til

az-104

https://learn.microsoft.com/en-us/credentials/certifications/azure-administrator/

https://www.youtube.com/watch?v=YEKzldQ9N98 https://www.youtube.com/watch?v=wYUhumwOGrM&list=PLA_CqAntXBh4DPIYCcplBWLjT3AYl1822&index=2

https://github.com/undergroundwires/Azure-in-bullet-points/tree/master/AZ-104%20Microsoft%20Azure%20Administrator

https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2014 https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2016 https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%208

entra id

account is an identity, that has data associated with it you cannot have an account without an identity

editions: free, premium p1, premium p2

sspr - self service password reset - office phone number - security questions - mobile app notification

ad ds -> active directory domain services

entra id is a cloud based alternative to ad ds

p1 and p2:

• Self-service group management
• Advanced security reports and alerts
• Multi-factor authentication
• Microsoft Identity Manager (MIM) licensing
• Enterprise SLA of 99.9%
• Password reset with writeback (SSPR)
• Cloud App Discovery feature of Microsoft Entra ID
• Conditional Access based on device, group, or location
• Microsoft Entra Connect Health

p2 only:

• Microsoft Entra ID Protection
• Microsoft Entra Privileged Identity Management (PIM)

authentication and authorization

• Microsoft Entra ID doesn’t use Kerberos authentication (compared to Active Directory Domain Services)
• instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication
• and uses OAuth for authorization.

user accounts

types of user accounts:

• cloud identity
• directory-synchronized identity
• guest user

applications

application <-> service principal

Both represent applications in Microsoft Entra ID. An object in the Application class contains an application definition and an object in the servicePrincipal class constitutes its instance in the current Microsoft Entra tenant. Separating these two sets of characteristics allows you to define an application in one tenant and use it across multiple tenants by creating a service principal object for this application in each tenant. Microsoft Entra ID creates the service principal object when you register the corresponding application in that Microsoft Entra tenant.

arm

resource groups

• resources can only exist in one resource group
• resource groups cannot be renamed
• resource groups can have resources of many different types (services)
• resource groups can have resources from many different regions

When creating a resource group, you need to provide a location for that resource group. The resource group stores metadata about the resources. Therefore, when you specify a location for the resource group, you’re specifying where that metadata is stored. -> this is different from the location of the resources themselves

rbac

concepts:

• security principal: An object that represents something that requests access to resources. e.g. user, group, service principal, managed identity
• role definition: A set of permissions that lists the allowed operations. Azure RBAC comes with built-in role definitions, but you can also create your own custom role definitions. Some built-in role definitions: Reader, Contributor, Owner, User Access Administrator
• scope: The boundary for the requested level of access, or “how much” access is granted. Management group, subscription, resource group, resource
• role assignment: An assignment attaches a role definition to a security principal at a particular scope. Users can grant the access described in a role definition by creating (attaching) an assignment for the role. e.g. Assign the User Access Administrator role to an admin group scoped to a management group. e.g. Assign the Contributor role to a user scoped to a subscription

scopes

examples:

• Scope a role as available for assignment in two subscriptions: "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e", "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"
• Scope a role as available for assignment only in the Network resource group: "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network"
• Scope a role as available for assignment for all requestors: "/"

azure roles vs microsoft entra roles

three types of roles:

• Classic subscription administrator roles (legacy) (Account Administrator, Service Administrator, and Co-Administrator)
• Azure role-based access control (RBAC) roles
• Microsoft Entra administrator roles (e.g. Global admin, Application admin, and Application developer)

Microsoft Entra admin roles are used to manage resources in Microsoft Entra ID, such as users, groups, and domains. These roles are defined for the Microsoft Entra tenant at the root level of the configuration.

Azure RBAC roles provide more granular access management for Azure resources. These roles are defined for a requestor or resource and can be applied at multiple levels: the root, management groups, subscriptions, resource groups, or resources.

Fundamental azure rbac roles:

• Owner: The Owner role has full access to all resources, including the right to delegate access to others. The Service Administrator and Co-Administrators roles are assigned the Owner role at the subscription scope.
• Contributor: The Contributor role can create and manage all types of Azure resources. This role can’t grant access to others.
• Reader: The Reader role can view existing Azure resources.
• User Access Administrator: The User Access Administrator role can manage user access to Azure resources.

virtual networks

• network virtual appliances
• service endpoints
• network security groups

• private links

• private vs public ip addresses

static ip addresses

• Virtual machine: NIC
• Load balancer: Front-end configuration
• VPN gateway: VPN gateway IP configuration
• Application gateway: Front-end configuration

Feature	Basic SKU	Standard SKU
IP assignment	Static or Dynamic	Static
Security	Open by default	Secure by default, closed to inbound traffic
Resources	Network interfaces, VPN gateways, Application gateways, and internet-facing load balancers	Network interfaces or public standard load balancers
Redundancy	Not zone redundant	Zone redundant by default

network security groups (NSGs)

can be associated to a subnet or a network interface

source: Identifies how the security rule controls inbound traffic. The value specifies a specific source IP address range that’s allowed or denied. The source filter can be any resource, an IP address range, an application security group, or a default tag.

destination: Identifies how the security rule controls outbound traffic. The value specifies a specific destination IP address range that’s allowed or denied. The destination filter value is similar to the source filter. The value can be any resource, an IP address range, an application security group, or a default tag.

service: Specifies the destination protocol and port range for the security rule. You can choose a predefined service like RDP or SSH or provide a custom port range. There are a large number of services to select from.

priority: Assigns the priority order value for the security rule. Rules are processed according to the priority order of all rules for a network security group, including a subnet and network interface. The lower the priority value, the higher priority for the rule.

application security groups

Application security groups work in the same way as network security groups, but they provide an application-centric way of looking at your infrastructure. You join your virtual machines to an application security group.

vnet peering

• regional and global

azure vpn gateway

• a virtual network can have only one VPN gateway
• gateway transit is support for regional and global network peering
• when you allow VPN gateway transit, the virtual network can communicate to resources outside the peering
• gateway transit allows peered virtual networks to share the gateway and get access to resources. With this implementation, you don’t need to deploy a VPN gateway in the peer virtual network
• peering status is either initiated, connected or updating
• virtual network peering is nontransitive
• extend peering capabilities with:
  • hub and spoke network (network virtual appliance (NVA) or Azure VPN gateway)
  • user-defined routes
  • service chaining

alternative connectivity methods

Virtual network peering is the least complex way to connect virtual networks together. Other methods focus primarily on connectivity between on-premises and Azure networks rather than connections between virtual networks.

ExpressRoute is a dedicated, private connection between an on-premises datacenter and the Azure backbone network. The virtual networks that connect to an ExpressRoute circuit are part of the same routing domain and can communicate with each other. ExpressRoute connections don’t go over the public internet, so your communications with Azure services are as secure as possible.

VPNs use the internet to connect your on-premises datacenter to the Azure backbone through an encrypted tunnel. You can use a site-to-site configuration to connect virtual networks together through VPN gateways. VPN gateways have higher latency than virtual network peering setups. They’re more complex and can cost more to manage.

routing

system routes user-defined routes next hop targets - virtual appliance - virtual network gateway - virtual network - internet - none

servivce endpoints

• A virtual network service endpoint provides the identity of your virtual network to the Azure service
• After service endpoints are enabled in your virtual network, you can secure Azure service resources to your virtual network by adding a virtual network rule to the resources.
• Service endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network.
• Virtual network rules can remove public internet access to resources, and allow traffic only from your virtual network.

private link

Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.

FQDN - fully qualified domain name

Azure Private DNS allows for private name resolution between Azure virtual networks. Azure public DNS provides DNS for public access, such as name resolution for a publicly accessible website. Azure-provided name resolution does not support user-defined domain names and only supports a single virtual network. A DNS server on a virtual machine can also be used to achieve the goal but involves much more administrative effort to implement and maintain than using Azure Private DNS.

azure load balancer

• Azure Load Balancer can be used for inbound and outbound scenarios.
• You can implement a public or internal load balancer, or use both types in a combination configuration.
• To implement a load balancer, you configure four components:
  • Front-end IP configuration: specifies the public IP or internal IP that your load balancer responds to.
  • Back-end pools: are your services and resources, including Azure Virtual Machines or instances in Azure Virtual Machine Scale Sets.
  • Health probes: ensure the resources in the backend are healthy.
  • Load-balancing rules: determine how traffic is distributed to back-end resources.

Basic SKU vs Standard SKU

• The Basic SKU allows up to 300 pools, and the Standard SKU allows up to 1,000 pools.
• When you configure the back-end pools, you can connect to availability sets, virtual machines, or Azure Virtual Machine Scale Sets.
• For the Basic SKU, you can select virtual machines in a single availability set or virtual machines in an instance of Azure Virtual Machine Scale Sets.
• For the Standard SKU, you can select virtual machines or Virtual Machine Scale Sets in a single virtual network. Your configuration can include a combination of virtual machines, availability sets, and Virtual Machine Scale Sets.

The load balancer uses a five-tuple hash to map traffic to available servers:

• source IP
• source port
• destination IP
• destination port
• protocol type

azure application gateway

Azure Application Gateway is a load balancer for web traffic. The back-end pool can include Azure virtual machines, Azure Virtual Machine Scale Sets, Azure App Service, and even on-premises servers.

• Application layer routing
• Round-robin load balancing
• Session stickiness
• Supported protocols
• Firewall protection
• Encryption
• Load autoscaling

ip addressing

215.11.0.0 to 215.11.255.255 is routable on the internet

public ip addresses:

• basic sku
• standard sku

NSG - destinations? #TODO

virtual network link #TODO

application security group #TODO Application security groups allow you to group together the network interfaces from multiple virtual machines, and then use the group as the source or destination in an NSG rule. The network interfaces must be in the same virtual network.

availability set #TODO

azure load balancer, incl. SKU #TODO Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load Balancer supports only Basic SKU public IP. Azure Standard Load Balancer is zone-redundant, but has a higher cost.

A network interface is used to connect a virtual machine to a subnet.

For virtual network peering, both virtual networks must have non-overlapping IP addresses.

You can use a network security group (NSG) to be assigned to a network interface. NSGs can be associated with subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the access control list (ACL) rules apply to all virtual machine instances of that subnet.

storage

• standard storage: backed by HDDs
• premium storage: backed by SSDs

services

• azure blob storage (containers)
• azure files
• azure queue storage
• azure table storage

types

Standard general-purpose v2

• Supported services: Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, and Azure Files
• Recommended usage: Standard storage account for most scenarios, including blobs, file shares, queues, tables, and disks (page blobs).

Premium block blobs

• Supported services: Blob Storage (including Data Lake Storage)
• Recommended usage: Premium storage account for block blobs and append blobs. Recommended for applications with high transaction rates. Use Premium block blobs if you work with smaller objects or require consistently low storage latency. This storage is designed to scale with your applications.

Premium file shares

• Supported services: Azure Files
• Recommended usage: Premium storage account for file shares only. Recommended for enterprise or high-performance scale applications. Use Premium file shares if you require support for both Server Message Block (SMB) and NFS file shares.

Premium page blobs

• Supported services: Page blobs only
• Recommended usage: Premium high-performance storage account for page blobs only. Page blobs are ideal for storing index-based and sparse data structures, such as operating systems, data disks for virtual machines, and databases.

replication

• Locally redundant storage (LRS)
• Zone redundant storage (ZRS)
• Geo-redundant storage (GRS)
  • Read-access geo-redundant storage (RA-GRS)
• Geo-zone-redundant storage (GZRS)
  • Read-access geo-zone-redundant storage (RA-GZRS)

blob storage access

• Private: (Default) Prohibit anonymous access to the container and blobs.
• Blob: Allow anonymous public read access for the blobs only.
• Container: Allow anonymous public read and list access to the entire container, including the blobs.

blob storage access tiers

• hot tier
• cool tier
• cold tier
• archive tier

blob object replication

• requires that blob versioning is enabled on both the source and destination storage accounts
• no support for archive tier, source and destination account can be in different tiers
• no support for blob snapshots

blob types

• block blob
• page blob
• append blob

authorization

• entra id
• shared key
• shared access signature (SAS)
• anonymous access to containers and blobs / public access

stored access policy

can be created for:

• blob containers
• file shares
• queues
• tables

identifier, start time, expiry time, permissions

azure file share

entra id authentication is not supported for file shares auto expansion is not supported for file shares

compute

host os vs guest os

azure virtual machines

• have at least two disks: operating system and virtual disk
• can also have one or more data disks
• all disks are stored as VHDs (virtual hard disks)
• premium storage: up to 256TB per vm, 80,000 IOPS, 2,000 MB/s

• RDP port: 3389

• os disk
  • registered as SATA drive
• temporary disk
  • on windows: D: drive
  • on linux: /dev/sdb (mounted to /mnt by the azure linux agent
• data disk
  • is a managed disk
  • registered as SCSI drive

availability sets

• virtual machines in an availability set should perform the identical set of functionalities
• virtual machines in an availability set should have the same software installed
• Azure ensures that virtual machines in an availability set run across multiple physical servers, compute racks, storage units, and network switches
• meaning, if a hardware or Azure software failure occurs, only a subset of the virtual machines in the availability set are affected
• each virtual machine in an availability set is placed in one update domain and one fault domain
  • update domain: a group of virtual machines and underlying physical hardware that can be updated and rebooted at the same time
  • fault domain: a group of virtual machines that share a common power source and network switch (represent a physical unit of failure)

availability zones

• an availability zone in an Azure region is a combination of a fault domain and an update domain
• unique physical locations within an Azure region
• each zone is made up of one or more datacenters
• minimum of three separate zones in all enabled regions
• zonal vs zone-redundant services

virtual machine scale sets

• can be used to deploy and manage a set of identical virtual machines
• true autoscaling
• support the use of Azure Load Balancer for basic layer-4 traffic distribution
• also support Azure Application Gateway for more advanced layer-7 traffic distribution and SSL termination
• support up to 1,000 VM instances and 600 if custom virtual machine images are used

azure app service

app service plans:

• Free: only offers 1 GB of disk size and 0 instances to host the app
• Basic: offers 10 GB of disk space and up to three virtual machines
• Standard: can host unlimited web apps, up to 50 GB of disk space, and up to 10 instances. will cost approximately $0.10/hour

• Premium: offers 250 GB of disk space and up to 30 instances, will cost approximately $0.20/hour

• free or shared tier:
  • run by receiving CPU minutes on a shared virtual machine instance
  • can’t scale out
• basic, standard, premium or isolated tier:
  • run on all virtual machine instances configured in the App Service plan
  • multiple applications in the same plan share the same virtual machine instances
  • if you have multiple deployment slots for an application, all deployment slots run on the same virtual machine instances
  • if you enable diagnostic logs, perform backups, or run WebJobs, these tasks use CPU cycles and memory on the same virtual machine instances

Feature	Free	Shared	Basic	Standard	Premium	Isolated
Disk space	1 GB	1 GB	10 GB	50 GB	250 GB	1 TB
Auto scale	n/a	n/a	n/a	Supported	Supported	Supported
Max instances	n/a	n/a	Up to 3	Up to 10	Up to 30	Up to 100

• app service name must be globally unique (webappces1.azurewebsites.net)
• deployment slots: own hostname, configuration can be swapped among each other
• custom domain name: either A record or CNAME record
• backup:
  • only available in standard and premium tiers
  • app configuration settings, file content, connected databases
  • partial or full backups
  • up to 10GB of app and database content
  • consists of a zip and xml file

Swapped settings	Slot-specific settings
General settings, such as framework version, 32/64-bit, web sockets	Custom domain names
App settings *	Nonpublic certificates and TLS/SSL settings
Connection strings *	Scale settings
Handler mappings	Always On
Public certificates	IP restrictions
WebJobs content	WebJobs schedulers
Hybrid connections **	Diagnostic settings
Service endpoints **	Cross-origin resource sharing (CORS)
Azure Content Delivery Network **	Virtual network integration
Path mapping	Managed identities
	Settings that end with the suffix _EXTENSION_VERSION

azure application insights

• feature of Azure Monitor

azure container instances

• fast startup time
• public ip connectivity and DNS names
• vnet deployment
• top-level resource in Azure Container Instances is the container group
  • a collection of containers that get scheduled on the same host machine
  • containers in a container group share a lifecycle, resources, local network, and storage volumes
  • similar to a pod in Kubernetes

azure container apps

types of containers:

• blob
• init
• privileged
• sidecar

Azure Container Apps doesn’t provide direct access to the underlying Kubernetes APIs. If you would like to build Kubernetes-style applications and don’t require direct access to all the native Kubernetes APIs and cluster management, Container Apps provides a fully managed experience based on best-practices.

Azure Container Instances (ACI) can be managed in several ways. Azure Container Apps (ACA) is one way, and Azure Kubernetes Service (AKS) is another.

• Containers provide lightweight isolation and use fewer system resources compared to virtual machines.
• Containers can be deployed individually using Docker or with an orchestrator like Azure Container Apps.
• Containers use Azure Disks or Azure Files for storage.
• A container group is a collection of containers that get scheduled on the same host machine.
• Containers can be rapidly recreated on another cluster node if a node fails.

unmanaged vs managed disks

With unmanaged disks, you’re responsible for the storage accounts that are used to hold the VHDs corresponding to your VM disks.

Managed disks are the newer (and recommended) disk-storage model. They elegantly solve the complexity of unmanaged disks by putting the burden of managing the storage accounts onto Azure. You specify the disk type (Premium or Standard) and the disk size, and Azure creates and manages both the disk and the storage it uses. You don’t have to worry about storage account limits, which makes them easier to scale out.

• Increased reliability: Azure ensures that VHDs associated with high-reliability VMs will be placed in different parts of Azure storage to provide similar levels of resilience.
• Better security: Managed disks are truly managed resources in the resource group. This means they can use role-based access control (RBAC) to restrict who can work with the VHD data.
• Snapshot support: You can use snapshots to create a read-only copy of a VHD. You have to shut down the owning VM, but creating the snapshot only takes a few seconds. Once it’s done, you can power on the VM and use the snapshot to create a duplicate VM to troubleshoot a production issue or roll back the VM to the point in time that the snapshot was taken.
• Backup support: You can automatically back up managed disks to different regions for disaster recovery with Azure Backup, all without affecting the service of the VM.

monitor

azure alerts The alert state is manually set by the user and does not have any automated logic behind it. The alert state can be either New, Acknowledged, or Closed.

azure monitor:

• monitor and visualize metrics
• query and analyze logs
• set up alerts and actions

tiers of monitoring data:

• application
• guest os
• azure resource
• azure subscription
• azure tenant

data types:

• The focus for metric-based data types is the numerical time-sensitive values that represent some aspect of the target resource.
• The focus for log-based data types is the querying of content data held in structured, record-based log files that are relevant to the target resource.

azure activity logs

• resource operations
• what, who, and when
• retention period: 90 days

categories:

• administrative
• service health
• resource health
• alert
• autoscale
• recommendation
• security
• policy

log analytics workspace

• KQL, e.g. summarize and render keywords

network watcher

• IP flow verify, properties:
  • Virtual machine and network interface
  • Local (source) port number
  • Remote (destination) IP address, and remote port number
  • Communication protocol (TCP or UDP)
  • Traffic direction (Inbound or Outbound)
• Next hop
  • Your subscription and resource group
  • Virtual machine and network interface
  • Source IP address
  • Destination IP address (If you want to confirm a specified target is reachable)
• VPN troubleshoot
• NSG diagnostics
• Connection troubleshoot

azure alerts

composition:

• resource
• condition
• actions
• alert details

azure monitor logs

layers:

• Host VM
• Guest operating system (OS)
• Client workloads
• Applications that run on the VM

backup

Recovery Time Objective (RTO) is the target time within which a business process must be restored after a disaster occurs to avoid unacceptable consequences. Recovery Point Objective (RPO) is the maximum amount of data loss, measured in time, that your organization can sustain during an event.

backup options:

• Azure Backup
  • scenarios: Back up Azure virtual machines running production workloads, Create application-consistent backups for both Windows and Linux virtual machines
  • description: Azure Backup takes a snapshot of your virtual machine and stores the data as recovery points in geo-redundant recovery vaults. When you restore from a recovery point, you can restore your entire virtual machine or specific files only.
• Azure Site Recovery
  • scenarios: Quickly and easily recover specific applications, Replicate to the Azure region of your choice
  • description: Azure Site Recovery protects your virtual machines from a major disaster scenario when a whole region experiences an outage due to a major natural disaster or widespread service interruption.
• Azure managed disks - snapshots
  • scenarios: Quickly and easily back up your virtual machines that use Azure managed disks at any point in time, Support development and test environments
  • description: An Azure managed disks snapshot is a read-only full copy of a managed disk stored as a standard managed disk by default. A snapshot exists independent of the source disk and can be used to create new managed disks. Each snapshot is billed based on the actual size used. If you create a snapshot of a managed disk with a capacity of 64 GB used only 10 GB, Azure bills you for 10 GB.
• Azure managed disks - image
  • scenarios: Create an image from your custom virtual hard disk (VHD) in an Azure storage account or directly from a generalized (via Sysprep) virtual machine, Create hundreds of virtual machines by using your custom image without copying or managing any storage account
  • description: Azure managed disks also support creating a managed custom image. This process captures a single image that contains all managed disks associated with a virtual machine, including both the operating system and data disks.

create recovery services vault (GRS is default, LRS is an option) -> define backup policy options -> back up your virtual machine Azure Backup extension requires Microsoft Azure Virtual Machine Agent to be present on the virtual machine

azure backup

aspects:

• Workload integration layer - Backup Extension. Integration with the actual workload (such as Azure VM or Azure Blobs) happens at this layer.
• Data Plane - Access Tiers. Three access tiers where the backups could be stored:
  • Snapshot tier
  • Standard tier
  • Archive tier
• Data Plane - Availability and Security. The backup data is replicated across zones or regions (based on the redundancy specified by the user).
• Management Plane – Recovery Services vault/Backup vault and Backup center. Vault provides an interface for the user to interact with the backup service.

misc:

• stores the backed-up data in Recovery Services vaults and Backup vaults.
• supports full backups and incremental backups

azure site recovery

Azure Site Recovery is a service that helps ensure business continuity by replicating workloads from a primary site to a secondary location

Azure recovery services vault #TODO

Azure site recovery #TODO

backup center #TODO

backup extensions #TODO

practice exams

azure import/export service: create dataset and driveset CSV file before LRS: 3 copies of data within a single physical location in the primary region storage net use: uses smb protocol and supports only account key for authentication

azure file sync has 3 fundamental management objects:

• azure file share
• server endpoint
• sync group

azure file sync has a conflict resolution strategy

DFS

First Action: Create a gateway subnet The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

Second Action: Create a VPN gateway The virtual network gateway uses the gateway subnet.

Third Action: Create a local network gateway A local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device.

Fourth Action: Create a VPN connection Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

TODO

azure registration network