Describe Azure architecture and services

Question 1

Name some resources associated with creating a VM

Answer 1

A resource group
An OS image
A network interface

Question 2

What are the considerations for container instance creation?

Answer 2

Image used cannot be changed after instance creation
DNS name label cannot be changed after instance creation

Question 3

What are the cost considerations for a Vnet?

Answer 3

If you peer Vnets in the same region, no data transfer charges
If you peer Vnets in different regions, you will be billed inter region EGRESS charges

Question 4

What are cost considerations for Azure app services?

Answer 4

Billed even when no web apps are running or the web apps are stopped
Must delete an app service plan to stop billing

Question 5

What is authentication?

Answer 5

Process of establishing the identity of a person or service and proving they are who they say they are

Question 6

What is authorization?

Answer 6

Process of establishing what level of access the authenticated person or service has to a resource
What they can access and what action they can perform

Question 7

What are MFA and conditional access?

Answer 7

MFA: additional layer of security for identifying a user (2 elements or + for auth)
Conditional access: provide more granular levels of access control

Question 8

What are RBAC role scopes?

Answer 8

RBAC scope represents the resource level that the access will apply
Scopes are: management group, subscription, resource group, resource

Question 9

What are resource groups?

Answer 9

Logical containers for Azure resources used as management scopes for access management and policy

Question 10

What are Zero trust foundational principles?

Answer 10

Assume breach
Verify explicitly

Question 11

What is Defence-in-Depth? (DiD)

Answer 11

Strategy that places multiple layers of different forms of defense between attackers and the resources
No single layer of protection or security service is solely responsible for protecting resources

Question 12

What is MS Defender for Cloud?

Answer 12

Service used to improve an organization’s security posture and workload protection
Provides:
Cloud Security Posture Management (CSPM)
Cloud Workload Protection (CWP)

Question 13

Are costs incurred for data transfer in and out Azure?

Answer 13

INGRESS (into) is free
EGRESS (out of) is billed
Data transfer throught VNET peered between 2 regions is billed

Question 14

What factors affect costs?

Answer 14

purchasing model (pay as you go or reservation)
resource type
location
Usage period
network traffic

Question 15

What resources will NOT reduce costs for a VM?

Answer 15

Network Security Groups
Network Interfaces
Availability Sets

Question 16

What is Azure Vnet?

Answer 16

Azure VNet is an IaaS resource that enables communication with Azure resources.
A VNet represents a software-defined, single-tenant, private network in a single Azure region

Question 17

To what can you attach a Vnet if you need to create and manage it?

Answer 17

A VNet belongs to a resource group that belongs to a subscription and can only be part of one region.
VNets can span across data center zones but are not available across regions.

Question 18

How do resources communicate?

Answer 18

Resources in different subscriptions can communicate with each other if
- they are part of the same VNet
- they are part of peered VNet
- if a VPN gateway connects the VNets and they don’t have conflicting IP ranges

Question 19

How is data transfer in Vnets billed?

Answer 19

All traffic entering (ingress) a VNet and region is “not billed,”
All traffic leaving (egress) a VNet and between 2 Vnets peered in 2 separated regions is “billed.”

Question 20

Name the 2 kinds of Vnet peering

Answer 20

Regional VNet peering: used to connect VNets from the same region
Global VNet peering: used to connect VNets from different regions

Question 21

What can you use to connect Azure resources, such as Azure SQL databases, to an Azure virtual network?

Answer 21

Service endpoints are used to expose Azure services to a virtual network, providing communication between the two

Question 22

To which object or level is an Azure role-based access control (RBAC) role applied?

Answer 22

An Azure RBAC role is applied to a scope, which is a resource or set of resources that the access applies to

Question 23

You plan to extend your company’s network to Azure.
The network contains a VPN appliance that uses an IP address of 131.107.200.1.
You need to create an Azure resource that defines the VPN appliance in Azure.
Which Azure resource should you create?

Answer 23

A Local Network Gateway is an object in Azure that represents your on-premise VPN device.
A Virtual Network Gateway is the VPN object at the Azure end of the VPN.
A ‘connection’ is what connects the Local Network Gateway and the Virtual Network Gateway to bring up the VPN.

The local network gateway typically refers to your on-premises location.
You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection.
You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device.
The address prefixes you specify are the prefixes located on your on-premises network.
If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Question 24

Your company is considering using Linux-based Azure Container Instance to deploy a simple app. The app runs as a stateful app.
You need to provide storage to retrieve and persist state.
What type of storage should you use?

Answer 24

Azure Files
Only storage that supports persistant storage for ACI
Need to create the share and then create a container specifying the share and volume mount point

Question 25

True or False? Azure Virtual Desktop supports Remote Desktop clients on MacOS and iOS

Answer 25

True

Question 26

True or False? Azure Virtual Desktop users should exist in the same Windows Server Active Directory (AD) that is linked to MS Entra ID

Answer 26

True

Question 27

True or False? Virtual Network peering can be used to connect virtual networks across Azure Regions

Answer 27

True

Question 28

True or False? Virtual Network peering can be used to transfer data between MS Entra tenants

Answer 28

True

Question 29

True or False? Configuring peering requires a short downtime for the peered Vnet

Answer 29

False

Question 30

You have completed the migration of your org's core servers and processes to cloud-based VMs Your final project involves migrating a weekly batch-processing task that can run anytime during the weekend and relies on operating system drivers to print PDF reports. You also need to minimize costs. What should you do?

Answer 30

**Run the batch processing task using spot instances** Spot instances or VMs: * reduce cost by taking advantage of unutilized compute capacity * However, they don't offer guaranteed compute resources at a specific time * Perfect for batch and other asynchronous processing that can occur on a flexible schedule

Question 31

What is Azure spot instance?

Answer 31

Spot pricing provides access to Azure compute resources at deep discounts when unused. You can set the maximum price that you agree to pay: when it's reached or if Azure has no computer capacity available, your spot VMs are automatically evicted Azure capacity is available Spot VMs have no SLA If Azure needs capacity back, spot VMs can be evicted with a 30 secs notice

Question 32

What's Azure Dedicated Host?

Answer 32

Provides physical servers dedicated to your organizational workload only and not shared with other Azure customers. You are billed at the host level, regardless of the number of VMs you deploy

Question 33

What is Azure key vault?

Answer 33

Azure Keyvault is used to securely store secret objects. Features include * securing storage and controlled access to token, passwords, certificates, API keys etc * creating and controlling encryption keys used to encrypt data * provisioning, managing, and deploying both public and private SSL/TLS certificates * Storing secrets and keys proteted by software or FIPS 140-2 level 2 validated hardware security modules

Question 34

MS Entra ID and Active Directory Federation Services When they both exist what's the consequence on authentication process ?

Answer 34

When it's used with on perm Active Directory Federation Services, MS Entra ID hands off authentication to the AD FS server MS Entra ID authentication and authorization support doesn't require integration with an on-perm AD.

Question 35

Is it possible to authenticate with MS Entra ID on a web app?

Answer 35

Web apps must be registered with MS Entra ID to support authentication and authorization services. Registration is through the MS Azure Management Portal

Question 36

2 companies have their own MS Entra tenants. One acquires the other. The billing ownership of a subscription for an account in your MS Entra tenant is transfered to an account in another MS Entra tenant. It associates the subscription with the new directory. What happens to the users and groups with role-based access to manage the subscription?

Answer 36

They loose their access RBAC assignments do not carry over when you associate the subscription with a new tenant Classic subscription admin (Service admin or Co-admin) lose access The only user initially able to manage resources in the subscription is the user account that accepts the transfer

Question 37

2 companies have their own MS Entra tenants. One acquires the other. The billing ownership of a subscription for an account in your MS Entra tenant is transfered to an account in another MS Entra tenant. It associates the subscription with the new directory. What happens to System assigned Managed IDs?

Answer 37

They are **NOT** re-enabled automatically They must be re-enabled after the transfer

Question 38

2 companies have their own MS Entra tenants. One acquires the other. The billing ownership of a subscription for an account in your MS Entra tenant is transfered to an account in another MS Entra tenant. It associates the subscription with the new directory. What happens to the Azure Kubernetes Service cluster owned by the subscription? Does this cause the AKS to lose functionality?

Answer 38

the Azure Kubernetes Service cluster owned by the subscription looses its functionalities This is due to lost service principal and lost role assignments

Question 39

You want to publish on perm web app using MS Entra ID functionality to authenticate. Which minimum license do you need?

Answer 39

P1 or P2

Question 40

You want on perm directory synchro with MS Entra ID Which minimum license should you use?

Answer 40

You can use the free one It also supports SSO and user and group management

Question 41

You want on-perm users to be able to reset their passwords Which minimum MS Entra ID license should you use?

Answer 41

P1 or P2

Question 42

What is the use of Application security groups?

Answer 42

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines, or similar servers, and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses.

Question 43

Which solutions can you use to transfer an on-perm virtual hard disk to Azure?

Answer 43

* Azure Copy, using Azure PowerShell or Azure CLI (or Azure CloudShell): CLI to upload and download data to and from Azure Blob, to transfer data within Azure storage accounts or between them * Azure Storage Explorer

Question 44

You use MS 365 for email. You need to ensure that users do not accidentally send credit card numbers to external customers via email What can you do?

Answer 44

In MS Purview 1. Identify and define a sensitive information type 2. Define a MS Purview Data Loss Prevention (DLP) Policy MS Purview comes bundled with predifined info types that you can use to scan content for sensitive infos (credit cards numbers...)

Question 45

What can you use to migrate quickly an SQL Server from an on-perm to Azure with retention of operating system access?

Answer 45

SQL Server on Azure VMs

Question 46

What can you use as a cost effective, serverless database with an intermittent usage pattern and low compute utilization over time?

Answer 46

Azure SQL Database

Question 47

What an you use to lift and shift an on perm SQL server with minimal changes to an Azure PaaS solution?

Answer 47

Azure SQL Managed Instance SQL Managed Instance allows existing SQL Server customers to lift and shift their on-premises applications to the cloud with minimal application and database changes

Question 48

Which features are supported by MS Entra ID P1 edition?

Answer 48

MS Entra ID P1 edition supports * RBAC * MS Entra Conditional access * users and groups management (like free version) * authentication (like free version) * SSO (like free version)

Question 49

Which features are supported by MS Entra ID P2 edition?

Answer 49

MS Entra ID P2 edition supports * users and groups management (like free version) * authentication (like free version) * SSO (like free version) * RBAC (like P1) * MS Entra Conditional access (like P1) * Identity Protection * Self service entitled management * Privileged Identity Management * just in time access

Question 50

True or false? A Network Security group can be used with virtual networks in multiple regions.

Answer 50

False. An NSG can ONLY be associated with Vnets in THE SAME REGION in which it was created

Question 51

True or false? You can associate a Network seurity group with more than one network interface and subnet

Answer 51

True Multiple networks interfaces and subnets can share the same NSG

Question 52

Does MS Entra ID provides Active Directory Federation Services?

Answer 52

No If you need ADFS you need to keep it and your AD domain controllers are still required to support ADFS authentication

Question 53

Azure Storage is an example of * IaaS * PaaS * SaaS

Answer 53

IaaS In IaaS, network, compute and storage resources are offered

Question 54

What is Application Insights?

Answer 54

**Application Insights** is a **feature of Azure Monitor** that allows you to **visually analyse telemetry data.** It's an App Performance Management service. Developer can install a small instrumentation package in their web app to send telemetry data to Azure

Question 55

You use an Application Container Instance. You want to store its data, in a persistent state. What is the type of storage you must choose?

Answer 55

For ACI persistent storage, the only storage option is **Azure Files** You would need to create the share and then create a container specifying the share and volume mount point

Question 56

Describe Azure Cloud Adaption Framework steps

Answer 56

* **Strategy:** define business justification and expected outcomes of adoption * **Plan** align actionable adoption plans with business outcomes. Inventory of digital estate, establish plans, manage plan changes * **Ready:** prepare the cloud environment for the planned changes * **Adopt**: how to migrate, modernize, innovate, and relocate workloads in Azure * **Govern:** structured approach for establishing and optimizing cloud governance * **Manage:** define, establish and expand management baseline * **Secure:** structured approach for securing your Azure cloud estate. * **Organize:** approach to establishing and maintaining the proper organizational structures

Question 57

What is Infrastucture as a Code (IaC)?

Answer 57

Infrastructure as code (IaC) uses DevOps methodology and versioning with a descriptive model to define and deploy infrastructure, such as networks, virtual machines, load balancers, and connection topologies. Just as the same source code always generates the same binary, an IaC model generates the same environment every time it deploys.

Question 58

Name some Infrastucture as a Code (IaC) benefits

Answer 58

* Avoid manual configuration to enforce consistency: you create a master copy of device, once the template is created and tested, it can be deployed over and over, whenever needed. It facilitates the centralized storage and management of these configurations. * Deliver stable test environments rapidly at scale * By representing desired environment states via well-documented code in formats such as JSON,

Question 59

Name some Infrastucture as a Code (IaC) limits

Answer 59

* Non administrative users can make configuration changes * Administrators are still required to maintain configurations for network devices: laC does not eliminate the requirement for administrators to create and test configurations. It facilitates the centralized storage and management of these configurations.

Question 60

There are 6 required resources for deploying a VPN Gateway. List them

Answer 60

* Virtual network * A Subnet named "Gateway SubNet" * Public IP add * Local Network Gateway (on your VPN on perm device, on site, on point...) * Virtual network gateway * Connection

Question 61

What is Azure Databox Gateway?

Answer 61

Azure Data Box Gateway is a storage solution to and from Azure Data Box. You can use it to replicate data: * between on perm storage and Azure Data Box * to transfer data into and out of Azure storage accounts using you Data box. The virtual device resides in your premises and you write data to it using the NFS and SMB protocols. The device then transfers your data to Azure block blob, page blob, or Azure Files.

Question 62

What is Azure Data Share?

Answer 62

Using Data Share, a data provider can share data and manage their shares all in one place. They can stay in control of how their data is handled by specifying terms of use for their data share. The data consumer must accept these terms before being able to receive the data. Data providers can specify the frequency at which their data consumers receive updates. Access to new updates can be revoked at any time by the data provider.

Question 63

What are managed identities for Azure resources?

Answer 63

Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

Question 64

Name some of the benefits of using managed identities

Answer 64

* You don't need to manage credentials. Credentials aren’t even accessible to you. * You can use managed identities to authenticate to any resource that supports Microsoft Entra authentication, including your own applications. * Managed identities can be used at no extra cost.

Question 65

A Vnet is created in the scope of a-------------

Answer 65

Region

Question 66

For a given scenario, which factors help you to choose between deploying a Vnet peering and deploying a VPN gateway between 2 Vnets?

Answer 66

**Global VNet Peering** provides a low latency, high bandwidth connection useful in scenarios such as cross-region data replication and database failover scenarios. Since *traffic is completely private* and *remains on the Microsoft backbone*, customers **with strict data policies prefer** to use VNet Peering as public internet is not involved. Since there is no gateway in the path, there are no extra hops, ensuring low latency connections. **VPN Gateways** provide a limited bandwidth connection and is useful in *scenarios where encryption is needed*, but bandwidth restrictions are tolerable. In these scenarios, customers are also not as latency-sensitive.

Question 67

What is Azure Storage Explorer?

Answer 67

It's a cloud storage service that offers secure, scalable, and highly available storage solutions for data, applications, and virtual machines. It offers a range of storage options, including Blob Storage, File Storage, Queue Storage, and Table Storage.

Question 68

What are some key advantages with ARM?

Answer 68

* Declarative JSON templates; easy infrastructure management * Manage a single Resource or a group of them - Deploy and Redeploy easily and consistently * Define dependencies between Resources for correct deployment order * Apply RBAC (Role Based Access Control) * Apply additional Tags/Tagging

Question 69

What is Azure WebJobs?

Answer 69

WebJobs is a feature of Azure App Service that allows you to *run a program or script* in the *same context as a Web/API/Mobile app*. Often used to run Background tasks as part of application logic.

Question 70

What is Azure Sentinel and what's the difference between it and Azure Security Center? What are four (4) things that it does?

Answer 70

**Azure's SIEM System.** This is the system you'd go to for breaches. Unlike Security Center which is *proactive* prevention, Sentinel is *reactive* actions and prevention. * **Data Aggregation at scale;** across all users, devices, apps, and both on-prem and cloud infrastructure (even multiple clouds) * **Detects previously undetected threats** using Microsoft's comprehensive analytics and threat intelligence * Investigates threats with AI ; examines suspicious activities at scale * **Rapid Incident Response** with built-in orchestration and automation of common tasks

Question 71

# Hint: PS, IA, P, N, C, A, D What are seven (7) layers that comprise **Defense in Depth** ?

Answer 71

1. Physical Security Layer 2. Identity & Access Layer 3. Perimeter Layer 4. Network Layer 5. Compute Layer 6. Application Layer 7. Data Layer

Question 72

Which service provides network traffic filtering across multiple Azure subscriptions and virtual networks?

Answer 72

Azure Firewall Caution: NSG cannot because they cannot filter between subscriptions

Question 73

Which resources can be used as a source for a Network security group inbound security rule?

Answer 73

* IP Addresses, * Service tags * Application security groups

Question 74

You have an Azure Sentinel workspace. You need to automate responses to threats detected by Azure Sentinel. What should you use?

Answer 74

Azure Sentinel playbooks

Question 75

What is the Microsoft identity platform?

Answer 75

cloud identity service that allows you to build applications your users and customers can sign in to using their Microsoft identities or social accounts. The identity platform supports developers building single-tenant, line-of-business (LOB) applications, as well as multi-tenant software-as-a-service (SaaS) applications.

Question 76

To what should an application connect to retrieve security tokens?

Answer 76

The Microsoft identity platform authenticates users and provides security tokens, such as access tokens, refresh tokens, and ID tokens

Question 77

Which resource is required to use Azure Cloud Shell ?

Answer 77

**A storage account.** The first time you start Cloud Shell, you're prompted to select your storage options. If you want store files that can be used every time you use Cloud Shell, you must create new or choose existing storage resources. Cloud Shell uses a **Microsoft Azure Files share to persist files across sessions.**

Question 78

How to calculate composite SLA?

Answer 78

When combining SLAs across different service offerings, the resultant SLA is a called a Composite SLA. For example, consider an App Service web app that writes to Azure SQL Database. At the time of this writing, these Azure services have the following SLAs: * App Service web apps = 99.95% * SQL Database = 99.99% The probability of each service failing is independent, so the composite SLA for this application is **99.95% × 99.99% = 99.94%** That's lower than the individual SLAs, which isn't surprising because an application that relies on multiple services has more potential failure points.

Question 79

Which feature in Azure firewall enables users on the internet to access a server on a Vnet ?

Answer 79

**DNAT rules** (Aka Network Address Translation) allow or deny inbound traffic through the firewall public IP address(es). You can use a DNAT rule when you want a public IP address to be translated into a private IP address. The Azure Firewall public IP addresses can be used to listen to inbound traffic from the Internet, filter the traffic and translate this traffic to internal resources in Azure.