Module 10

Question 1

Good IT Governance involves planning initatives and setting prioritees on strategic level to help manage and prevent issues..

What are some situations where Good IT Governance is required (in Azure)

Answer 1

• Multiple teams in Azure
• Multiple subscriptions in Azure
• Multiple subscriptions in your tenant
• Regulatory requirements must be enforced
• Ensuring standards for all IT resources.

Question 2

One way to enforce standards is by not allowing teams to directly create azure resources, instead having IT team define and deploy cloud assets. This approach is often used OnPrem.

Why isn’t this a good approach for Azure?

Answer 2

This approach reduces agility and innovation.

Instead Azure provides tools to enforce/validate standards, whilst allowing engineering teams to create there own cloud resources.

Question 3

As well as enforcing standards what else do you need to monitor resources for?

Answer 3

As well as enforcing standards you need to monitor resources to ensure responsiveness and performing properly.

Azure Provides several built in features to track and analyse your resource utilization and performance.

Question 4

What does planning consistent cloud infrastructure start with?

Answer 4

Planning consistent cloud infrastructure starts with setting up policy

Question 5

What does Policy enforce and why does it do this

Answer 5

Policy enforces rules for created resources to ensure infrastructure stays compliant with corporate standards, cost requirements and SLAs with your customers.

Question 6

Azure Policy is a service to

Answer 6

create/assign/manage policies

Question 7

Azure Policies enforce different rules and effects over resources so resources stay compliant.

How does Azure Policy meet these needs?

Answer 7

• Azure policy meets this need by evaluating resouces for non compliance with assigned policies.
• E.G. A policy might allow only a certain size VM, after policy implementation new and existing resources are evaluated for compliance. The right type of policy can bring existing resources into compliance.**

Question 8

If we want to control costs by not allowing users to create VMs with more than 4 cores, how could Azure Policy help us define this

Answer 8

Set up an Azure Policy that will stop anyone creating a VM outside of the list of allowed SKUs (stock keeping units)

Question 9

If we have a policy that stops anyone creating a VM outside of the list of allowed SKUs (stock keeping units), what will happen if we try to create or adjust a VM that would compromise this?

Answer 9

Updating a VM will cause it to be checked against policy - on audit, non compliant resources have there properties altered or are stopped from being created.

Question 10

Can Azure Policy be intergrated with Azure DevOps

Answer 10

Yes - Azure Policy can be integrated with Azure DevOps, applying continuous integration and delivery pipelines that affect pre and post deployment of your applications.

Question 11

How do Azure Policy and RBAC solve different problems

Answer 11

• RBAC focuses on user action at different scopes (i.e. you might be added as contributor for a resource group allowing you to make changes to anything in that resource group).
• Azure Policy focuses on resource properties during deployment and altering existing resources. Azure policy controls properties such as types or location of resources

Question 12

Is Azure Policy a default allow or default deny

Answer 12

Unlike RBAC, Azure policy is default allow and explicit deny.

Question 13

What is the process for creating a policy

Answer 13

• Azure policy starts with creating a policy definition, which has policy definition conditions under which it is enforced.
• And an accompanying affect to happen if conditions are met.
• To apply a policy:
  
  • Create a policy definition
  • Assign definition to scope of resouces
  • View policy evaluation results.

Question 14

What is an Azure Policy Definition?

Answer 14

A policy definition will express what to evaluate and the actions to take (e.g. ensure all public websites are secured with HTTPs OR prevent perticular storage type being created OR Force a specific version of SQL

Question 15

What are some common policy definitions

Answer 15

• Allows storage account SKUs - set of condtions/rules to deftermine if storage account being deployed is within SKU sizes = Effect is to deny storage accounts not conforming
• Allowed Resouce Type - Specify resource types organisation can deploy = Effect is to deny all resouces not part of that defined list.
• Allowed Locations - Allows restriction of locations when deploying resources = Effect used to enforce Geographic compliance.
• Allows VM SKUs - Specify set of VM SKUs your organistion can deploy
• Not Allowed Resouce Types - Pevents list of reosuce types being deployed

Question 16

How is a policy definition represented and where can pre-defined definitions be found?

Answer 16

Policy definition is represented as JSON file, use predefined definition in the portal or create your own N.B. Lots of samples on GITHUB

Question 17

What methods can you use to apply Azure Policy

Answer 17

Use Azure portal or one of the command line tools such as Azure Powershell.

Question 18

Where/How can you identify non compliant resources with your Azure Policy

Answer 18

• Use applied policy defintion to Identify resources that are not compliant with policy assigntment through Azure portal
• Results match what you see in resource compliance tab of policy assignment in AZ portal
• Or you can use command line tools to identify non compliant resources in your Resource group.

Question 19

Once one or more policy definitions defined, you will need assign them, a policy assignment is a policy definition that is assigned to take place within a specific scope.

Where can scopes range from and are Policy assignments inherited?

Answer 19

• Scope could range from full subscription to a resource group.
• Policy assignments are inherited by all child resources however you can exclude a subscope.

E.G. Enforce a policy at subscription level with a few resource groups excluded.

Question 20

When do parameters defined need to be supplied to an Azure Policy

Answer 20

• When assigning a policy you need to supply any parameters defined.

Question 21

Requests to create or update resouces through Azure Resource Manage are evaluated by azure policy first.

Policy will create a list of assignments appertaining to resources that evaluate against definition, processing several effects before handling the request to avoid unnecessary processing.

A policy definition will have a single effect to determine what should happen when a rule is matched, what are these and what are there effects

Answer 21

• DENY - Resource create or update failes
• DISABLED - Policy rule is ignored - often used for test
• APPEND - Adds additional parameters/fields to resource (common example is adding tags for a cost center OR specifying allowed Ips for a storage resource.
• AUDIT/AUDITIFNOTEXISTS - Creates warning in activity log- does not stop request
• DEPLOYIFNOTEXISTS - Executes a template deployment when condition is met (E.G. If SQL Encryption is enabled, after creation run template to set it up a certain way)

Question 22

Azure Policy can allow resource creation to be created even if validation fails, where can you view policy evaluation results?

Answer 22

• You can have a failed validation trigger an event to be viewed in Azure policy portal or through command line tools.
• The easiest approach is the GUI and you can find Azure policy in search field or all services.
• The portal makes it easy to spot non compliant resources and take action.

Question 23

What methods can you use to remove an Azure Policy

Answer 23

Finally you can delete a policy thru portal or Azure PowerShell. (e.g. “Remove-AZPolicyAssignment -Name ‘policyname’ -Scope ‘policyscope”)

Question 24

What method can you use to organise multiple Azure polices

Answer 24

Initiatives.

When you have more than a few you will want to organise them - That is where initatives come in

Question 25

Initiatives work alongside polcices, what is an initative definition

Answer 25

An initative definition is a set or group of policy definitions to help track compliance for a larger goal.

Question 26

Why might you use an initiative if you only have a single policy

Answer 26

Even if you only have a single policy you should use initiatives if you foresee the number of policies growing over time.

Question 27

• Like a policy an initiative assignment is an initiative assignment to a specific scope
• This reduces the need to make several initiative definition for each scope.

At what ranges can the scope for an initiative be

Answer 27

• Scope could range from management group to resource group.

- Once defined, initiatives can be assigned as polices can, they apply all the associated policy definitions

Question 28

Initiatives definitions simplify the processes of managing and assigning policy definitons by grouping policies into a single item.

What sort of policy definitions would make up an initative called “Enable Monitoring in Azure Security Center”

Answer 28

• Monitor unencrypted SQL DB - Monitors unencrypted SQL DBs and Servers
• Monitor OS Vunrabilites - Monitors servers that do not satisfy baseline
• Monitor Missing endpoint protection - Monitors servers without installed endpoint protection

Question 29

How/Where can you define initatives

Answer 29

Define initiatives in Azure portal or command line tools - In portal use the “Authoring” section

Question 30

Enterprise Governance Management:
Where does access management occur?
And what does this allow organisations to do

Answer 30

Access management occurs at Azure subscription level

• Allows organisation to configure each division in a specific fashion based on responsibilities and requirements.
• Without help, keeping rules consistent across subscriptions can be challenging.

Question 31

What are Azure Management groups?

Answer 31

• Azure management groups are containers for managing access, polices and compliance across multiple subscriptions.
• Management groups allow ordering of Azure resources hierarchy into collections, providing a further level of classifications above the level of subscriptions.

Question 32

What is the behaviour of subscriptions with management groups around inheritance and what does Management groups give you?

Answer 32

• Subscriptions with a management group inherit conditions applied to management group
• Management groups gives you enterprise grade management at a large scale not matter what type of subscriptions you have.

Question 33

If you create a hierarchy so you can apply a policy that limits VM locations to a certain region for a specific management group, what would the result for all subscriptions in that management group be?

Answer 33

All subscriptions in that management group would inherit that policy and would inherit that policy and it would apply to all VMs within those subscriptions.

Question 34

Can a security policy be altered by the resource or subscription owner

Answer 34

The security policy cannot be altered by the resource of subscription owner allowing for improved governance.

Question 35

How can you use management groups to provide users access to multiple subscriptions?
And what are the benefits of this

Answer 35

• By having many subscriptions in one management group you can use one RBAC assignment that will allow access to all subscriptions
• One assignment on the management group can enable users to access everything they need instead of scripting RBAC rules over different subscriptions.

Question 36

True or False: Resources and subscriptions you apply to each management group automatically inherit the conditions you apply to that management group.

Answer 36

True
You can manage Azure subscriptions more effectively by using Azure policy and RBAC. These apply distinct governance conditions you can apply to each management group.

Question 37

Adhearing to security or compliacne requirements can be difficult and time consuming, what Azure Service can help with auditing, traceability and compliance of your deployments?

Answer 37

Azure Blueprints

Question 38

A blueprint allows an engineer to sketch a projects design parameters, what does an Azure BluePrint do?

Answer 38

An Azure blue print allows a cloud engineer to define a repeatable set of resources that implements and adhears to standards, patterns and requirements

Question 39

True or False:
Azure blueprints makes it possible for dev teams to rapidly build/deploy new environments with organisational compliance using a set of built-in components to speed up develpement and delivery.

Answer 39

True
Azure Blueprints is a declarative way to orchestrate deployment of various resource templates such as…
- Role assignments, policy assignments, Azure Resource Manager Templates and Resource Groups

Question 40

How can you make use of Azure BluePrints in a DevOps scenario?

Answer 40

Azure blueprints are also useful in DevOps scenerios, where blue prints are associated with specific build artifacts and release pipelines, and can be tracked more rigorously.

Question 41

What is the high level process of implementing an Azure BluePrint

Answer 41

The process of implementing a blue print consists of:

1. Create Azure Blueprint
2. Assign the Blueprint
3. Track the blueprint assignments

Question 42

With regards to Azure Blueprints what are;

1. Blueprint Definition?
2. BluePrint Assignment?

Answer 42

Blueprint definiton (what should be deployed) 
blueprint assignment (what was deployed)

With an Azure Blueprint - the relationship between the blueprint definiton (what should be deployed) and the blueprint assignment (what was deployed) is preserved.

Question 43

BluePrints are replicated to multiple Azure regions, what does this replication provide and what service backs the Azure BluePrint Service?

Answer 43

• Azure Blueprint service is backed by Cosmos DB

The blueprint replication provides low latency, HA, consistent access to blueprint objects, regardless of your region your blueprint deploys your resources for.

Question 44

What is the difference between and Azure Blueprint and a Resource Manager Template

Answer 44

Nearly everything you include for deployment in blueprints can be accomplished with a resource manager template HOWEVER…

• A rsource manager template is a document that doesnt exist natively in Azure
• Resource manager templates are stored either locally or in source control
• The template gets used for deployments of azure resources, but once resources deploy there’s no active connection or relationship with the template
• With Blueprints relationship between the defnition (what should be deployed) and the assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments
• Blueprints can also upgrade several subscriptions at once governed by the same blueprint

Question 45

What are Azure BluePrints designed to help with

Answer 45

• Azure blueprints are designed to help with environment setup, often consisting of reosurces groups, policies, role assignments and resource manager template deployments.
• A Blueprint is a package to bring each of these artifact types together and allow you to compose and version that package including thru CI/CD pipeline
• Ultimately each setup is assigned to a subscription in a single operation that can be audited and tracked.

Question 46

Is it best practice to use an Azure BluePrint or Resource Manager Template

Answer 46

• There is no need to choose between Resource manager template and Blueprints, each blueprint can consist of 0 or more resource manager template artifacts
• This means previous effort to maintain a library of resource manager templates are re-usable in blueprints

Question 47

What are the key differences between Azure BluePrints and Azure Policy

Answer 47

• Blueprint is a package or container for composing focus - specific sets of standards, patterns and requirements related to the implementation of cloud serviecs, security and design that can be reused to maintain consistency and compliance.
• A policy is default-allow and explicit deny system focused on resource pipelines during deployment + for existing resources. Supports cloud governance by validating resources within a subscription adhere to requirements and standards
• Including a policy in a blueprint enables creation of right pattern or design during blueprint assignment. This policy inclusion makes sure only approved or expected changes can be made to the environment which protects ongoing compliance to the intent of the blueprint
• A policy can be included as one of many artifacts in a blue print definition. Blue prints also support using parameters with policies and Initatives

Question 48

Governing your resources is only part of the solution when using cloud provider, you must also understand how provider manages the underlying resources you are building on.

What four services does Microsoft use to demonstrate how it takes this management seriously

Answer 48

• MS Privacy statement
• MS Trust Centre
• Service Trust Portal
• Compliance Manager

Question 49

What does the MS Privacy statement explain

Answer 49

• Explains what personal data MS processes

- Explains how and for what purposes MS processes it

Question 50

What does the MS Privacy statement apply to

Answer 50

• Applies to interactions MS has with you and MS products (i.e MS Services, websites, apps, software, devices)

Question 51

What is the MS Privacy Statement intended to provide

Answer 51

Intended to provide openness/honesty about how MS deals with personal data

Question 52

What is the MS Trust Center

Answer 52

Website containing info re how MS implements and supports security, privacy, compliance and transparency in all MS cloud Products and services.

Question 53

The MS Trust center is an important part of MS trusted cloud initiative and provides support and resources for legal compliance community, what are some of these support and resource offerings?

Answer 53

• In depth security, privacy, compliance offerings, polices, features and practices across MS cloud products
• Curated list of recommended resources for each topic.
• Info specific to key organisational roles incl Business Managers, tenant admins, data security teams, risk assessment/privacy officers and legal compliance teams.
• Cross company document search - coming soon and will enable existing cloud service customers to search the service trust portal
• Direct guidance and support if you cant find what you are looking for.

Question 54

What is the Service Trust Portal (STP) and what does it do?

Answer 54

STP is a MS public site for publishing audit reports and other compliance info which hosts the Compliance manager service

Question 55

STP Users can download reports from where and for what purpose

Answer 55

STP users can download reports from external auditors and gain insight from MS authored reports, providing detail on how MS builds and operates its cloud services

Question 56

True or False:

STP also has info about how MS can help maintain and track compliance with ISO, SOC, NIST, FedRamp and GDPR

Answer 56

True

Question 57

STP is a companion service to Trust center and allows which key features

Answer 57

• Access audit reports about MS cloud services on single page
• Access compliance guides to help understand how you can use MS cloud features to manage compliance with various regulations
• Access trust documents to help understand how Microsoft Cloud services protect your data

Question 58

What is compliance manager and where is it?

Answer 58

Compliance manager is a Workflow based risk assessment dashboard within STP.

It enables Track, assign and verify of orgs regulatory compliance for MS pro services and MS cloud services, such as O365, Azure and Dynamics

Question 59

Compliance manager combined information from a number of places, what and where is the information from?

Answer 59

• Combine of info from:
  
  • MS to auditors as part of 3rd party audits of MS cloud services against ISO27001, 27018 and NIST
  • Info from MS for complinance with HIPPA and GDPR
  • Orgs self assessment of there own compliance with these standards and regulations

Question 60

What other services does Compliance manager allow you to do

Answer 60

• Enabled you to assign, track, record, compliance/assessment related activites to help your organisation cross team barriers and achieve your compliance goals.
• Provides compliance score to help track progress and prioritise auditing to help reduce orgs exposure to risk.
• Provides secure repository to upload and manage evidence and other artifacts related to compliance activities
• Produces excel reports documenting compliance activites performed by MS and your Org to be provded to auditors and compliance stake holders

Question 61

Compliance Manager provides a summary of data protection compliance and recommendations, does this offer any guarantee of compliance

Answer 61

No - meeting recommendations is not a guarantee of compliance

Question 62

Once you have deployed resources you will want to know about any performance problems they might encounter, what 2 primary services does Azure provide to monitor the health of your Apps and Resources

Answer 62

Azure Monitor AND Azure Service Health

Question 63

What key things does Azure Monitor do?

Answer 63

• Maximizes availability + performance of you applications by delivering a cmoprehensive solution for collecting, analyzing + acting upon telemetry from your cloud + on prem environments
• Helps you understand how Apps are performing
• Proactively identifies issues affecting them and resources they depend on.

Question 64

True or False:

Azure monitor can collect data from many data sources

Answer 64

• Azure monitor can collect data from many data sources

- Think of monitoring in tiers from App to → OS to → Platform

Question 65

With regards to Azure Monitor what is meant by;

Application Monitoring Data

Answer 65

Performance and functionality of code written regardless of platform

Question 66

With regards to Azure Monitor what is meant by;

Guest OS monitoring data

Answer 66

Data on OS, either Azure, OnPrem or other Cloud

Question 67

With regards to Azure Monitor what is meant by;

Resource Monitoring Data

Answer 67

Data about operation of azure resource

Question 68

With regards to Azure Monitor what is meant by;

Subscription Monitoring Data

Answer 68

Data about operation/management of Azure Subscription and data about health and operation of Azure itself

Question 69

With regards to Azure Monitor what is meant by;

Azure Tenant monitoring data

Answer 69

Operation of tenant level Azure services (e.g. Azure AD)

Question 70

When does Azure Monitor start collecting data?

Answer 70

As soon as you create a subscription and add resources, Azure monitor starts collecting data.

Question 71

What do activity logs and metrics from Azure Monitor tell you

Answer 71

• Activity logs record resource creation/modification

- Metrics tell you how resource is performing and resources it’s consuming

Question 72

How can you extend the data collected into actual operation of resources

Answer 72

You can extened the data collected into actual operation of resources by enabling diagnostics and adding an agent to compute resources under resource settings enable diagnostics

Question 73

If you extend the data collected by Azure Monitor to collect the actual operation of resources, what sort of things can you monitor/collect?

Answer 73

• Enable guest level monitoring
• Perf Counter - Collect performance data
• Event Logs - enable various event logs
• Crash dumps - Enable or Disable
• Sinks - Send diagnostic data to other services for more analysis
• Agent - Config agent settings.

Question 74

• Data monitoring is only useful if it improves visibility of operations in your company environment, Azure Monitor indicates features/tools that provide insight into applications and other resources they may depend on.

What are these features/tools?

Answer 74

Application Insights
Azure Monitor for Containers
Azure Monitor for VMs

Question 75

What are the features of Application Insights

Answer 75

Application Insights

• Service Monitoring web apps, availability , performance, usage, hosted in on prem or in cloud
• Leverages powerful data analysis platform in log analytics for a deeper insight into your apps operations
• Can diagnose errors without waiting for a user to report them.
• Includes connection points for a varierty of dev tools, intergrates with visual studio to support devops procces.

Question 76

What are the features of Azure Monitor for Containers

Answer 76

Azure Monitor for containers

• Monitors performance of container workloads deployed to manage kubernetes clusters on Azure Kubernetes Service (AKS)
• Gives performance visability by collecting memory and processor metrics from controllers, nodes and containers, availbaile in kubernetes web API
• Container logs also collected

Question 77

What are the features of Azure Monitor for VMs

Answer 77

Azure Monitor for VMs

• Monitors Azure VMs at scale and analyses performance and health of Windows and Linux VMS
• Includign different processes interconnected dependances on other resources
• Includes support for ON prem VM and Other cloud VM

Question 78

Implementing Azure Monitor services with Azure health allows you to stay informed, what will it help you to understand

Answer 78

This will help you understand if/when an issues affecting azure service is impacting your environment.

A localized looking issues could be more widespread and Azure service health gives this kind of insight.

Azure Service Health identifies issues with Azure Services that might affect your application and also helps plan scheduled maintenance.

Question 79

How must an effective monitoring system respond to critical condition in the data it collects

Answer 79

• An effective monitoring solution must respond proactively to critical conditions in the data it collects.
• Could be a text or email to Admin or automated process launch that corrects the error condition

Question 80

Azure Monitoring proactively notifies you of critical conditions using alerts and can attempt to take corrective actions, what can these alerts be based on

Answer 80

• Alerts based on metrics provide near realltime alerts based on numeric values
• Alerts based on logs allow for complex logic across data from multiple sources.

Question 81

Azure monitor can ensure you have the right amount of resources running, what is this process called and how does it determine when to do this?

Answer 81

• Azure monitor uses autoscale to ensure you have the right amount of resources running.
• Enables you to create rules to determine when to automatically add resources to handle increases in load

Question 82

How can Auto scale in Azure monitoring save costs and how can you ensure your costs won’t increase too much

Answer 82

• Can reduce costs by removing resources not being used.

- Specify max number of instances and logic to determine when autoscale should increase or decrease resources.

Question 83

What is available to visualise the monitoring data captured via Azure Monitor

Answer 83

Visualise Monitoring Data

• Charts and tables effective at summarizing monitoring data
• Azure Monitor has features for visualizing monitoring data
• Leverages other Azure Services for publishing data to different audiences
• Other tools include - Dashboards, Views and PowerBI

Question 84

Can other Azure Services integrate with Azure Monitor?

Answer 84

Yes you’ll often need to integrate Azure monitor with other services to build custom solutions that use your monitoring data
- Other Azure services can work with azure monitor to do this

Question 85

In broad terms what is Azure Service Health and What can it do for you?

Answer 85

• Suite of experiences to provide personalized guidance and support when issues with Azure services affect you.
• Can notify you and help you understand the impact of issues and update you as issue is resolved
• Can help prep for planned maintenance and changes that could affect availability of resources.

Question 86

What three “rules” is Azure Service Health made up of?

Answer 86

Azure Status
Service Health
Resource Health

Question 87

With regards to Azure Service Health what is the purpose of Azure Status

Answer 87

• Global view of Health of Azure Services

- Up to minute info on Service Availabiltiy

Question 88

With regards to Azure Service Health what is the purpose of Service Health

Answer 88

• Customizable dashboard to track state of your azure services in regions where you use them
• Track active events (i.e. ongoing issues and planned maintenance and health advisories.
• Inactive events placed in health history for 90 days
• Create alerts to notify when service issues affect you

Question 89

With regards to Azure Service Health what is the purpose of Resource Health

Answer 89

• Helps diagnose/obtain ssupport when Azure Service issue affects your resouyrces
• Provides details on current and past state of resources
• Provides tech support to help mitigate issues
• Resource health is personalised dashboard of your resource health
• Shows times when resources unavailable due to Azure services issues making it easier to understand if SLA was violated.

Question 90

Within Service Health, how long are inactive events placed in Health History for

Answer 90

90 days