AZ-204 Notes.pdf
Redeploy a VM
- From the Redeploy blade, click Redeploy.
- Moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your configuration options and associated resources.

Key Vault protection flags
- EnablePurgeProtection - prevents the key vault from being permanently deleted before the soft-delete retention period has elapsed.
- EnableSoftDelete - allows a deleted vault and its contents to be retained and recoverable for the specified number of days.
- CLI: az keyvault update --enable-soft-delete true --enable-purge-protection true

Key Vault secret for a password
- Key Vault - create a secret containing our Password.
- Access Policy - allow access to the previously created secret.

Conditional access policy
- Must be applied or assigned to Users and Groups.
- Must be applied when users access the Azure portal, which is a cloud app.
- Access control must require multi-factor authentication when granting access.

kubectl apply -f myapp.yaml - applies a configuration change to a resource from a file or stdin.

WebJobs SDK - design a triggered App Service background task.

Active Directory integrated authentication
- Azure AD can be the initial Azure AD managed domain. Azure AD can also be an on-premises Active Directory Domain Services that is federated with Azure.

Availability sets
- platformFaultDomainCount – up to 3, max value
- platformUpdateDomainCount – up to 20 update domains

Consumption plan - compute cost is reduced.

SendGrid binding - ensure that an email notification is sent when information is received from IoT devices.

Mongorestore - migrate MongoDB to the Azure Cosmos DB account.

Soft Delete
- Resources marked as deleted are retained for a specified period (90 days by default).
- The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.

Managed Service Identity (MSI)
- A managed identity from Azure Active Directory allows your app to easily access other AAD-protected resources.
- Gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code.

Purge Protection
- Is an optional Key Vault behavior and is not enabled by default.
- Can only be enabled once soft delete is enabled.
- When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed.

For Native Applications you need to provide a Redirect URI, which Azure AD will use to return token responses.

Metric alert on CPU
- az monitor metrics alert create -n myAlert -g myResourceGroup --scopes targetResourceID --condition "avg Percentage CPU > 85" --window-size 5m
- Whenever the Web App uses more than 85 percent of the available CPU cores over a 5-minute period. Your solution must minimize costs.

Configure the Filter property of the SearchParameters class - gets or sets the OData $filter expression to apply to the search query.

Configure the QueryType property of the SearchParameters class
- Gets or sets a value that specifies the syntax of the search query. The default is 'simple'. Use 'full' if your query uses the Lucene query syntax.
- Write queries against Azure Search for specialized query forms: wildcard, fuzzy search, proximity search, regular expressions are a few examples.

Azure Content Delivery Network (CDN)
- Web app that delivers streaming video to users. The application makes use of continuous integration and deployment. The application is highly available, and the users' streaming experience is constant.
- Store data in a geographic location that is nearest to the user.

Logic App Code View - update the definitions for an existing Logic App in JSON format.
Logic Apps Designer - edit the workflows for an existing Logic App.

Authenticate with Basic or Client + HTTP(s) for API Management.

Configure the web app to the Standard App Service Tier
- Supports auto-scaling, and we should minimize the cost. We can then enable autoscaling on the web app, add a scale rule and add a scale condition.

Implementing Azure Search using .NET SDK to import relevant data
1. Create a SearchIndexClient object to connect to the search index
2. Create an IndexBatch that contains the documents which must be added
3. Call the Documents.Index method of SearchIndexClient and pass the IndexBatch

Metric signal type
- Provides a way to get notified when one of your metrics crosses a threshold.
- Works on a range of multi-dimensional platform metrics, custom metrics, Application Insights standard and custom metrics.

Create separate Azure Event Grid topics and subscriptions for sign-in and sign-out events - to meet the requirement of processing sign-out events as fast as possible.

Configure function and host file and deploy application as an Azure Function.

High performance workloads + zone redundancy (if datacenter goes down, NOT region outage)
- Disk Type: Premium SSD
- Redundancy: Zone-redundant storage (ZRS)

Azure Static Web app - ensure user can view after Azure AD authentication.

Azure Container Instances
- Shared Lifecycle: Container Group - only logical answer that can have shared lifecycle
- Storage Volume: Empty Directory - can persist through crash and redeploy on stop and restart

Store the templates in Azure for later deployment
- Enable versioning of the templates.
- Manage access to the templates by using Azure RBAC.
- Ensure that users have read-only access to the templates.
- Allow users to deploy the templates.

App service plan for isolated network, and deployment slots must be tested prior to production
- Number of VM instances: 4 - you are not charged extra for deployment slots.
- Pricing tier: Isolated - is a powerful feature offering of the Azure App Service that gives network isolation and improved scale capabilities.

Configure Kubernetes Custom Resource Definitions (CRD)
- Azure Function code: Deployment
- Polling interval: ScaledObject
- Azure Storage connection string: Secret

Report news events from a browser using Azure Web PubSub.

CLI script that creates an Azure web app and related services in Azure App Service and automatically deploys code from GitHub.

Client certificates in App Service
- The client cert will be available in your app through a base64 encoded value in the "X-ARR-ClientCert" request header.
- Client certificate location – HTTP request header
- Encoding type – Base64

Create a Web App for Containers
1. az group create
2. az appservice plan create
3. az webapp create

Provision an App Service Web App to host this docker image and map the custom domain to the App Service web app
1. #!/bin/bash
2. az webapp create
3. az webapp config container set
4. az webapp config hostname add

Azure Function photo processing
1. NOT Azure Blob storage events or change feed
2. Move photo processing to an Azure Function triggered from the blob upload.

Serverless application: avoid cold starts, and authentication to Azure Key Vault
1. Create Function app with Premium plan type
2. Create a system-assigned managed identity for the application
3. Create an access policy in Azure Key Vault for the application identity

You enable auto swap on the Production deployment slot. You need to ensure that scripts run and resources are available before a swap operation occurs.
- Update the web.config file to include the applicationInitialization configuration element. Specify custom initialization actions to run the scripts.
- Update the app with a method named statuscheck to run the scripts. Update the app settings for the app. Set the WEBSITE_SWAP_WARMUP_PING_PATH and WEBSITE_SWAP_WARMUP_PING_STATUSES with a path to the new method and appropriate response codes.

Ensure that the website remains available and responsive while minimizing cost
- Deploy the website to an App Service that uses the Standard service tier.
- Configure the App Service plan to automatically scale when the CPU load is high.

Deploy web app from GitHub - initial code to deployment slot named staging.

TLS mutual authentication - webapp validates client certificate.

Create Docker image document.

App service plan – Always On enabled.

Azure Resource Manager template for VMSS
1. copyIndex
2. copy
3. dependsOn

Tip Application (Cosmos DB consistency levels)
1. Return the most recent patient status – Strong
2. Return health monitoring data that is no less than one version behind – Bounded Staleness
3. After the patient is discharged and all charges are assessed, retrieve the correct billing data with the final charges – Eventual

Longer processing Azure Function
1. Durable Function async pattern
2. Can also pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a queue trigger function and return an immediate HTTP success response

Change feed support in Azure Blob Storage
- The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account.

Generalize the VM – Azure PowerShell
Store images – Azure Blob Storage

Deploy static content website from GitHub to Azure Web App
1. Add a PreBuild target in the website's csproj project file that runs the static content generation script.
2. Create a file named .deployment in the root of the repository that calls a script which generates the static content and deploys the website.

Configure app settings to store diagnostic data that persists across application restarts
1. WEBSITES_ENABLE_APP_SERVICE_STORAGE - true
2. DIAGDATA - /home

Azure Application Gateway for the web app
1. In the Azure Application Gateway's HTTP setting, enable the "Use for App service" setting.
2. In the Azure Application Gateway's HTTP setting, set the value of the "Override backend path" option to contoso22.azurewebsites.net.

Create copy of Azure blob storage account in another region
1. Export a Resource Manager template
2. Create a new template deployment
3. Modify the template by changing the storage account name and region
4. Deploy the template to create a new storage account in the target region
5. Use AzCopy to copy the data to the new storage account

OpenTelemetry compliant
- On the current SpanContext, set the TraceId to the customer ID for the signed-in user.

Azure Function app with a code language that is not supported
- Publish: Code
- Runtime stack: Custom Handler
- Version: custom

Virtual machine application with firewall and supporting services installed automatically
1. Firewall configuration – Run Command
2. Supporting services script – Custom Script Extension

Enable managed identity for VM
- Update-AzVM -ResourceGroupName "ContosoRG" -VM $vm -IdentityId: $SystemAssigned

Fix VM that didn't start / stuck in Windows update.

Azure Function App
1. Enable developers to write functions by using Rust language - Custom handler
2. Declaratively connect to an Azure Blob storage account – Extension bundle

Implement Azure Durable Function and monitoring console application
1. [DurableClient] IDurableEntityClient
2. SignalEntityAsync

Azure Function with minimized latency voting system
1. await context.CallEntityAsync(input[errindex], "error")
2. Failed
3. Input

Azure Function with queue trigger at minimized cost
- Azure App Service – Managed identity feature
- Azure App Service – Basic pricing tier

Azure Durable Function option
- Call external API. Example: online ordering process
  1. Orchestrator
  2. Entity
- Multiple actions run in specified order. Example: loan process
  - Orchestrator

Custom domain in Azure Container Apps
1. Enable ingress
2. Add the custom domain name
3. Validate the custom domain name
4. Bind the certificate
5. Add DNS records to the domain provider

Azure Resource Manager template
1. Determine whether the templates follow recommended practices – Azure Resource Manager test toolkit
2. Test and validate changes that templates will make to the environment – What-if operation

Several microservices to run on Azure Container Apps and external HTTP ingress traffic has been enabled for the microservices
- Use a single environment for all containers.

Azure Function app that runs until successful run / 10 attempts. Ensure delay between runs of 20 secs – 15 mins
1. retry
2. exponentialBackoff
3. maxRetryCount

Single URL for test (Requirement – Feature)
- Revision labels - are most useful when the app is in multiple revision mode.
- Revision mode - controls whether only a single revision or multiple revisions of your container app can be simultaneously active.

Web App Autoscaling
A. Recurrence profile - is a type of autoscaling configuration that allows you to schedule scaling actions based on a recurring time schedule.
B. Fixed date profile - would be another way of achieving the same goal.

Developers receive authentication errors to Service Bus when they debug locally.

App hosting plan and the maximum amount of time that the app function can take to respond to incoming requests
- Hosting plan: Premium
- Timeout value: 230 secs

Code change validation
- App service plan: Standard
- Code change: Deployment slot validation feature

Python app image rendering. Deploy to Linux container and stop when image rendering is complete
- Compute target: Azure Container Instances
- Container termination: Restart policy

Blob leases
- AcquireLeaseAsync - If null, an infinite lease will be acquired. If not null, this must be 15 to 60 seconds.
- GetBlockBlobReference - gets a reference to a block blob in this container.
- BreakLeaseAsync - initiates an asynchronous operation that breaks the current lease on this container.

Include custom claims in the user access token
- Add the roles to the appRoles attribute in the app manifest.

Archive access tier – between one to 15 hours of data retrieval.

Enable revision mode – updates to the microservice must not cause downtime.
az containerapp ingress – Azure Container Apps ensure traffic is routed to each revision.

High availability storage (Cosmos DB)
1. Bounded staleness - the reads are guaranteed to honor the consistent-prefix
2. --enable-automatic-failover true - whenever there is a regional disaster, Cosmos DB will automatically fail over your account.
3. --locations 'southcentralus=0 eastus=1 westus=2' - need multi-region

Unable to access container app and scaled to 0 instances
1. Enable ingress, create a custom scale rule, and apply the rule to the container app.
2. Enable ingress and configure the minimum replicas to 1 for the container app.

Deploying python website to container of the same version using admin as username and password
1. --sku B1 --is-linux --deployment-container-image-name
2. images.azurecr.io/website:v1.0.0
3. container set --docker-registry-server-url https://images.azurecr.io -u admin -p admin

Case study
1. Internal staff report webpage load sizes are large and take a long time to load.

Add a new rule that will continuously scale down the App Service as long as the scale up condition is not met
1. Service bus queue - Azure App Service that scales based on the number of messages contained
2. ActiveMessageCount - messages in the queue or subscription that are in the active state and ready for delivery
3. Average
5. Decrease count by

AzCopy - synchronously copy blobs, directories, and containers between storage accounts.

Code to retrieve an access token to access Azure Storage
- url: http://169.254.169.254/metadata/identity/oauth2/token
- return: JsonConvert.DeserializeObject(payload);
- import json; return json.loads(response.read())

Update metadata blobs
1. FetchAttributesAsync
2. Metadata.Add
3. SetMetadataAsync

compositeIndexes - can order by multiple properties in Cosmos DB.

AKS tooling
1. Helm – deploy solution
2. kubectl - view cluster and external IP addressing
3. Ingress Controller – implement a single, public IP endpoint that is routed to multiple microservices

Azure Event Grid - is not well suited for receiving data from thousands of devices and storing them in Azure Blob storage.

QueueClient - receive a message when an Azure virtual machine finishes processing, ensuring messages do not persist after being handled.

Service Bus filters
- Correlation filters are suitable for routing based on specific message properties.
- SQL filters - offer more advanced filtering capabilities, making them ideal for scenarios requiring complex conditions or multiple criteria.

Maintaining GPv1 Premium storage account (data newer than three months must be available immediately and data older than a year must be saved but does not need to be available immediately)
1. Upgrade the Storage account to GPv2
2. Create a new GPv2 standard account with default access level to cool
3. Copy archive data to the GPv2 and delete the data from the original storage account.

Process of how the CDN and the Point of Presence (POP) server will distribute the image
1. A user requests the image
2. If no edge servers in the POP have the file in their cache, the POP requests the file from the origin server
3. The origin server returns the logo image
4. Subsequent requests for the file may be directed to the same POP using the CDN logo image URL.

Connect to a NoSQL globally-distributed database by using the .NET API
- new CosmosClient(EndpointUri, PrimaryKey)

Partition key to scale Azure Cosmos DB workload evenly
1. a concatenation of multiple property values with a random suffix appended
2. a hash suffix appended to a property value

daysAfterLastAccessTimeGreaterThan – accessed

Azure Cosmos DB indexing
1. Consistent - index is updated synchronously as you create, update or delete items
2. None – disabled

Change feed processor components
- Monitored container – store the data from which the change feed is generated
- Lease container – coordinate processing of change feed across multiple workers
- Host – use the change feed processor to listen for changes
- Delegate – handle each batch of changes

Support multi-region writes in Cosmos DB
1. PreferredLocations property
2. UseWriteMultipleLocations

Azure Blob index tags – search and filter by customer identifier.
Azure Cognitive Search – search information inside documents.

Data storage that retains copies of data for 5 years, minimize costs associated with storing data that is over one year old, implement Zone Redundant Storage
1. Implement StorageV2 (general purpose v2)
2. Set a lifecycle management policy to move blobs to the cool tier

HTTP header value – ETag - server returns this tag for a resource to ensure we operate on the same version of the resource in subsequent API calls.
Conditional header - If-Match - update is processed by the server only if the ETag provided matches the latest resource version.
TableOperation.insertOrReplace – update old ETag records.

Delete all snapshots of the blob storage account
1. DeleteSnapshotsOption
2. OnlySnapshots

When moving an Azure storage account to a new region – first export the Azure Storage account Azure Resource Manager template.

Partition key – must be unique.

Cosmos DB API Core (SQL) - stores data in document format.

Process each change made to the storage account
1. GetChanges(x).AsPages()
2. ContinuationToken

Change feed estimator - monitor the progress of the change feed processor.

DateTimeBin(c.whenFinished, 'day', 2)

Dead-letter queue - prevent the change feed processor from retrying the entire batch when one document cannot be read.

Time-based retention policy - stores blob data in a Write-Once, Read-Many (WORM) format for a specified interval.
Version level immutability – required before time-based retention policy.

Move to cool tier property: daysAfterModificationGreaterThan – modified

Kubernetes cluster with large amount of data collected and latency must be minimized (YAML config)
- kind: StorageClass
- provisioner: azure-disk
- parameters: retain

Application requires the ability to update multiple documents for a username in a single ACID operation
1. Create an unsharded collection to store documents - ensure that all documents are stored in the same logical partition
2. MongoDB API - supports multi-document ACID transactions, which allow you to update multiple documents in a single atomic operation.

Delivery service telemetry data
- API: Core (SQL)
- Partition Key: Vehicle license plate

To configure web app authentication and authorization, add the identity provider first.

Create cosmos client first
- client = CosmosClient(endpoint, key)

Azure Cosmos DB change feed
- App1 pull model – Continuation token
- App2 push model – Lease container

Azure Cosmos DB Consistency Level
- Consistent prefix – per request basis
- Strong – multiple functions, multiple Azure regions, return most recent version of an item

Azure BlobFuse - mount an Azure Blob Storage container as a local file system on your Linux system, allowing your console application to access and upload images without modification.

Get URL of blob storage
- .blob.core.windows.net/?where=Status='Final'

Azure Container Instance that accesses data by using Server Message Block (SMB) protocol
- External data value: Azure File Share
- Container restart policy: Never

Microservice storage
1. Container file system - persist data and the storage must be restricted to the amount of disk space available in the container
2. Ephemeral volume - persist data for the lifetime of the replica and allow multiple containers in the replica to mount the same storage location.
3. Azure Files storage - persist data beyond the lifetime of the replica while allowing multiple containers to access the storage and enable per object permissions.

Implement static website on Azure Blob Storage
- Azure Content Delivery Network (CDN) - for custom domain name, header values, SSL certificate

Azure Function app uses WebHook to read an image from Azure Blob Storage and create a new Azure Cosmos DB document
- Trigger: HTTP
- Input binding: Blob Storage
- Output binding: Azure Cosmos DB

Loading application secrets with Azure web app and multiple Azure functions
- Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed Identity.

Azure Cosmos DB item limit is 2MB.

Cosmos DB Operator - lets you provision Azure Cosmos accounts, databases, and containers, but can't access the keys that are required to access the data.

Configure authorization in Azure Web App
- In the Azure AD application's manifest, set the value of the groupMembershipClaims option to All.

If the stored intake forms are downloaded from storage by a third party, the contents of the forms must not be compromised
1. Create an Azure Key Vault key named skey.
2. Encrypt the intake forms using the public key portion of skey.
3. Store the encrypted data in Azure Blob storage.

Azure API Management implements HSTS and every request must include a valid HTTP header
1. Basic Authentication
2. Certificate Authentication - callers to the API must not send credentials to the API

Azure Disk Encryption CLI
1. az keyvault create
2. az keyvault key create
3. az vm create
4. az vm encryption enable
5. --volume-type all

Configure Azure AD Application so that user's permissions can be used with the Azure Blob containers (API – Permission – Type)
- Azure Storage – user_impersonation – Delegated
- Microsoft Graph – User.Read – Delegated

Azure with two subscriptions. Retrieve storage account key from Azure Key Vault
1. Get-AzSubscription
2. Set-AzContext -SubscriptionId
3. Get-AzStorageAccountKey
4. $secretvalue = ConvertTo-SecureString
5. Get-AzKeyVaultSecret

Validate users, permit users and update webapp to use feature without requiring a restart of the app
1. App.UseAuthentication – Need to validate users before users are allowed access to secure resources
2. App.UseAuthorization – Need to permit users to access secure resources.
3. App.UseAzureAppConfiguration - ensure the configuration settings are refreshed without the need to restart the web app

Grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager and obtain an Azure Resource Manager access token.
- Run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.

Azure API Management response caching (Policy – Policy Section)
- Set-variable – Inbound
- Cache-lookup-value – Inbound
- Cache-store-value – Inbound
- Find-and-replace – Outbound

Implement an Azure CDN rule that ensures that iPhone users are redirected to the app store
1. Odata.type: DeliveryRuleIsDeviceConditionParameters
2. matchValues: Mobile
3. Odata.type: DeliveryRuleRequestHeaderConditionParameters
4. Selector: HTTP_User_Agent
5. matchValues: iPhone

Code to access Key Vault
- SecretClient
- DefaultAzureCredential

API must retrieve and update user profile information stored in Azure Active Directory (Azure AD)
1. Microsoft Graph API
2. Microsoft Authentication Library (MSAL)

Application manifest authentication
- groupMembershipClaims – personalization of the website must be based on membership in Active Directory groups
- oauth2AllowImplicitFlow - Azure AD users must be able to log in to the website.

Revoke SAS
1. Revoke the delegation key
2. Remove the role assignment for the security principal

Key Transfer
1. Generate Key Exchange Key (KEK)
2. Retrieve the public key of the KEK
3. Generate a key transfer blob file by using the HSM vendor-provided tool
4. Run the az keyvault key import command

Copy specific blobs from Container1 to Container2 when a new video is uploaded
- Create an Event Grid topic that uses the Start-AzureStorageBlobCopy cmdlet

Secure Logic App
- Create a user-assigned managed identity and assign role-based access controls

Cache purge
1. Single Path – purge individual assets
2. Wildcard – purge all folders, subfolders, and files
3. Root domain – purge the root of the endpoint

Azure Cosmos DB change feed models
1. Push Model – Azure Functions automatically parallelizes change processing
2. Pull Model – use FeedRange for parallelization

validate-jwt - policy to validate the OAuth token for every incoming request.

Minimum throughput for container = Max * .1

In-partition query
- Querying device example: SELECT * FROM c WHERE c.DeviceId = 'XMS-0001'

MFA implementation web app
1. Azure AD Premium
2. In Azure AD, create a new conditional access policy

ConfidentialClientApplicationBuilder - code to instantiate the confidential client application with a client secret.

SAS Types
- Account-level – Delegate access to resources in one or more of the storage services
- Service-level – Delegate access to a resource in a single storage service
- User-delegation – Secure a resource by using Azure AD integration

Third-party access (container registry)
1. Registry authentication method
   a. Service Principal - can perform unattended, or "headless," authentication
   b. System-assigned Managed Identity - managed by Microsoft Entra ID and removed when the registry is deleted.
2. RBAC role
   a. AcrPush – provides push/pull permissions
   b. AcrPull – least privilege, only pull

ASP.NET Core app feature flags configuration (Code – Value)
- Controller attribute – FeatureGate
- Startup code method – AddAzureAppConfiguration
- AppConfig endpoint setting – http://appfeatureflagstore.azconfig.io

Validating an Azure AD request in the app
- ID token signature - ensure the authenticity of the token

Grant temporary access and set expiration time for blob storage
- Generate a shared access signature (SAS) for the Azure Blob storage account and provide the SAS to all developers

Authenticate and access Microsoft Graph in app manifest
- Oauth2AllowImplicitFlow: true
- requiredResourceAccess
- signInAudience: AzureADMultipleOrgs

Register the application with an active Azure Active Directory (Azure AD) tenant
1. Select the Azure AD instance
2. In App Registrations, select New registration
3. Create a new application and provide name, account type and redirect URI

Stored access policies - give you the option to revoke permissions without having to regenerate the storage account keys.

Secure the application access to Azure Blob storage
- Application (Client) - Shared access signature (SAS) token
- Azure Storage (Server) - Stored access policies

Token types
1. ID – identify users for the application by using a JWT token that contains the claim
2. Access – identify the permissions granted by APIs by using a JWT token that contains claims
3. Refresh – provide the web app with long-term access to resources on behalf of users without requiring interaction with those users
4. SAML – provide XML representations of claims that can be consumed by applications that use WS-Federation

Retrieve a claim to uniquely identify a user
- oid (object identifier)

Access token in Azure Function App configuration
- @Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/token/)

Implement single sign-on (SSO) for all applications that use custom in-house identity providers
- Use Azure Active Directory B2C (Azure AD B2C) with custom policies

Configure the routing for the web app (specific path first)
1. /manuals/new.html – contributors
2. /manuals* - authenticated

Scope - parameter used to specify the permissions that the web application is requesting to access the user's resources, such as the calendar and the ability to send an email as the user.

Pass secret value to container
1. Create an environment variable. Set the secureValue property to the secret value.
2. Mount a secret volume containing the secret value in a secrets file.

Microsoft Graph data connect - ensure that administrators have full control and consent over the data.

Microsoft Graph – API to access user properties.
Microsoft Authentication Library (MSAL) – code library to interface to Azure AD B2C.

Load configuration data from Azure App Configuration
1. AddAzureAppConfiguration
2. ManagedIdentityCredential

Managed identity App1
- Grant App1 access to Vault1 and automatically rotate credentials without storing them in code.

Blob encryption
1. CustomerProvidedKey(key)
2. x.Encryption == verify
3. CustomerProvidedKey

Encrypt sensitive data
- Create a customer-managed key (CMK) and store the key in a new Azure Key Vault instance.

Authentication Token Claims

Microsoft Graph query that shows all Azure AD groups that are not of the type 'Unified'
- ?filter=groupTypes/any(s:s ne 'Unified')&$count=true

Security requirements with TLS/HTTPS, restrict web content by region, least privilege
- Create an Azure Application Gateway with a Web Application Firewall (WAF). Configure end-to-end TLS encryption and the WAF.

Load configuration data from Azure App Configuration (Python)
- azure.identity and credential – DefaultAzureCredential
- azure.appconfiguration and client – AddAzureAppConfiguration

Microsoft Graph
1. Endpoint - /v1.0/me
2. Permission – User.Read

Site configuration
1. Create a managed identity.
2. Create an Azure App Configuration store.
3. Update the role assignments for the Azure App Configuration store.

Configure key rotation and enable key expiry notifications
1. Create and configure a new Azure Event Grid instance.
2. Create and configure a key rotation policy during key creation.

Request token properties
1. Redirect URI
2. Application ID
3. Application Secret

Azure Policy - enforce a specific cryptographic algorithm and key size for keys stored in the vault.

Script to rotate keys to the customer
1. az keyvault key
2. --encryption-key-source Microsoft.Keyvault

Ensure webapp CPU < 85 and minimized cost
1. Configure the web app to the Standard App Service Tier
2. Enable autoscaling
3. Add a scale rule
4. Configure a scale condition

Protect API (hide info, obscure tech stack)
- Configure and apply a new outbound policy scoped to the operation.

Azure Cache for Redis
- Share session state across all ASP.NET web applications
- Support controlled, concurrent access to the same session state data for multiple readers and a single writer
- Save full HTTP responses for concurrent requests.

Azure Blob Storage access - system-assigned managed identity.
CORS: disable – disallow access from other domains.

Microsoft Entra admin center to support authentication
1. Create a user flow.
2. Add the app to the user flow.
3. Register the app in Microsoft Entra ID.

Invalidate cache when team data changed
1. IDatabase cache = connection.GetDatabase();
2. cache.KeyDelete("teams")

Service Bus hazard message properties
1. Assign the value of the hazard message MessageId property to the CorrelationId property.
2. Assign the value of the hazard message SessionId property to the ReplyToSessionId property.

IoT devices Logic app
1. Create a blank Logic app.
2. Add a Logic app trigger that fires when one or more messages arrive in the queue.
3. Add an action that reads IoT temperature data from the Service Bus queue.
4. Add a condition that compares the temperature against the upper and lower thresholds.
5. Add an action that sends an email to specified personnel if the temperature is outside of those thresholds.

System.InvalidOperationException with the following message: `Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool.`
- Fix: in the host.json file, decrease the value of the batchSize option.

Azure Monitor query to determine on which virtual machines (VMs) the errors are occurring
- ago(1d)
- distinct ContainerID
- where ContainerID in (ContainerIDs)
- summarize count() by Computer

Azure Application Insights Usage Analysis features
1. Funnels - which pages visited by users most often correlate to a product purchase
2. Impact – how does load time of the product display page affect a user's decision to purchase a product
3. Retention – which events most influence a user's decision to continue to use the application
4. User Flows – are there places in the application where users often perform repetitive actions

Access the console logs generated from inside the container
- az webapp log config
- --docker-container-logging
- az webapp log tail

Three types of availability tests
1. URL ping test
2. Multi-step web test
3. Custom track availability tests

Access the news API by using an Azure API Management service instance
- Import-AzureRmApiManagementApi -Context $ApiMgmtContext -SpecificationFormat "Swagger" -SpecificationPath $SwaggerPath -Path $Path

API Management policies for caching private data
1. Caching-type – external
2. Downstream-caching-type – private
3. Authorization

URL Ping Test - Every five minutes, ensure websites are responsive and load within a specified time, including dependent requests, generate alerts, and attempt to reload the site three times if it fails to load.

Azure Service Bus reply trail auditing solution
3. Channel – send messages through a high-performance publisher/subscriber mechanism

Monitor the availability and responsiveness of the Azure Function App
- Create a timer triggered function that calls TrackAvailability() and sends the results to Application Insights.

Telemetry property for dependency tracking of calls to the third-party database.

Retrieve user profile information by using a
1.
Telemetry.ID Microsoft Graph API call 2. Telemetry.Context.Operation.Id 1. Register the application with the Azure Front Door Service Microsoft identity platform 1. Support MIME type 2. Build a client by using the client app 2. Edge nodes must not purge cache ID assets 3. Create an authentication provider 3. Compression type is supported 4. Create a new instance of the GraphServiceClient Azure CDN caching rules 5. Invoke the request to the Microsoft http://www.contoso.com/ Graph API content.mp4?quality=1 withing 1 hour Azure Monitor logs and collect diagnostics Settings Action data for the Azure Logic App Caching behavior Override Cache expiration 1 Hour 1. Create a Log Analytics workspace duration 2. Install the Logic Apps Management Query string Cache every unique solution caching behavior URL 3. Add a diagnostic setting to the Azure Logic App Azure Monitor alert to detect server errors Azure Monitor to collect logs from the unrelated to the third-party service application 1. criterionType – 1. Create a Log Analytics workspace. DynamicThresholdCriterion 2. Add a VMInsights solution 2. metricName – Http5xx 3. Install agents on the VM and VM scale 3. alertSensitivity – Low set to be monitored 4. Create an Application Insights Azure Cache for Redis to optimize resource performance for the predicted usage pattern Azure Monitor logs and metrics – analyze app 1. allkeys-lru uptime and downtime 2. volatile-lru Azure Cache for Redis features Configure the web apps for Application Insights 1. Set - create a data structure for storing collection of related items 1. Create an Application Insights 2. List – create a data structure for the resource mostly recently accessed cache 2. Copy the connection string items 3. Configure the Application Insights 1. Sampling – reduce volume of SDK in the application telemetry without affecting statistics 2. 
Telemetry initializer – enrich telemetry AppServiceEnvironmentPlatformLogs with additional properties or override - handles the App Service Environment: existing ones scaling, configuration changes, and 3. Telementry processor – completely status logs. replace or discard telemetry item Application Insights tools Azure Cache for Redis command to receive seismic data 1. Live Metrics Stream - that validates the performance and failure counts of - XREAD BLOCK 0 STREAMS the web app in near real time seismicData $ 2. Smart detection - automatically Implement Dynamic configuration to warns you of potential performance application problems and failure anomalies in your web application. 1. Create and register a sentinel key in 3. Snapshot debugger – automatically the App Configuration store. Set the collect the state of the source code refreshAll parameter of the Register and variables when an exception is method to true. thrown from the web app 2. Register all keys in the App 4. Profiler – capture performance traces Configuration store. Set the refreshAll of the web app without negatively parameter of the Register method to affecting users of the web app false Azure Redis cache instance in case of an Log information on all client connections to Azure data center outage, metadata loss the Redis cache. must be kept to a minimum. 1. Store log information - Log Analytics 1. Configure Azure Redis with AOF workspace persistence. 2. Enable client connection logging – 2. Configure second storage account for Diagnostic setting persistence. Capture the telemetry and minimize cost and On-call developer is not paged during offline impact to users processing on-call developer is not paged 1. Enable Application Insights site during offline processing extensions - Add Azure Monitor alert processing 2. Enable the Always On setting for the rules to suppress notifications. app service – prevent cold start 3. 
Enable Snapshot debugger - LRU - should prioritize players based on how complete call stack and local recently they have moved variables for an exception that Volatile - should not prioritize the players who occurred in the web app logged out of game WebHook-Request-Origin Application Insights SDK features - Protects Azure Function against Developers receive authentication errors to misconfiguration and unauthorized Service Bus when they debug locally invocations 1. Azure role-based control (RBAC) role – Connect to Azure Redis Cache properties Contributor 2. Service Bus Scope – Queue 1. Access Key 2. SSL Port Azure Service Bus - which is used order 3. Host Name processing and financial transaction Monitor and diagnose the Azure Container Managing Logic Apps Apps 1. Enterprise Integration Pack – edit B2B 1. Log streaming – view console logs workflows from a container in near real-time 2. Code View Editor – edit definitions in 2. Container console – debug the JSON microservice from inside the 3. Logic Apps Designer – visually add container functionality rate-limit-by-key Create a Service Bus queue - minimize the possibility that the 1. Create resource group number of requests to the backend 2. Create namespace database from an individual IP 3. Create Service Bus queue address you specify exceeds the New - supported limit AzureRMServiceBusNamespace - ResourceGroupName fridge-rg - Metric alert using dynamic thresholds NamespaceName fridge-ns -Name - alert operators when a technical issue fridge-q -EnablePartitioning $False is preventing sales to camps. 4. Get connection string for the namespace TrackMetric QueueDescription.LockDuration property - implement an aggregate of telemetry values for distributor API calls. - gets or sets the duration of a peek lock Fix telemetry issue CDN PeekMessage method 1. Create an Azure Content Delivery Network profile - You can peek at the message in the 2. 
Create an Azure Content Delivery front of a queue without removing it Network endpoint from the queue 3. Configure Azure Content Delivery Queue size must not grow larger than 80 Network compression gigabytes (GB), Use first-in-first-out (FIFO) Farmers error 503 Site Unavailable – Scale up ordering of messages and minimize Azure the App Service Plan to Premium costs Distributors error 502 Bad Gateway – Restart - Create an Azure Function App that uses an the application from the App Service Azure Service Bus Queue trigger - Do not use VM - solution uses a publish-subscribe model and eliminates the need for - Do not use Azure Notification Hub constant polling. Create Service Bus queue subscriptionClient.RegisterMessageHandler( 1. Namespace ProcessMessagesAsync, 2. Topic messageHandlerOptions) 3. Subscription - receive messages continuously from Push notifications code the entity. It registers a message handler and begins a new thread to 1. NotificationHubClient hub = receive messages. This handler is NotificationHubClient.CreateClientFr waited on every time a new message omConnectionString is received by the receiver. 2. await hub.SendWindowsNativeNotification Policies in Azure API Management Async 1. inbound – support alternative input Azure Service Bus Queue and Topic parameters 2. outbound - remove formatting text - duplicate detection responses Configure back-end authentication for the API 3. backend – provide additional context Management to backend services 4. on-error - callers will receive 400 or 1. Target - HTTP(s) endpoint 500 HTTP response messages if an 2. Gateway credentials – Client cert error condition occurs. Configure Event Grid with a new event Return response subscription at the scope of your resource. The event must be invalidated after a specific 1. period of time 2. 3. 1. Webhook event delivery – SAS tokens 2. Topic Publishing – ValidationCode Sample code raw notifications handshake 1. 
Request.Headers.add(“ServerBusNot ification-Format”, “windows”); 2. Request.Content = new StringContent(payload, Encoding- UTF8, “application/octet-stream”); 1. XML in section Event hub can only have 1024 below partition 2. Error will occur > 512k Azure solution to process data 3. It will not retain new version since the requested is 9.1 Object Technology Event Source Azure Blob Storage Service Bus or Event Grid Event Receiver Azure Event Grid Event Handler Azure Logic App - is a collection of client applications that connect to an Event Hubs Store message when app initialize code namespace sharing a unique 1. CloudQueueClient pVar1 = identifying condition such as the storageAccount.CreateCloudQueueC security context lient - allow for per-road throttling 2. CloudQueue pVar2 = Handle the transient connection errors in pVar1.GetQueueReference code by implementing retries Azure Database Configure app service to run a single instance 1. Wait five seconds before repeating the of third party library connection attempt to the database. 1. PerSiteScaling $true 2. Set a maximum number of 2. $app.SiteConfig.NumberOfWorkers = connection attempts to 10 and report 1 an error on subsequent connections. 3. Increase connection repeat attempts Azure Service bus - guarantees first in first out exponentially up to 120 seconds. delivery and is used to send messages between components Update the user in Azure Active Directory (Azure AD) when they convert to a paying Logic app steps for archiving blobl storage customer 1. Recurrence - resetRedemption 2. Condition 3. If yes, process message queue API Management policies to ensure that 4. If no, put blob to archive tier images are processed correctly 5. List blob - participating retailers the event is recorded in - - Use publisher policies for retailers. Azure Event Grid Azure App Service Configuration 1. System topic – third-party system endpoint to send events 1. Autoscale rule – increase availability 2. 
Event domain – azure function app 2. Diagnostic settings – send logs endpoint to handle filtered events Obtain an access token that uses the VM's Policy fragment system-assigned managed identity 1. From the code on the VM, call Azure Resource Manager using an access token. 2. Use PowerShell on the VM to make a request to the local managed identity Service bus + event grid = premium tier for Azure resources endpoint. Access control = contributor Application group API with term of use - use revisions to make non-breaking API changes so you can model and - Create and publish product test changes safely Azure Events Hub SDK event processing HTTP verbs use the image Exif data as blob recovery metadata in the application 1. Offset – ensure that event process 1. PUT – store exif data clients mark the position within an 2. GET – retrieve exif data event sequence 2. Checkpoint – mark the vent processor Kubernetes Event-driven Autoscaling (KEDA) client position within a partition event trigger fields to scale the microservices by sequence using a custom scaling rule Configure a test API response 1. Metadata 2. Type 1. Policy – mock response 2. Policy section – inbound Implement Azure Event Grid. 3. HTTP response code – 200 - Publish events to an event domain. Inspect request processing of the APIs in Create a custom topic for each APIM customer - Publish events to a custom topic. 1. Enable the Allow tracing setting for Create an event subscription for each the subscription used to inspect the customer. API. - Not enable ingress 2. Add the Ocp-Apim-Trace header value - Not partner topic to the API call whit a value set to true. - Not system topic 3. Add the Ocp-Apim-Subscription-Key header value to the key for a Provide internal staff access to the subscription that allows access to the production site after a validation API. 
- /?x-ms-routing-name=self Reference the queue and blob name in the Use Azure Content Delivery Network (CDN) function.json file of the Azure Functions app. and ensure maximum performance for 1. Queue name - %input_queue% dynamic content while minimizing latency 2. Blob name – {queueTrigger} and costs. Complete the policy definition 1. Tier: Standard 2. Profile: Akamai 1. Target1 = 3. Optimization: Dynamic site 2. Target2 = acceleration @Context.Deployment.Region Azure Backup Add a new revision to the API - VM is critical and has not been backed up in the past Accelerated Networking - VM shows high network latency, jitter, Ensure user can review content using and high CPU utilization. ContentAnalysisService Acquiring access tokens 1. "oauth2AllowIdTokenImplicitFlow":tru e 1. AzureServiceTokenProvider() 2. "oauth2AllowImplicitFlow":true 2. tp.GetAccessTokenAsync("..") All websites and services must use SSL from Implementing disaster recovery a valid root certificate authority 1. new SingleTransferContect 1. SSL Certificate – Valid root certificate 2. context.ShouldOverwriteCallbackAsy nc Any web service accessible over the Internet 3. isServiceCopy: true must be protected from cross site scripting attacks, All Internal services must only be Changes to the Order data must reflect accessible from Internal Virtual Networks immediately across all partitions (VNets) - Consistency – Strong 1. Proxy Type – Azure Application Store delivery driver profile information in Gateway Azure Active Directory (Azure AD), YAML to ensure that the 1. Code Library – MSAL ContentUploadService can access Azure 2. API – Microsoft Graph Storage access keys Shared access signature (SAS) volumeMounts: - provides secure delegated access to - mountPath: /mnt/secrets resources in your storage account. name: accesskey Point-in-time restoration of the retail store volumes: location data - name: accesskey - Identify the delivery driver profile secret information 1. 
JSON web token (JWT) type – ID key: TXkgZmlyc3Qgc2VjcmV0IEZPTwo= 2. Payload claim value – oid Application manifest to ensure that the - Secure the Azure Functions requirement for manually reviewing content 1. Store the RSA-HSM key in Azure can be met. Key Vault with soft-delete and purge-protection features enabled - optionalClaims:[“sid”, “email”] 2. Create a standard tier Azure App - to review content, the user must Configuration instance with an authenticate to the website portion of assigned Azure AD managed the ContentAnalysisService using identity. their Azure AD credentials - all completed reviews must include Implement ContentReviewer Role the reviewer's email address for 1. allowedMemberTypes: User auditing purposes 2. value: ContentReviewer Shipping Function app: Implement secure Incoming Request and that should be function endpoints by using app-level done in Inbound section of the policy security and include Azure Active Directory of course (Azure AD). Authenticate the user 1. Authorization level: Function 1. ID token signature 2. User claims: JSON Web Token (JWT) 2. Azure AD endpoint URI 3. Trigger Type: HTTP Correct the Azure Logic app Bad Request The Shipping Logic App requires secure resources to the corporate VNet and use 1. Authentication level: anonymous dedicated storage resources with a fixed 2. Managed-identity: system-assigned costing model. Configure Azure Service Bus to Event Grid 1. Integration Service Environment (ISE) integration - A Service Bus Premium namespace with at least one Service Bus The database connection string is stored in queue or a Service Bus topic with at least one Azure Key Vault with the following attributes: subscription. Contributor access to the Azure Key Vault name: cpandlkeyvault Secret Service Bus namespace. name: PostgreSQLConn 1. Tier: Premium 1. https:// cpandlkeyvault. 2. RBAC role – contributor vault.azure.net/secrets/ PostgreSQLConn Get Blob container code 2. 
Environment – variable type to access Azure Key Vault secret values 1. Var key = await resolver.ResolveKeyAsync(keyBundle. Scenario: Corporate website - While testing KeyIdentifier.Identifier, the site, the following error message displays: CancellationToken.None); CryptographicException: The system cannot 2. Var x = new find the file specified. BlobEncryptionPolicy(key,resolver) 3. cloudBlobClient.DefaultRequestsOpti 1. Generate a certificate ons.EncryptionPolicy = x; 2. Upload the certificate to key vault Security Policy powershell All SSL certificates and credentials must be stored in Azure Key Vault - "PermissionsToKeys wrapkey, unwrapkey, get - for symmetric 1. Import the certificate to Azure App encryption - to encrypt the blobs Service 2. Add the certificate thumbprint to the Reduce read latency for the retail store WEBSITE_LOAD_CERTIFICATES app solution. setting 1. Create a new composite index for the API Management for authentication. store location data queries in Azure Cosmos DB. Modify the queries to 1. Policy – Validate JWT support parameterized SQL and 2. Policy section – Inbound - update the Azure Function app to call Authentication should be done on the new queries. 2. Provision an Azure Cosmos DB - Update the function to be stateful by dedicated gateway. Update the Azure using Durable Functions to process Function app connection string to use the request payload the new dedicated gateway endpoint. Complete the Azure Event Grid subscription Audit store sale transaction information 1. endpointType: WebHook nightly to validate data, process sales 2. filter: subjectBeginsWith: financials, and reconcile inventory blobServices/default/containers/logdr 1. Process the change feed logs of the op Azure Blob storage account by using 3. includedEventTypes: an Azure Function. Specify a time [“Microsoft.Storage.BlobCreated”] range for the change feed data. Policy service must use Application Insights 2. 
Subscribe to blob storage events by to automatically scale with the number of using an Azure Function and Azure policy actions that it is performing Event Grid. Filter the events by store location. - an Application Insights metric If VM Exclude non-user actions from Application Insights telemetry. - avg Percentage CPU > 800 1. Filter : ITelemetryProcessor If container 2. Item as RequestTelemetry - CPU Usage > 800 3. x?.Url.AbsolutePath == “/health” ContentCotainerService is hosted in container services. So the az command is Ensure that PolicyLib requirements 1. az container attach - public class IncludeEventId : ITelemetryInitializer public void Investigate the Azure Function app error Initialize (ITelemetry telemetry) message in the development environment telemetry.Context.Properties["EventId 1. Connect Live Metrics Stream from "] = EventgridController.EventId.Value Application Insights to the Azure Ensure receipt processing occurs correctly Function app and filter the metrics. - Use blob leases to prevent Azure CDN doesn't support authentication concurrency problems with managed identity Capacity issue: During busy periods, 1. Restrict file access: SAS token employees report long delays between the 2. File audition: change feed - provide time they upload the receipt and when it transaction logs of all the changes appears in the web application that occur to the blobs and the blob metadata in your storage account - Update the loop starting on line PC09 to process items in parallel RequestUserApproval Function app error - 'Timeout value of 00:10:00 exceeded by Log capacity issue: Developers report that the function: RequestUserApproval number of log message in the trace output for the processor is too high, resulting in lost log Scenario: The Shipping Logic app must meet messages the following requirements: - Implement Application Insights 1. 
Support the ocean transport and Sampling - recommended way to inland transport workflows by reduce telemetry traffic and storage, using a Logic App. while preserving a statistically correct 2. Support industry-standard analysis of application data. protocol X12 message format for Implement event routing for retail store various messages including vessel location data content details and arrival notices. Object Technology 3. Secure resources to the corporate Event Source Azure Blob Storage VNet and use dedicated storage Event Receiver Azure Event Grid resources with a fixed costing Event Handler Azure Function App model. 4. Maintain on-premises Scenario: The order workflow fails to run upon connectivity to support legacy initial deployment to Azure applications and final BizTalk migrations. 1. Review the run history. - On-premises Data Gateway 2. Review the trigger history. Configure the integration for Azure Service Calls to the Printer API App fail periodically Bus and Azure Event Grid. due to printer communication timeouts. Printer communication timeouts occur after - Az eventgrind event-subscription 10 seconds. The label printer must only create –source-resource-id $topicid – receive up to 5 attempts within one minute. name $name –endpoint-type servicebusqueue - retryPolicy: { - type: fixed Ensure that all messages from Azure Event - interval: PT10S means retry after 10 Grid are processed sec - Azure Service Bus queue - count: 5 Scenario, Log policy: All Azure App Service Support the message processing for the Web Apps must write logs to Azure Blob ocean transport workflow storage 1. Create an integration account in the - If { @event[“data”][“status”].ToString() Azure portal == “Succeeded” && 2. Link the Logic App to the integration @event[“data”][“operationName”].To account String() == 3. Add partners, schemas, certificates, “Microsoft.Web/sites/write” maps, and agreement 4. 
Update the Logic App to use the LoginEvent.cs to ensure that all partners, schemas, certificates, authentication events are processed maps, and agreement - Public string id - Public string eventType commerce web app to read the HTTP request - Public string dataVersion header values EnsureLogging method in Azure Functions must process data EventGridController.cs immediately when data is uploaded to Blob storage. Azure Functions must update Azure - DIAGNOSTICS_AZUREBLOBCONTAIN Cosmos DB by using native SQL language ERASURL, queries. BlobStoreAccountSAS(logdrop) - DIAGNOSTICS_AZUREBLOBRETENTI 1. Binding: Azure Cosmos DB ONINDAYS, 15 2. Binding Direction: Output - Client.WebApps.UpdateApplicationS 3. Trigger: Blob storage etting Standard tier – lowest cost with deployment Scenario: Notification latency: Users report slots that anomaly detection emails can Web App - is a web application that is hosted sometimes arrive several minutes after an in an App Service anomaly is detected Scenario: You must perform a point-in-time 1. Set Always On to true. restoration of the retail store location data 2. Ensure that the Azure Function is due to an unexpected and accidental deletion using an App Service plan. of data. Validation testing of new version image Prerequisites: 1. Event.eventType === ‘ImagePushed’ 1. Soft delete 2. Event.data.target.repository === 2. Change feed ‘contentanalysisservice’ 3. Versioning 3. Event.topic.contains(‘contosoimages) Azure Event Hub - is used for telemetry and Scenario: You must minimize costs for all distributed data streaming Azure services. All Internal services must only be accessible from internal Virtual Networks Scenario: You must create an Azure Function (VNets). named CheckUserContent to perform the content checks. - App Service Plan 1. QueueTrigger(“userContent”) string Deploy a new version of the LabelMaker content application to ACR. 2. Blob(“userContent/{name}”, 1. 
Build a new application image by FileAccess.Write) using dockerfile Private IP addresses start with the numbers 2. Create an alias if the image with the 10, 172.16, or 192.168. fully qualified path to the registry 3. Log in to the registry and push image Container group is only supported in Linux To access data from the user claim object in Scenario: Azure Storage blob will be used the e-commerce web app, first Update the e- Data storage costs must be minimized. Recommended for most scenarios using Azure Storage. - Account Kind: StorageV2 (general- purpose v2) - General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Scenario: Data must be replicated to a secondary region and three availability zones - Replication: Geo-redundant storage (GRS) Scenario: Data storage costs must be minimized - Access tier: Cool Hot - Optimized for storing data that is accessed frequently. Cool - Optimized for storing data that is infrequently accessed and stored for at least 30 days