Azure Storage Accounts and Management Policies

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

Which type of storage account is required to support Data Lake Storage?

Premium File Storage

Cool Blob Storage

Standard General-purpose v1

Standard general-purpose v2 (correct)

What is a key requirement when using a lifecycle management rule for blobs?

Access tracking must be enabled (correct)

Lifecycle policies must be static

Monitoring of service health must be enabled

Access tracking must be disabled

Which of the following options applies to deletion locks?

Can be applied to Resource Groups (correct)

Can be applied to Microsoft 365 groups

Cannot be applied to subscriptions

Can only be applied at the management group level

What must be included in the metadata for specifying a custom recommendation in Azure Policies?

RemediationDescription Signup and view all the answers

Which statement accurately describes the User Access Administrator role in Microsoft Entra?

Grants permissions to manage resource locks Signup and view all the answers

Which of the following attributes is NOT mandatory for license assignment in Microsoft Entra?

User type Signup and view all the answers

To enable POSIX-compliant access control, which feature must be activated on a storage account?

Hierarchical namespace Signup and view all the answers

Which role in Microsoft Entra is specifically designed to manage support tickets?

User Administrator Signup and view all the answers

What is the maximum number of instances available in a Standard App Service Plan?

10 instances Signup and view all the answers

Which command would you use to check the NBT cache on a server?

nbtstat -c Signup and view all the answers

What must be created before enabling log analytics on a load balancer?

A log analytics resource Signup and view all the answers

What is the default backup duration for Azure virtual machines?

30 days Signup and view all the answers

Which of the following statements about Azure VM management is false?

VMs can be easily moved to another VNET without deletion. Signup and view all the answers

Which feature of Azure Monitor analyzes configuration and usage metrics but does not provide time-lapsed data?

Azure Advisor Signup and view all the answers

To connect a VM from one VNET to another VNET, what is required?

Delete and recreate the VM Signup and view all the answers

Which of the following options is necessary to receive alerts via email?

Action group and alert rule Signup and view all the answers

What happens to a duplicate file on a file share and the file server in Azure File Sync?

The file on the server is renamed with the server's name appended. Signup and view all the answers

Which of the following benefits are provided by using Bastion for RDP/SSH connections?

Supports multi-factor authentication. Signup and view all the answers

What is one requirement for enabling user access to an SMB file share from on-premise servers?

Storage accounts must be joined to Azure AD Domain Services. Signup and view all the answers

What is the primary purpose of Azure Application Insights funnels?

To monitor how users are navigating through the application. Signup and view all the answers

What must be done to onboard customer tenants to Azure Lighthouse?

Publish managed services offers that include delegation definitions. Signup and view all the answers

What is required to successfully record network requests in Azure?

Enable azure network watcher flow logs Signup and view all the answers

Which Azure VM series is best suited for memory-intensive enterprise applications?

E-series Signup and view all the answers

To restrict access to an Azure Blob Storage container, what must be established?

Virtual network service endpoints Signup and view all the answers

What must be done to ensure Azure VMs achieve high availability of 99.95%?

Define an availability set alongside a scale set Signup and view all the answers

Which authentication type is NOT associated with Azure Active Directory?

Two-step verification Signup and view all the answers

What enables Azure AD Access Reviews to automate the access review process?

Collecting reviewer input and automatic actions Signup and view all the answers

What is a prerequisite for storing logs with a severity level of Warning or higher?

Enable Application Logging (Blob) and set severity to Warning Signup and view all the answers

What happens to an Azure account when the Fraud feature is enabled?

The account is blocked for 90 days unless an admin intervenes Signup and view all the answers

Which method is NOT a recognized way to migrate an on-premises identity provider to Azure AD?

Impersonation migration Signup and view all the answers

Which of the following provides the most granular and secure way to restrict network access to an Azure storage account?

Azure Service Endpoints Signup and view all the answers

Which of these Azure Backup policy components defines the duration for which backups are stored?

Retention range Signup and view all the answers

In a hub-and-spoke model, what is the primary function of the hub VNET?

To act as the central point of connectivity for shared services Signup and view all the answers

What is a requirement for setting up alert rate limiting in Azure?

Establishing a log analytics workspace Signup and view all the answers

Which type of managed identity in Azure is tied directly to the lifecycle of the resource?

System-assigned identity Signup and view all the answers

Which statement about moving storage resources is true?

Public IPs are not movable between regions Signup and view all the answers

Which method is appropriate for connecting two VNETs that are located in different subscriptions?

Virtual Network Gateway Signup and view all the answers

Study Notes

Storage Accounts

Supports Data Lake Storage through blob storage, available in standard general-purpose v2 and premium block blobs.
Immutability policy can include time-based retention or legal hold, preventing deletion of data.
Lifecycle policies apply to blobs or containers to define actions post a specific time period.
Access tracking is necessary for lifecycle management rules affecting blob movement or deletion.
Hierarchical namespace must be enabled for POSIX-compliant access control lists.
Microsoft Entra Kerberos can be utilized for identity-based access to file storage.

Deletion Locks

Applicable to Resource Groups, Subscriptions, and VMs but not to management groups.

Azure Policies

Use the RemediationDescription field for custom recommendations within policy metadata.

Microsoft Entra Roles

User Administrator: Manages users and groups plus monitors service health.
Billing Administrator: Focused on managing financial aspects.
Service Administrator: Full Azure service access but excluding user and group management.
User Access Administrator: Manages resource lock permissions.

License Assignments

License assignments depend on specifying a user’s Usage location.
Not all Microsoft 365 services are globally available.

Deployments

Utilize various templates (TemplateUri, TemplateFile, TemplateSpecId) for resource deployment within Azure.

App Service Plans

Free Plan: Limited to 0 instances and 1GB storage.
Basic Plan: Offers 10GB storage and 3 instances.
Standard Plan: Includes 50GB storage and can scale to 10 instances.
Premium Plan: Provides 250GB storage and supports up to 30 instances.

Useful Commands

netstat -an: Lists server listening ports.
Test-NetConnection: Executes ping/ICMP tests.
Get-AzVirtualNetwork: Retrieves virtual networks within a resource group.

Azure Monitoring and Metrics

Log Analytics workspace aggregates log data from Azure Monitor and services.
Activity logs are used for proactive issue detection.
Azure Advisor analyzes configurations but lacks time-lapsed data tracking.
Azure VM Insights monitor the health and performance of virtual machines.

VM Management

Backups of VMs are retained for 30 days by default.
Azure Custom Script Extension aids in post-deployment configurations.
Desired State Configuration (DSC) enables configuration as code management.
Azure VMAccess extension allows console access for maintenance tasks.

Alerts

Email alerts require both an alert rule and an action group setup.

DNS Management

Azure DNS Private Resolver proxies DNS queries between on-premises and Azure environments.
Virtual Network Links integrate virtual networks with private DNS zones.

Virtual Machine Series

A-series: Best for entry-level workloads.
D-series: Balanced for production workloads.
E-series: Optimized for memory-intensive applications.
F-series: High CPU-to-memory ratio.
M-series: Tailored for memory-hungry applications.

Network Security Groups (NSG)

Can be associated with network interfaces and subnets for traffic control.

Access Restrictions

Virtual network service endpoints are necessary to restrict access to Azure Blob Storage.

Azure Import/Export

Facilitates large data transfer to Azure Storage Accounts, only containers can be exported.

Azure Password Security

Different reset policy for administrators, not requiring security questions.
Fraud features can block accounts for 90 days if enabled.

SLA Requirements

High availability (99.95%) requires the definition of an availability set alongside a scale set.

Azure AD and Governance

Azure AD Join adds security principals to the local administrators group.
Access reviews automate the review process for user access management.

Azure File Sync

Duplicate files on the server are renamed with server identification.

Application Insights

Funnels, Load times, Retention, and User flows assess app performance and user behavior.
Availability Tests simulate user traffic to measure responsiveness from various regions.

Connectivity Options

Point-to-Site (P2S) for connections from users to a virtual network.
Site-to-Site facilitates connections across multiple networks.

Backup and Restore in App Service

Available under Standard, Premium, Isolated, and App Service Linux plans.

SMB Access

Requires Azure AD Domain Services and storage account joining for on-premises access.

Azure Bastion

Provides secure RDP/SSH access without public IP requirements and supports MFA.

Azure Lighthouse

Enables central management of Azure resources across multiple customer tenants through managed offers.

Identity Migration

Migration to Azure AD can utilize Azure AD Connect cloud sync, password hash sync, or pass-through authentication.

Web Application Firewall (WAF)

Custom WAF rules protect applications from specific web attack patterns.

Disaster Recovery

Geographic redundancy achieved through GRS, RA-GRS, and ZRS for Azure Storage enhances business continuity.

Hub and Spoke Architecture

Centralized hub VNET interconnects multiple spoke VNETs for scalable architecture.

Service Endpoints

Provides granular network access restrictions to a storage account from specific VNETs.

Managed Identities

Two types: system-assigned (resource tied) and user-assigned (independent).

Azure Backup Policy

Retention ranges for backups must be defined within the backup policy.

Azure Resource Graph

Allows querying resource data across subscriptions via KQL, REST API, PowerShell, and Azure CLI.

Azure Security

Azure Sentinel is utilized for analyzing security threats and anomalies.

Alert Rate Limiting

Different thresholds apply for various alert communication methods, ensuring controlled notifications.

Resource Movement

Storage can be moved irrespective of location, but NICs attached to VMs cannot be moved.

Virtual Networks

Virtual Network Gateways are necessary for connecting VNETs across different subscriptions.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

Test your knowledge on Azure Storage Accounts, including features like Data Lake Storage, immutability policies, and Azure policies. Explore roles such as User Administrator and Billing Administrator, as well as key concepts like deletion locks and access tracking. This quiz will help you understand essential Azure management capabilities.