Module 10 Flashcards
(90 cards)
1
Q
Good IT Governance involves planning initatives and setting prioritees on strategic level to help manage and prevent issues..
What are some situations where Good IT Governance is required (in Azure)
A
- Multiple teams in Azure
- Multiple subscriptions in Azure
- Multiple subscriptions in your tenant
- Regulatory requirements must be enforced
- Ensuring standards for all IT resources.
2
Q
One way to enforce standards is by not allowing teams to directly create azure resources, instead having IT team define and deploy cloud assets. This approach is often used OnPrem.
Why isn’t this a good approach for Azure?
A
This approach reduces agility and innovation.
Instead Azure provides tools to enforce/validate standards, whilst allowing engineering teams to create there own cloud resources.
3
Q
As well as enforcing standards what else do you need to monitor resources for?
A
As well as enforcing standards you need to monitor resources to ensure responsiveness and performing properly.
Azure Provides several built in features to track and analyse your resource utilization and performance.
4
Q
What does planning consistent cloud infrastructure start with?
A
Planning consistent cloud infrastructure starts with setting up policy
5
Q
What does Policy enforce and why does it do this
A
Policy enforces rules for created resources to ensure infrastructure stays compliant with corporate standards, cost requirements and SLAs with your customers.
6
Q
Azure Policy is a service to
A
create/assign/manage policies
7
Q
Azure Policies enforce different rules and effects over resources so resources stay compliant.
How does Azure Policy meet these needs?
A
- Azure policy meets this need by evaluating resouces for non compliance with assigned policies.
- E.G. A policy might allow only a certain size VM, after policy implementation new and existing resources are evaluated for compliance. The right type of policy can bring existing resources into compliance.**
8
Q
If we want to control costs by not allowing users to create VMs with more than 4 cores, how could Azure Policy help us define this
A
Set up an Azure Policy that will stop anyone creating a VM outside of the list of allowed SKUs (stock keeping units)
9
Q
If we have a policy that stops anyone creating a VM outside of the list of allowed SKUs (stock keeping units), what will happen if we try to create or adjust a VM that would compromise this?
A
Updating a VM will cause it to be checked against policy - on audit, non compliant resources have there properties altered or are stopped from being created.
10
Q
Can Azure Policy be intergrated with Azure DevOps
A
Yes - Azure Policy can be integrated with Azure DevOps, applying continuous integration and delivery pipelines that affect pre and post deployment of your applications.
11
Q
How do Azure Policy and RBAC solve different problems
A
- RBAC focuses on user action at different scopes (i.e. you might be added as contributor for a resource group allowing you to make changes to anything in that resource group).
- Azure Policy focuses on resource properties during deployment and altering existing resources. Azure policy controls properties such as types or location of resources
12
Q
Is Azure Policy a default allow or default deny
A
Unlike RBAC, Azure policy is default allow and explicit deny.
13
Q
What is the process for creating a policy
A
- Azure policy starts with creating a policy definition, which has policy definition conditions under which it is enforced.
- And an accompanying affect to happen if conditions are met.
- To apply a policy:
- Create a policy definition
- Assign definition to scope of resouces
- View policy evaluation results.
14
Q
What is an Azure Policy Definition?
A
A policy definition will express what to evaluate and the actions to take (e.g. ensure all public websites are secured with HTTPs OR prevent perticular storage type being created OR Force a specific version of SQL
15
Q
What are some common policy definitions
A
- Allows storage account SKUs - set of condtions/rules to deftermine if storage account being deployed is within SKU sizes = Effect is to deny storage accounts not conforming
- Allowed Resouce Type - Specify resource types organisation can deploy = Effect is to deny all resouces not part of that defined list.
- Allowed Locations - Allows restriction of locations when deploying resources = Effect used to enforce Geographic compliance.
- Allows VM SKUs - Specify set of VM SKUs your organistion can deploy
- Not Allowed Resouce Types - Pevents list of reosuce types being deployed
16
Q
How is a policy definition represented and where can pre-defined definitions be found?
A
Policy definition is represented as JSON file, use predefined definition in the portal or create your own N.B. Lots of samples on GITHUB
17
Q
What methods can you use to apply Azure Policy
A
Use Azure portal or one of the command line tools such as Azure Powershell.
18
Q
Where/How can you identify non compliant resources with your Azure Policy
A
- Use applied policy defintion to Identify resources that are not compliant with policy assigntment through Azure portal
- Results match what you see in resource compliance tab of policy assignment in AZ portal
- Or you can use command line tools to identify non compliant resources in your Resource group.
19
Q
Once one or more policy definitions defined, you will need assign them, a policy assignment is a policy definition that is assigned to take place within a specific scope.
Where can scopes range from and are Policy assignments inherited?
A
- Scope could range from full subscription to a resource group.
- Policy assignments are inherited by all child resources however you can exclude a subscope.
E.G. Enforce a policy at subscription level with a few resource groups excluded.
20
Q
When do parameters defined need to be supplied to an Azure Policy
A
- When assigning a policy you need to supply any parameters defined.
21
Q
Requests to create or update resouces through Azure Resource Manage are evaluated by azure policy first.
Policy will create a list of assignments appertaining to resources that evaluate against definition, processing several effects before handling the request to avoid unnecessary processing.
A policy definition will have a single effect to determine what should happen when a rule is matched, what are these and what are there effects
A
- DENY - Resource create or update failes
- DISABLED - Policy rule is ignored - often used for test
- APPEND - Adds additional parameters/fields to resource (common example is adding tags for a cost center OR specifying allowed Ips for a storage resource.
- AUDIT/AUDITIFNOTEXISTS - Creates warning in activity log- does not stop request
- DEPLOYIFNOTEXISTS - Executes a template deployment when condition is met (E.G. If SQL Encryption is enabled, after creation run template to set it up a certain way)
22
Q
Azure Policy can allow resource creation to be created even if validation fails, where can you view policy evaluation results?
A
- You can have a failed validation trigger an event to be viewed in Azure policy portal or through command line tools.
- The easiest approach is the GUI and you can find Azure policy in search field or all services.
- The portal makes it easy to spot non compliant resources and take action.
23
Q
What methods can you use to remove an Azure Policy
A
Finally you can delete a policy thru portal or Azure PowerShell. (e.g. “Remove-AZPolicyAssignment -Name ‘policyname’ -Scope ‘policyscope”)
24
Q
What method can you use to organise multiple Azure polices
A
Initiatives.
When you have more than a few you will want to organise them - That is where initatives come in
25
Initiatives work alongside polcices, what is an initative definition
An initative definition is a set or group of policy definitions to help track compliance for a larger goal.
26
Why might you use an initiative if you only have a single policy
Even if you only have a single policy you should use initiatives if you foresee the number of policies growing over time.
27
- Like a policy an initiative assignment is an initiative assignment to a specific scope
- This reduces the need to make several initiative definition for each scope.
At what ranges can the scope for an initiative be
- Scope could range from management group to resource group.
| - Once defined, initiatives can be assigned as polices can, they apply all the associated policy definitions
28
Initiatives definitions simplify the processes of managing and assigning policy definitons by grouping policies into a single item.
What sort of policy definitions would make up an initative called "Enable Monitoring in Azure Security Center"
- Monitor unencrypted SQL DB - Monitors unencrypted SQL DBs and Servers
- Monitor OS Vunrabilites - Monitors servers that do not satisfy baseline
- Monitor Missing endpoint protection - Monitors servers without installed endpoint protection
29
How/Where can you define initatives
Define initiatives in Azure portal or command line tools - In portal use the "Authoring" section
30
Enterprise Governance Management:
Where does access management occur?
And what does this allow organisations to do
Access management occurs at Azure subscription level
- Allows organisation to configure each division in a specific fashion based on responsibilities and requirements.
- Without help, keeping rules consistent across subscriptions can be challenging.
31
What are Azure Management groups?
- Azure management groups are containers for managing access, polices and compliance across multiple subscriptions.
- Management groups allow ordering of Azure resources hierarchy into collections, providing a further level of classifications above the level of subscriptions.
32
What is the behaviour of subscriptions with management groups around inheritance and what does Management groups give you?
- Subscriptions with a management group inherit conditions applied to management group
- Management groups gives you enterprise grade management at a large scale not matter what type of subscriptions you have.
33
If you create a hierarchy so you can apply a policy that limits VM locations to a certain region for a specific management group, what would the result for all subscriptions in that management group be?
All subscriptions in that management group would inherit that policy and would inherit that policy and it would apply to all VMs within those subscriptions.
34
Can a security policy be altered by the resource or subscription owner
The security policy cannot be altered by the resource of subscription owner allowing for improved governance.
35
How can you use management groups to provide users access to multiple subscriptions?
And what are the benefits of this
- By having many subscriptions in one management group you can use one RBAC assignment that will allow access to all subscriptions
- One assignment on the management group can enable users to access everything they need instead of scripting RBAC rules over different subscriptions.
36
True or False: Resources and subscriptions you apply to each management group automatically inherit the conditions you apply to that management group.
True
You can manage Azure subscriptions more effectively by using Azure policy and RBAC. These apply distinct governance conditions you can apply to each management group.
37
Adhearing to security or compliacne requirements can be difficult and time consuming, what Azure Service can help with auditing, traceability and compliance of your deployments?
Azure Blueprints
38
A blueprint allows an engineer to sketch a projects design parameters, what does an Azure BluePrint do?
An Azure blue print allows a cloud engineer to define a repeatable set of resources that implements and adhears to standards, patterns and requirements
39
True or False:
Azure blueprints makes it possible for dev teams to rapidly build/deploy new environments with organisational compliance using a set of built-in components to speed up develpement and delivery.
True
Azure Blueprints is a declarative way to orchestrate deployment of various resource templates such as...
- Role assignments, policy assignments, Azure Resource Manager Templates and Resource Groups
40
How can you make use of Azure BluePrints in a DevOps scenario?
Azure blueprints are also useful in DevOps scenerios, where blue prints are associated with specific build artifacts and release pipelines, and can be tracked more rigorously.
41
What is the high level process of implementing an Azure BluePrint
The process of implementing a blue print consists of:
1. Create Azure Blueprint
2. Assign the Blueprint
3. Track the blueprint assignments
42
With regards to Azure Blueprints what are;
1. Blueprint Definition?
2. BluePrint Assignment?
```
Blueprint definiton (what should be deployed)
blueprint assignment (what was deployed)
```
With an Azure Blueprint - the relationship between the blueprint definiton (what should be deployed) and the blueprint assignment (what was deployed) is preserved.
43
BluePrints are replicated to multiple Azure regions, what does this replication provide and what service backs the Azure BluePrint Service?
- Azure Blueprint service is backed by Cosmos DB
The blueprint replication provides low latency, HA, consistent access to blueprint objects, regardless of your region your blueprint deploys your resources for.
44
What is the difference between and Azure Blueprint and a Resource Manager Template
Nearly everything you include for deployment in blueprints can be accomplished with a resource manager template HOWEVER...
- A rsource manager template is a document that doesnt exist natively in Azure
- Resource manager templates are stored either locally or in source control
- The template gets used for deployments of azure resources, but once resources deploy there's no active connection or relationship with the template
- With Blueprints relationship between the defnition (what should be deployed) and the assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments
- Blueprints can also upgrade several subscriptions at once governed by the same blueprint
45
What are Azure BluePrints designed to help with
- Azure blueprints are designed to help with environment setup, often consisting of reosurces groups, policies, role assignments and resource manager template deployments.
- A Blueprint is a package to bring each of these artifact types together and allow you to compose and version that package including thru CI/CD pipeline
- Ultimately each setup is assigned to a subscription in a single operation that can be audited and tracked.
46
Is it best practice to use an Azure BluePrint or Resource Manager Template
- There is no need to choose between Resource manager template and Blueprints, each blueprint can consist of 0 or more resource manager template artifacts
- This means previous effort to maintain a library of resource manager templates are re-usable in blueprints
47
What are the key differences between Azure BluePrints and Azure Policy
- Blueprint is a package or container for composing focus - specific sets of standards, patterns and requirements related to the implementation of cloud serviecs, security and design that can be reused to maintain consistency and compliance.
- A policy is default-allow and explicit deny system focused on resource pipelines during deployment + for existing resources. Supports cloud governance by validating resources within a subscription adhere to requirements and standards
- Including a policy in a blueprint enables creation of right pattern or design during blueprint assignment. This policy inclusion makes sure only approved or expected changes can be made to the environment which protects ongoing compliance to the intent of the blueprint
- A policy can be included as one of many artifacts in a blue print definition. Blue prints also support using parameters with policies and Initatives
48
Governing your resources is only part of the solution when using cloud provider, you must also understand how provider manages the underlying resources you are building on.
What four services does Microsoft use to demonstrate how it takes this management seriously
- MS Privacy statement
- MS Trust Centre
- Service Trust Portal
- Compliance Manager
49
What does the MS Privacy statement explain
- Explains what personal data MS processes
| - Explains how and for what purposes MS processes it
50
What does the MS Privacy statement apply to
- Applies to interactions MS has with you and MS products (i.e MS Services, websites, apps, software, devices)
51
What is the MS Privacy Statement intended to provide
Intended to provide openness/honesty about how MS deals with personal data
52
What is the MS Trust Center
Website containing info re how MS implements and supports security, privacy, compliance and transparency in all MS cloud Products and services.
53
The MS Trust center is an important part of MS trusted cloud initiative and provides support and resources for legal compliance community, what are some of these support and resource offerings?
- In depth security, privacy, compliance offerings, polices, features and practices across MS cloud products
- Curated list of recommended resources for each topic.
- Info specific to key organisational roles incl Business Managers, tenant admins, data security teams, risk assessment/privacy officers and legal compliance teams.
- Cross company document search - coming soon and will enable existing cloud service customers to search the service trust portal
- Direct guidance and support if you cant find what you are looking for.
54
What is the Service Trust Portal (STP) and what does it do?
STP is a MS public site for publishing audit reports and other compliance info which hosts the Compliance manager service
55
STP Users can download reports from where and for what purpose
STP users can download reports from external auditors and gain insight from MS authored reports, providing detail on how MS builds and operates its cloud services
56
True or False:
| STP also has info about how MS can help maintain and track compliance with ISO, SOC, NIST, FedRamp and GDPR
True
57
STP is a companion service to Trust center and allows which key features
- Access audit reports about MS cloud services on single page
- Access compliance guides to help understand how you can use MS cloud features to manage compliance with various regulations
- Access trust documents to help understand how Microsoft Cloud services protect your data
58
What is compliance manager and where is it?
Compliance manager is a Workflow based risk assessment dashboard within STP.
It enables Track, assign and verify of orgs regulatory compliance for MS pro services and MS cloud services, such as O365, Azure and Dynamics
59
Compliance manager combined information from a number of places, what and where is the information from?
- Combine of info from:
- MS to auditors as part of 3rd party audits of MS cloud services against ISO27001, 27018 and NIST
- Info from MS for complinance with HIPPA and GDPR
- Orgs self assessment of there own compliance with these standards and regulations
60
What other services does Compliance manager allow you to do
- Enabled you to assign, track, record, compliance/assessment related activites to help your organisation cross team barriers and achieve your compliance goals.
- Provides compliance score to help track progress and prioritise auditing to help reduce orgs exposure to risk.
- Provides secure repository to upload and manage evidence and other artifacts related to compliance activities
- Produces excel reports documenting compliance activites performed by MS and your Org to be provded to auditors and compliance stake holders
61
Compliance Manager provides a summary of data protection compliance and recommendations, does this offer any guarantee of compliance
No - meeting recommendations is not a guarantee of compliance
62
Once you have deployed resources you will want to know about any performance problems they might encounter, what 2 primary services does Azure provide to monitor the health of your Apps and Resources
Azure Monitor AND Azure Service Health
63
What key things does Azure Monitor do?
- Maximizes availability + performance of you applications by delivering a cmoprehensive solution for collecting, analyzing + acting upon telemetry from your cloud + on prem environments
- Helps you understand how Apps are performing
- Proactively identifies issues affecting them and resources they depend on.
64
True or False:
| Azure monitor can collect data from many data sources
- Azure monitor can collect data from many data sources
| - Think of monitoring in tiers from App to → OS to → Platform
65
With regards to Azure Monitor what is meant by;
| Application Monitoring Data
Performance and functionality of code written regardless of platform
66
With regards to Azure Monitor what is meant by;
| Guest OS monitoring data
Data on OS, either Azure, OnPrem or other Cloud
67
With regards to Azure Monitor what is meant by;
| Resource Monitoring Data
Data about operation of azure resource
68
With regards to Azure Monitor what is meant by;
| Subscription Monitoring Data
Data about operation/management of Azure Subscription and data about health and operation of Azure itself
69
With regards to Azure Monitor what is meant by;
| Azure Tenant monitoring data
Operation of tenant level Azure services (e.g. Azure AD)
70
When does Azure Monitor start collecting data?
As soon as you create a subscription and add resources, Azure monitor starts collecting data.
71
What do activity logs and metrics from Azure Monitor tell you
- Activity logs record resource creation/modification
| - Metrics tell you how resource is performing and resources it's consuming
72
How can you extend the data collected into actual operation of resources
You can extened the data collected into actual operation of resources by enabling diagnostics and adding an agent to compute resources under resource settings enable diagnostics
73
If you extend the data collected by Azure Monitor to collect the actual operation of resources, what sort of things can you monitor/collect?
- Enable guest level monitoring
- Perf Counter - Collect performance data
- Event Logs - enable various event logs
- Crash dumps - Enable or Disable
- Sinks - Send diagnostic data to other services for more analysis
- Agent - Config agent settings.
74
- Data monitoring is only useful if it improves visibility of operations in your company environment, Azure Monitor indicates features/tools that provide insight into applications and other resources they may depend on.
What are these features/tools?
Application Insights
Azure Monitor for Containers
Azure Monitor for VMs
75
What are the features of Application Insights
Application Insights
- Service Monitoring web apps, availability , performance, usage, hosted in on prem or in cloud
- Leverages powerful data analysis platform in log analytics for a deeper insight into your apps operations
- Can diagnose errors without waiting for a user to report them.
- Includes connection points for a varierty of dev tools, intergrates with visual studio to support devops procces.
76
What are the features of Azure Monitor for Containers
Azure Monitor for containers
- Monitors performance of container workloads deployed to manage kubernetes clusters on Azure Kubernetes Service (AKS)
- Gives performance visability by collecting memory and processor metrics from controllers, nodes and containers, availbaile in kubernetes web API
- Container logs also collected
77
What are the features of Azure Monitor for VMs
Azure Monitor for VMs
- Monitors Azure VMs at scale and analyses performance and health of Windows and Linux VMS
- Includign different processes interconnected dependances on other resources
- Includes support for ON prem VM and Other cloud VM
78
Implementing Azure Monitor services with Azure health allows you to stay informed, what will it help you to understand
This will help you understand if/when an issues affecting azure service is impacting your environment.
A localized looking issues could be more widespread and Azure service health gives this kind of insight.
Azure Service Health identifies issues with Azure Services that might affect your application and also helps plan scheduled maintenance.
79
How must an effective monitoring system respond to critical condition in the data it collects
- An effective monitoring solution must respond proactively to critical conditions in the data it collects.
- Could be a text or email to Admin or automated process launch that corrects the error condition
80
Azure Monitoring proactively notifies you of critical conditions using alerts and can attempt to take corrective actions, what can these alerts be based on
- Alerts based on metrics provide near realltime alerts based on numeric values
- Alerts based on logs allow for complex logic across data from multiple sources.
81
Azure monitor can ensure you have the right amount of resources running, what is this process called and how does it determine when to do this?
- Azure monitor uses autoscale to ensure you have the right amount of resources running.
- Enables you to create rules to determine when to automatically add resources to handle increases in load
82
How can Auto scale in Azure monitoring save costs and how can you ensure your costs won't increase too much
- Can reduce costs by removing resources not being used.
| - Specify max number of instances and logic to determine when autoscale should increase or decrease resources.
83
What is available to visualise the monitoring data captured via Azure Monitor
Visualise Monitoring Data
- Charts and tables effective at summarizing monitoring data
- Azure Monitor has features for visualizing monitoring data
- Leverages other Azure Services for publishing data to different audiences
- Other tools include - Dashboards, Views and PowerBI
84
Can other Azure Services integrate with Azure Monitor?
Yes you'll often need to integrate Azure monitor with other services to build custom solutions that use your monitoring data
- Other Azure services can work with azure monitor to do this
85
In broad terms what is Azure Service Health and What can it do for you?
- Suite of experiences to provide personalized guidance and support when issues with Azure services affect you.
- Can notify you and help you understand the impact of issues and update you as issue is resolved
- Can help prep for planned maintenance and changes that could affect availability of resources.
86
What three "rules" is Azure Service Health made up of?
Azure Status
Service Health
Resource Health
87
With regards to Azure Service Health what is the purpose of Azure Status
- Global view of Health of Azure Services
| - Up to minute info on Service Availabiltiy
88
With regards to Azure Service Health what is the purpose of Service Health
- Customizable dashboard to track state of your azure services in regions where you use them
- Track active events (i.e. ongoing issues and planned maintenance and health advisories.
- Inactive events placed in health history for 90 days
- Create alerts to notify when service issues affect you
89
With regards to Azure Service Health what is the purpose of Resource Health
- Helps diagnose/obtain ssupport when Azure Service issue affects your resouyrces
- Provides details on current and past state of resources
- Provides tech support to help mitigate issues
- Resource health is personalised dashboard of your resource health
- Shows times when resources unavailable due to Azure services issues making it easier to understand if SLA was violated.
90
Within Service Health, how long are inactive events placed in Health History for
90 days
