Skill 2.1 Secure Storage

Question 1

How are storage accounts managed

Answer 1

through Azure resource manager, Mangement operations are authenticated and authroized using Azure Active directory and RBAC

Question 2

How are storage account services exposed

Answer 2

as a interent facing endpoint

Question 3

What does a storage firewall do

Answer 3

allows you to limit access to specific IP addresses or a range

Question 4

What route do service endpoints create

Answer 4

a direct network route from the virtual network to the endpoitn

Question 5

What are the two steps to configure service endpoints

Answer 5

1. From the virtual network subnet create the route from the subnet to the storage service but does not restrict which storage account the virtual network can use
2. Configuring which virtual networks can access a particular storage account.

Question 6

Describe blob storage access levels

Answer 6

by default no public read access is enabled for anonymous users, and only users with rights granted through RBAC or with the storage account name and key will have access to the stored blobs

Question 7

What are blob storage access levels,

Answer 7

Private – With this option only the stroage account owber can access the container and its blobs
Blob – with this optio nonly blobs within the container can be accessed anonymously
Container – blobs and there containers can be access anonymously

Question 8

What is a Shared Access Signature Token (SAS Token)

Answer 8

URI query string parameter that grans access to specific containers, blobs, queues, and tables. Used to grant access to a client that should not have access to the entire storage account

Question 9

How do SAS tokens grant access to resources

Answer 9

for a specific period of time with a specified set of instruction

Question 10

What are SAS tokens widely used for

Answer 10

to copy blobs or files to another storage account

Question 11

What protocol do SAS tokens use

Answer 11

HTTPS protocol

Question 12

What are blob

Answer 12

Provides a highly scalable service for storing abitrary data such as text or binary data

Question 13

What are the three types of blobs

Answer 13

Append Blobs
Block Blobs
Page Blobs

Question 14

What are storage account service tables

Answer 14

Provides a NoSQL-style store for storing structured data. Unlike a relational database, tables in Azure storage do not require a fixed schema, so different entries in the same table can have different fields

Question 15

What are storage account Queues

Answer 15

Provide a reliable message queueing between applications

Question 16

What are storage account files

Answer 16

Managed files shares that can be used by either Azure VM or on-prem servers

Question 17

What Storage Account Service Disks do

Answer 17

Provides a persistent volume for Azure VM which can be attached as a virtual hard disk

Question 18

What are the rules for naming storage accounts

Answer 18

Storage account name must be unique across all existing storage account names in Azure
Must be between 3 and 24 characters adn can contain only lowercase letters and numbers

Question 19

What is a standard performance tier

Answer 19

Supports all storage services. Blobs, tables files, queues, and unmanged Azure virtual machine disks. Uses magnetic disks to provide cost-efficient and reliable storage

Question 20

What is the premium performance tier

Answer 20

Designed to support workloads with gratr demand on I/O and is backed by high performance SSDS.

Question 21

What kind of storage is supported by the standard account tier

Answer 21

General purpose v1 and V2 and blob

Question 22

What kind of storage is supported by Premium tier

Answer 22

General-Purpose V1 and V2, BlockBlobStorage and FileStorage

Question 23

What is a Blob storage account

Answer 23

specialized storage account used to store block blobs and append blobs. Page blobs cannot be stored in this account

Question 24

What account types can be upgraded to General-Purpose V2

Answer 24

General-Purpose V2 and Blob storage though the process can’t be reversed.

Question 25

What feature does a General-Purpose V2 Account support

Answer 25

Supports blob, File, table, and queue, suppors unmanged disk, standard and performance tiers. Supports Hot, Cool, and ARchive Access

Question 26

What storage features does General Purpose V1 Support have

Answer 26

Supports Blob, File, Table, and Queue, and unmanaged disk access Standard and Performance Tiers, N/A for supported access tiers.

Question 27

What features does blob storage support have

Answer 27

Supports blob, block and append blobs only. No unmanaged disk support. Standard performance tierW

Question 28

What features does blob block storage have

Answer 28

Supports blob, block adn append blobs only. No unmanaged disk support. Premium performance tier. N/A for access tiers

Question 29

What features does the file storage tier have

Answer 29

Supports only file service. No unmanaged disk support. Supports the premium performance tier

Question 30

What is locally redundant storage (LRS)

Answer 30

Three synchronous copies of data within a single datacenter. Available for general-purpose or blob storage accounts at both the standard and performance tier

Question 31

What is Zone Redundant Storage (ZRS)

Answer 31

Make three synchronous copies to three seperate availability zones within a region. Available for General Purpose V2 storage accounts only.

Question 32

What is geographically redundant storage (GRS)

Answer 32

Same as LRS (three local copies), plus three additional asynchronous copies to a second data center hundreds of miles away from the primary region. Data replication typically occurs within 15 minutes although no SLA is provided

Question 33

Read Access GRS

Answer 33

Same capabilities as GRS, plus you have read-only access to teh data in teh secondary data center.

Question 34

What are the Azure blob storage tiers

Answer 34

Hot Cool Archive

Question 35

Describe the blob Cool Storage Tier

Answer 35

Data is stored for at least 30 days

Question 36

Describe the Archive blob storage tier

Answer 36

Long-term storage, Will remain for 180 days.

Question 37

What storage type is User delegation through Azure AD available with

Answer 37

Blob storage

Question 38

What allows you to change the access parameters (start and end time, permissions) as part of the token.

Answer 38

Stored access policies, Allows for modifying of access of existing tokens without having to reissue them

Question 39

How many stored access policies can you have on a container, table, queue, or file share

Answer 39

five

Question 40

What are access keys used for

Answer 40

Allow full access to all data in all service within the storage account. You can create, read, update, and delete container, blobs, tables, queues, and file shares. You will have full administrative access to everything other then the storage account itself

Question 41

What are access keys used with

Answer 41

the storage account name and an access key

Question 42

What does rolling a storage account access key do

Answer 42

invalidate any SAS tokens that were generated using that key

Question 43

What does Azure key vault do

Answer 43

helps safeguard storage account access keys as well as cryptographic keys and secrets used by cloud applications and services such as authentication keys

Question 44

What is AAD authentication

Answer 44

recently addes authorization mechanism for Azure Storage.

Question 45

What authentication do accounts created with Azure Resource Manager use

Answer 45

authentication Azure AD authorization

Question 46

what can SAS signatures be signed by

Answer 46

Azure AD credentials to provide access to storage accounts

Question 47

What is a managed service identity (MSI)

Answer 47

Can be used for access blobs or queues from an Azure entity like Azure VM, virtual machine scale set, or an Azure functions app

Question 48

What is a container RBAC resource role scope

Answer 48

Selects Blobs, meta data and properties of the container

Question 49

What is a Queue RBAC resource role

Answer 49

All the messages inside the queue, as well as queue properties and metadata will inherit the role assignment when this scope is selected

Question 50

What is a Storage account RBAC resource scope

Answer 50

Under this scope, the role assignment will be applicable at the storage account level. All the containers, blobs, queues, and messages within the storage account will inherit the role assignment when this scope is selected

Question 51

What are the two types of Azure identity authentication

Answer 51

On premesis Active Directory Domain Services (AD DS) Azure Active directory Domain services (Azure AD DS)

Question 52

What must be used to access Azure files by using SAS

Answer 52

You must use the REST method