Azure

Uploaded by kalix.92

Global Administrator role has access to every other role – the most powerful role in Azure.

Federation – joining Active Directory directories together so that identities from one are trusted by the other.

Deny assignments – block users from performing specific actions (Azure RBAC). They can only be created through Azure Blueprints.

Azure roles (RBAC) – used to control access to Azure resources such as VMs, apps, etc. There are 4 fundamental built-in roles:
Owner
Contributor
Reader
User Access Administrator

Azure AD roles – used to control access to Azure AD resources such as users, groups, etc. A few of them:
Global Admin – full access to Azure AD, but no access to Azure resources by default; it can gain that access by obtaining the User Access Administrator role.
User Admin – manage users and their access.
Billing Admin – access to billing, make purchases.
You can create custom Azure AD roles, but this requires Azure AD Premium P1 or P2.

Classic administrators – the legacy (classic) role system with 3 roles:
Account Admin
Service Admin
Co-Admin

IAM (Access control) lets you assign and create Azure roles.

Azure Policy = compliance. Policies do not restrict access; they only evaluate resources for compliance.
Policy definitions grouped together = policy initiative.
Azure Resource Manager is the deployment and management service for Azure. It
provides a management layer that enables you to create, update, and delete
resources in your Azure account. You use management features, like access control,
locks, and tags, to secure and organize your resources after deployment.
Management groups sit above subscriptions; below subscriptions come resource groups.
At the subscription level you have the ability to set access controls.
In order to use Azure resources you have to register resource providers. Some are registered by default, so if a particular service cannot be found, it may be that its resource provider is not registered.
In the Azure portal you can set the following lock levels:
CanNotDelete
ReadOnly

Only the Owner and User Access Administrator built-in roles can create and delete management locks. You can also create a custom role with the required permissions.
Variables are referenced with () parentheses: to call a variable inside a template expression you use variables('name').

JSON template format (element, required?, description)

$schema (required) – Location of the JavaScript Object Notation (JSON) schema file that describes the version of the template language. The version number you use depends on the scope of the deployment and your JSON editor.
  - Visual Studio Code with the Azure Resource Manager tools extension, resource group deployments (use the latest version): https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#
  - Other editors (including Visual Studio) may not be able to process this schema; for those editors use: https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#
  - Subscription deployments: https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#
  - Management group deployments: https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#
  - Tenant deployments: https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#

languageVersion (optional) – Language version of the template. To view the enhancements of languageVersion 2.0, see languageVersion 2.0.

contentVersion (required) – Version of the template (such as 1.0.0.0). You can provide any value for this element. Use this value to document significant changes in your template. When deploying resources using the template, this value can be used to make sure that the right template is being used.

apiProfile (optional) – An API version that serves as a collection of API versions for resource types. Use this value to avoid having to specify API versions for each resource in the template. When you specify an API profile version and don't specify an API version for the resource type, Resource Manager uses the API version for that resource type that is defined in the profile. The API profile property is especially helpful when deploying a template to different environments, such as Azure Stack and global Azure. Use the API profile version to make sure your template automatically uses versions that are supported in both environments. For a list of the current API profile versions and the resource API versions defined in the profile, see API Profile. For more information, see Track versions using API profiles.

definitions (optional) – Schemas that are used to validate array and object values. Definitions are only supported in languageVersion 2.0.

parameters (optional) – Values that are provided when deployment is executed to customize resource deployment.

variables (optional) – Values that are used as JSON fragments in the template to simplify template language expressions.

functions (optional) – User-defined functions that are available within the template.

resources (required) – Resource types that are deployed or updated in a resource group or subscription.

outputs (optional) – Values that are returned after deployment.
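As an added illustration of the elements above (a constructed example, not from the original notes), the template below deploys a general-purpose v2 storage account and puts a management lock on it. It uses $schema, contentVersion, parameters, variables, resources and outputs; a variable is read with variables('name') inside [] brackets, and the lock level parameter is restricted to the two lock levels listed earlier. The prefix parameter and lock name are assumed; ARM accepts the // comments.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "namePrefix": {
      "type": "string",
      "maxLength": 11,
      "metadata": { "description": "Constructed example parameter: prefix for the storage account name" }
    },
    "lockLevel": {
      "type": "string",
      "defaultValue": "CanNotDelete",
      "allowedValues": [ "CanNotDelete", "ReadOnly" ]
    }
  },
  "variables": {
    // Expressions live inside [ ]; the value is read later with variables('storageName')
    "storageName": "[toLower(concat(parameters('namePrefix'), uniqueString(resourceGroup().id)))]"
  },
  "resources": [
    {
      // General-purpose v2 (StorageV2) account: supports hot/cool/archive tiering, and
      // GRS is one of the replication options that allows moving blobs to the archive tier
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-09-01",
      "name": "[variables('storageName')]",
      "location": "[resourceGroup().location]",
      "kind": "StorageV2",
      "sku": { "name": "Standard_GRS" },
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "accessTier": "Hot"
      }
    },
    {
      // Management lock applied as an extension resource on the account (scope property).
      // Creating or deleting it requires Owner or User Access Administrator.
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "[concat(variables('storageName'), '-lock')]",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]",
      "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]" ],
      "properties": { "level": "[parameters('lockLevel')]" }
    }
  ],
  "outputs": {
    "storageAccountName": { "type": "string", "value": "[variables('storageName')]" }
  }
}
```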

There are 2 performance tiers for storage accounts: standard and premium.
IOPS stands for input/output operations per second; the higher the IOPS, the better.
Premium accounts are on SSDs – no moving parts.
Standard accounts are on HDDs – access tier options: hot, cool, archive.
Rehydrating – moving a blob from the archive tier to another (online) tier.
Moving from a cooler to a hotter tier is billed as a write operation to the destination tier.
Moving from a hotter to a cooler tier is billed as a read operation from the source tier.
Operations are charged per 10,000 and data retrieval per GB.
Synchronous replication – primary region – when you read, your data is up to date.
Asynchronous replication – another region – the data in the other region might not be up to date.
Redundancy with read access – the reason given for this is that your data in the secondary region is copied synchronously and is therefore up to date.
Blob storage is object storage optimized for storing massive amounts of unstructured data.

There are 3 types of blobs:

Block blobs – text and binary data, up to 4.75 TB; made up of blocks.
Append blobs – optimized for append operations, e.g. logging data from a VM.
Page blobs – random-access files up to 8 TB; VHD files that serve as disks for virtual machines.
File share – one shared drive for VMs.
To connect to a file share a network protocol is used:
SMB – Server Message Block (the protocol implemented by Samba)
NFS – Network File System
Mounting is the process by which a computer's operating system makes the files and directories on a storage device (such as a hard drive, CD-ROM, or network share) available for users to access via the computer's file system.

Azure Files backup

You can back up your file share with share snapshots:

- up to 200 snapshots per file share

- retain backups for up to 10 years

Soft delete – you can prevent accidental deletion by enabling soft delete.

Azure Files storage tiers:

Premium – on SSD

Transaction optimized (standard) – HDD

Hot – team shares and Azure File Sync

Cool – HDD, good for archive scenarios

General purpose v2 account kind – HDD

FileStorage account kind – SSD

Identity:
On-premises – Azure Files can be joined to an on-premises AD Domain Services domain.

Managed – Azure Files can be joined to Microsoft-managed Azure AD DS.

Storage account key – a username (the storage account name) and password (the account key) can be used to mount the share.

Networking:

Azure Files is accessible (from inside or outside Azure) through the storage account public endpoint.

SMB connects on port 445.

Encryption:

Azure Files is encrypted at rest with Azure Storage Service Encryption (SSE).

Azure Files is encrypted in transit with SMB 3.0 or HTTPS.

Azure File Sync – lets you cache Azure file shares on an on-premises Windows Server or a cloud VM.

Azure Storage Explorer – a standalone app that makes it easy to work with Azure Storage.
AzCopy is a command-line utility; it is an executable file you download. You can authenticate via SAS or Azure AD. Use the copy command to upload and download.

Azure Import/Export service – used to securely import large amounts of data into Azure Blob and Azure Files by physically shipping disk drives (Azure Data Box) to an Azure data center.

To prepare data for ADB you use the WAImportExport tool – 2 versions – version 1 (for blobs) and version 2 (for files). Compatible only with 64-bit Windows.

A journal file will need to be generated.

You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft
backbone network.

To ensure that all the traffic from VM1 to storage1 travels across the Microsoft
backbone network without going out to the public internet, you should use a private
endpoint. A private endpoint uses a private IP address from your VNet, effectively
bringing the service into your VNet. Any traffic between your virtual machine and the
storage account will traverse over the VNet and stay on the Microsoft backbone
network, without ever leaving it. Thus, the correct answer is: B. private endpoints.
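The private endpoint described above, as an added ARM template (not from the original notes): it creates a private endpoint for the blob sub-service of an existing storage account in the subnet VM1 is attached to. The storageAccountName and subnetId parameters and the endpoint name are assumed.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": { "description": "Assumed: name of the existing storage account (storage1)" }
    },
    "subnetId": {
      "type": "string",
      "metadata": { "description": "Assumed: resource ID of the VNet subnet VM1 is attached to" }
    }
  },
  "variables": {
    "peName": "[concat(parameters('storageAccountName'), '-blob-pe')]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      // The endpoint takes a private IP from the subnet, so VM1 reaches the blob service
      // over the VNet and the Microsoft backbone rather than the public endpoint
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2021-05-01",
      "name": "[variables('peName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "subnet": { "id": "[parameters('subnetId')]" },
        "privateLinkServiceConnections": [
          {
            "name": "[variables('peName')]",
            "properties": {
              "privateLinkServiceId": "[variables('storageId')]",
              // groupIds selects the sub-service: "blob" here; "file" would expose Azure Files (SMB 445)
              "groupIds": [ "blob" ]
            }
          }
        ]
      }
    }
  ],
  "outputs": {
    "privateEndpointId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Network/privateEndpoints', variables('peName'))]"
    }
  }
}
```

Name resolution is not covered by this template: for the account's blob hostname to resolve to the private IP from inside the VNet you also need a private DNS zone (privatelink.blob.core.windows.net) linked to that VNet, otherwise clients still resolve the public address.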

Below are some notes that may help for Blob and File storage:
1. Archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. Only storage accounts that are configured for LRS, GRS, or RA-GRS support moving blobs to the archive tier.
2. Import supports Azure Blob storage and Azure File storage.
3. Export supports Azure Blob storage.
4. Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts.
5. Object Replication supports General Purpose v2 and Premium Blob accounts.
6. Both Azure AD and SAS (Shared Access Signature) tokens are supported.

A sync group contains one cloud endpoint (an Azure file share) and at least one server endpoint.

Box 2: No. Azure File Sync does not support more than one server endpoint from the same server in the same sync group.

Box 3: Yes. Multiple server endpoints can exist on the same volume if their namespaces do not overlap (for example, F:\sync1 and F:\sync2) and each endpoint is syncing to a unique sync group.

Box 1: VM1 only. VM1 is in the same region as Vault1. File1 is not in the same region as Vault1. SQL is not in the same region as Vault1. Blobs cannot be backed up to Recovery Services vaults. Note: to create a vault to protect VMs, the vault must be in the same region as the VMs.

Box 2: Share1 only. Storage1 is in the same region as Vault2, and Share1 is in Storage1. Note: only VMs and file shares are allowed to be backed up.

Box 1: Both Azure Active Directory (AD) and Shared Access Signature (SAS) tokens are supported for Blob storage.

Box 2: Only Shared Access Signature (SAS) tokens are supported for File storage.

Storage accounts: Storage3 only. The storage account must be in the same region as the Recovery Services vault.

Log Analytics workspaces: Analytics1, Analytics2, and Analytics3.

Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your vaults exist.

Box 1: contoso104 only. Premium file shares are hosted in a special-purpose storage account kind called a FileStorage account.

Box 2: contoso101 and contoso103 only. Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts don't support tiering. The archive tier supports only LRS, GRS, and RA-GRS.

If you want to change the Recovery Services vault you need to disassociate the previous RSV and delete the backup data. To delete backup data, you need to stop the backup first. So:
1. Stop the backup in RSV1 (D).
2. Remove the backup data.
3. Disassociate the VM from RSV1.
4. Associate the VM with RSV2.

Box 3: No. To access blob data in the Azure portal with Azure AD credentials, a user must have both of the following role assignments: a data access role, such as Storage Blob Data Contributor, and the Azure Resource Manager Reader role.
Ref. https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

Hierarchical namespace: the hierarchical namespace is required for Azure Data Lake Storage, as it enables the storage account to support the data lake's file system structure.
To convert to ZRS, the account kind must be Standard general-purpose v2 (StorageV2), Premium block blobs (BlockBlobStorage) or Premium file shares (FileStorage), and the conversion is only possible from LRS (…from GRS/RA-GRS, convert to LRS first).
Any data is stored in three different copies, either within a data center or across different availability zones or regions. Infrequently used data can be stored most cost-efficiently in the cool access tier.
Three types of blobs:
Block blob – most common – streaming content, images, videos
Append blob – append operations – log files
Page blob – random read/write operations – virtual machine disks

Correct answer B – No. To deploy the YAML file you need to run kubectl apply -f file.

If you want to create an Azure alert on a VM:

You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself while retaining the disk, recreate the VM in the target virtual network and then attach the original disk to it.
Note: You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.

Box 1: ASP1 and ASP3 only. ASP.NET Core apps can be hosted on both Windows and Linux. The region in which your app runs is the region of the App Service Plan it is in. ASP2 is in Central US, which is not the same location as WebApp1.
Box 2: ASP1 only. ASP.NET apps can be hosted on Windows only, and only ASP1 is in the same location as WebApp2 (West US).

The Custom Script Extension downloads and executes scripts on Azure VMs. This
extension is useful for post deployment configuration, software installation, or any
other configuration / management task. Scripts can be downloaded from Azure
storage or GitHub, or provided to the Azure portal at extension run-time.

To install kubectl locally, use the az aks install-cli command.

With no more than 20% of the scale set upgrading at any time, 2 machines out of 10 will be under maintenance and the remaining 8 VMs will be up. Virtual machine scale sets are created with five fault domains by default in Azure regions with no zones. For the regions that support zonal deployment of virtual machine scale sets, when this option is selected the default fault domain count is 1 for each of the zones. FD=1 in this case implies that the VM instances belonging to the scale set will be spread across many racks on a best-effort basis.

You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named www.contoso.com to webapp1.
What should you do first?
You can use either a CNAME record or an A record to map a custom DNS name to
App Service. You should use CNAME records for all custom DNS names except root
domains (for example, contoso.com). For root domains, use A records.
VM1 connects to VNET1.
You need to connect VM1 to VNET2.
Solution: You move VM1 to RG2, and then you add a new network interface to VM1.
Does this meet the goal?

Instead, you should delete VM1 and then recreate VM1 with a new network interface. To migrate a VM from one VNet to another, the only option is to delete the VM and redeploy it using a new NIC connected to VNET2.

Also, you can’t use Windows and Linux Apps in the same App Service Plan, because
when you create a new App Service plan you have to choose the OS type. You can't
mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs.

Box 1: 60. One alert per minute will trigger one email per minute.
Box 2: 12 or 0. If it's a typo and it means Alert1, then the answer is 12 (60/5 = 12). If it is actually Alert2, then the answer is 0. No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour (60/5 = 12).
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate limiting ensures that alerts are manageable and actionable. The rate limit thresholds are:
- SMS: no more than 1 SMS every 5 minutes.
- Voice: no more than 1 voice call every 5 minutes.
- Email: no more than 100 emails in an hour.
- Other actions are not rate limited.

Backup must be in the same subscription and region.

The following criterion is important for vault backup: the data source (VM) must be in the same region and subscription as the vault. It works with any resource group and any operating system. Accordingly, the answer is correct.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare

PORTS USED by Azure

3389 – RDP
22 – SSH
80 – HTTP
443 – HTTPS
1433 – SQL Database
389 – LDAP
88 – Kerberos
443 – TLS – Azure File Sync

Availability set:
3 fault domains max
20 update domains max

Each availability set can be configured with up to three fault domains and twenty update domains.
