prawin-s / az-303 Goto Github PK

Notes on Site-to-Site VPN Connection
A Site-to-Site VPN connection is used to establish a secure connection between an on-premise network and an Azure network via the Internet.

Below is a diagram from the Microsoft documentation on a sample scenario

Image reference - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

On the on-premise side, you need to have a VPN device that can route traffic via the Internet onto the VPN gateway in Azure. The VPN device can be a hardware device like a Cisco router or a software device ( e.g Windows Server 2016 running Routing and Remote services). The VPN device needs to have a publically routable IP address.

The subnets in your on-premise network must not overlap with the subnets in your Azure virtual network

The Site-to-Site VPN connection uses an IPSec tunnel to encrypt the traffic.

The VPN gateway resource you create in Azure is used to route encrypted traffic between your on-premise data center and your Azure virtual network.

There are different SKU's for the Azure VPN gateway service. Each SKU has a different pricing and attributes associated with it - Reference - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings

Security Center -

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.

1. Gain tenant-wide visibility : Gain visibility and manage the security posture of all your Azure subscriptions by leveraging Azure management groups and assigning a security role on the root management group.
2. Configure security policies : Set policies to define workload configuration, help ensure compliance, and protect sensitive data.
3. Add non-Azure servers : Use the Microsoft Monitoring Agent to extend Security Center capabilities to servers running outside of Azure, including resources running on-premises and in other clouds.

Upgrade to Azure Defender for additional security. Available at resource level as well.

Make the most of Security Center by enabling data collection agents. To receive security alerts and recommendations, agents must be installed on your virtual machines for data collection.

What is Regulatory Compliance?
Regulatory Compliance enables you to monitor your environment for risks based on compliance standards, and view a report that shows your compliance posture relative to each standard.
You can filter by regulations, export reports, and resolve compliance issues directly within the experience.

Regulatory Compliance is only available for the subscriptions in standard tier.

How does it work?
Security Center assessments have been mapped to compliance regulations, such that each applicable regulation control has some assessments associated with it.
You can view your compliance relative to the supported controls of a regulation based on the passing vs. failing assessments that align with that regulation.
As you remediate more assessments, your compliance posture improves.

Log Analytics workspace

A Log Analytics workspace is the basic management unit of Azure Monitor Logs.

With Azure Monitor Logs you can easily store, retain, and query data collected from your monitored resources in Azure and other environments for valuable insights. A Log Analytics workspace is the logical storage unit where your log data is collected and stored.

Log Analytics collects data from a variety of sources and uses a powerful query language to give you insights into the operation of your applications and resources. Use Azure Monitor to access the complete set of tools for monitoring all of your Azure resources.

If you enable collection of guest OS diagnostics data, you will have the ability to collect data on the performance counters on Windows based virtual machines.

Notes on Point-to-Site VPN Connection
A Point-to-Site VPN connection is used to establish a secure connection between multiple client machines an an Azure virtual network via the Internet.

Below is a diagram from the Microsoft documentation on a sample scenario

Image reference -https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

This sort of connection is based off certificates for authentication.

You need to have a root certificate in place that needs to be uploaded to Azure for the point-to-site connection.

A client certificate needs to be generated from the root certificate. This client certificate needs to be on each client computer that needs to connect to the Azure virtual network via the Point-to-Site connection.

To generate the certificates, you can use a Certificate authority or generate a self-signed certificate using PowerShell. Some commands are given below

// To generate the root certificate

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `

-Subject "CN=RootCertificate" -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

// To generate the client certificate

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `

-Subject "CN=ClientCertificate" -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation "Cert:\CurrentUser\My" `

-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Live migration only works for general-purpose v2 accounts and the current replication techniques supported are Locally- redundant storage and Geo-redundant storage.

The correct format for the permission to manage support tickets with Microsoft is “Microsoft.Support/*”

Azure Storage Accounts

There are different types of storage accounts

1. General-purpose v2 accounts – This is recommended for most scenarios. This storage account type provides the blob, file , queue and table service.

2. General-purpose v1 accounts – This also provides the blob, file , queue and table service, but is the older version of this account type.

3. BlockBlobStorage accounts – This is specifically when you want premium performance for storing block or append blobs.

4. FileStorage accounts – This is specifically when you want premium performance for file-only storage.

5. BlobStorage accounts – This is a legacy storage account. Use General-purpose v2 account as much as possible

More on Azure Blob storage

This is object storage for the cloud.

Here you can store massive amounts of unstructured data on the cloud.

This is highly recommended when you want to store images, documents, video and audio files.

Within the blob service, you create a container that is used to store the blob objects.

There are three different types of blobs

Block blobs – This is used for storing text and binary data.

Append blobs – This is ideal for logging data.

Page blobs – This is used to store virtual hard disk files for Azure virtual machines

Replication Techniques

Locally-redundant storage (LRS) - Here data is replicated synchronously three times within a physical location in the primary region.

Zone-redundant storage (ZRS) - Here data is replicated synchronously across three Azure availability zones in the primary region. This is good when you want to have data present even in the event of a data center failure.

Geo-redundant storage (GRS) - Here data is replicated synchronously three times in the primary region, then replicated asynchronously to the secondary region.

Read access Geo-redundant storage (RA-GRS) - Here data is replicated synchronously three times in the primary region, then replicated asynchronously to the secondary region. Here the data in the secondary region is also available for read-only purposes.

Geo-zone-redundant storage (GZRS) - Here data is replicated synchronously across three Azure availability zones in the primary region, then replicated asynchronously to the secondary region.

Read Access Geo-zone-redundant storage (RA-GZRS) - Here data is replicated synchronously across three Azure availability zones in the primary region, then replicated asynchronously to the secondary region. Here the data in the secondary region is also available for read-only purposes.

Here is a snapshot from the Microsoft documentation on the different storage account types

Reference - https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

Azure Blob Storage - Access Tiers

Hot – This is optimized for storing data that is accessed frequently. This can be set at the account level.

Cool – This is optimized for storing data that is infrequently accessed and stored for at least 30 days. This can be set at the account level.

Note:- For the Cool Access tier , the storage costs are lower than the Hot tier. But the access costs are higher than the Hot access tier.

Archive tier - This is optimized for storing data that is rarely accessed and stored for at least 180 days. This can be set only at the blob level.

Note:- When a blob is in the archive tier, you can’t access the blob. You have to rehydrate the blob first before it can be accessed.

Also the storage costs are the least when it comes to the Archive access tier. But the access costs are the highest

Availability Sets

When you host your virtual machines in Azure, you sometimes need to cater to the following

1. An unplanned event wherein the underlying infrastructure fails unexpectedly. The failures could be attributed to network failures , local disk failures or even rack failures.

2. Planned maintenance events , wherein Microsoft needs to make planned updates to the underlying physical environment. In such cases , a reboot might be required on your virtual machine.

You can increase the availability of your application by making use of availability sets. Each virtual machine that is assigned to the availability set is assigned a separate fault and update domain.

Fault domains are used to define the group of virtual machines that share a common source and network switch. You can have up to 3 fault domains.

Update domains are used to group virtual machines and physical hardware that can be rebooted at the same time. You can have up to 20 update domains.

Availability Zones

This features help provides better availability for your application by protecting them from datacenter failures.

Each Availability zone is a unique physical location in an Azure region.

Each zone comprises of one or more data centers that has independent power, cooling, and networking

Hence the physical separation of the Availability Zones helps protect applications against data center failures

Using Availability Zones, you can be guaranteed an availability of 99.99% for your virtual machines. You need to ensure that you have 2 or more virtual machines running across multiple availability zones

Azure compute unit (ACU)
The concept of the Azure Compute Unit (ACU) provides a way of comparing compute (CPU) performance across Azure SKUs. This will help you easily identify which SKU is most likely to satisfy your performance needs.

Azure Scale up and Scale Out
You can increase the capacity of an App Service App by one of the following two ways -

Scale-up – Upgrade the capacity of the host where the app is hosted (PAAS environment). Ex: Increase the RAM size from 1 cores to 4 cores.
Scale-out – Upgrade the capacity of the app by increasing the number of host instances (PAAS Environment). Ex: Having a Load Balancer where your app is hosted on multiple instances. You can do a scale-out in any of the following two ways based on the Tier of your App Service Plan.

Manual Scale-out : You have to manually scale the apps that are based on Free, Shared and Basic App Service Plans.

Auto Scale-out : Auto Scaling is possible only for apps that are hosted in Standard and Premium App Service Plans.

We can configure the Auto Scale based on the following parameters -

• CPU Percentage
• Memory (RAM) percentage
• Disk queue Length
• HTTP Queue Length
• Data in
• Data Out

Logic Apps & Azure Functions -

When creating a function app, you must create or link to a general-purpose azure storage account that supports Blobs, Queue and Table storage.

Integration Service Environment -
An ISE is a dedicated environment that uses dedicated storage and other resources that are kept separate from the "global" multi-tenant Logic Apps service. This separation also reduces any impact that other Azure tenants might have on your apps' performance. An ISE also provides you with your own static IP addresses. These IP addresses are separate from the static IP addresses that are shared by the logic apps in the public, multi-tenant service.

Load Balancing

Load balancing and network security

Question 1:
A company has to deploy an application to Azure. The application consists of a web front end and an application tier. You have to implement a load balancing solution that has to comply with the following requirements.

• From the Internet to Web Front End:

Provides support for URL-based routing

Provides support for connection draining

Provides support for preventing SQL injection attacks

• From the Web Front End to the application tier:

Provides support for port forwarding

Provides support for HTTPS health probes

Provides support for having an availability set as the backend pool

Which of the following is a Load Balancing solution you would recommend for the Internet to Web Front End?

Ans :

Question 2:
A company is planning to deploy a web application to Azure. The web application will be deployed to the Azure Web App service. The company has the following requirements:

• Provide support for efficient SSL encryption and decryption processing to support high traffic loads on the web application.

• Provide support to protect the web application against web vulnerabilities and attacks without modifying the backend code.

• Be able to optimize web application responsiveness and reliability by routing HTTP requests and responses to the endpoint with the client's lowest network latency.

Which of the following can be used for the following requirement?

“Be able to optimize web application responsiveness and reliability by routing HTTP requests and responses to the endpoint with the lowest network latency for the client.”

Options - Web Application Firewall, Azure Monitor, Azure Security Center, Azure Traffic Manager

Ans : Azure Traffic Manager

You can use routing methods in the Azure Application Gateway to route traffic.

Question 3:
An organization has set up virtual machines (VMs) to act as jump boxes in each of its six virtual networks. Why should the organization consider using Azure Bastion?
Ans -

Azure Bastion is a fully managed PaaS service. It provides seamless RDP/SSH access to VMs over the internet without requiring the installation of connection software like Remote Desktop

Question 4:
You decide to deploy Azure Bastion to an existing virtual network by using the Azure CLI. What resources do you need to create?

Ans -

Create a subnet named AzureBastionSubnet for the virtual network; create a public IP; and then create the Azure Bastion resource with the virtual network and public IP address information.

Question 5:
A company has to deploy an application to Azure. The application consists of a web front end and an application tier. You have to implement a load balancing solution that has to comply with the following requirements.

• From the Internet to Web Front End:

Provides support for URL-based routing

Provides support for connection draining

Provides support for preventing SQL injection attacks

• From the Web Front End to the application tier:

Provides support for port forwarding

Provides support for HTTPS health probes

Provides support for having an availability set as the backend pool

Which of the following is a Load Balancing solution you would recommend for the Web Front End to the application tier?

And :

Azure governance

Question 1:
A company has set up an Azure subscription. They have set up a storage account and are currently using the BLOB service. They want to assign permissions to 3 user groups.

GroupA – This group should have the ability to manage the storage account

GroupB – This group should be able to manage containers within a storage account

GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control

You need to assign the relevant Role-Based Access Control ensuring the privilege of least access.

Which of the following would you assign to GroupA?

Options - Owner, Contributor, Storage Account Contributor, Storage Blob Data Owner

Ans - Storage Account Contributor

Question 2:
A company has just set up an Azure account and subscription. There is a requirement to ensure that IT administrators can only spin up virtual machines of a particular SKU size. Which of the following can help achieve this?

Ans :

Question 3:
A company is planning on using Azure for the various services they offer. They want to ensure that they can bill each department for the resources they consume. They decide to use Azure role-based access control to separate the bills department wise.

Would this fulfill the requirement?

Ans : No

This is used to control access to resources and can’t be used for billing purposes

Note : There is no concept of subscription policies.
Azure AD roles are specifically meant to control access to Azure AD.
Policies are used to control permissions at the resource property level.

Question 4:
The following policy is going to be assigned to an Azure subscription. Snippets of the policy are shown below

The policy is basically ensuring that no one can create Azure SQL servers in the Pay-As-You-Go subscription But there is one exclusion which is the "rg" Resource Group. So, the policy will not apply to this Resource Group. Hence you will be able to be able to create Azure SQL servers in this Resource Group.

Security for Applications

Question 1:
You have to ensure that the Virtual Machines use the right mechanism to access the Azure SQL Server backend data store. Which of the following could be a feature to be used for secure access?

Ans - Managed Service Identity

Question 2:
The following requirements need to be met for a Virtual Machine.

• The underlying data disks for the Virtual Machine need to be encrypted.

• The company does not want to store the encryption keys locally.

Which of the following needs to be modified to ensure the Azure Virtual Machines can use the encryption keys in Azure Key Vault?

Ans :

Question 3:
Which of the following would you use to store asymmetric keys to allow for real-time I/O encryption and decryption of Azure SQL database data and log files?

Ans :

Question 4:
Your company needs to deploy resources for several departments. These resources will reside in Azure. Each department has a separate requirement when it comes to security. Which of the following would you use to allow applications to retrieve x.509 certificates, stored in an Azure AD-protected resource by using an access token?

Application infrastructure

Question 1:
A company wants to host a web application using the Azure Web App service. It also needs to be ensured that the web application can scale based on demand. You also have to ensure that costs are minimized.

You decide to allocate the Azure Web App to a Shared App Service Plan.

Would this solution fulfill the requirement?

Ans - No

Question 2:
A company wants to host a web application using the Azure Web App service. It also needs to be ensured that the web application can scale based on demand. You also have to ensure that costs are minimized.

You decide to allocate the Azure Web App to a Premium App Service Plan.

Would this solution fulfill the requirement?
Ans - No

Even though the Premium App Service plan would allow the autoscaling feature, it would not be cost-effective. You need to choose the Standard App Service plan for this.

Question 3:
An Azure Function called Function1 will be deployed. This app must be able to connect directly to the private IP of the Azure VM's. The Function App must also be able to automatically process uploaded Blobs with no delays.

Which of the following plans would you use for the Azure Function?

Ans -

Since the Azure function Function1 has a requirement for VNet Integration. It also processes Blob without delay. You have to ensure that the function is part of an App Service plan that supports the VNet Integration and the Always On feature.

The Shared App Service plan has no support for the Always-On feature.

Question 4:
CompanyA has an internal processing system. This is a C# Windows-based service that gets invoked based on requests from the main training system. Each invocation of this service lasts for a maximum of 2 minutes.

Which of the following service could be used to host the Processing system?

Ans -

You can use Azure Functions, which is an ideal service for hosting code in Azure.
Even though you can host the Windows service or scale sets on a VM, this would not be a cost-effective option.

ACR Task - To automate building container images and pushing those to container registry.

Create ACR Task to Build Docker Image on GitHub Commit

az acr task create -t node-demo:{{.Run.ID}} -n node-demo -r
-f Dockerfile -c https://github.com/mikepfeiffer/node-docker-demo.git
--pull-request-trigger-enabled true
--git-access-token

Link : https://gist.github.com/mikepfeiffer/0717d2d58ac7e027b7d57b500e87df7e

Managing Azure Key Vault secrets

You can use the following commands for practice

// List the secrets in the key vault

az keyvault secret list --vault-name demovault9090

// List the value of a particular secret

az keyvault secret show --vault-name demovault9090 --id "https://demovault9090.vault.azure.net/secrets/dbpassword"

// Mark a disabled secret and enabled

az keyvault secret set-attributes --name apppassword --vault-name demovault9090 --version "03daa86af5894027890852d0d8e76d04" --enabled true

Implement VMs for Windows and Linux

Question 1:
You have a set of virtual machines that are hosting mission-critical applications. You have to ensure the experience of virtual machines experiences as little downtime as possible.

Which of the following can you use to maintain application performance across an identical set of Virtual Machines?

Ans : Scale Sets

If you have an identical set of virtual machines, you can use Virtual Machine scale sets and scaling conditions to maintain application performance.

Question 2:
You are planning the move of some app to Azure. You create a network security group (NSG). You need to recommend a solution to provide users with access to the app. What should you recommend?

Ans :

If you have a Network Security group, change the Incoming rules to allow port 443. This is so that users from the Internet can access the web server on the secure port 443.

Question 3:
You have a set of virtual machines that are hosting mission-critical applications. You have to ensure the experience of virtual machines as little downtime as possible.

Which of the following can you use to maintain application availability when an Azure datacenter fails?

Ans : Availability Zones

You can use Availability zones to help protect against datacenter level failures.

Question 4:
The following requirements need to be met for the Virtual Machine.

The underlying data disks for the Virtual Machine need to be encrypted.

The company does not want to store the encryption keys locally.

Which of the following would be used for the management of the encryption keys?

Ans : Azure Key Vault

You should use the Azure key vault service for managing the encryption keys.

Automate deployment and configuration of resources

Q. You have a set of virtual machines in Azure. You have to restart the virtual machines when the CPU usage exceeds 85% for more than 30 minutes. You have to implement this with the least amount of administrative effort. Which of the following would you implement for this requirement?

Ans - Automation Runbook

You can use Automation Runbooks that can be triggered by alerts.

Q. A company is planning to deploy 15 virtual machines using Azure Resource Manager templates. All of the virtual machines should run the latest version of Windows Server 2016.
You have to complete the below storageProfile section of the template.

Which of the following would go into Slot2? : Options - 'WindowsClient', 'WindowsServer', '2016-DataCenter'

Ans - 2016-DataCenter

And Which of the following would go into Slot1?

Ans - WindowsServer

You want to look at the Export Template section for a Resource Group. When it has a Windows Server 2016 Virtual machine deployed, you can see the values that go into the "offer" and "SKU" section.

Implement Storage accounts

Azure Storage is a Microsoft-managed service providing cloud storage that is highly available, secure, durable, scalable, and redundant. Azure Storage includes Azure Blobs (objects), Azure Data Lake Storage Gen2, Azure Files, Azure Queues, and Azure Tables. The cost of your storage account depends on the usage and the options you choose.

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you grant them access to a resource for a specified period of time.
An account-level SAS can delegate access to multiple storage services (i.e. blob, file, queue, table).

Azure Storage replication copies your data so that it is protected from transient hardware failures, network or power outages, and natural disasters. If an outage renders the primary endpoint unavailable, then you can initiate a failover to the secondary endpoint to rapidly restore write access to your data.

Q. You have several storage accounts defined as part of your subscription. What replication kind provides 6 copies of data?
Ans - Geo-redundant storage (GRS)

With Geo-redundant storage, you would have three copies in the primary region and three copies of data in the secondary region.

Q. A company has set up a storage account in Azure. They need to ensure that only devices within the IP address range of 141.100.1.0 to 141.100.1.254 has access to the storage account. Which of the following area of the storage account must you configure this setting?

Ans - Firewalls & Virtual Networks

Q. Which role would you assign to manage storage accounts?

Ans - Storage account Contributor

Virtual Networking

Question 1:
There is a requirement to ensure that virtual machines hosted in Virtual Networks can communicate across both virtual networks by using their private IP address. Which of the following can be used to fulfill this requirement?

Ans - Virtual Network Peering

Peering is used to facilitate communication between resources of 2 VNet's using Azure infrastructure.

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. It supports data encryption in transit and installation is a very easy task.

The local network gateway (LNG) typically refers to your on-premises location. It is not the same as a virtual network gateway.

Question 2:
A company currently has an on-premise data center. The data center has 2 VPN devices. They have also set up a Virtual Network in Azure. The Company has the following requirements:

• They need to setup a site-to-site VPN connection.

• Then ensure the Site-to-Site VPN connection failure will not cause an interruption of more than 2 minutes.

Based on the above requirements what is the minimum number of Virtual network gateways that would be required to be set up in Azure?

Ans : 2

Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.

Monitoring

Question 1:
A company is currently hosting 50 Virtual Machines as part of their subscription.

The senior management has given instructions to conduct a review and identify any underutilized virtual machines. This is to ensure that cost is managed effectively for the Azure Virtual Machines. Which of the following could you use for this purpose?

Options - Azure Metrics, Azure Advisor, Azure Active Directory, Azure diagnostics

Ans : Azure Advisor

Question 2:
A company has the following windows virtual machines deployed to their subscription in Azure:

VM1

VM2

The Monitoring department needs to collect certain performance-based counters from the virtual machines. Which of the following could help accomplish this?

Options : Enable Base Collection of Metrics, Enable Collection of Boot Diagnostics, Enable collection of performance diagnostics, Enable collection of guest OS diagnostics data

Ans : Enable collection of guest OS diagnostics data

If you enable collection of guest OS diagnostics data, you will have the ability to collect data on the performance counters on Windows based virtual machines.

Implement Azure Active Directory

Identity : Identity is a representation of a person or an application or a device.

Benefits of Azure AD:

1. Security
2. Reduced developement time, easier support

More Features :

• Centralized Administration
• Only one user ID and password (Single sign-on)
• Integration with other Azure services

Question 1:
Your company has set up an Azure AD tenant with the domain name of softwarearchitect.onmicrosoft.com. The company has purchased the domain softwarearchitect.com from a domain registrar. They want to ensure now that they can define users in Azure AD with the suffix of @softwarearchitect.com.

Which of the following steps would you need to implement for this? Choose answer from the options given below.

Question 2:
A company has an Azure AD tenant named whizlabs.com. The company hires a consultant to perform some work. The consultant needs to authenticate to the tenant using a Microsoft account names [email protected] Which of the following would you do to fulfill this requirement?

If you have an external user who is not part of your domain, you can create a new guest user in Azure AD

Question 3:
A group has been created and all users have been added as part of the group. You create a conditional access policy that enforces the use of multi-factor authentication for the group for all cloud-based applications.

Would User1 with a Multi-factor authentication status of "Enforced" be required to use multi-factor authentication when signing into Azure via the web browser?

Ans : Yes

If the user state is in the Enforced state, then the user will need to use MFA for the login process

AAD Connect and AAD Connect Health

Question 1:
For user authentication, the company wants to enforce the use of their on-premise Active Directory security and password policies. The company decides to configure Azure AD Connect with Pass-through Authentication.

Would this fulfill the requirement?

Ans : Yes

Question 2:
Your company has an Active Directory forest named softwarearchitect.com. The forest contains two child domains: staging.softwarearchitect.com and production.softwarearchitect.com. Your company has now set up an Azure AD tenant named softwarearchitect.com. All of the on-premises user accounts are now being synced onto Azure AD with the help of Azure AD Connect. The company has also implemented a seamless single sign-on.

You now have to change the source of authority for all user accounts in the staging.softwarearchitect.com domain. You have to prevent the synchronization of the staging.softwarearchitect.com domain.

You decide to use the Azure AD Connect wizard.

Would this fulfill the requirement?

Ans : Yes

For more information on Azure AD Connect filtering, please refer to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering

Azure workloads

Question 1:
You need to perform an assessment of the Virtual Machines in the on-premise environment which can be migrated to Azure.

You decide to use the Azure Migrate tool.

Does this meet the requirement?

Ans - Yes

Question 2:
A company is preparing its Azure environment for the backup of Azure Virtual Machines. They need to ensure the following when it comes to the backup of Virtual Machines.

• The Virtual machines need to be backed up daily at 03:00 UTC.

• The backups should be retained for a period of 90 days.

Which of the following should you configure in the Azure Recovery Services vault?

Options - Backup Policy, Backup Schedule, Backup Logs, Backup Infrastructure

Ans - Backup Policy

Question 3:
You need to perform an assessment of the Virtual Machines in the on-premise environment which can be migrated to Azure.

You decide to create a replication policy.

Does this meet the requirement?

Ans : No

You create the replication policy when you finally want to perform the replication of the Virtual Machines. It is not used in the assessment phase.

Question 4:
You need to ensure that the virtual machines VM3 and VM4 are protected by Azure Recovery services. Which of the following would you need to do to achieve this?

Options - Create a new Recovery Services Policy, Create a new Backup policy, Create a new Subscription, Create a new Recovery Services Vault

Ans : Create a new Recovery Services Vault

1. monitor security
2. monitor performance
3. monitor health and availability
4. monitor cost
5. configure advanced logging
6. configure logging for workloads
7. initiate automated responses by using Action Groups
8. configure and manage advanced alerts

Container-based applications

Question 1:
You have a custom container image on your system named Image1. You will be deploying a container of the image using the Azure Web App for Container service. You have to upload the image to Azure. Which of the following could you use to store the image?

Ans : Azure Container registry

The Azure Container registry is the private Docker registry in Azure.

Question 2:
Docker Desktop is an app for building and sharing containerized apps and microservices available on which of the following operating systems?

While Docker Desktop is only available for Windows and macOS. It does support using a Linux command line via Windows Subsystem for Linux (WSL)

Question 3:
Suppose your software solution has three critical components. The first component is a web application. The second is a service that processes online orders. The third is a video-rendering and analysis service that runs only as needed and that requires GPU-based VMs. To optimize cost, how many node pools would you deploy in an Azure Kubernetes Service (AKS) cluster to manage the solution?

An AKS cluster with three user node pools gives you flexibility to scale the node count in each pool independently for each component in the solution. Because you didn't enable the autoscaler on the GPU-based node pool, that pool's node count can be scaled to zero to optimize compute costs.

NoSQL databases

Question 1:
You have an Azure Cosmos DB account named Account1. This account has a database named DB1 and a container named "customer" in the database. The partition key is set to "city" for the customer container. You now have to change the partition key for the container. Which of the following would you need to implement first?

In order to change the partition key, you would have to create a new container at first and then copy the contents from the existing container to the new container.

Question 2:
You have to place a set of data stores in Azure. You have to use multiple Azure Cosmos DB accounts for this requirement. The accounts have to meet the following requirements:

Account1 – Be able to host a graph-based database.

Account2 – Be able to host a JSON document.

Which of the following API would you use for Account1?

Question 3:
Your organization is planning to use Azure Cosmos DB to store vehicle telemetry data generated from millions of vehicles every second. Which of the following options for your Partition Key will optimize storage distribution?

Auto manufacturers have transactions occurring throughout the year. This option will create a more balanced distribution of storage across partition key values.

Question 4:
True or false: the benefits of writing to multiple regions are decreased latency, unlimited scaling potential, and improved availability.

Ans : True

Writing to multiple regions has many performance benefits. For example, the latency for write operations is less than in non-multi-master accounts.

Azure SQL databases

Question 1:
Who's responsible for performing software updates on your Azure SQL databases and the underlying OS?

Azure SQL databases are a Platform-as-a-Service (PaaS) offering. Azure manages the hardware, software updates, and OS patches for you.

Question 2:
Your Azure SQL database provides adequate storage and compute power. But you find that you need additional IO throughput. Which performance model might you use?

Options - vCore, DTU, SQL Elastic Pool

Ans - vCore

vCore gives you greater control over what compute and storage resources you create and pay for. You can increase IO throughput but keep the existing amount of compute and storage.

Question 3:
Which of the following scenarios would likely benefit from a SQL elastic pool.

It's likely each dealership's data would be stored in a separate database. This scenario would likely benefit from elastic pools.

Azure AD Identity Protection is an IT admin's solution to prevent, detect, and remediate identity risks in an organization. Azure AD Premium P2 edition (available with EMS E5 subscription) is needed to use Azure AD Identity Protection.

With Azure Active Directory Premium P2 you can gain access to advanced security features, richer reports and rule based assignments to applications. Your end users will benefit from self-service capabilities and customized branding.

Why use Azure AD Identity Protection?

1. REDUCE COST - With automated risk remediation, your users remediate themselves without needing a call to the helpdesk.
2. REDUCE THE TIME TO RESPONSE - Risk remediation is not dependent on a small team of IT admins constantly looking at risky users and risky sign-ins.
3. BALANCE SECURITY VS. PRODUCTIVITY - Sign-ins are only challenged if there is risk involved.

Protection Options :

1. User risk policy : User Account is compromised
2. Sign-in risk policy : Sign in attempts are not from valid user
3. MFA registration policy

Conditional Access

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions.

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted tunnel within another network. They're typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public Internet). Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.

Azure monitor is an Azure service that helps in maximizing the availability and performance of the applications and proactively identifying problems very quickly by collecting the logs and metrics from Azure resources.

Azure Front Door is a secure and scalable entry point for quick delivery of web applications and ensures high performance and availability

Azure AD Identity Protection helps in detecting the potential vulnerabilities that can affect the organization's identities, configuring automated responses, and investigating incidents.

Azure Sentinel is considered as a SIEM (Security Information Event Management) service that provides multiple facilities such as threat visibility, alert detection, threat response, and proactive hunting. It improves the identification and detection of artificial intelligence and provides threat intelligence and security analytics intelligence within the organization.

Azure sentinel is an AI-based tool that provides intelligent security analytics and threat intelligence across the organization. Azure Sentinel's deep investigation tool helps in understanding the scope and finding the root cause of a potential security threat.

Azure Security Center helps in preventing, detecting, and responding to threats with enhanced visibility into and control over the security of Azure resources. It facilitates the integrated security monitoring and policy management across the subscriptions and helps in detecting the threats that otherwise might remain unnoticed, and works with a wide ecosystem of security options or solutions.

Azure security center strengthens the security posture and ensures that all the compliances are met.

Azure Knowledge Center is a searchable database that contains the common support questions and their answers suggested by the community of Azure experts, customers, developers, and users.

Azure Advisor is a personalized consultant that helps the individuals by suggesting the options for optimizing their Azure deployments.

An availability set represents a logical grouping of Azure VMs which controls their physical placement within the same Azure datacenter. Azure makes sure that the VMs within the same availability set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or software failure happens, only a subset of your VMs are impacted and your overall solution stays operational. Availability Sets are essential for building reliable cloud solutions. With availability sets, Azure offers 99.95% VM uptime SLA.

Availability zones represent unique physical locations within a single Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. The physical separation of availability zones within a region protects applications and data from datacenter failures. Zone-redundant services replicate your applications and data across availability zones to protect from single-points-of-failure. With availability zones, Azure offers 99.99% VM uptime SLA.

Azure virtual machine scale sets let you create and manage a group of identical, load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update many VMs. With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and container workloads.

You can configure your web pages to send Real User Measurements to Traffic Manager by obtaining a Real User Measurements (RUM) key and embedding the generated code to web page.

Virtual machine scale sets

Azure virtual machine scale sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs. With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and container workloads.

Azure virtual machine scale sets provide the management capabilities for applications that run across many VMs, automatic scaling of resources, and load balancing of traffic. Scale sets provide the following key benefits:

1. Easy to create and manage multiple VMs
2. Provides high availability and application resiliency
3. Allows your application to automatically scale as resource demand changes
4. Works at large-scale

Azure Disk Encryption for Windows VMs

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the Bitlocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

If you use Azure Security Center, you're alerted if you have VMs that aren't encrypted. The alerts show as High Severity and the recommendation is to encrypt these VMs.

Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines with a less than 2 GB of memory.

Disk Encryption methods in Azure -

1. Server Side Encryption : The disk will be encrypted at rest using Azure or customer managed keys.

Encryption does not impact the performance of managed disks. There is no additional cost for the encryption. You can rely on platform-managed keys for the encryption of your managed disk, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

2. Azure Disk Encryption : The disk will be encrypted at the OS level using BitLocker (For Windows VMs)and DM-Crypt ( For Linux VMs) technologies

Azure Disk Encryption protects your VM OS and data disks by encrypting them at the OS level. There is no charge for encrypting virtual disks in Azure. Cryptographic keys are stored in Azure Key Vault using software-protection, or you can import or generate your keys in Hardware Security Modules (HSMs) certified to FIPS 140-2 level 2 standards. These cryptographic keys are used to encrypt and decrypt virtual disks attached to your VM. You retain control of these cryptographic keys and can audit their use. An Azure Active Directory service principal provides a secure mechanism for issuing these cryptographic keys as VMs are powered on and off.

Networking requirements

To enable Azure Disk Encryption, the VMs must meet the following network endpoint configuration requirements:

• To get a token to connect to your key vault, the Windows VM must be able to connect to an Azure Active Directory endpoint
• To write the encryption keys to your key vault, the Windows VM must be able to connect to the key vault endpoint.
• The Windows VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files.
• If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs.

Azure Key Vault : Key Vault is a cryptographic, key management service that's based on Federal Information Processing Standards (FIPS) validated hardware security modules. These standards help to safeguard your cryptographic keys and sensitive secrets.

BitLocker : BitLocker is an industry-recognized Windows volume encryption technology that's used to enable disk encryption on Windows VMs.

Key encryption key (KEK) : The asymmetric key (RSA 2048) that you can use to protect or wrap the secret. You can provide a hardware security module (HSM)-protected key or software-protected key.

Azure VM High Availability : Workloads can be spread across multiple VMs to gain high throughput, performance and to create redundancy in case a VM is impacted due to an update or other event.

Azure Dedicated Hosts :
Is a service that provides physical servers dedicated to one azure subscription.

Steps to create a dedicated Host -

1. Create a Host Group
2. Create a dedicated Host
3. Create a VM in the Dedicated Host

Note : You can raise the support request with Microsoft increase the quota limits.

Q. Complete this sentence: The composite SLA uptime for an application built using Azure services is calculated...
By multiplying together the individual SLAs for any of the services being used.

A simple example would be an app consisting of Azure App Service (99.95% SLA) and Azure Active Directory (99.9% SLA); the resultant SLA will be 99.85%.

Q. You're modifying an application architecture that uses Azure DNS to resolve host names to IP addresses. You want the new architecture to support failover to a standby region. What should you do with Azure DNS?
Make no changes to Azure DNS.

Azure DNS records are replicated globally by default.

Azure DNS

• Used to host the domain name records that that identifies our app.
• Azure DNS provides name resolution entirely through the Azure infrastructure and this service is inherently multi-regional.
• The Azure DNS SLA also has a 100% guarantee that valid DNS requests will receive a response from at least one Azure DNS name server all the time.

Traffic router

• Azure provides several different services that can route traffic between front-end components
• There are two traffic routers in Azure that can do global routing between multiple regions and aren't vulnerable to a single region outage:

1. Azure Traffic Manager

• Azure Traffic Manager is a global load balancer that uses DNS records to route traffic to destinations in multiple Azure regions.
• Traffic Manager uses the DNS system to route traffic, it routes any protocol, not just HTTP traffic. However, Traffic Manager can't route or filter traffic based on HTTP properties, such as client country codes or user-agent headers. It also can't do Transport Layer Security (TLS) protocol termination, where the router decrypts requests and encrypts responses to take that load off the App Service virtual servers. If we need either of these features, we'll have to use Azure Front Door.
• Traffic Manager uses highly configurable endpoint monitoring. For example, we can define the protocol, port, path, custom header settings, expected status code ranges, tolerated number of failures, and so on. Endpoint monitoring gives us a continuous idea of the overall health of all parts of our application.

2. Azure Front Door

• Azure Front Door is a global load balancer. Unlike Traffic Manager, it works at the network application layer, Layer 7, and uses HTTP and HTTPS properties to do filtering and routing.
• With Front Door, we can do many types of routing that Traffic Manager doesn't support. For example, we can route traffic based on the browser's country code. Front Door also supports TLS protocol termination. ( If we want to route traffic for any protocol other than HTTP and HTTPS, we'll have to use Traffic Manager )
• Front Door allows to assign priorities to the various backends and these priorities allow Front Door to route requests as needed. We'll assign our primary region services with a top priority and our secondary region service with a lower priority.

Azure CDN

• Use Azure CDN to cache static content from Azure Blob Storage
• The Azure CDN service is a global network of servers that caches static content close to users.

Q. When should you perform a full failover to another region?
When you know definitively, that a region is down.

First there may be isolated reports from different sources, but they combine together and grow in number and volume until regional failure is the only explanation. Additionally, the Azure team will update the Azure status page with this information.

Q. What is the SLA (Service Level Agreement) for Azure DNS? - 100%

Azure DNS guarantees that valid DNS requests will receive a response from at least one name server 100% of the time.

Azure Active Directory

• Azure AD is designed as a global system by default and not vulnerable to regional failures.

Azure Blob Storage

• Static content, such as images and videos, are stored in Azure Storage accounts as Binary Large Objects (Blobs) and served to users through the Azure CDN.
• Read-Access Geo-Redundant Storage (RA-GRS) and Read-Acces Geo-Zone-Redundant Storage (RA-GZRS) are the two options to choose from when we need to enable geo-redundancy.

Azure App Service and Azure Function Apps

Azure Storage Queues

• Use a queue in an Azure Storage account to manage communications between the apps (App Service and the function app)

When the web app or the web API needs to run a background task, it places a message with all the required information in the queue. The function app monitors the queue for new messages and executes the background task by running the necessary queries against the data stores.

Azure Redis Cache

• Use to maximize the performance of data storage.
• Redis caches all query results generated from our apps as they request data from our database. The following queries for similar data don't need a database query and are fetched from the Redis cache.

Q. If a regional failure takes out Azure Storage, data loss... May briefly occur because data is copied asynchronously.

With RA-GRS, data is copied asynchronously from primary to secondary so data loss is a possibility.

Azure SQL Database

To create a multi-region implementation of Azure SQL Database to store relational data, use either:

1. Active geo-replication

• Azure SQL Database can automatically replicate a database and all its changes from one database to another with the active geo-replication feature. Only the primary logical server hosts a writable copy of the database. We can create up to four other logical servers that host read-only copies of the database.

Managed instances of Azure SQL Database do not support Active geo-replication. Managed instances are designed to make it simple to migrate data from an on-premises SQL Server while maintaining security. If we're using a managed instance, consider using failover groups instead.

2. Auto failover groups

• An auto failover group is a group of databases where data replicates automatically from a primary to one or more secondary servers. This design is like active geo-replication and uses the same data replication method. However, we can automate the response to a failure by defining a policy.
• Consider using an auto failover group if you want to automate the failover of the writeable database without writing custom code to trigger it. Also, use auto failover groups if our database runs in a managed instance of Azure SQL Database.

The replication that underlies both active geo-replication and auto-failover groups are asynchronous. An acknowledgment is sent to the client when a change is applied to the primary replica. At this point, the transaction is considered complete, and replication occurs. If a failure occurs, the latest changes made in the primary database may not have replicated to the secondary. Keep in mind that, after a disaster, the most recent database changes may have been lost.

Azure Cosmos DB

• Cosmos DB is a multi-model database, able to store relational data, semi-structured data, and other forms of data.
• 2 Modes to create Cosmos DB multi-region account : Multi-region accounts with multiple write regions & Multi-region accounts with a single write region.

In Cosmos DB, data replication is synchronous. When a change is applied, the transaction is not considered complete until replicated to a quorum of replicas. Then an acknowledgment is sent to the client. When a failure occurs, no recent changes are lost because replication has already occurred.

Q. In the shipment tracking application, you want to automatically fail over write access to the SQL database, when there is a regional outage. You don't want to write custom code. What should you do?
Use an auto-failover group

By using an auto-failover group, you can configure the primary database to fail over onto the replica in the secondary region automatically.

Q. You want to ensure that no completed transactions are lost in a regional outage. What should you do?
Use Azure Cosmos DB with a single write region.

Azure Cosmos DB using synchronous replication, in which a transaction is only complete when it has replicated to a quorum of replicas.

Original web app architecture :

Proposed distributed architecture :