Storage Accounts Overview

Questions and Answers

What is a requirement for balancing requests across VMs using a Basic Azure Load Balancer?

• The VMs must be part of different virtual networks.
• The VMs need to be part of a scale set or availability set. (correct)
• The Load Balancer must be deployed in multiple availability zones.
• The VMs should have overlapping IP addresses.

Which two parameters are required in a Shared Access Signature (SAS)?

• SignedResourceTypes and SignedStart
• SignedIp and SignedResources
• SignedStart and SignedServices
• SignedServices and SignedResourceTypes (correct)

What happens when Azure needs capacity for other workloads while using Azure Spot Instances?

• The Spot Instances continue to run without interruption.
• The Spot Instances are automatically upgraded to standard VMs.
• The Spot Instances are moved to a different region.
• Azure will stop the Spot Instances as needed. (correct)

How long can data be pinned on the Azure dashboard?

14 days (D)

Which type of DNS record maps a domain name to another domain name?

CNAME record (C)

What is necessary for the Standard Load Balancer to balance requests across VMs?

The VMs must reside in the same virtual network. (C)

Which command is used to create a new managed disk in Azure VM commands?

New-AzDisk (A)

What should be installed on the destination VM to restore a backup successfully?

Microsoft Azure Recovery Services Agent (C)

What is the maximum storage capacity of the Standard App Service Plan?

50GB (B)

Which command is used to perform a ping/ICMP test in Azure?

Test-NetConnection (B)

What is required for a storage account to support Data Lake Storage?

It must support blob storage. (A)

Which Azure service is designed to store metrics in a time-series database?

Azure Monitor (B)

What is the function of the Azure Custom Script Extension?

For post-deployment configuration and software installation (A)

Which type of access control is enabled when a hierarchical namespace is applied?

POSIX-compliant access control lists. (B)

Which role in Microsoft Entra allows the creation and management of users and groups?

User Administrator. (A)

Which statement regarding the management of virtual machines in Azure is true?

VMs must be deleted and recreated to change VNETs. (D)

What is a requirement for applying a lifecycle management rule to blobs?

Access tracking must be enabled. (A)

What is required to receive an email alert on an event in Azure?

An action group and alert rule (B)

Which feature does Azure DNS Private Resolver provide?

Connection between Azure resources and on-premises environments (D)

What is a condition for assigning licenses based on Microsoft Entra ID attributes?

The dynamic group must sync automatically to a license group. (C)

What kind of policy can be applied to prevent data modification in block blobs?

Immutability policy. (B)

What is the retention period for backups of virtual machines in Azure by default?

30 days (B)

What is the main focus of the Billing Administrator role in Microsoft Entra?

Financial aspects of the Azure account. (D)

What type of protocol is used for SMB communication in Azure?

SMB Protocol - 445 (B)

What is a careful method to ensure geographic redundancy in Azure Storage?

Utilizing GRS, RA-GRS, and ZRS (C)

Which of the following methods is NOT part of migrating an on-premises identity provider to Azure AD?

Federated authentication setup (C)

In the hub and spoke model, which function does the hub VNET primarily serve?

Providing shared services and central connectivity (A)

What type of managed identity is specifically tied to the lifecycle of the resource it is associated with?

System-assigned identity (B)

Which protocol can be used to query resource data across Azure subscriptions via the Azure Resource Graph?

KQL (A)

What is the purpose of implementing custom WAF rules?

To protect applications from common web attacks (B)

When moving resources in Azure, which resource cannot be relocated?

Public IPs across regions (A)

Which requirement must be fulfilled to prepare a subscription for alert notifications?

Create a log analytics workspace (C)

What configurations should be set to record successful and failed requests in Azure VM?

Enable Azure Network Watcher flow logs (D)

Which series of Azure VMs is specifically optimized for memory-intensive enterprise applications?

E-series (A)

What is required to restrict access to an Azure Blob Storage container based on specific IP addresses?

Establish virtual network service endpoints (A)

Which of the following authentication types is NOT supported by Azure AD?

OAuth 2.0 authentication (A)

In order to enable high availability of VMs at 99.95%, what must be defined?

An availability set with a scale set (A)

Which Azure VM series is designed with a higher CPU-to-memory ratio?

F-series (A)

What log message severity must be set to store all warnings or higher in Azure?

Warning (C)

When connecting a Windows device to Azure AD using AD Join, which principal is NOT added to the local administrators group?

Local User Administrator (A)

Flashcards are hidden until you start studying

Study Notes

Storage Accounts

• For Data Lake Storage, storage accounts must support blob storage available in standard general-purpose v2 and premium block blobs.
• Immutability policies include timed retention and legal hold policies to prevent block deletion.
• Lifecycle policies dictate the behavior of blobs or containers over time.
• Access tracking must be enabled with lifecycle management rules for automatic blob movement or deletion based on modification or access times.
• POSIX-compliant access control lists require hierarchical namespace activation.
• Microsoft Entra Kerberos can be used for identity-based access in file shares.
• Block blobs and append blobs support Immutable Storage to ensure data integrity.

Deletion Locks

• Deletion locks cannot be applied to management groups.
• They can be applied to resource groups, subscriptions, and VMs.

Azure Policies

• Custom recommendations must use the RemediationDescription field in metadata for Azure Policies.

Microsoft Entra Roles

• User Administrator role allows user and group management, support ticket handling, and monitoring service health.
• Billing Administrator focuses on financial management.
• Service Administrator has full access to Azure services.
• Cost Management Reader can view billing information and manage budgets.
• User Access Administrator grants permissions for resource locks.
• Not all Microsoft 365 services are universal; usage location must be defined for license assignment.

License Assignment

• Dynamic groups are needed for assigning licenses based on MS Entra ID attributes.
• Rules must be configured on custom attributes for dynamic groups to sync automatically.

Deployments

• TemplateUri specifies the location of the template file.
• TemplateFile indicates the local directory of the template file.
• TemplateSpecId refers to templates saved within Azure.
• Resource group specification is possible during template deployment.

App Service Plans

• Free: 0 instances, 1GB storage.
• Basic: 10GB storage, 3 instances.
• Standard: 50GB storage, 10 instances.
• Premium: 250GB storage, 30 instances.

Useful Commands

• netstat -an: Lists the ports the server is listening on.
• Test-NetConnection: Executes a ping/ICMP test.
• nbtstat -c: Checks the NBT cache.
• Get-AzVirtualNetwork: Retrieves virtual networks within a resource group.

Azure Metrics

• Log Analytics workspace is essential for log data from Azure Monitor.
• Azure Monitor uses a time-series database optimized for time-stamped data analysis.
• Activity logs can help preemptively detect and address issues.
• Azure Advisor analyzes configuration and usage metrics without time-lapsed data.
• Azure Cost focuses on spending optimization.
• Azure VM Insights monitors VM health and performance.
• Log analytics requires creating a log analytics resource and enabling diagnostics on load balancers.

Virtual Machines (VM) General Info

• VM backups are maintained for 30 days by default.
• Azure Custom Script Extension facilitates post-deployment configurations.
• Desired State Configuration (DSC) allows management via configuration as code.
• Azure VMAccess extension enables console access for Linux management.
• VMs cannot be moved to another VNET; deletion and recreation are necessary for a new VNET target.
• Creation of VMs in availability zones requires configuring availability options.

Alerts

• Email notifications for events require an alert rule and action group setup.

DNS Resolvers

• Virtual network links integrate with private DNS zones.
• Azure DNS Private Resolver facilitates DNS query proxying between on-premises and Azure.
• Custom DNS servers can be deployed as VMs or appliances but do not work with private DNS zones.

Domain Name Records

• A record connects a domain name to an IP address.
• CNAME record links one domain name to another.
• NS record assigns delegation for subdomains.

Azure Dashboard

• Data can be pinned for a 14-day limit.

Network Peering

• IP addresses must not overlap; location is irrelevant.

Azure Load Balancers

• Basic Load Balancer operates within a single availability zone and supports only Basic SKU public IP.
• Standard Load Balancer is zone-redundant with a higher cost.
• Session persistence must be set to ClientIP and Protocol for consistent server connections.
• VMs using Basic Load Balancer must be part of a scale or availability set.
• Standard Load Balancer requires VMs to belong to the same virtual network.

Tokens

• SAS (Shared Access Signature) requires SignedServices for specifying accessible resources and SignedResourceTypes for service types.
• SAS optional parameters include SignedStart for validity start and SignedIp for IP range restrictions.

Azure Instances

• Azure Spot Instances offer reduced-cost VM provisioning but are susceptible to interruption for higher priority workloads.
• VMs must attach network interfaces within subnets for communication.

Backups

• To restore VM backups, Microsoft Azure Recovery Services Agent must be installed on the destination VM.

Azure VM Series

• A-series: Best for entry-level workloads.
• D-series: Balances vCPUs, memory, and storage for typical production workloads.
• E-series: Optimized for memory-heavy applications.
• F-series: High CPU-to-memory ratio.
• M-series: Ideal for memory-intensive applications.

NSGs (Network Security Groups)

• NSGs can be associated with network interfaces and subnets.

Access Restrictions

• Virtual network service endpoints restrict Azure Blob Storage access to specific networks or IPs.

Diagnostics

• Application Logging (Blob) must be enabled to store warning-level logs for over a week.

Azure Import/Export

• Large data transfers to Azure Storage require Blob Storage or File Storage.
• Only containers, such as blobs, can be exported.

Azure Password Security

• Administrators have a different password reset policy without security question prompts.
• Fraud features block accounts for 90 days unless unblocked by an admin.

Service Level Agreements (SLA)

• Achieving 99.95% availability for VMs requires defining an availability set with a scale set.

Azure AD

• Windows devices joined to Azure AD add specific security principals to local admin groups.
• Authentication types include federated, pass-through, and password hash synchronization.
• Azure AD Access Reviews automate the review process, including reminders and revoking access.

Migration to Azure AD

• Migration methods include Azure AD Connect cloud sync, password hash synchronization, and staged migration processes.

Web Application Firewall (WAF)

• Custom WAF rules can protect applications from common web attacks by blocking specific patterns or keywords.

Disaster Recovery

• GRS, RA-GRS, and ZRS for Azure Storage ensure geographic redundancy and availability for enhanced disaster recovery.

Hub and Spoke Model

• Provides scalable architecture where the hub VNET houses shared services, and spoke VNETs contain specific applications.

Azure Service Endpoints

• Allow precise network access restrictions to storage accounts for heightened security.

Managed Identities

• Authenticate access to other Azure services using system-assigned or user-assigned identities.

Azure Backup Policy

• Retention ranges must be defined within the backup policy to ensure backups are maintained.

Azure Resource Graph

• Facilitates resource data queries using KQL, REST API, PowerShell, and Azure CLI.

Azure Security

• Azure Sentinel is used for the analysis of security threats and anomalies.

Alerts Management

• Rate limiting applies to alerts: SMS (1 every 5 min), Voice (1 every 5 min), Email (up to 100 in an hour).
• Create a log analytics workspace to prepare subscriptions for alerts.

Moving Resources

• Storage can be relocated across locations, but NICs attached to VMs cannot be moved.
• Public IPs are region-specific and thus non-transferable.

Virtual Networks

• A Virtual Network Gateway is required for connecting two VNETs across different subscriptions.
• Secure private connections from on-premises networks to Azure VNET utilize ExpressRoute.