active Directory tenant. Each tenant provides administrators the ability to set granular access through defined roles by using Azure role-based access control.
Subscription limits
Subscriptions also have some resource limitations. For example, the maximum number of network Azure ExpressRoute circuits per subscription is 10. Those limits should be considered during your design phase. If you’ll need to exceed those limits, you might need to add more subscriptions.
MANAGEMENT GROUPS
Management groups are also available to assist with managing subscriptions. A management group manages access, policies, and compliance across multiple Azure subscriptions. You’ll learn more about management groups later in this module.
How is role-based access control applied to resources?
Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.
- A management group (a collection of multiple subscriptions).
- A single subscription.
- A resource group.
- A single resource.
Observers, users managing resources, admins, and automated processes are the kinds of users or accounts that would typically be assigned each of the various roles.
When you grant access at a parent scope, those permissions are inherited by all child scopes. For example:
- When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.
- When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.
- When you assign the Contributor role to an application at the resource group scope, the application can manage resources of all types within that resource group, but not other resource groups within the subscription.
RBAC uses an allow model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.
RESOURCE LOCKS
A resource lock prevents resources from being accidentally deleted or changed. Even with Azure role-based access control (Azure RBAC) policies in place, there’s still a risk that people with the right level of access could delete critical cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed.
You can set the lock level to CanNotDelete or ReadOnly.
- CanNotDelete means authorized people can still read and modify a resource, but they can’t delete the resource without first removing the lock.
- ReadOnly means authorized people can read a resource, but they can’t delete or change the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role in Azure RBAC.
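The RBAC scope inheritance, the allow model and the two lock levels described above combine into one authorization decision. The block below is an added example that models that decision; it is not Azure's authorization engine. The role names and the action strings follow Azure's naming, but the role definitions are simplified (real roles are Actions minus NotActions), and the principals, scope paths and lock placement are constructed for the demo.

```python
"""Toy model of Azure RBAC scope inheritance, the allow model and resource locks.

Added example, not Azure's authorization engine. Scopes are written as
slash-separated paths (management group / subscription / resource group /
resource); a role assignment at a scope applies to every child scope.
"""
from collections import namedtuple

Assignment = namedtuple("Assignment", "principal role scope")
Lock = namedtuple("Lock", "scope level")   # level: "CanNotDelete" or "ReadOnly"

# Simplified role definitions: '*' stands for every action. Real Azure roles
# are defined as Actions minus NotActions; that detail is omitted here.
ROLES = {
    "Owner": {"*"},
    "Contributor": {"*/read", "*/write", "*/delete"},
    "Reader": {"*/read"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*", "*/read"},
}


def _in_scope(assignment_scope, target):
    """True when target is the assignment scope itself or a descendant of it."""
    return target == assignment_scope or target.startswith(assignment_scope.rstrip("/") + "/")


def _action_matches(pattern, action):
    """Match a permission pattern such as 'Microsoft.Compute/virtualMachines/*' or '*/read'."""
    if pattern == "*":
        return True
    if pattern.startswith("*/"):
        return action.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def rbac_allows(assignments, principal, action, scope):
    """Allow model: any inherited assignment that grants the action is enough."""
    for a in assignments:
        if a.principal == principal and _in_scope(a.scope, scope):
            if any(_action_matches(p, action) for p in ROLES[a.role]):
                return True
    return False


def lock_blocks(locks, action, scope):
    """Locks are checked after RBAC and also apply to everything below their scope."""
    verb = action.rsplit("/", 1)[-1]   # 'read', 'write', 'delete', 'action', ...
    for lock in locks:
        if not _in_scope(lock.scope, scope):
            continue
        if verb == "delete":               # both lock levels block deletion
            return True
        if lock.level == "ReadOnly" and verb != "read":
            return True
    return False


def authorize(assignments, locks, principal, action, scope):
    if not rbac_allows(assignments, principal, action, scope):
        return "denied: no role assignment grants this action"
    if lock_blocks(locks, action, scope):
        return "denied: resource lock"
    return "allowed"


# Constructed hierarchy: one management group, one subscription, two resource groups.
MG = "/mg-tailwind"
SUB = MG + "/sub-prod"
RG_DEV, RG_NET = SUB + "/rg-dev", SUB + "/rg-network"
VM_DEV = RG_DEV + "/vm-dev-01"
VNET = RG_NET + "/vnet-prod"

ASSIGNMENTS = [
    Assignment("alice", "Owner", MG),                              # inherited everywhere
    Assignment("auditors", "Reader", SUB),                         # read-only across the subscription
    Assignment("dev-team", "Virtual Machine Contributor", RG_DEV),  # VMs in rg-dev only
]
LOCKS = [Lock(VNET, "CanNotDelete")]

if __name__ == "__main__":
    print(authorize(ASSIGNMENTS, LOCKS, "alice", "Microsoft.Network/virtualNetworks/delete", VNET))
    print(authorize(ASSIGNMENTS, LOCKS, "dev-team", "Microsoft.Network/virtualNetworks/write", VNET))
```

Note the two different denials: the Owner assigned at the management group can do anything by RBAC, yet still cannot delete the locked VNet, while the dev team's assignment at rg-dev never reaches rg-network at all, which is the scoping the first Tailwind Traders question below relies on.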
To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure Blueprints can automatically replace the resource lock if that lock is removed.
TAGS
Tags provide extra information, or metadata, about your resources. This metadata is useful for:
- Resource management: Tags enable you to locate and act on resources that are associated with specific workloads, environments, business units, and owners.
- Cost management and optimization: Tags enable you to group resources so that you can report on costs, allocate internal cost centers, track budgets, and forecast estimated cost.
- Operations management: Tags enable you to group resources according to how critical their availability is to your business. This grouping helps you formulate service-level agreements (SLAs). An SLA is an uptime or performance guarantee between you and your users.
- Security: Tags enable you to classify data by its security level, such as public or confidential.
- Governance and regulatory compliance: Tags enable you to identify resources that align with governance or regulatory compliance requirements, such as ISO 27001.
- Tags can also be part of your standards enforcement efforts. For example, you might require that all resources be tagged with an owner or department name.
- Workload optimization and automation: Tags can help you visualize all of the resources that participate in complex deployments. For example, you might tag a resource with its associated workload or application name and use software such as Azure DevOps to perform automated tasks on those resources.
AZURE POLICY
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.
POLICY INITIATIVES
Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. Azure Policy can also prevent noncompliant resources from being created.
An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.
POLICY ASSIGNMENT
A policy assignment is a policy definition that takes place within a specific scope. This scope could be a management group (a collection of multiple subscriptions), a single subscription, or a resource group. Policy assignments are inherited by all child resources within that scope. If a policy is applied to a resource group, that policy is applied to all resources within that resource group. You can exclude a subscope from the policy assignment if there are specific child resources you need to be exempt from the policy assignment.
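The policy, initiative and assignment sections above fit together as a small evaluation loop: an assignment binds an initiative (a set of policy definitions) to a scope, every resource under that scope and outside any excluded subscope is tested against each policy's `if` condition, and a match produces the policy's effect. The block below is an added example of that loop, not the Azure Policy engine. The condition vocabulary (`field`, `equals`, `in`, `exists`, `not`, `allOf`), the `[parameters('...')]` reference, the `deny`/`audit` effects and the `notScopes` exclusion property follow the real policy language; the `sku.name` field path is a simplification of the real `Microsoft.Compute/virtualMachines/sku.name` alias, and the resources, scopes and allowed SKU list are constructed for the demo.

```python
"""Toy evaluator for Azure Policy-style definitions, initiatives and assignments.

Added example, not the Azure Policy engine. Resources are plain dicts with an
'id', a 'type', optional 'sku' and 'tags'; scopes are ARM-style id prefixes.
"""


def _get_field(resource, field):
    """Resolve 'tags[dept]' or a dotted path such as 'sku.name' against a resource dict."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    value = resource
    for part in field.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _resolve(value, params):
    """Expand a "[parameters('name')]" reference; other values pass through."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def _cond(cond, resource, params):
    if "not" in cond:
        return not _cond(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_cond(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_cond(c, resource, params) for c in cond["anyOf"])
    actual = _get_field(resource, cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def _in_scope(scope, resource_id):
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")


def evaluate(assignments, resource):
    """Return the (policy name, effect) pairs whose condition matches this resource."""
    verdicts = []
    for a in assignments:
        if not _in_scope(a["scope"], resource["id"]):
            continue
        if any(_in_scope(ex, resource["id"]) for ex in a.get("notScopes", [])):
            continue   # excluded subscope: the assignment does not apply
        for policy in a["initiative"]["policies"]:
            if _cond(policy["if"], resource, a.get("parameters", {})):
                verdicts.append((policy["name"], policy["then"]["effect"]))
    return verdicts


# Initiative: one deny policy (allowed VM sizes) and one audit policy (required tag).
COST_AND_TAG_INITIATIVE = {
    "name": "tailwind-governance",
    "policies": [
        {   # Same shape as the built-in 'Allowed virtual machine size SKUs' policy.
            "name": "allowed-vm-skus",
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"not": {"field": "sku.name", "in": "[parameters('allowedSkus')]"}},
            ]},
            "then": {"effect": "deny"},
        },
        {   # Every resource must carry a billing-department tag.
            "name": "require-dept-tag",
            "if": {"field": "tags[dept]", "exists": "false"},
            "then": {"effect": "audit"},
        },
    ],
}

ASSIGNMENTS = [{
    "scope": "/subscriptions/sub-dev",
    "notScopes": ["/subscriptions/sub-dev/resourceGroups/rg-sandbox"],
    "initiative": COST_AND_TAG_INITIATIVE,
    "parameters": {"allowedSkus": ["Standard_B2s", "Standard_D2s_v3"]},
}]

if __name__ == "__main__":
    vm = {"id": "/subscriptions/sub-dev/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1",
          "type": "Microsoft.Compute/virtualMachines", "sku": {"name": "Standard_E16s_v3"}}
    print(evaluate(ASSIGNMENTS, vm))   # both policies hit: oversized SKU and no dept tag
```

Run against a few constructed resources, a VM with an oversized SKU in rg-app is denied, the same VM in rg-sandbox gets no verdict because that resource group is in `notScopes`, and an untagged storage account is only audited; the later Tailwind Traders questions on allowed SKU sizes and billing-department tags are exactly these two policies.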
AZURE BLUEPRINTS
Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed the development and deployment phases.
Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:
- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups
When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure Blueprints to scale their governance practices throughout the organization.
Implementing a blueprint in Azure Blueprints involves these three steps:
- Create an Azure blueprint.
- Assign the blueprint.
- Track the blueprint assignments.
With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments. Each component in the blueprint definition is known as an artifact.
Tailwind Traders has created environments for development and testing for its e-commerce system. Here’s a diagram that shows the basic compute, database, and networking components found in each environment.
- How can Tailwind Traders allow some users to control the virtual machines in each environment but prevent them from modifying networking and other resources in the same resource group or Azure subscription?
- Create a role assignment through Azure role-based access control (Azure RBAC).
- Create a policy in Azure Policy that audits resource usage.
- Split the environment into separate resource groups.
- Which is the best way for Tailwind Traders to ensure that the team deploys only cost-effective virtual machine SKU sizes?
- Periodically inspect the deployment manually to see which SKU sizes are used.
- Create an Azure RBAC role that defines the allowed virtual machine SKU sizes.
- Create a policy in Azure Policy that specifies the allowed SKU sizes.
- Which is likely the best way for Tailwind Traders to identify which billing department each Azure resource belongs to?
- Track resource usage in a spreadsheet.
- Split the deployment into separate Azure subscriptions, where each subscription belongs to its own billing department.
- Apply a tag to each resource that includes the associated billing department.
OST
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both parties with respect to the processing and security of customer data and personal data. The OST applies specifically to Microsoft’s online services that you license through a subscription, including Azure, Dynamics 365, Office 365, and Bing Maps.
TRUST CENTER
The Trust Center showcases Microsoft’s principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community.
AZURE COMPLIANCE DOCUMENTATION
The Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.
Here you find compliance offerings across these categories:
- Global
- US government
- Financial services
- Health
- Media and manufacturing
- Regional
Under Compliance blueprints, you find reference blueprints, or policy definitions, for common standards that you can apply to your Azure subscription. The PCI DSS blueprint deploys a core set of policies that map to PCI DSS compliance and help you govern your Azure workloads against this standard.
DPA
The Data Protection Addendum (DPA) further defines the data processing and security terms for online services. These terms include:
- Compliance with laws.
- Disclosure of processed data.
- Data Security, which includes security practices and policies, data encryption, data access, customer responsibilities, and compliance with auditing.
- Data transfer, retention, and deletion.
Consider the following scenario, then choose the best response for each question that follows.
At Tailwind Traders, the legal and IT departments want to better understand how Microsoft handles personal data. They also want to better understand how Azure services can help them meet their compliance goals.
Their needs go beyond just Azure. For example, applications in their retail stores use Cortana to help store employees quickly locate items.
- Where can the team access details about the personal data Microsoft processes and how the company processes it, including for Cortana?
- Microsoft Privacy Statement
- The Azure compliance documentation
- Microsoft compliance offerings
- Where can the legal team access information around how the Microsoft cloud helps them secure sensitive data and comply with applicable laws and regulations?
- Microsoft Privacy Statement
- Trust Center
- Online Services Terms
- Where can the IT department find reference blueprints that it can apply directly to its Azure subscriptions?
- Online Services Terms
- Azure compliance documentation
- Microsoft Privacy Statement
Use Azure Advisor to monitor your usage
Azure Advisor identifies unused or underutilized resources and recommends unused resources that you can remove. This information helps you configure your resources to match your actual workload.
Use spending limits to restrict your spending
If you have a free trial or a credit-based Azure subscription, you can use spending limits to prevent accidental overrun.
Use Azure Reservations to prepay
Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can save you up to 72 percent as compared to pay-as-you-go prices. To receive a discount, you reserve services and resources by paying in advance.
Use Azure Cost Management + Billing to control spending
Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use.
Before they migrate their existing e-commerce system from their datacenter to production environments on Azure, the Tailwind Traders team wants to first set up environments for development and testing.
Here’s a diagram that shows the basic compute, database, and networking components found in each environment:
After the development team verifies changes to the Dev environment, they promote changes to the Test environment. The Test environment is where the testing team verifies new app features and also verifies that no regressions, or breaks to existing features, happen as new features are added.
- Which is the best first step the team should take to compare the cost of running these environments on Azure versus in their datacenter?
- They’re just test environments. Spin them up and check the bill at the end of the month.
- Assume that running in the cloud costs about the same as running in the datacenter.
- Run the Total Cost of Ownership Calculator.
- What’s the best way to ensure that the development team doesn’t provision too many virtual machines at the same time?
- Do nothing. Let the development team use what they need.
- Apply spending limits to the development team’s Azure subscription.
- Verbally give the development lead a budget and hold them accountable for overages.
- Which is the most efficient way for the testing team to save costs on virtual machines on weekends, when testers are not at work?
- Delete the virtual machines before the weekend and create a new set the following week.
- Deallocate virtual machines when they’re not in use.
- Just let everything run. Azure bills you only for the CPU time that you use.
- Resources in the Dev and Test environments are each paid for by different departments. What’s the best way to categorize costs by department?
- Apply a tag to each virtual machine that identifies the appropriate billing department.
- Split the cost evenly between departments.
- Keep a spreadsheet that lists each team’s resources.
When you build applications on Azure, the availability of the services that you use affects your application’s performance. Understanding the SLAs involved can help you establish the SLA you set with your customers. You don’t need an Azure subscription to review service SLAs. Each Azure service defines its own SLA. Azure services are organized by category.
A service credit is the percentage of the fees you paid that are credited back to you according to the claim approval process. Free products typically don’t have an SLA.
Azure status provides a global view of the health of Azure services and regions. If you suspect there’s an outage, this is often a good place to start your investigation.
Typically, you need to file a claim with Microsoft to receive a service credit. If you purchase Azure services from a Cloud Solution Provider (CSP) partner, your CSP typically manages the claims process.
You can access preview features that are specific to the Azure portal from Microsoft Azure (Preview).
The Azure updates page provides information about the latest updates to Azure products, services, and features, as well as product roadmaps and announcements.
- Which of the following choices isn’t a cloud computing category?
- Platform-as-a-Service (PaaS)
- Networking-as-a-Service (NaaS)
- Infrastructure-as-a-Service (IaaS)
- Software-as-a-Service (SaaS)
- Which of the following statements is true?
- With Operating Expenses (OpEx), you are responsible for purchasing and maintaining your computing resources.
- With Operating Expenses (OpEx), you are only responsible for the computing resources that you use.
- With Capital Expenses (CapEx), you are only responsible for the computing resources that you use.
- Which of the following options isn’t a type of cloud computing?
- Distributed cloud
- Hybrid cloud
- Private cloud
- Public cloud
- Which of the following choices isn’t a benefit of using cloud services?
- Scalability
- Geographic isolation
- Disaster recovery
- High availability
The following image shows the top-down hierarchy of organization for these levels.
- Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
- Resource groups: Resources are combined into resource groups, which act as a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed.
- Subscriptions: A subscription groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources that you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
- Management groups: These groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.
An Azure subscription is a logical unit of Azure services that links to an Azure account, which is an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.
- Billing boundary: This subscription type determines how an Azure account is billed for using Azure. You can create multiple subscriptions for different types of billing requirements. Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
- Access control boundary: Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures. An example is that within a business, you have different departments to which you apply distinct Azure subscription policies. This billing model allows you to manage and control access to the resources that users provision with specific subscriptions.
Subscription limits: Subscriptions are bound to some hard limitations. For example, the maximum number of Azure ExpressRoute circuits per subscription is 10. Those limits should be considered as you create subscriptions on your account. If there’s a need to go over those limits in particular scenarios, you might need additional subscriptions.
If you have multiple subscriptions, you can organize them into invoice sections. Each invoice section is a line item on the invoice that shows the charges incurred that month. For example, you might need a single invoice for your organization but want to organize charges by department, team, or project.
Depending on your needs, you can set up multiple invoices within the same billing account. To do this, create additional billing profiles. Each billing profile has its own monthly invoice and payment method.
The following diagram shows an overview of how billing is structured. If you’ve previously signed up for Azure or if your organization has an Enterprise Agreement, your billing might be set up differently.
AZURE MANAGEMENT GROUPS
If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called management groups and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have. All subscriptions within a single management group must trust the same Azure AD tenant.
Important facts about management groups
- 10,000 management groups can be supported in a single directory.
- A management group tree can support up to six levels of depth. This limit doesn’t include the root level or the subscription level.
- Each management group and subscription can support only one parent.
- Each management group can have many children.
- All subscriptions and management groups are within a single hierarchy in each directory.
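As an added example (not code from the study page), a small Python model of the management-group hierarchy described above: it enforces the one-parent rule and the six-level depth limit (root and subscription levels excluded) and computes the governance conditions a subscription inherits from every ancestor group. The group names and policy identifiers are constructed sample values.

```python
from dataclasses import dataclass, field

MAX_DEPTH = 6  # management-group levels allowed below the tenant root group

@dataclass
class Node:
    name: str
    is_subscription: bool = False
    parent: "Node | None" = None
    conditions: set = field(default_factory=set)  # policy / RBAC assignments

    def depth(self) -> int:  # levels below the root (root itself is 0)
        d, n = 0, self
        while n.parent is not None:
            d, n = d + 1, n.parent
        return d

class Hierarchy:
    def __init__(self, root_name: str):
        self.nodes = {root_name: Node(root_name)}

    def add(self, name: str, parent_name: str, is_subscription=False) -> Node:
        """Attach a node; enforces one parent per node and the depth limit."""
        if name in self.nodes:
            raise ValueError(f"{name!r} already has a parent")
        parent = self.nodes[parent_name]
        node = Node(name, is_subscription, parent)
        # The six-level limit excludes the root and the subscription level.
        if not is_subscription and node.depth() > MAX_DEPTH:
            raise ValueError(f"deeper than {MAX_DEPTH} management-group levels")
        self.nodes[name] = node
        return node

    def effective_conditions(self, name: str) -> set:
        """Directly assigned conditions plus those inherited from ancestors."""
        result, n = set(), self.nodes[name]
        while n is not None:
            result |= n.conditions
            n = n.parent
        return result

def build_sample() -> Hierarchy:
    # Constructed sample tenant: a Contoso group with a Prod child group.
    h = Hierarchy("Tenant Root Group")
    h.add("Contoso", "Tenant Root Group").conditions.add("policy:require-BillingDept-tag")
    h.add("Prod", "Contoso").conditions.add("policy:deny-public-ip")
    h.add("prod-sub-1", "Prod", is_subscription=True)
    h.add("dev-sub-1", "Contoso", is_subscription=True)  # not under Prod
    return h
```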
- Which of the following can be used to manage governance across multiple Azure subscriptions?
- Azure initiatives
- Management groups
- Resource groups
- Which of the following is a logical unit of Azure services that links to an Azure account?
- Azure subscription
- Management group
- Resource group
- Which of the following features doesn’t apply to resource groups?
- Resources can be in only one resource group.
- Role-based access control can be applied to the resource group.
- Resource groups can be nested.
- Which of the following statements is a valid statement about an Azure subscription?
- Using Azure doesn’t require a subscription.
- An Azure subscription is a logical unit of Azure services.
- You can’t have more than one subscription.
Answers
Answer Keys
- Most cloud computing resources can be distributed to global datacenters.
- You can use a free Azure account or a Microsoft Learn sandbox to create resources.
- In an IaaS environment, the cloud provider is responsible for any hardware maintenance.
- Azure Cosmos DB supports SQL, MongoDB, Cassandra, Tables, and Gremlin APIs.
- Azure Database for MySQL is the logical choice for existing LAMP stack applications.
- Azure Synapse Analytics is the logical choice for analyzing large volumes of data.
- Virtual machine scale sets let you deploy and manage a set of identical virtual machines.
- Azure Functions is used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.
- Windows Virtual Desktop enables your team members to run Windows in the cloud, with access to the required applications for your company’s needs.
- You must create an Azure Storage account before you can use any Azure Storage features.
- Azure Blob Storage is your best option for storing disaster recovery files and archives.
- FTP over SSL can’t be used to create a secure communication tunnel.
- A site-to-site virtual private network isn’t an ExpressRoute model.
- Virtual network peering can be used to link virtual networks.
- ExpressRoute does provide private connectivity, but it isn’t encrypted.
- Azure Bot Service will not help with prediction. It should be eliminated as a candidate.
- Although Azure Machine Learning could be used to create a natural language model, it would likely be cost and time prohibitive. It should be eliminated as a candidate.
- Azure Cognitive Services includes Vision services that can identify the content of an image. Azure Cognitive Services is the best candidate.
- Azure Boards is an agile project management tool. It would not be used to automate a CI/CD process.
- Azure DevTest Labs is used to manage VMs for testing, including configuration, provisioning, and automatic de-provisioning.
- Azure Pipelines is a CI/CD tool for building an automated toolchain. It lacks features to assign tasks for individual developers to work on. However, it can automate other tools to assign tasks to users.
- Azure Advisor can alert you when new recommendations are available.
- Azure Service Health provides incident history and RCAs to share with your stakeholders.
- Azure Monitor is the platform used by Application Insights.
- The Azure CLI enables you to use Bash to run one-off tasks on Azure.
- An Azure portal is a great place for newcomers to learn about Azure and set up their first resources.
- ARM templates are the best infrastructure-as-code option for quickly and reliably setting up your entire cloud infrastructure declaratively.
- Azure Functions is the correct choice because you can use existing Java code with minimal modification.
- Azure Logic Apps makes it easy to create a workflow across well-known services with less effort than writing code and manually orchestrating all the steps yourself.
- Azure Logic Apps is best suited for users who are more comfortable in a visual environment that allows them to automate their business processes. Logic Apps is the best option in this scenario.
- Azure Sphere provides the highest degree of security to ensure the device has not been tampered with.
- IoT Central quickly creates a web-based management portal to enable reporting and communication with IoT devices.
- An IoT hub communicates to IoT devices by sending and receiving messages.
- With Azure Security Center, you can define a list of allowed applications to ensure that only applications you allow can run. Azure Security Center can also detect and block malware from being installed on your VMs.
- Azure Sentinel is Microsoft’s cloud-based SIEM. A SIEM aggregates security data from many different sources to provide additional capabilities for threat detection and responding to threats.
- Azure Key Vault enables you to store your secrets in a single, central location. Key Vault also makes it easier to enroll and renew certificates from public certificate authorities (CAs).
- Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.
- DDoS Protection helps protect your Azure resources from DDoS attacks. A DDoS attack attempts to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users.
- Azure Firewall enables you to limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs).
- A network security group rule enables you to filter traffic to and from resources by source and destination IP address, port, and protocol.
- Conditional Access enables you to require users to access your applications only from approved, or managed, devices.
- Authenticating through multifactor authentication can include something the user knows, something the user has, and something the user is.
- SSO enables a user to remember only one ID and one password to access multiple applications.
- Azure RBAC enables you to create roles that define access permissions. You might create one role that limits access only to virtual machines and a second role that provides administrators with access to everything.
- After you enable this policy, that policy is applied when you create new virtual machines or resize existing ones. Azure Policy also evaluates any current virtual machines in your environment.
- Tags provide extra information, or metadata, about your resources. The team might create a tag that’s named BillingDept whose value would be the name of the billing department. You can use Azure Policy to ensure that the proper tags are assigned when resources are provisioned.
- The Microsoft Privacy Statement provides information that’s relevant to specific services, including Cortana.
- The Trust Center is a great resource for people in your organization who might play a role in security, privacy, and compliance.
- The compliance documentation provides reference blueprints, or policy definitions, for common standards that you can apply to your Azure subscription.
- Running the Total Cost of Ownership Calculator is a great first step because it can provide an accurate comparison of running workloads in the datacenter versus on Azure, certified by an independent research company.
- If you exceed your spending limit, active resources are deallocated. You can then decide whether to increase your limit or provision fewer resources.
- When you deallocate virtual machines, the associated hard disks and data are still kept in Azure. But you don’t pay for CPU or network consumption, which can help save costs.
- You can apply tags to groups of Azure resources to organize billing data.
- NaaS isn’t a cloud computing category.
- A distributed cloud isn’t a valid type of cloud computing.
- You can choose to create resources in a single region; however, one of the primary advantages to cloud computing is geographic distribution.
- Management groups facilitate the hierarchical ordering of Azure resources into collections, at a level of scope above subscriptions. Distinct governance conditions can be applied to each management group, with Azure Policy and Azure role-based access controls, to manage Azure subscriptions effectively. The resources and subscriptions assigned to a management group automatically inherit the conditions applied to the management group.
- An Azure subscription is a logical unit of Azure services that links to an Azure account.
- Resource groups can’t be nested.
- A subscription is a set of Azure services bundled together for tracking and billing purposes.