Uploaded by PowerfulTechnetium

Tags: Azure cloud computing network administration

Storage Accounts:
- To support Data Lake Storage, the storage account must support blob storage, which is available as standard general-purpose v2 and premium block blobs.
- An immutability policy is a time-based retention policy or a legal hold policy that can be applied to block deletion.
- A lifecycle policy defines what should happen to a blob or container after a period of time.
- Access tracking should be enabled when using a lifecycle management rule to move or delete blobs automatically. The rule can be based on the time the blob was last modified or the time the blob was last accessed (read or write).
- To enable POSIX-compliant access control lists, hierarchical namespace must be enabled.
- File shares can be configured to use Microsoft Entra Kerberos to provide identity-based access to data storage.
- Block blobs and append blobs support Immutable Storage, which prevents modification or deletion of data, ensuring data integrity and protection against accidental deletion or modification.

Ports:
- SMB protocol - 445
- Health Information Microsoft Entra - 5671

Deletion locks:
- Cannot be applied to management groups.
- Can be applied to resource groups, subscriptions and VMs.

Azure Policies:
- You must use the RemediationDescription field in the metadata section of properties to specify a custom recommendation.

Microsoft Entra:
- General roles:
  - User Administrator - allows creation and management of users and groups, managing support tickets, and monitoring service health.
  - Billing Administrator - focused on financial aspects.
  - Service Administrator - a classic role with full access to Azure services, which is not required for user and group management.
  - Cost Management Reader - view billing information and manage budgets.
  - User Access Administrator - grants permissions to manage resource locks.
- Not all Microsoft 365 services are available in all locations. Before a license can be assigned to a user, you must specify the Usage location. The attributes First name, Last name, Other email address and User type are not mandatory for license assignment.
- Assigning licenses based on Microsoft Entra ID attributes:
  - You must create dynamic groups and configure rules based on custom attributes.
  - To sync automatically for assignment, the dynamic group must be added to a license group.

Deployments:
- TemplateUri - URI to the template file
- TemplateFile - local path to the file
- TemplateSpecId - template saved to Azure
- During template deployment you can specify the resource group.

App Service Plans:
- Free - 0 instances and 1 GB
- Basic - 10 GB and 3 instances
- Standard - 50 GB and 10 instances
- Premium - 250 GB and 30 instances

Useful commands:
- netstat -an lists the ports that the server is listening on.
- Test-NetConnection performs a ping/ICMP test.
- nbtstat -c checks the NBT cache.
- Get-AzVirtualNetwork gets the virtual networks in a resource group.

Azure Metrics:
- A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services.
- Azure Monitor stores metrics in a time-series database that is optimized for analyzing time-stamped data.
- Activity logs help detect and address issues proactively, before users notice them.
- Azure Advisor analyzes configuration and usage metrics but does not provide time-lapsed data.
- Azure Cost only helps to optimize and reduce overall Azure spending.
- Azure VM Insights - monitors the health and performance of VMs.
- To enable Log Analytics for a load balancer, create the Log Analytics resource and enable the diagnostic setting on the load balancer.

VM general info:
- By default, backups of virtual machines are kept for 30 days.
- The Azure Custom Script Extension is used for post-deployment configuration, software installation, or any other configuration or management task.
- Desired State Configuration (DSC) is a management platform that you can use to manage an IT and development infrastructure with configuration as code.
- The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset access to Linux or perform disk-level maintenance.
- VMs cannot be moved to another VNET. To connect a VM from one VNET to another VNET, you must delete the VM and recreate it in the target VNET.
- To create a VM in an availability zone, configure the availability options and use managed disks.

Alerts:
- Email on event - an alert rule and an action group are required.

DNS resolvers:
- A virtual network link is used to add a virtual network to a zone (VNET to private DNS zone).
- Azure DNS Private Resolver is used to proxy DNS queries between on-premises environments and Azure DNS.
- A custom DNS server works if you deploy a DNS server as a virtual machine or an appliance; however, this configuration does not work with a private DNS zone.

Domain name records:
- A record - maps a domain name to an IP address
- CNAME record - maps a domain name to another domain name
- NS record - delegates a subdomain

Azure dashboard:
- Data can be pinned for 14 days.

Network peering:
- IP addresses must not overlap; location does not matter.

Azure Load Balancers:
- Basic Azure Load Balancer supports deployment in a single availability zone.
- Basic Azure Load Balancer supports only Basic SKU public IPs.
- Standard Load Balancer is zone redundant but at a higher cost.
- To ensure that site users connect to the same web server for all requests made to the application, set session persistence to Client IP and protocol.
- Basic Load Balancer - to balance requests across VMs, they need to be part of a scale set or availability set.
- Standard Load Balancer - to balance requests across VMs, they need to be created as part of the same virtual network.

Tokens:
- SAS (Shared Access Signature) - the two required parameters are:
  - SignedServices (ss) - refers to blobs, queues, tables and files
  - SignedResourceTypes (srt) - refers to services, containers, objects
- SAS optional parameters:
  - SignedStart (SS) - refers to the start time of validity
  - SignedIp - refers to the IP range

Azure instances:
- Azure Spot Instance - used to provision virtual machines at a reduced cost, but Azure will stop the VMs when it needs the capacity for other workloads. Therefore, this is not the right solution where an SLA is required.

Azure VMs:
- Commands:
  - Add-AzVhd - uploads an on-premises VHD to Azure
  - New-AzVM - creates a new virtual machine
  - New-AzDisk - creates a managed disk
  - New-AzDataShare - creates an Azure data share
- General info:
  - VMs are associated to a subnet through an attached network interface. Therefore, if you want a VM to communicate with additional subnets, a solution is to create additional network interfaces.
- Backups:
  - To restore a backup on a VM you need to install the Microsoft Azure Recovery Services Agent on the destination VM.
- VM connection insights:
  - To record successful and failed requests you have to:
    - enable Azure Network Watcher in the region of the VM
    - create a storage account
    - enable Azure Network Watcher flow logs
- Series:
  - A-series - VMs have CPU performance and memory configurations best suited for entry-level workloads such as development and test, code repositories, etc.
  - D-series - Azure VMs offer a combination of vCPUs, memory and temporary storage that meet the requirements of most production workloads.
  - E-series - Azure VMs optimised for heavy in-memory applications, well suited for memory-intensive enterprise applications, large relational database servers, in-memory analytics workloads, etc.
  - F-series - VMs feature a higher CPU-to-memory ratio.
  - M-series - optimised and ideal for memory-intensive workloads, making them suitable for database servers.

NSG:
- Resources that can be associated with an NSG are network interfaces and subnets.

Access restriction:
- To restrict access to an Azure Blob Storage container to specific virtual networks or IP addresses, set up virtual network service endpoints.

Diagnostics:
- To store all warnings or higher you need to enable Application Logging (Blob) [stored for more than a week] and set the severity to Warning to store warning, error and critical log messages.

Azure Import/Export:
- To transfer large amounts of data to an Azure Storage Account, you need either Azure Blob Storage or Azure File Storage.
- Only containers can be exported, e.g. blobs.

Azure password security:
- For administrators, the password reset policy is different: they are not asked security questions.
- If the Fraud feature is enabled, the account is blocked for 90 days or until an admin unblocks the account.

SLA:
- To achieve high availability (99.95%) of VMs, you need to define an availability set alongside a scale set.

Azure AD:
- When a Windows device is connected to Azure AD using Azure AD Join, Azure adds the following security principals to the local Administrators group:
  - AD Global Admin
  - AD Device Admin
  - the user performing the AD Join
- Azure AD authentication types:
  - Federated authentication
  - Pass-through authentication
  - Password hash synchronisation
- Azure AD Access Reviews streamline the access review process by automating reminders, collecting reviewer input, and allowing automatic actions (e.g., revoking access) based on review decisions.
- Global administrators and device owners are granted local admin rights by default.

Azure File Sync:
- (cloud and on-premises) If you have a duplicate file on the file share and the file server, the file on the file server will have its name appended with the name of the server.
- Rename format - {(unknown) {file server synced first} {file extension}}

Application Insights:
- Funnels - a way to monitor how users are using the application (flows).
- Impact - a way to analyse how load times and other properties influence conversion rates for various parts of the app.
- Retention - a way to analyse how many people return to the app.
- User flows - a way to understand where people are repeating the same actions in the app.
- Azure Application Insights Availability Tests - built to simulate user traffic from different regions and measure application responsiveness.

Connecting:
- P2S (Point to Site) - virtual network to computer
- Site to Site - connection between multiple networks

Backup and restore App Service:
- Only available in Standard, Premium, Isolated and App Service Linux.

SMB:
- To enable user access to an SMB file share from on-premises servers, you need to:
  - configure Azure AD Domain Services
  - join the storage account

RDP/SSH using Bastion:
- Benefits are:
  - eliminates the need for public IP addresses on VMs
  - provides a web-based RDP/SSH experience in the Azure portal
  - supports MFA
  - provides secure RDP/SSH access over SSL
  - seamless integration with Azure AD

Azure Lighthouse (centrally manage and govern Azure resources across multiple customer tenants):
- Onboarding: to onboard customer tenants to Azure Lighthouse and delegate access to specific resources, you should publish managed services offers that include delegation definitions, streamlining the onboarding process for customers and providing granular access controls to the resources or resource groups you want managed.

Migrating an on-premises identity provider to Azure AD:
- Options include:
  - Azure AD Connect cloud sync
  - Password hash synchronization
  - Pass-through authentication
  - Staged migration

WAF:
- Create custom WAF rules to block specific patterns or keywords to protect your app from common web attacks.

Disaster recovery:
- Using GRS, RA-GRS and ZRS for Azure Storage ensures geographic redundancy and availability, enhancing disaster recovery and business continuity.

Hub and spoke model:
- The hub-and-spoke model provides a scalable and modular architecture. The hub VNET acts as the central point of connectivity, housing shared services, while spoke VNETs contain specific workloads or applications. Peering and UDRs ensure efficient traffic routing.

Azure Service Endpoints:
- The most granular and secure way to restrict network access to a storage account to a specific virtual network.
- You can allow traffic to specific services and block the rest, enhancing security and control over outbound connections.

Managed identities:
- Used to authenticate and authorize access to other Azure services:
  - system-assigned - tied to the lifecycle of the resource
  - user-assigned - independent resources that can be assigned to multiple services

Azure Backup policy:
- To ensure backups are stored for a required period, define the retention range in the backup policy.

Azure Resource Graph:
- Azure Resource Graph offers multiple ways to query resource data across subscriptions, including KQL, the REST API, PowerShell and the Azure CLI.

Azure security:
- Azure Sentinel - for analysis of security threats and anomalies.

Alerts:
- Alert rate limiting thresholds:
  - SMS: no more than 1 SMS every 5 minutes.
  - Voice: no more than 1 voice call every 5 minutes.
  - Email: no more than 100 emails in an hour.
- To prepare a subscription for alerts, you need to create a Log Analytics workspace.

Moving resources:
- Storage can be moved regardless of location.
- A NIC that is attached to a VM cannot be moved.
- Public IPs are region specific, so they cannot be moved.

Virtual networks:
- To connect 2 VNETs in different subscriptions, you should use a Virtual Network Gateway.
- (on-premises network to Azure VNET) To achieve a secure private connection between the two, you should use ExpressRoute.

Self-service password reset (SSPR):
- Methods available for SSPR:
  - mobile app notification
  - email
  - mobile app code
  - mobile phone
  - office phone
  - security questions
- As an admin, to enable SSPR you must first configure the required permissions for password writeback, then enable password writeback for Azure AD Connect and SSPR.

Azure Key Vault:
- To prepare a key vault for backing up a VM, you need to configure advanced access policies for access to keys or secrets so they are available to the VM for booting and decrypting volumes.

MS 365 licensing:
- To assign a temporary license to users for 365 access, you should create assigned and dynamic 365 groups.
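The SAS notes under "Tokens" list the parameters an account SAS carries (ss, srt, the start time, SignedIp). In the query string the start-time key is st and the expiry key is se. Below is an added example, not part of the original notes, that parses those parameters out of a SAS URL and reports grants a reviewer would want to narrow: all four services, all three resource types, write plus delete permission, a long or missing validity window, no IP restriction, or plain HTTP allowed (the SAS protocol field spr defaults to https,http when absent). The two URLs, the account name and the signature values are constructed for illustration only.

```python
"""Audit the scope of an Azure account SAS from its URL (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Single-letter codes used in the ss / srt / sp query parameters.
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}

# Constructed sample URLs; the account name and sig values are fake.
BROAD_SAS_URL = ("https://example.blob.core.windows.net/?sv=2022-11-02"
                 "&ss=bqtf&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z"
                 "&sig=FAKE_SIGNATURE")
SCOPED_SAS_URL = ("https://example.blob.core.windows.net/?sv=2022-11-02"
                  "&ss=b&srt=o&sp=r&st=2024-06-01T00:00:00Z"
                  "&se=2024-06-01T08:00:00Z&spr=https"
                  "&sip=203.0.113.0-203.0.113.255&sig=FAKE_SIGNATURE")
# Fixed "current time" so the sample results are reproducible.
NOW = datetime(2024, 6, 1, 1, 0, tzinfo=timezone.utc)


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of `url` as a name -> value dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def _utc(timestamp: str) -> datetime:
    """Parse the ISO 8601 UTC form used by SAS st/se values."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def audit_sas(url: str, now: datetime,
              max_lifetime: timedelta = timedelta(days=7)) -> list:
    """Return a list of findings for an account SAS; an empty list is clean."""
    params = parse_sas(url)
    findings = []

    # The two parameters an account SAS must carry.
    for key, name in (("ss", "SignedServices"), ("srt", "SignedResourceTypes")):
        if key not in params:
            findings.append(f"missing required parameter {key} ({name})")

    if set(params.get("ss", "")) == set(SERVICES):
        findings.append("ss grants all four services")
    if set(params.get("srt", "")) == set(RESOURCE_TYPES):
        findings.append("srt grants service, container and object scope")
    if {"w", "d"} <= set(params.get("sp", "")):
        findings.append("sp grants write and delete")

    # Validity window: se is mandatory; st falls back to issue time.
    if "se" not in params:
        findings.append("missing expiry (se)")
    else:
        expiry = _utc(params["se"])
        start = _utc(params["st"]) if "st" in params else now
        if expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")
        if expiry <= now:
            findings.append("token already expired")

    if "sip" not in params:
        findings.append("no IP restriction (sip)")
    # spr defaults to "https,http" when omitted, so absence means HTTP is allowed.
    if params.get("spr", "https,http") != "https":
        findings.append("allows plain HTTP (spr)")
    return findings


if __name__ == "__main__":
    for label, url in (("broad", BROAD_SAS_URL), ("scoped", SCOPED_SAS_URL)):
        print(label, audit_sas(url, NOW) or ["no findings"])
```

Run against the constructed URLs, the broad token produces six findings and the scoped token none; the same function can be pointed at SAS URLs found in configuration or logs to spot over-privileged tokens before they are issued.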
