AZ 104T00A ENU TrainerHandbook
AZ 104T00A ENU TrainerHandbook
AZ 104T00A ENU TrainerHandbook
Official
Course
AZ-104T00
Microsoft Azure
Administrator
AZ-104T00
Microsoft Azure Administrator
II Disclaimer
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2019 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/trademarks 1are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.
1 http://www.microsoft.com/trademarks
EULA III
13. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic
device that you personally own or control that meets or exceeds the hardware level specified for
the particular Microsoft Instructor-Led Courseware.
14. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led
Courseware. These classes are not advertised or promoted to the general public and class attend-
ance is restricted to individuals employed by or contracted by the corporate customer.
15. “Trainer” means (i) an academically accredited educator engaged by a Microsoft Imagine Academy
Program Member to teach an Authorized Training Session, (ii) an academically accredited educator
validated as a Microsoft Learn for Educators – Validated Educator, and/or (iii) a MCT.
16. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and
additional supplemental content designated solely for Trainers’ use to teach a training session
using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint
presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs,
classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not
include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one
copy per user basis, such that you must acquire a license for each individual that accesses or uses the
Licensed Content.
●● 2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
1. If you are a Microsoft Imagine Academy (MSIA) Program Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instruc-
tor-Led Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User who is enrolled in the Authorized Training Session, and only immediately
prior to the commencement of the Authorized Training Session that is the subject matter
of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they
can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure each End User attending an Authorized Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Authorized Training Session,
3. you will ensure that each End User provided with the hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
EULA V
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agree-
ment in a manner that is enforceable under local law prior to their accessing the Micro-
soft Instructor-Led Courseware,
4. you will ensure that each Trainer teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified Trainers who have in-depth knowledge of and experience with
the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware
being taught for all your Authorized Training Sessions,
6. you will only deliver a maximum of 15 hours of training per week for each Authorized
Training Session that uses a MOC title, and
7. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer
resources for the Microsoft Instructor-Led Courseware.
2. If you are a Microsoft Learning Competency Member:
1. Each license acquire may only be used to review one (1) copy of the Microsoft Instruc-
tor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Course-
ware is in digital format, you may install one (1) copy on up to three (3) Personal Devices.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or
control.
2. For each license you acquire on behalf of an End User or MCT, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Authorized Training Session and only immediately prior to
the commencement of the Authorized Training Session that is the subject matter of the
Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) MCT with the unique redemption code and instructions on how
they can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending an Authorized Training Session has their
own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of
the Authorized Training Session,
3. you will ensure that each End User provided with a hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agree-
ment in a manner that is enforceable under local law prior to their accessing the Micro-
soft Instructor-Led Courseware,
VI EULA
4. you will ensure that each MCT teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified MCTs who also hold the applicable Microsoft Certification
credential that is the subject of the MOC title being taught for all your Authorized
Training Sessions using MOC,
6. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
7. you will only provide access to the Trainer Content to MCTs.
3. If you are a MPN Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instruc-
tor-Led Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Private Training Session, and only immediately prior to the
commencement of the Private Training Session that is the subject matter of the Micro-
soft Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the
unique redemption code and instructions on how they can access one (1) Trainer
Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending an Private Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Private Training Session,
3. you will ensure that each End User provided with a hard copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agree-
ment in a manner that is enforceable under local law prior to their accessing the Micro-
soft Instructor-Led Courseware,
4. you will ensure that each Trainer teaching an Private Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Private Training Session,
EULA VII
5. you will only use qualified Trainers who hold the applicable Microsoft Certification
credential that is the subject of the Microsoft Instructor-Led Courseware being taught
for all your Private Training Sessions,
6. you will only use qualified MCTs who hold the applicable Microsoft Certification creden-
tial that is the subject of the MOC title being taught for all your Private Training Sessions
using MOC,
7. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
8. you will only provide access to the Trainer Content to Trainers.
4. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for
your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you
may access the Microsoft Instructor-Led Courseware online using the unique redemption code
provided to you by the training provider and install and use one (1) copy of the Microsoft
Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy
of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led
Courseware on a device you do not own or control.
5. If you are a Trainer.
1. For each license you acquire, you may install and use one (1) copy of the Trainer Content in
the form provided to you on one (1) Personal Device solely to prepare and deliver an
Authorized Training Session or Private Training Session, and install one (1) additional copy
on another Personal Device as a backup copy, which may be used only to reinstall the
Trainer Content. You may not install or use a copy of the Trainer Content on a device you do
not own or control. You may also print one (1) copy of the Trainer Content solely to prepare
for and deliver an Authorized Training Session or Private Training Session.
2. If you are an MCT, you may customize the written portions of the Trainer Content that are
logically associated with instruction of a training session in accordance with the most recent
version of the MCT agreement.
3. If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private
Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any
use of “customize” refers only to changing the order of slides and content, and/or not using
all the slides or content, it does not mean changing or modifying any slide or content.
●● 2.2 Separation of Components. The Licensed Content is licensed as a single unit and you
may not separate their components and install them on different devices.
●● 2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights
above, you may not distribute any Licensed Content or any portion thereof (including any permit-
ted modifications) to any third parties without the express written permission of Microsoft.
●● 2.4 Third Party Notices. The Licensed Content may include third party code that Micro-
soft, not the third party, licenses to you under this agreement. Notices, if any, for the third party
code are included for your information only.
●● 2.5 Additional Terms. Some Licensed Content may contain components with additional
terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions
and licenses also apply to your use of that respective component and supplements the terms
described in this agreement.
VIII EULA
laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property
rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regula-
tions. You must comply with all domestic and international export laws and regulations that apply to
the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is provided “as is”, we are not obligated to
provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible
for the contents of any third party sites, any links contained in third party sites, or any changes or
updates to third party sites. Microsoft is not responsible for webcasting or any other form of trans-
mission received from any third party sites. Microsoft is providing these links to third party sites to
you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft
of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
1. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
2. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILA-
BLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO
EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CON-
SUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILI-
ATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICU-
LAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO
US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST
PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
X EULA
Start Here
About this Course
Course Description
This course teaches IT Professionals how to manage their Azure subscriptions, secure identities, adminis-
ter the infrastructure, configure virtual networking, connect Azure and on-premises sites, manage
network traffic, implement storage solutions, create and scale virtual machines, implement web apps and
containers, back up and share data, and monitor your solution.
Level: Intermediate
Audience
This course is for Azure Administrators. Azure Administrators manage the cloud services that span
storage, networking, and compute cloud capabilities, with a deep understanding of each service across
the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations
on services to use for optimal performance and scale, as well as provision, size, monitor and adjust as
appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use
the Azure Portal and as they become more proficient they use PowerShell and the Command Line
Interface.
Prerequisites
Successful Azure Administrators start this role with experience in virtualization, networking, identity, and
storage.
●● Understanding on-premises virtualization technologies, including: VMs, virtual networking, and virtual
hard disks.
●● Understanding network configurations, including TCP/IP, Domain Name System (DNS), virtual private
networks (VPNs), firewalls, and encryption technologies.
●● Understanding Active Directory concepts, including users, groups, and role-based access control.
●● Understanding resilience and disaster recovery, including backup and restore operations.
2
You can gain the prerequisites and a better understanding of Azure by taking AZ-104: Prerequisites for
Azure Administrators1. This free online training will give you the experience you need to be successful in
this course.
Expected learning
●● Secure identities with Azure Active Directory and users and groups.
●● Manage subscriptions, accounts, Azure policies, and Role-Based Access Control.
●● Administer Azure using the Resource Manager, Azure portal, Cloud Shell, Azure PowerShell, CLI, and
ARM templates.
●● Configure virtual networks including planning, IP addressing, Azure DNS, Network Security Groups,
and Azure Firewall.
●● Configure intersite connectivity solutions like VNet Peering, virtual network gateways, and Site-to-Site
VPN connections.
●● Manage network traffic using network routing and service endpoints, Azure load balancer, and Azure
Application Gateway.
●● Implement, manage and secure Azure storage accounts, blob storage, and Azure files with File Sync.
●● Plan, create, and scale virtual machines.
●● Administer Azure App Service, Azure Container Instances, and Kubernetes.
●● Backup files, folders, and virtual machines.
●● Monitor the Azure infrastructure with Azure Monitor, Azure alerts, Log Analytics, and Network Watch-
er.
Syllabus
The course content includes a mix of content, demonstrations, hands-on labs, reference links, and
knowledge check questions.
Module 01 - Administer Identity
In this module, you will learn how to secure identities with Azure Active Directory, and implement users
and groups. This module includes:
●● Configure Azure Active Directory
●● Configure User and Group Accounts
●● Lab 01 - Manage Azure Active Directory Identities
Module 02 – Administer Governance and Compliance
In this module, you will learn about managing your subscriptions and accounts, implementing Azure
policies, and using Role-Based Access Control. This module includes:
●● Configure Subscriptions and Accounts
●● Configure Azure Policy
●● Configure Role-Based Access Control (RBAC)
●● Lab 02a - Manage Subscriptions and RBAC
●● Lab 02b - Manage Governance via Azure Policy
1 https://docs.microsoft.com/learn/paths/az-104-administrator-prerequisites/
3
2 https://docs.microsoft.com/learn/certifications/exams/az-104
3 https://docs.microsoft.com/learn/paths/az-104-administrator-prerequisites/
4 https://docs.microsoft.com/learn/paths/az-104-manage-identities-governance/
5 https://docs.microsoft.com/learn/paths/az-104-manage-storage/
6 https://docs.microsoft.com/learn/paths/az-104-manage-compute-resources/
7 https://docs.microsoft.com/learn/paths/az-104-manage-virtual-networks/
8 https://docs.microsoft.com/learn/paths/az-104-monitor-backup-resources/
9 https://azure.microsoft.com/support/community/
10 https://docs.microsoft.com/azure/
11 https://azure.microsoft.com/blog/
12 https://techcommunity.microsoft.com/t5/microsoft-learn-blog/bg-p/MicrosoftLearnBlog
6
3. Copy down your Azure Pass and follow the directions for redeeming it.
4. Once you have created your trial Azure Subscription, you will need to follow the directions in each of
the Lab module in this course to launch the lab environment.
Note: You only need to click the “Obtain Azure Pass” button once. If you click the button again after
already being assigned an Azure Pass, our platform will recognize this and will present you with the same
Azure Pass number.**
Module 1 Administer Identity
Skills measured
Managing Azure Active Directory features is a part of Exam AZ-104: Microsoft Azure Administrator1.
Manage Azure identities and governance (15-20%)
Manage Azure AD objects
●● Configure Azure AD Join.
●● Configure Self-Service Password Reset.
Learning objectives
In this module, you will learn how to:
●● Identify the features and uses of Azure Active Directory.
●● Define the main Azure Active Directory components such as identity, account and tenant.
●● Compare Azure Active Directory to Azure Directory Domain Services.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
8
Prerequisites
None
●● Protect sensitive data and applications. You can enhance application access security with unique
identity protection capabilities. This includes a consolidated view into suspicious sign-in activities and
potential vulnerabilities. You can also take advantage of advanced security reports, notifications,
remediation recommendations, and risk-based policies.
●● Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as
resetting passwords and the creation and management of groups to your employees. Providing
self-service application access and password management through verification steps can reduce
helpdesk calls and enhance security.
Note: If you are a Microsoft 365, Azure, or Dynamics CRM Online customer, you might not realize that
you are already using Azure AD. Every Microsoft 365, Azure and Dynamics CRM tenant is already an
Azure AD tenant. Whenever you want you can start using that tenant to manage access to thousands of
other cloud applications Azure AD integrates with.
virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD
that make it different.
●● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based
applications by using HTTP and HTTPS communications.
●● REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP.
Instead, Azure AD uses the REST API over HTTP and HTTPS.
●● Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos
authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID
Connect for authentication (and OAuth for authorization).
●● Federation Services. Azure AD includes federation services, and many third-party services (such as
Facebook).
●● Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organiza-
tional Units (OUs) or Group Policy Objects (GPOs).
Note: Azure AD is a managed service. You only manage the users, groups, and policies. Deploying AD DS
with virtual machines using Azure means that you manage the deployment, configuration, virtual ma-
chines, patching, and other backend tasks.
Azure Active Directory Free. Provides user and group management, on-premises directory synchroniza-
tion, basic reports, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
Azure Active Directory Microsoft 365 Apps. This edition is included with O365. In addition to the Free
features, this edition provides Identity & Access Management for Microsoft 365 apps including branding,
MFA, group access management, and self-service password reset for cloud users.
Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users
access both on-premises and cloud resources. It also supports advanced administration, such as dynamic
groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access
management suite) and cloud write-back capabilities, which allow self-service password reset for your
on-premises users.
Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active
Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical
company data. Privileged Identity Management is included to help discover, restrict, and monitor admin-
istrators and their access to resources and to provide just-in-time access when needed.
Note: The Azure Active Directory Pricing2 page has detailed information on what is included in each of
the editions. Based on the feature list which edition does your organization need?
Azure AD Join is designed to provide access to organizational apps and resources and to simplify Win-
dows deployments of work-owned devices. AD Join has these benefits.
●● Single-Sign-On (SSO) to your Azure-managed SaaS apps and services. Your users won't have
additional authentication prompts when accessing work resources. The SSO functionality is available
even when users are not connected to the domain network.
●● Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect to
a Microsoft account (for example, Hotmail) to observe settings across devices.
●● Access to Microsoft Store for Business using an Azure AD account. Your users can choose from an
inventory of applications pre-selected by the organization.
●● Windows Hello support for secure and convenient access to work resources.
●● Restriction of access to apps from only devices that meet compliance policy.
2 https://azure.microsoft.com/pricing/details/active-directory
12
●● Seamless access to on-premise resources when the device has line of sight to the on-premises
domain controller.
Connection options
To get a device under the control of Azure AD, you have two options:
●● Registering a device to Azure AD enables you to manage a device’s identity. Azure AD device
registration provides the device with an identity that is used to authenticate the device when a user
signs-in to Azure AD. You can use the identity to enable or disable a device.
●● Joining a device is an extension to registering a device. Joining provides the benefits of registering
and changes the local state of a device. Changing the local state enables your users to sign-in to a
device using an organizational work or school account instead of a personal account.
Note: Registration combined with a mobile device management (MDM) solution such as Microsoft
Intune, provides additional device attributes in Azure AD. You can create conditional access rules that
enforce access from devices to meet your standards for security and compliance.
Note: Although AD Join is intended for organizations that do not have on-premises Windows Server
Active Directory infrastructure it can be used for other scenarios like branch offices.
The Selected option is useful for creating specific groups who have self-service password reset enabled.
You can create group for testing or proof of concept before deploying to a larger group. Once you are
ready to deploy this functionality to all users with accounts in your AD Tenant, you can change the setting
to All.
Authentication methods
After enabling password reset for user and groups, you pick the number of authentication methods
required to reset a password and the number of authentication methods available to users.
At least one authentication method is required to reset a password. It is a good idea to have other
methods available. You can choose from email notification, a text, or code sent to user’s mobile or office
phone, or a set of security questions.
13
You can require a security questions to be registered for the users in your AD tenant. You can also
configure how many correctly answered security questions are required for a successful password reset.
Security questions can be less secure than other methods because some people might know the answers
to another user's questions.
Note: Azure Administrator accounts can always reset their passwords no matter what options are
configured.
Knowledge check
Multiple choice
Your users want to sign-in to devices, apps, and services from anywhere. They want to sign-in using an
organizational work or school account instead of a personal account. You must ensure corporate assets are
protected and that devices meet standards for security and compliance. Specifically, you need to be able to
enable or disable a device. What should you do? Select one.
Enable the device in Azure AD.
Join the device to Azure AD.
Register the device with Azure AD.
14
Multiple choice
A dedicated and trusted instance of Azure AD is referred to as:
An Azure tenant
An Azure identity
An Azure account
Multiple choice
You are configuring Self-service Password Reset. Which of the following is not a validation method? Select
one.
An email notification.
A text or code sent to a user's mobile or office phone.
A paging service.
A set of security questions
Learn more
You can learn more by reviewing the following.
●● Azure Active Directory Documentation3
●● Azure AD device identity documentation4
●● Azure AD self-service password reset5
●● Learn - Allow users to reset their password with Azure Active Directory self-service password
reset6
3 https://docs.microsoft.com/azure/active-directory/
4 https://docs.microsoft.com/azure/active-directory/devices/
5 https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks
6 https://docs.microsoft.com/learn/modules/allow-users-reset-their-password/
15
●● Learn - Manage device identity with Azure AD join and Enterprise State Roaming7
7 https://docs.microsoft.com/learn/modules/manage-device-identity-ad-join/
16
Skills measured
Managing user and groups accounts is part of Exam AZ-104: Microsoft Azure Administrator8.
Manage Azure identities and governance (15-20%)
Manage Azure AD objects
●● Create users and groups.
●● Manage user and group properties.
●● Manage device settings.
●● Perform bulk user updates.
●● Manage guest accounts.
Learning objectives
In this module, you will learn how to:
●● Configure users accounts and user account properties.
●● Create new user accounts.
●● Import bulk user accounts with a template.
●● Configure group accounts and assignment types.
Prerequisites
None
8 https://docs.microsoft.com/learn/certifications/exams/az-104
17
Azure Portal
You can add new users through the Azure Portal. In addition to Name and User name, there is profile
information like Job Title and Department.
Example
Consider the example of a large university that's made up of many autonomous schools (School of
Business, School of Engineering, and so on). Each school has a team of IT admins who control access,
manage users, and set policies for their school.
A central administrator could:
●● Create a role with administrative permissions over only Azure AD users in the business school admin-
istrative unit.
●● Create an administrative unit for the School of Business.
●● Populate the administrative unit with only the business school students and staff.
●● Add the business school IT team to the role, along with its scope.
20
Considerations
●● You can manage administrative units by using the Azure portal, PowerShell cmdlets and scripts, or
Microsoft Graph.
●● In the portal, you can manage administrative units if you are a Global Administrator or a Privileged
Role Administrator.
●● Administrative units apply scope only to management permissions. They don't prevent members or
administrators from using their default user permissions to browse other users, groups, or resources
outside the administrative unit.
Knowledge check
Multiple choice
You are assigning Azure AD roles. Which role will allow the user to manage all the groups in your Teams
tenants and be able to assign other administrator roles? Select one.
Password administrator
Security administrator
Global administrator
Multiple choice
You would like to add a user who has a Microsoft account to your subscription. Which type of user account is
this? Select one.
Cloud identity
Directory-Synchronized identity
Guest User
Multiple choice
If you delete a user account by mistake, can it be restored? Select one.
When a user account is deleted, it's gone forever and can't be restored.
The user account can be restored, but only when it's created within the last 30 days.
The user account can be restored, but only when it's deleted within the last 30 days.
Multiple choice
Which of the following roles has full access to manage all resources but does not allow you to assign roles?
Select one.
Owner
Contributor
Reader
22
Learn more
You can learn more by reviewing the following.
●● Azure Active Directory fundamentals documentation9
●● Learn - Manage users and groups in Azure Active Directory10
●● Learn - Create Azure users and groups in Azure Active Directory11
9 https://docs.microsoft.com/azure/active-directory/fundamentals/
10 https://docs.microsoft.com/learn/modules/manage-users-and-groups-in-aad/
11 https://docs.microsoft.com/learn/modules/create-users-and-groups-in-azure-active-directory/
23
Module 01 Lab
Lab 01 - Manage Azure Active Directory Identi-
ties
Lab scenario
In order to allow Contoso users to authenticate by using Azure AD, you have been tasked with provision-
ing users and group accounts. Membership of the groups should be updated automatically based on the
user job titles. You also need to create a test Azure AD tenant with a test user account and grant that
account limited permissions to resources in the Contoso Azure subscription.
Objectives
In this lab, you will:
●● Task 1: Create and configure Azure AD users.
●● Task 2: Create Azure AD groups with assigned and dynamic membership.
●● Task 3: Create an Azure Active Directory (AD) tenant.
●● Task 4: Manage Azure AD guest users.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed)
24
Answers
Multiple choice
Your users want to sign-in to devices, apps, and services from anywhere. They want to sign-in using an
organizational work or school account instead of a personal account. You must ensure corporate assets
are protected and that devices meet standards for security and compliance. Specifically, you need to be
able to enable or disable a device. What should you do? Select one.
Enable the device in Azure AD.
■■ Join the device to Azure AD.
Register the device with Azure AD.
Explanation
Join the device to Azure AD. Joining a device is an extension to registering a device. This means, it provides
you with all the benefits of registering a device, like being able to enable or disable the device. In addition, it
also changes the local state of a device. Changing the local state enables your users to sign-in to a device
using an organizational work or school account instead of a personal account.
Multiple choice
A dedicated and trusted instance of Azure AD is referred to as:
■■ An Azure tenant
An Azure identity
An Azure account
Explanation
A dedicated and trusted instance of Azure AD is referred to as an Azure tenant or directory.
Multiple choice
You are configuring Self-service Password Reset. Which of the following is not a validation method?
Select one.
An email notification.
A text or code sent to a user's mobile or office phone.
■■ A paging service.
A set of security questions
Explanation
A paging service. At least one authentication method is required to reset a password. Choices include email
notification, a text or code sent to user’s mobile or office phone, or a set of security questions.
25
Multiple choice
You are assigning Azure AD roles. Which role will allow the user to manage all the groups in your Teams
tenants and be able to assign other administrator roles? Select one.
Password administrator
Security administrator
■■ Global administrator
Explanation
Global administrator. Only the global administrator can manage groups across tenants and assign other
administrator roles.
Multiple choice
You would like to add a user who has a Microsoft account to your subscription. Which type of user
account is this? Select one.
Cloud identity
Directory-Synchronized identity
■■ Guest User
Explanation
Guest user. Guest users are users added to Azure AD from a third party like Microsoft or Google.
Multiple choice
If you delete a user account by mistake, can it be restored? Select one.
When a user account is deleted, it's gone forever and can't be restored.
The user account can be restored, but only when it's created within the last 30 days.
■■ The user account can be restored, but only when it's deleted within the last 30 days.
Explanation
The user account can be restored, but only when it's deleted within the last 30 days. A user account can be
restored when it's deleted within the last 30 days.
Multiple choice
Which of the following roles has full access to manage all resources but does not allow you to assign
roles? Select one.
Owner
■■ Contributor
Reader
Explanation
Contributor. Grants full access to manage all resources, but does not allow you to assign roles.
Module 2 Administer Governance and Compli-
ance
Configure Subscriptions
Introduction
Scenario
Your company is moving to Azure. As a first step, they are need to obtain an Azure subscription.
You are responsible for obtaining an Azure subcription for your company. You are also responsible for
effective management of costs.
Skills measured
Managing Azure subscriptions is part of Exam AZ-104: Microsoft Azure Administrator1.
Manage Azure identities and governance (15-20%)
Manage subscriptions and governance
●● Apply tags.
●● Manage subscriptions.
●● Configure Cost Management.
Learning objectives
In this module, you will learn how to:
●● Determine the correct region to locate Azure services.
●● Identify features and usage cases for Azure subscriptions.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
28
Prerequisites
None
Identify Regions
Microsoft Azure is made up of datacenters located around the globe. These datacenters are organized
and made available to end users by region. A region2 is a geographical area on the planet containing at
least one, but potentially multiple datacenters. The datacenters are in close proximity and networked
together with a low-latency network.
A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West.
Azure is generally available in 60+ regions and available in 140 countries.
2 https://azure.microsoft.com/global-infrastructure/regions/
29
●● Some global Azure services that do not require you to select a region. These services include Azure
Active Directory, Microsoft Azure Traffic Manager, and Azure DNS.
●● Each Azure region is paired with another region within the same geography, together making a
regional pair. The exception is Brazil South, which is paired with a region outside its geography.
Note: View the latest Azure regions map.3
3 https://azure.microsoft.com/global-infrastructure/regions/
4 https://docs.microsoft.com/azure/best-practices-availability-paired-regions#what-are-paired-regions
30
Azure Accounts
Subscriptions have accounts. An Azure account is simply an identity in Azure Active Directory (Azure AD)
or in a directory that is trusted by Azure AD, such as a work or school organization. If you don't belong to
one of these organizations, you can sign up for an Azure account by using your Microsoft Account, which
is also trusted by Azure AD.
Obtain a Subscription
There are several ways to get an Azure subscription: Enterprise agreements, Microsoft resellers, Microsoft
partners, and a personal free account.
31
Enterprise agreements
Any Enterprise Agreement5 customer can add Azure to their agreement by making an upfront monetary
commitment to Azure. That commitment is consumed throughout the year by using any combination of
the wide variety of cloud services Azure offers. Enterprise agreements have a 99.95% monthly SLA.
Reseller
Buy Azure through the Open Licensing program6, which provides a simple, flexible way to purchase
cloud services from your Microsoft reseller. If you already purchased an Azure in Open license key,
activate a new subscription or add more credits now7.
Partners
Find a Microsoft partner8 who can design and implement your Azure cloud solution. These partners
have the business and technology expertise to recommend solutions that meet the unique needs of your
business.
5 https://azure.microsoft.com/pricing/enterprise-agreement/
6 https://www.microsoft.com/licensing/licensing-programs/open-license.aspx
7 https://azure.microsoft.com/offers/ms-azr-0111p/
8 https://azure.microsoft.com/partners/directory/
9 https://azure.microsoft.com/free/
32
Cost Management shows organizational cost and usage patterns with advanced analytics. Reports in Cost
Management show the usage-based costs consumed by Azure services and third-party Marketplace
offerings. Costs are based on negotiated prices and factor in reservation and Azure Hybrid Benefit
discounts. Collectively, the reports show your internal and external costs for usage and Azure Market-
33
place charges. Other charges, such as reservation purchases, support, and taxes are not yet shown in
reports. The reports help you understand your spending and resource use and can help find spending
anomalies. Predictive analytics are also available. Cost Management uses Azure management groups,
budgets, and recommendations to show clearly how your expenses are organized and how you might
reduce costs.
You can use the Azure portal or various APIs for export automation to integrate cost data with external
systems and processes. Automated billing data export and scheduled reports are also available.
Perhaps one of the best uses of tags is to group billing data. When you download the usage CSV for
services, the tags appear in the Tags column. You could then group virtual machines by cost center and
production environment.
Considerations
There are a few things to remember about tagging:
●● Each resource or resource group can have a maximum of 50 tag name/value pairs.
●● Tags applied to the resource group are not inherited by the resources in that resource group.
Note: When you need to create a lot of resource tags you will want to do that programmatically. You can
use PowerShell or the CLI.
The Pricing Calculator10 provides estimates in all areas of Azure including compute, networking, storage,
web, and databases.
Knowledge check
Multiple choice
Your company financial comptroller wants to be notified whenever the company is half-way to spending the
money allocated for cloud services. What should you do? Select one.
Create an Azure reservation.
Create a budget and a spending threshold.
Create a management group.
Enter workloads in the Total Cost of Ownership calculator.
Multiple choice
What tool can you use to gain greater visibility into your spending patterns? Select one.
Cost Insights
Cost Analysis
Your invoice
10 https://azure.microsoft.com/pricing/calculator/
36
Multiple choice
Your company is concerned about cost and provisioning too many virtual machines at once. What's the best
way to control resource provisioning? Select one.
Change your subscription to pay as you go.
Apply spending limits to the development team's Azure subscription.
Verbally give the managers a budget and hold them accountable for overages.
Multiple choice
The leadership team wants information on resource costs by departments. What's the best way to categorize
costs by department? Select one.
Apply a tag to each resource that identifies the appropriate billing department.
Split the cost evenly between departments.
Keep a spreadsheet that lists each team's resources.
Multiple choice
An Azure subscription ... Select one.
is a logical container used to provision resources in Azure
is associated with a single department or organization
represents a single domain
Learn more
You can learn more by reviewing the following.
●● What is Azure Cost Management + Billing?11
●● Create an additional Azure subscription12
●● Learn - Analyze costs and create budgets with Azure Cost Management13
●● Learn - Predict costs and optimize spending for Azure14
11 https://docs.microsoft.com/azure/cost-management-billing/cost-management-billing-overview
12 https://docs.microsoft.com/azure/cost-management-billing/manage/create-subscription
13 https://docs.microsoft.com/learn/modules/analyze-costs-create-budgets-azure-cost-management/
14 https://docs.microsoft.com/learn/modules/predict-costs-and-optimize-spending/
38
Skills measured
Azure policies is part of Exam AZ-104: Microsoft Azure Administrator15.
Manage Azure identities and governance (15–20%)
Manage subscriptions and governance
●● Configure Azure policies.
●● Configure management groups.
Learning objectives
In this module, you will learn how to:
●● Create management groups to target policies and spend budgets.
●● Implement Azure policy with policy and initiative definitions.
●● Scope Azure policies and determine compliance.
Prerequisites
None
15 https://docs.microsoft.com/learn/certifications/exams/az-104
39
All subscriptions within a management group automatically inherit the conditions applied to the manage-
ment group. For example, you can apply policies to a management group that limits the regions available
for virtual machine (VM) creation. This policy would be applied to all management groups, subscriptions,
and resources under that management group by only allowing VMs to be created in that region.
●● The Management Group ID is the directory unique identifier that is used to submit commands on
this management group. This identifier is not editable after creation as it is used throughout the Azure
system to identify this group.
●● The Display Name field is the name that is displayed within the Azure portal. A separate display
name is an optional field when creating the management group and can be changed at any time.
Note: Do you think you will use Management Groups? If so, how do you plan to implement them?
The main advantages of Azure policy are in the areas of enforcement and compliance, scaling, and
remediation.
●● Enforcement and compliance. Turn on built-in policies or build custom ones for all resource types.
Real-time policy evaluation and enforcement. Periodic and on-demand compliance evaluation.
●● Apply policies at scale. Apply policies to a Management Group with control across your entire
organization. Apply multiple policies and aggregate policy states with policy initiative. Define an
exclusion scope.
●● Remediation. Real-time remediation, and remediation on existing resources.
Azure Policy will be important to you if your team runs an environment where you need to govern:
●● Multiple engineering teams (deploying to and operating in the environment)
●● Multiple subscriptions
●● Need to standardize/enforce how cloud resources are configured
●● Manage regulatory compliance, cost control, security, or design consistency
Use Cases
●● Specify the resource types that your organization can deploy.
●● Specify a set of virtual machine SKUs that your organization can deploy.
●● Restrict the locations your organization can specify when deploying resources.
●● Enforce a required tag and its value.
●● Audit if Azure Backup service is enabled for all Virtual machines.
scope can be exempted from having policy rules affect it. Exclusions are handled individually for each
assignment.
Note: Even if you have only a few Policy Definitions, we recommend creating an Initiative Definition.
when there isn't an applicable policy you can add a new Policy Definition. You can import a policy
definitions from GitHub16. New Policy Definitions are added almost every day.
16 https://github.com/Azure/azure-policy/tree/master/samples
42
You can select the Subscription, and then optionally a Resource Group.
43
Determine Compliance
Once your policy is in place, you can use the Compliance blade to review non-compliant initiatives,
non-compliant policies, and non-compliant resources.
Policy conditions are evaluated against your existing resources. When the condition is met, those resourc-
es are marked as non-compliant. Although the portal does not show the evaluation logic, the compliance
state results are shown. The compliance state result is either compliant or non-compliant.
Note: Policy evaluation occurs about once an hour.
Knowledge check
Multiple choice
Your organization has several Azure policies that they would like to create and enforce for a new branch
office. What should you do? Select one.
Create a policy initiative
Create a management group
Create a new subscriptions
Multiple choice
You would like to categorize resources and billing for different departments like IT and HR. The billing needs
to be consolidated across multiple resource groups and you need to ensure everyone complies with the
solution. You have created tags for each department, like department:HR. What should you do next?
Create a billing group for each department
Create an Azure policy
Create a subscription account rule
Multiple choice
Your company wants to enure that only cost-effective virtual machine SKU sizes are deployed. What should
you do? Select one.
Periodically inspect the deployment to see which SKU sizes are used
Create an Azure RBAC role that defines the allowed virtual machine SKU sizes
Create a policy in Azure Policy that specifies the allowed SKU sizes
Multiple choice
Which of the following can be used to manage governance across multiple Azure subscriptions?
Azure initiatives
Resource groups
Management groups
Learn more
You can learn more by reviewing the following.
●● Azure Policy Documentation17
●● Learn - Apply and monitor infrastructure standards with Azure Policy18
●● Learn - Build a cloud governance strategy on Azure19
17 https://docs.microsoft.com/azure/azure-policy/
18 https://docs.microsoft.com/learn/modules/intro-to-governance/
19 https://docs.microsoft.com/learn/modules/analyze-costs-create-budgets-azure-cost-management/
47
Skills measured
Role- based access control is part of Exam AZ-104: Microsoft Azure Administrator20.
Manage Azure identities and governance (15-20%)
Manage role-based access control (RBAC)
●● Create a custom role.
●● Provide access to Azure resources by assigning roles at different scopes.
●● Interpret access assignments.
Learning objectives
In this module, you will learn how to:
●● Identify the features and usage cases for role-based access control.
●● List and create role definitions.
●● Create role assignments.
●● Identify the differences between Azure role-based access control and Azure Active Directory roles.
●● Manage access to subscriptions using role-based access control.
●● Review the built-in Azure role-based access control roles.
Prerequisites
None
20 https://docs.microsoft.com/learn/certifications/exams/az-104
48
Concepts
●● Security principal. Object that represents something that is requesting access to resources. Examples:
user, group, service principal, managed identity
●● Role definition. Collection of permissions that lists the operations that can be performed. Examples:
Reader, Contributor, Owner, User Access Administrator
●● Scope. Boundary for the level of access that is requested. Examples: management group, subscription,
resource group, resource
●● Assignment. Attaching a role definition to a security principal at a particular scope. Users can grant
access described in a role definition by creating an assignment. Deny assignments are currently
read-only and can only be set by Azure.
Considerations
Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to
users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your
Azure subscription or resources, you can allow only certain actions at a particular scope.
When planning your access control strategy, it's a best practice to grant users the least privilege to get
their work done. The following diagram shows a suggested pattern for using Azure RBAC.
In this example, the Owner role means all (asterisk) actions, no denied actions, and all (/) scopes.
Name: Owner
ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb65
IsCustom: False
Description: Manage everything, including access to resources
Actions: {*}
NotActions: {}
AssignableScopes: {/}
[resource]
Example 1
Make a role available for assignment in two subscriptions.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”, “/subscriptions/
e91d47c4-76f3-4271-a796-21b4ecfe3624”
Example 2
Makes a role available for assignment only in the Network resource group.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Net-
work”
Note: Do you understand how Azure AD Admin roles and Azure RBAC roles work together to authenti-
cate users?
Knowledge check
Multiple choice
Your company hires a new IT administrator. She needs to manage a resource group with first-tier web
servers including assigning permissions. However, she should not have access to other resource groups
inside the subscription. You need to configure role-based access. What should you do? Select one.
Assign her as a Subscription Contributor.
Assign her as a Resource Group Owner.
Assign her as a Resource Group Contributor.
Multiple choice
You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new
employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your
solution must minimize administrative overhead. What should you do? Select one.
Assign the user to the Contributor role on the resource group.
Assign the user to the Contributor role on VM3.
Move VM3 to a new resource group and assign the user to the Contributor role on VM3.
54
Multiple choice
Your company wants to allow some users to control the virtual machines in each environment. These users
should be prevented from modifying networking and other resources in the same resource group or Azure
subscription. What should you do? Select one.
Create a policy in Azure Policy that audits resource usage
Split the environment into separate resource groups
Create a role assignment through Azure RBAC
Multiple choice
Suppose a team member can't view resources in a resource group. Where would the administrator go to
check the team member's access? Select one.
Check the team member's permissions by going to their Azure profile > My permissions.
Go to the resource group and select Access control (IAM) > Role assignments.
Go to one of the resources in the resource group and select Role assignments.
Multiple choice
A user who had Owner access to a subscription is leaving the company. No one else has access to this
subscription. How can you grant another employee access to this subscription? Select one.
Use the Azure portal to elevate your own access.
Ask the former employee for their password.
Ask the former employee to sign in and select a different employee to grant their permissions to.
Multiple choice
What's included in a custom Azure role definition? Select one.
The assignment of the custom role
Operations allowed for Azure resources and the scope of permissions
Actions and DataActions operations that you can scope to the tenant level
Multiple choice
What information does an Action provide in a role definition? Select one.
An Action provides the allowed management capabilities for the role.
An Action determines what data the role can manipulate.
An Action decides what resource the role is applied to.
55
Multiple choice
How are NotActions used in a role definition? Select one.
NotActions are subtracted from the Actions to define the list of permissible operations.
NotActions are consulted after Actions to deny access to a specific operation.
NotActions allow you to specify a single operation that is not allowed.
Learn more
You can learn more by reviewing the following.
●● Azure RBAC documentation21
●● Learn - Create custom roles for Azure resources with role-based access control22
●● Learn - Manage access to an Azure subscription by using Azure role-based access control23
●● Learn - Secure your Azure resources with role-based access control24
21 https://docs.microsoft.com/azure/role-based-access-control/
22 https://docs.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/
23 https://docs.microsoft.com/learn/modules/manage-subscription-access-azure-rbac/
24 https://docs.microsoft.com/learn/modules/secure-azure-resources-with-rbac/
56
Module 02 Lab
Lab 02a - Manage Subscriptions and Azure
RBAC
Lab scenario
To improve the management of Azure resources in Contoso, you have been tasked with implementing
the following functionality:
●● using management groups for the Contoso's Azure subscriptions.
●● granting user permissions for submitting support requests. This user would only be able to create
support request tickets and view resource groups.
Objectives
In this lab, you will:
●● Task 1: Implement Management Groups.
●● Task 2: Create custom RBAC roles.
●● Task 3: Assign RBAC roles.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed)
●● ensuring that only properly tagged infrastructure resoures can be added to infrastructure resource
groups
●● remediating any non-compliant resources
Objectives
In this lab, we will:
●● Task 1: Create and assign tags via the Azure portal.
●● Task 2: Enforce tagging via an Azure policy.
●● Task 3: Apply tagging via an Azure policy.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
58
Answers
Multiple choice
Your company financial comptroller wants to be notified whenever the company is half-way to spending
the money allocated for cloud services. What should you do? Select one.
Create an Azure reservation.
■■ Create a budget and a spending threshold.
Create a management group.
Enter workloads in the Total Cost of Ownership calculator.
Explanation
Create a budget and a spending threshold. Billing Alerts help you monitor and manage billing activity for
your Azure accounts. You can set up a total of five billing alerts per subscription, with a different threshold
and up to two email recipients for each alert. Monthly budgets are evaluated against spending every four
hours. Budgets reset automatically at the end of a period.
Multiple choice
What tool can you use to gain greater visibility into your spending patterns? Select one.
Cost Insights
■■ Cost Analysis
Your invoice
Explanation
Cost analysis. Cost analysis is one of Azure Cost Management's primary tools to help you better understand
costs.
Multiple choice
Your company is concerned about cost and provisioning too many virtual machines at once. What's the
best way to control resource provisioning? Select one.
Change your subscription to pay as you go.
■■ Apply spending limits to the development team's Azure subscription.
Verbally give the managers a budget and hold them accountable for overages.
Explanation
Apply spending limits to the development team's Azure subscription. If you exceed your spending limit,
active resources are deallocated. You can then decide whether to increase your limit or provision fewer
resources.
59
Multiple choice
The leadership team wants information on resource costs by departments. What's the best way to
categorize costs by department? Select one.
■■ Apply a tag to each resource that identifies the appropriate billing department.
Split the cost evenly between departments.
Keep a spreadsheet that lists each team's resources.
Explanation
Apply a tag to each resource that identifies the appropriate billing department. You can apply tags to
groups of Azure resources to organize billing data.
Multiple choice
An Azure subscription ... Select one.
■■ is a logical container used to provision resources in Azure
is associated with a single department or organization
represents a single domain
Explanation
An Azure subscription is a logical container used to provision resources in Azure. A subscription might have
one or more tenants, directories, and domains associated with it.
Multiple choice
Your organization has several Azure policies that they would like to create and enforce for a new branch
office. What should you do? Select one.
■■ Create a policy initiative
Create a management group
Create a new subscriptions
Explanation
Create a policy initiative. A policy initiative would include all the policies of interest. Once your initiative is
created, you can assign the definition to establish its scope. A scope determines what resources or grouping
of resources the policy assignment gets enforced on.
Multiple choice
You would like to categorize resources and billing for different departments like IT and HR. The billing
needs to be consolidated across multiple resource groups and you need to ensure everyone complies
with the solution. You have created tags for each department, like department:HR. What should you do
next?
Create a billing group for each department
■■ Create an Azure policy
Create a subscription account rule
Explanation
Create tags for each department and create an Azure policy. You should create a tag with a key:value pair
like department:HR. You can then create an Azure policy which requires the tag be applied before a resource
is created.
60
Multiple choice
Your company wants to enure that only cost-effective virtual machine SKU sizes are deployed. What
should you do? Select one.
Periodically inspect the deployment to see which SKU sizes are used
Create an Azure RBAC role that defines the allowed virtual machine SKU sizes
■■ Create a policy in Azure Policy that specifies the allowed SKU sizes
Explanation
Create a policy in Azure Policy that specifies the allowed SKU sizes. After you enable this policy, that policy is
applied when you create new virtual machines or resize existing ones.
Multiple choice
Which of the following can be used to manage governance across multiple Azure subscriptions?
Azure initiatives
Resource groups
■■ Management groups
Explanation
Management groups. Management groups facilitate the hierarchical ordering of Azure resources into
collections, at a level of scope above subscriptions. Distinct governance conditions can be applied to each
management group, with Azure Policy and Azure role-based access controls, to manage Azure subscriptions
effectively. The resources and subscriptions assigned to a management group automatically inherit the
conditions applied to the management group.
Multiple choice
Your company hires a new IT administrator. She needs to manage a resource group with first-tier web
servers including assigning permissions. However, she should not have access to other resource groups
inside the subscription. You need to configure role-based access. What should you do? Select one.
Assign her as a Subscription Contributor.
■■ Assign her as a Resource Group Owner.
Assign her as a Resource Group Contributor.
Explanation
Assign her as a Resource Group owner. The new IT administrator needs to be able to assign permissions.
Multiple choice
You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new
employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2.
Your solution must minimize administrative overhead. What should you do? Select one.
Assign the user to the Contributor role on the resource group.
■■ Assign the user to the Contributor role on VM3.
Move VM3 to a new resource group and assign the user to the Contributor role on VM3.
Explanation
Assign the user to the Contributor role on VM3. This means the user will not have access to VM1 or VM2.
The Contributor role will allow the user to change the settings on VM1.
61
Multiple choice
Your company wants to allow some users to control the virtual machines in each environment. These
users should be prevented from modifying networking and other resources in the same resource group
or Azure subscription. What should you do? Select one.
Create a policy in Azure Policy that audits resource usage
Split the environment into separate resource groups
■■ Create a role assignment through Azure RBAC
Explanation
Create a role assignment through Azure RBAC. Azure RBAC enables you to create roles that define access
permissions. You might create one role that limits access only to virtual machines and a second role that
provides administrators with access to everything.
Multiple choice
Suppose a team member can't view resources in a resource group. Where would the administrator go to
check the team member's access? Select one.
Check the team member's permissions by going to their Azure profile > My permissions.
■■ Go to the resource group and select Access control (IAM) > Role assignments.
Go to one of the resources in the resource group and select Role assignments.
Explanation
Go to the resource group and select Access control (IAM) > Role assignments. Find the list of role of assign-
ments on the resource group.
Multiple choice
A user who had Owner access to a subscription is leaving the company. No one else has access to this
subscription. How can you grant another employee access to this subscription? Select one.
■■ Use the Azure portal to elevate your own access.
Ask the former employee for their password.
Ask the former employee to sign in and select a different employee to grant their permissions to.
Explanation
Use the Azure portal to elevate your own access. Temporarily elevate your own access to assign the Owner
role to another user.
Multiple choice
What's included in a custom Azure role definition? Select one.
The assignment of the custom role
■■ Operations allowed for Azure resources and the scope of permissions
Actions and DataActions operations that you can scope to the tenant level
Explanation
Operations allowed for Azure resources and the scope of permissions. A custom role definition includes the
operations allowed such as read, write, and delete for Azure resources and the scope of those permissions.
62
Multiple choice
What information does an Action provide in a role definition? Select one.
■■ An Action provides the allowed management capabilities for the role.
An Action determines what data the role can manipulate.
An Action decides what resource the role is applied to.
Explanation
An Action provides the allowed management capabilities for the role. The Action provides what the role can
do.
Multiple choice
How are NotActions used in a role definition? Select one.
■■ NotActions are subtracted from the Actions to define the list of permissible operations.
NotActions are consulted after Actions to deny access to a specific operation.
NotActions allow you to specify a single operation that is not allowed.
Explanation
NotActions are subtracted from the Actions to define the list of permissible operations.
Module 3 Administer Azure Resources
Skills measured
These administrative tools are not directly tested on Exam AZ-104: Microsoft Azure Administrator1.
However, may be used during performance-based testing.
Learning objectives
In this module, you will learn how to:
●● Manage resources with the Azure portal.
●● Manage resources with Azure Cloud Shell.
●● Manage resources with Azure PowerShell.
●● Manage resources with Azure CLI.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
64
Prerequisites
None
Azure PowerShell is also available two ways: inside a browser via the Azure Cloud Shell, or with a local
installation on Linux, macOS, or the Windows operating system. In both cases, you have two modes from
with to choose: you can use it in interactive mode in which you manually issue one command at a time,
or in scripting mode where you execute a script that consists of multiple commands.
What is the Az module?
Az is the formal name for the Azure PowerShell module containing cmdlets to work with Azure features.
It contains hundreds of cmdlets that let you control nearly every aspect of every Azure resource. You can
work with the following features, and more:
●● Resource groups
●● Storage
●● VMs
●● Azure AD
●● Containers
●● Machine learning
This module is an open-source component available on GitHub2.
Note: You might have seen or used Azure PowerShell commands that used an -AzureRM format. In
December 2018 Microsoft released for general availability the AzureRM module replacement with the Az
module. This new module has several features, notably a shortened cmdlet noun prefix of -Az, which
replaces AzureRM. The Az module ships with backwards compatibility for the AzureRM module, so the
-AzureRM cmdlet format will work.
Note: Bookmark the Azure PowerShell Reference3
2 https://github.com/Azure/azure-powershell
3 https://docs.microsoft.com/powershell/module/az.compute/get-azvm?view=azps-3.3.0
68
through the Install-Module command. You need an elevated PowerShell shell prompt to install modules
from the PowerShell Gallery.
Note: If at any time you receive errors about running scripts is disabled be sure to set the execution
policy:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Note: You may need to run this code in PowerShell to enable TLSv2:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProto-
colType]::Tls12
Create resources
1. Create a new resource group. Provide a different location if you like. The name must be unique within
your subscription. The location determines where the metadata for your resource group will be stored.
You use strings like “West US”, "North Europe", or “West India” to specify the location; alternatively,
you can use single word equivalents, such as westus, northeurope, or westindia. The core syntax is:
New-AzResourceGroup -name <name> -location <location>
Azure CLI provides cross-platform command-line tools for managing Azure resources. You can install this
locally on computers running the Linux, macOS, or Windows operating systems. You can also use Azure
CLI from a browser through Azure Cloud Shell.
In both cases, Azure CLI can be used interactively or through scripts:
●● Interactive. First, for Windows operating systems, launch a shell such as cmd.exe, or for Linux or
macOS, use Bash. Then issue the command at the shell prompt.
●● Scripted. Assemble the Azure CLI commands into a shell script using the script syntax of your chosen
shell. Then execute the script.
Azure CLI lets you control nearly every aspect of every Azure resource. You can work with resource
groups, storage, VMs, Azure Active Directory (Azure AD), containers, machine learning, and so on.
Commands in the CLI are structured in groups and subgroups. Each group represents a service provided
by Azure, and the subgroups divide commands for these services into logical groupings. For example, the
storage group contains subgroups including account, blob, storage, and queue.
So, how do you find the particular commands you need? One way is to use az find. For example, if you
want to find commands that might help you manage a storage blob, you can use the following find
command:
az find blob
If you already know the name of the command you want, the --help argument for that command will
get you more detailed information on the command, and for a command group, a list of the available
subcommands. For example, here's how you can get a list of the subgroups and commands for managing
blob storage:
70
Note: Running Azure CLI from PowerShell has some advantages over running Azure CLI from the Win-
dows command prompt. PowerShell provides more tab completion features than the command prompt.
Login to Azure
1. Because you're working with a local Azure CLI installation, you'll need to authenticate before you can
execute Azure commands. You do this by using the Azure CLI login command:
az login
2. Azure CLI will typically launch your default browser to open the Azure sign-in page. If this doesn't
work, follow the command-line instructions and enter an authorization code at https://aka.ms/
devicelogin.
3. After a successful sign in, you'll be connected to your Azure subscription.
Create a resource group
1. You'll often need to create a new resource group before you create a new Azure service, so we'll use
resource groups as an example to show how to create Azure resources from the CLI.
2. Azure CLI group create command creates a resource group. You must specify a name and location.
The name must be unique within your subscription. The location determines where the metadata for
your resource group will be stored. You use strings like “West US”, "North Europe", or “West India” to
specify the location; alternatively, you can use single word equivalents, such as westus, northeurope,
or westindia. The core syntax is:
az group create --name <name> --location <location>
4 https://docs.microsoft.com/cli/azure/?view=azure-cli-latest
71
2. To get a more concise view, you can format the output as a simple table:
az group list --output table
3. If you have several items in the group list, you can filter the return values by adding a query option.
Try this command:
az group list --query "[?name == '<rg name>']"
Knowledge check
Multiple choice
Which of the following is not true about the Cloud Shell?
Authenticates automatically for instant access to your resources.
Cloud Shell is assigned multiple machines per user account.
Provides both Bash and PowerShell sessions.
Multiple choice
You are managing Azure locally using PowerShell. You have launched the app as an Administrator. Which of
the following commands would you do first?
Connect-AzAccount
Get-AzResourceGroup
Get-AzSubscription
Multiple choice
What do you need to install on your machine so you can execute Azure CLI commands locally? Select one.
The Azure cloud shell
The Azure CLI and Azure PowerShell
Only the Azure CLI
72
Multiple choice
Which parameter can you add to most CLI commands to get concise, formatted output? Select one.
list
table
group
Multiple choice
What needs to be installed on your machine to let you execute Azure PowerShell cmdlets locally? Select one.
The Azure cloud shell
The Azure CLI and Azure PowerShell
The base PowerShell product and the AZ module
Multiple choice
Suppose you are building a video-editing application that will offer online storage for user-generated video
content. You will store the videos in Azure Blobs, so you need to create an Azure storage account to contain
the blobs. Once the storage account is in place, it is unlikely you would remove and recreate it because this
would delete all the user videos. Which tool is likely to offer the quickest and easiest way to create the
storage account? Select one.
Azure portal
Azure CLI
Azure PowerShell
Learn more
You can learn more by reviewing the following.
●● Azure portal documentation5
5 https://docs.microsoft.com/azure/azure-portal/
73
6 https://docs.microsoft.com/azure/cloud-shell/overview
7 https://docs.microsoft.com/powershell/module/az.compute/get-azvm?view=azps-3.3.0
8 https://docs.microsoft.com/cli/azure/?view=azure-cli-latest
9 https://docs.microsoft.com/learn/modules/tour-azure-portal/
10 https://docs.microsoft.com/learn/modules/introduction-to-powershell/
11 https://docs.microsoft.com/learn/modules/automate-azure-tasks-with-powershell/
12 https://docs.microsoft.com/learn/modules/control-azure-services-with-cli/
74
Skills measured
Managing resources is part of Exam AZ-104: Microsoft Azure Administrator13.
Manage Azure identities and governance (15–20%)
Manage subscriptions and governance
●● Configure resource locks.
●● Manage resource groups.
Deploy and manage Azure compute resources (20–25%)
Configure VMs
●● Move VMs from one resource group to another.
Learning objectives
In this module, you will learn how to:
●● Identify the features and usage cases for Azure Resource Manager.
●● Describe each Azure Resource Manager component and its usage.
●● Organize your Azure resources with resource groups.
●● Apply Azure Resource Manager locks.
●● Move Azure resources between groups, subscriptions, and regions.
●● Remove resources and resource groups.
●● Apply and track resource limits.
Prerequisites
None
13 https://docs.microsoft.com/learn/certifications/exams/az-104
75
services. These components are not separate entities, instead they are related and interdependent parts
of a single entity. You want to deploy, manage, and monitor them as a group.
Azure Resource Manager enables you to work with the resources in your solution as a group. You can
deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use a
template for deployment and that template can work for different environments such as testing, staging,
and production. Resource Manager provides security, auditing, and tagging features to help you manage
your resources after deployment.
Benefits
Resource Manager provides several benefits:
●● You can deploy, manage, and monitor all the resources for your solution as a group, rather than
handling these resources individually.
●● You can repeatedly deploy your solution throughout the development lifecycle and have confidence
your resources are deployed in a consistent state.
●● You can manage your infrastructure through declarative templates rather than scripts.
●● You can define the dependencies between resources so they're deployed in the correct order.
●● You can apply access control to all services in your resource group because Role-Based Access Control
(RBAC) is natively integrated into the management platform.
●● You can apply tags to resources to logically organize all the resources in your subscription.
●● You can clarify your organization's billing by viewing costs for a group of resources sharing the same
tag.
76
Guidance
The following suggestions help you take full advantage of Resource Manager when working with your
solutions.
●● Define and deploy your infrastructure through the declarative syntax in Resource Manager templates,
rather than through imperative commands.
●● Define all deployment and configuration steps in the template. You should have no manual steps for
setting up your solution.
●● Run imperative commands to manage your resources, such as to start or stop an app or machine.
●● Arrange resources with the same lifecycle in a resource group. Use tags for all other organizing of
resources.
Resource providers
Each resource provider offers a set of resources and operations for working with an Azure service. For
example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider.
This resource provider offers a resource type called vaults for creating the key vault.
The name of a resource type is in the format: {resource-provider}/{resource-type}. For example, the key
vault type is Microsoft.KeyVault/vaults.
Note: Before deploying your resources, you should gain an understanding of the available resource
providers. Knowing the names of resource providers and resources helps you define resources you want
to deploy to Azure. Also, you need to know the valid locations and API versions for each resource type.
77
Considerations
Resource Groups are at their simplest a logical collection of resources. There are a couple of small rules
for resource groups.
●● Resources can only exist in one resource group.
●● Resource Groups cannot be renamed.
●● Resource Groups can have resources of many different types (services).
●● Resource Groups can have resources from many different regions.
Lock types
There are two types of resource locks.
●● Read-Only locks, which prevent any changes to the resource.
●● Delete locks, which prevent deletion.
Note: Only the Owner and User Access Administrator roles can create or delete management locks.
When moving resources, both the source group and the target group are locked during the operation.
Write and delete operations are blocked on the resource groups until the move completes. This lock
means you can't add, update, or delete resources in the resource groups. Locks don't mean the resources
79
aren't available. For example, if you move a virtual machine to a new resource group, an application can
still access the virtual machine.
Limitations
Before beginning this process be sure to read the Move operation support for resources14 page. This
page details what resources can be moved between resources group, subscriptions, and regions.
Implementation
To move resources, select the resource group containing those resources, and then select the Move
button. Select the resources to move and the destination resource group. Acknowledge that you need to
update scripts.
Note: Just because a service can be moved doesn’t mean there aren’t restrictions. For example, you can
move a virtual network, but you must also move its dependent resources, like gateways.
Removing Resources
You can also delete individual resources within a resource group. For example, here we are deleting a
virtual network. Notice you can change the resource group on this page.
14 https://docs.microsoft.com/azure/azure-resource-manager/management/move-support-resources
80
15 https://docs.microsoft.com/azure/azure-subscription-service-limits?toc=%2fazure%2fnetworking%2ftoc.json
81
4. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently
selected resource inherits the lock from the parent. For example, you could lock the resource group to
apply a lock to all its resources.
5. Give the lock a name and lock type. Optionally, you can add notes that describe the lock.
6. To delete the lock, select the ellipsis and Delete from the available options.
Optional - Manage resource groups with PowerShell
1. Access the Cloud Shell.
2. Create the resource lock and confirm your action.
New-AzResourceLock -LockName <lockName> -LockLevel CanNotDelete -Resource-
GroupName <resourceGroupName>
3. View resource lock information. Notice the LockId that will be used in the next step to delete the lock.
Get-AzResourceLock
Knowledge check
Multiple choice
You have a new Azure subscription and need to move resoures to that subscription. Which of the following
resources cannot be moved? Select one.
Key vault
Storage account
Tenant
Multiple choice
You are reviewing your virtual machine usage. You notice that you have reached the limit for virtual
machines in the US East region. Which of the following provides the easiest solution? Select one.
Add another resource group
Change your subscription plan
Request support increase your limit
82
Multiple choice
Which of the following would be good example of when to use a resource lock? Select one.
A ExpressRoute circuit with connectivity back to your on-premises network.
A non-production virtual machine used to test occasional application builds.
A storage account used to temporarily store images processed in a development environment.
Multiple choice
Your manager asks you to explain how Azure uses resource groups. You provide all of the following informa-
tion, except? Select one.
Resources can be in only one resource group.
Resources can be moved from one resource group to another resource group.
Resource groups can be nested.
Learn more
You can learn more by reviewing the following.
●● Azure Resource Manager documentation16
●● Learn - Control and organize Azure resources with Azure Resource Manager17
16 https://docs.microsoft.com/azure/azure-resource-manager/management/overview
17 https://docs.microsoft.com/learn/modules/control-and-organize-with-azure-resource-manager/
83
Skills measured
Deploying resources using Azure Resource Manager templates is part of Exam AZ-104: Microsoft Azure
Administrator18.
Deploy and manage Azure compute resources (20–25%)
Automate deployment of virtual machines (VMs) by using Azure Resource Manager templates
●● Modify an Azure Resource Manager template.
●● Deploy from a template.
●● Save a deployment as an Azure Resource Manager template.
Learning objectives
In this module, you will learn how to:
●● List the advantages of Azure templates.
●● Identify the Azure template schema components.
●● Specify Azure template parameters.
●● Locate and use Azure QuickStart templates.
Prerequisites
None
18 https://docs.microsoft.com/learn/certifications/exams/az-104
84
Template Benefits
●● Templates improve consistency. Resource Manager templates provide a common language for you
and others to describe your deployments. Regardless of the tool or SDK that you use to deploy the
template, the structure, format, and expressions inside the template remain the same.
●● Templates help express complex deployments. Templates enable you to deploy multiple resources
in the correct order. For example, you wouldn't want to deploy a virtual machine prior to creating an
operating system (OS) disk or network interface. Resource Manager maps out each resource and its
dependent resources, and creates dependent resources first. Dependency mapping helps ensure that
the deployment is carried out in the correct order.
●● Templates reduce manual, error-prone tasks. Manually creating and connecting resources can be
time consuming, and it's easy to make mistakes. Resource Manager ensures that the deployment
happens the same way every time.
●● Templates are code. Templates express your requirements through code. Think of a template as a
type of Infrastructure as Code that can be shared, tested, and versioned similar to any other piece of
software. Also, because templates are code, you can create a “paper trail” that you can follow. The
template code documents the deployment. Most users maintain their templates under some kind of
revision control, such as GIT. When you change the template, its revision history also documents how
the template (and your deployment) has evolved over time.
●● Templates promote reuse. Your template can contain parameters that are filled in when the template
runs. A parameter can define a username or password, a domain name, and so on. Template parame-
ters enable you to create multiple versions of your infrastructure, such as staging and production,
while still using the exact same template.
●● Templates are linkable. You can link Resource Manager templates together to make the templates
themselves modular. You can write small templates that each define a piece of a solution, and then
combine them to create a complete system.
●● Templates simplify orchestration. You only need to deploy the template to deploy all of your
resources. Normally this would take multiple operations.
"variables": {},
"functions": [],
"resources": [],
"outputs": {}
}
Here's an example that illustrates two parameters: one for a virtual machine's username, and one for its
password:
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
}
}
Note: You're limited to 256 parameters in a template. You can reduce the number of parameters by using
objects that contain multiple properties.
Templates provide everything you need to deploy your solution, while others might serve as a starting
point for your template. Either way, you can study these templates to learn how to best author and
structure your own templates.
●● The README.md file provides an overview of what the template does.
19 https://azure.microsoft.com/resources/templates/
87
20 https://azure.microsoft.com/resources/templates?azure-portal=true
88
Note: You will need the template link in the next demonstration.
2. After successfully signing in, your account and subscription details should display in the PowerShell
console window. You must now select either a subscription or context, in which you will deploy your
resources. If only one subscription is present it will set the context to that subscription by default.
Otherwise you can specify the subscription to deploy resources into by running the following com-
mands in sequence:
Get-AzContext
Set-AzContext -subscription < your subscription ID >
3. To make scripts free of manual input, you can create a .ps1 file, and then enter all the commands and
inputs. You could use parameter values in the script to define the username, password and dnslabel-
prefix values, and then run the PowerShell file without input. Use the file build.ps121 as an example of
how you can do this.
Note: In the previous example, we called a publicly available template on GitHub. You could also call a
local template or a secure storage location, and you could define the template filename and location as a
variable for use in the script. You can also specify the mode of deployment, including incremental or
complete.
Verify the template deployed
1. Once you have successfully deployed the template, you need to verify the deployment. To do this, run
the following commands:
Get-AzVM
2. Notice the VM name, then run the following command to obtain additional VM details:
Get-AzVM -Name < your VM name i.e. SimpleWinVM > -resourcegroupname < your
resource group name >
3. You can also list the VMs in your subscription with the Get-AzVM -Status command. This can also
specify a VM with the -Name property. In the following example, we assign it to a PowerShell variable:
$vm = Get-AzVM -Name < your VM name i.e. SimpleWinVM > -ResourceGroupName
< your resource group name >
4. The interesting thing is that this is an object you can interact with. For example, you can take that
object, make changes, and then push changes back to Azure with the Update-AzVM command:
$ResourceGroupName = "ExerciseResources"
$vm = Get-AzVM -Name MyVM -ResourceGroupName $ResourceGroupName
$vm.HardwareProfile.vmSize = "Standard_A3"
Note: Depending on your datacenter location, you could receive an error related to the VM size not
being available in your region. You can modify the vmSize value to one that is available in your region.
Note: PowerShell's interactive mode is appropriate for one-off tasks. In our example, we'll likely use the
same resource group for the lifetime of the project, which means that creating it interactively is reasona-
ble. Interactive mode is often quicker and easier for this task than writing a script and then executing it
only once.
Knowledge check
21 https://github.com/Microsoft/PartsUnlimited/blob/master/build.ps1?azure-portal=true
90
Multiple choice
Which of the following is not an element in the template schema? Select one.
Functions
Inputs
Outputs
Multiple choice
Which of the following best describes the format of an Azure Resource Manager template? Select one.
A JSON document with key-value pairs
A TXT document with key-value pairs
An XML document with element-value pairs
Multiple choice
Azure Resource Manager templates are idempotent. This means that if you run a template with no changes
a second time ... Select one.
Azure Resource Manager will deploy new resources as copies of the previously deployed resources.
Azure Resource Manager won't make any changes to the deployed resources.
Azure Resource Manager will delete the previously deployed resources and redeploy them.
Learn more
You can learn more by reviewing the following.
●● ARM template documentation22
22 https://docs.microsoft.com/azure/azure-resource-manager/templates/
91
23 https://azure.microsoft.com/resources/templates/
24 https://docs.microsoft.com/learn/modules/build-azure-vm-templates/
25 https://docs.microsoft.com/learn/modules/create-azure-resource-manager-template-vs-code/
26 https://docs.microsoft.com/learn/modules/extend-resource-manager-template-deployment-scripts/
27 https://docs.microsoft.com/learn/modules/extend-resource-manager-template-deployment-scripts/
92
Module 03 Lab
Lab 03a - Manage Azure Resources using the
Portal
Lab scenario
You need to explore the basic Azure administration capabilities associated with provisioning resources
and organizing them based on resource groups, including moving resources between resource groups.
You also want to explore options for protecting disk resources from being accidentally deleted, while still
allowing for modifying their performance characteristics and size.
Objectives
In this lab, we will:
●● Task 1: Create resource groups and deploy resources to resource groups.
●● Task 2: Move resources between resource groups.
●● Task 3: Implement and test resource locks.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
93
Objectives
In this lab, you will:
●● Task 1: Review an ARM template for deployment of an Azure managed disk.
●● Task 2: Create an Azure managed disk by using an ARM template.
●● Task 3: Review the ARM template-based deployment of the managed disk.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
Objectives
In this lab, you will:
●● Task 1: Start a PowerShell session in Azure Cloud Shell.
94
●● Task 2: Create a resource group and an Azure managed disk by using Azure PowerShell.
●● Task 3: Configure the managed disk by using Azure PowerShell.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
Objectives
In this lab, you will:
●● Task 1: Start a Bash session in Azure Cloud Shell.
●● Task 2: Create a resource group and an Azure managed disk by using Azure CLI.
●● Task 3: Configure the managed disk by using Azure CLI.
95
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
96
Answers
Multiple choice
Which of the following is not true about the Cloud Shell?
Authenticates automatically for instant access to your resources.
■■ Cloud Shell is assigned multiple machines per user account.
Provides both Bash and PowerShell sessions.
Explanation
Cloud Shell is assigned multiple machines per user account, is not true. The cloud shell is assigned one
machine per user account.
Multiple choice
You are managing Azure locally using PowerShell. You have launched the app as an Administrator. Which
of the following commands would you do first?
■■ Connect-AzAccount
Get-AzResourceGroup
Get-AzSubscription
Explanation
Connect-AzAccount. When you are working locally you are not automatically logged in to Azure. So, the
first thing you should do is to connect to Azure and provide your credentials.
Multiple choice
What do you need to install on your machine so you can execute Azure CLI commands locally? Select
one.
The Azure cloud shell
The Azure CLI and Azure PowerShell
■■ Only the Azure CLI
Explanation
Only the Azure CLI. You only need to install the Azure CLI. You will use a shell to issue the CLI commands,
but every platform has at least one built-in shell.
Multiple choice
Which parameter can you add to most CLI commands to get concise, formatted output? Select one.
list
■■ table
group
Explanation
Table. The table parameter formats the output as a table. This can make things much more readable for
commands that produce a large amount of output.
97
Multiple choice
What needs to be installed on your machine to let you execute Azure PowerShell cmdlets locally? Select
one.
The Azure cloud shell
The Azure CLI and Azure PowerShell
■■ The base PowerShell product and the AZ module
Explanation
The base PowerShell product and the Az module. You need both the base PowerShell product and the Az
module. The base product gives you the shell itself, a few core commands, and programming constructs like
loops, variables, etc. The Az modules adds the cmdlets you need to work with Azure resources.
Multiple choice
Suppose you are building a video-editing application that will offer online storage for user-generated
video content. You will store the videos in Azure Blobs, so you need to create an Azure storage account
to contain the blobs. Once the storage account is in place, it is unlikely you would remove and recreate it
because this would delete all the user videos. Which tool is likely to offer the quickest and easiest way to
create the storage account? Select one.
■■ Azure portal
Azure CLI
Azure PowerShell
Explanation
Azure portal. The portal is a good choice for one-off operations like creating a long-lived storage account.
The portal gives you a GUI containing all the storage-account properties and provides tool tips to help you
select the right options for your needs.
Multiple choice
You have a new Azure subscription and need to move resoures to that subscription. Which of the follow-
ing resources cannot be moved? Select one.
Key vault
Storage account
■■ Tenant
Explanation
Tenant. A tenant cannot be moved between subscriptions.
Multiple choice
You are reviewing your virtual machine usage. You notice that you have reached the limit for virtual
machines in the US East region. Which of the following provides the easiest solution? Select one.
Add another resource group
Change your subscription plan
■■ Request support increase your limit
Explanation
Request support increase your limit. If you need to increase a default limit, there is a Request Increase link.
You will complete and submit the support request.
98
Multiple choice
Which of the following would be good example of when to use a resource lock? Select one.
■■ A ExpressRoute circuit with connectivity back to your on-premises network.
A non-production virtual machine used to test occasional application builds.
A storage account used to temporarily store images processed in a development environment.
Explanation
An ExpressRoute circuit with connectivity back to your on-premises network. Resource locks prevent other
users in your organization from accidentally deleting or modifying critical resources.
Multiple choice
Your manager asks you to explain how Azure uses resource groups. You provide all of the following
information, except? Select one.
Resources can be in only one resource group.
Resources can be moved from one resource group to another resource group.
■■ Resource groups can be nested.
Explanation
Resource groups cannot be nested. You should carefully plan your resource group deployments.
Multiple choice
Which of the following is not an element in the template schema? Select one.
Functions
■■ Inputs
Outputs
Explanation
Inputs. Inputs is not a part of the template schema. The elements of an Azure Resource Manager template
are schema, contentVersion, apiProfile, parameters, variables, functions, resources, and output.
Multiple choice
Which of the following best describes the format of an Azure Resource Manager template? Select one.
■■ A JSON document with key-value pairs
A TXT document with key-value pairs
An XML document with element-value pairs
Explanation
A JSON document with key-value pairs. An Azure Resource Template is a JSON document with key-value
pairs.
99
Multiple choice
Azure Resource Manager templates are idempotent. This means that if you run a template with no
changes a second time ... Select one.
Azure Resource Manager will deploy new resources as copies of the previously deployed resources.
■■ Azure Resource Manager won't make any changes to the deployed resources.
Azure Resource Manager will delete the previously deployed resources and redeploy them.
Explanation
Azure Resource Manager won't make any changes to the deployed resources. If the resource already exists
and no change is detected in the properties, no action is taken. If the resource already exists and a property
has changed, the resource is updated. If the resource doesn't exist, it's created.
Module 4 Administer Virtual Networking
Skills measured
Virtual network and subnets are part of Exam AZ-104: Microsoft Azure Administrator1.
Configure and manage virtual networking (25–30%)
Implement and manage virtual networking
●● Create and configure virtual networks.
●● Implement subnets.
●● Configure private and public IP addresses.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
102
Learning objectives
In this module, you will learn how to:
●● Describe virtual network features and components.
●● Identify features and usage cases for subnets and subnetting.
●● Identify usage cases for private and public IP addresses.
●● Create and determine which resources require public IP addresses.
●● Create and determine which resources require private IP addresses.
●● Create virtual networks.
Prerequisites
●● Familiarity with IP address formats and subnetting.
Implementation
An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical
isolation of the Azure cloud dedicated to your subscription. You can use VNets to provision and manage
virtual private networks (VPNs) in Azure and, optionally, link the VNets with other VNets in Azure, or with
your on-premises IT infrastructure to create hybrid or cross-premises solutions. Each VNet you create has
its own CIDR block and can be linked to other VNets and on-premises networks if the CIDR blocks do not
overlap. You also have control of DNS server settings for VNets, and segmentation of the VNet into
subnets.
Create Subnets
A virtual network can be segmented into one or more subnets. Subnets provide logical divisions within
your network. Subnets can help improve security, increase performance, and make it easier to manage
the network.
Each subnet contains a range of IP addresses that fall within the virtual network address space. The range
must be unique within the address space for the virtual network. The range can't overlap with other
subnet address ranges within the virtual network. The address space must be specified by using Classless
Inter-Domain Routing (CIDR) notation.
104
Considerations
●● Service requirements. Each service directly deployed into virtual network has specific requirements
for routing and the types of traffic that must be allowed into and out of subnets. A service may
require, or create, their own subnet, so there must be enough unallocated space for them to do so.
For example, if you connect a virtual network to an on-premises network using an Azure VPN Gate-
way, the virtual network must have a dedicated subnet for the gateway.
●● Virtual appliances. Azure routes network traffic between all subnets in a virtual network, by default.
You can override Azure's default routing to prevent Azure routing between subnets, or to route traffic
between subnets through a network virtual appliance. So, if you require that traffic between resources
in the same virtual network flow through a network virtual appliance (NVA), deploy the resources to
different subnets.
●● Service endpoints. You can limit access to Azure resources such as an Azure storage account or
Azure SQL database, to specific subnets with a virtual network service endpoint. Further, you can deny
access to the resources from the internet. You may create multiple subnets, and enable a service
endpoint for some subnets, but not others.
●● Network security groups. You can associate zero or one network security group to each subnet in a
virtual network. You can associate the same, or a different, network security group to each subnet.
Each network security group contains rules, which allow or deny traffic to and from sources and
destinations.
Note: There any restrictions on using IP addresses. Azure reserves five IP addresses within each subnet.
●● x.x.x.0: Network address
●● x.x.x.1: Reserved by Azure for the default gateway
●● x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
●● x.x.x.255: Network broadcast address
Note: Plan to use an address space that is not already in use in your organization, either on-premises or
in the cloud. Even if you plan for cloud-only virtual networks, you may later decide to connect an
on-premises site.
Plan IP Addressing
You can assign IP addresses to Azure resources to communicate with other Azure resources, your
on-premises network, and the Internet. There are two types of Azure IP addresses: public and private IP
addresses.
1. Private IP addresses: Used for communication within an Azure virtual network (VNet), and your
on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to
Azure.
2. Public IP addresses: Used for communication with the Internet, including Azure public-facing
services.
Note: IP Addresses are never managed from within a virtual machine.
IP Version. Select IPv4 or IPv6 or Both. Selecting Both will result in two Public IP addresses being create-
one IPv4 address and one IPv6 address.
SKU. You cannot change the SKU after the public IP address is created. A standalone virtual machine,
virtual machines within an availability set, or virtual machine scale sets can use Basic or Standard SKUs.
Mixing SKUs between virtual machines within availability sets or scale sets or standalone VMs is not
allowed.
Name. The name must be unique within the resource group you select.
IP address assignment
●● Dynamic. Dynamic addresses are assigned only after a public IP address is associated to an Azure
resource, and the resource is started for the first time. Dynamic addresses can change if they're
assigned to a resource, such as a virtual machine, and the virtual machine is stopped (deallocated),
and then restarted. The address remains the same if a virtual machine is rebooted or stopped (but not
deallocated). Dynamic addresses are released when a public IP address resource is dissociated from a
resource.
●● Static. Static addresses are assigned when a public IP address is created. Static addresses aren't
released until a public IP address resource is deleted. If the address isn't associated to a resource, you
can change the assignment method after the address is created. If the address is associated to a
resource, you may not be able to change the assignment method. If you select IPv6 for the IP version,
the assignment method must be Dynamic for Basic SKU. Standard SKU addresses are Static for both
IPv4 and IPv6.
Address SKUs
When you create a public IP address, you are given a SKU choice of either Basic or Standard. Your SKU
choice affects the IP assignment method, security, available resources, and redundancy. This table
summarizes the differences.
6. Return to the portal and verify your new virtual network with subnet was created.
Knowledge check
Multiple choice
Your company has implemented Firewall rules to deny traffic based on IP address ranges. In this situation,
what should you do?
Use dynamically assigned IP addresses.
Use statically assigned IP addresses.
Use IP addresses in the reserved range.
109
Multiple choice
You are planning your Azure network implementation to support your company's migration to Azure. Your
first task is to prepare for the deployment of the first set of VMs. For these machines, consumers on the
internet must be able to communicate directly with the web application on the VMs. Also, the IP configura-
tion must be zone redundant. You should minimize costs, whenever possible, while still meeting the require-
ments. What should you do? Select one.
Create a standard public IP address. During the creation of the first VM, associate the public IP
address with the VM's NIC.
Create a standard public IP address. After the first VM is created, remove the private IP address and
assign the public IP address to the NIC.
Create a basic public IP address. During the creation of the first VM, associate the public IP address
with the VM.
Multiple choice
You have a VM with two NICs named NIC1 and NIC2. NIC1 is connected to the 10.10.8.0/24 subnet. NIC2 is
connected to the 10.20.8.0/24 subnet. You plan enable direct communication from the internet to TCP port
443. You would like to maintain existing communication across the 10.10.8.0/24 and 10.20.8.0/24 subnets.
To support the new functionality and keep things simple. What should you do? Select one.
Remove the private IP address from NIC2 and then assign a public IP address to it. Then, create an
inbound security rule.
Associate a public IP address to NIC2 and create an inbound security rule.
Create an inbound security rule for TCP port 443.
Learn more
You can learn more by reviewing the following.
●● Virtual Network Documentation2.
●● Public IP Addresses3
●● Private IP Addresses4
●● Learn - Networking Fundamentals Principals5
●● Learn - Design an IP addressing schema for your Azure deployment6
●● Learn - Implement Windows Server IaaS VM IP addressing and routing7
2 https://docs.microsoft.com/azure/virtual-network/
3 https://docs.microsoft.com/azure/virtual-network/public-ip-addresses
4 https://docs.microsoft.com/azure/virtual-network/private-ip-addresses
5 https://docs.microsoft.com/learn/modules/network-fundamentals/
6 https://docs.microsoft.com/learn/modules/design-ip-addressing-for-azure/
7 https://docs.microsoft.com/learn/modules/implement-windows-server-iaas-virtual-machine-ip-addressing-routing/
111
Skills measured
Network security groups are part of Exam AZ-104: Microsoft Azure Administrator8.
Configure and manage virtual networking (25–30%)
Secure access to virtual networks
●● Create security rules.
●● Associate a network security group (NSG) to a subnet or network interface.
●● Evaluate effective security rules.
Learning objectives
In this module, you will learn how to:
●● Determine when to use network security groups.
●● Implement network security group rules.
●● Evaluate network security group effective rules.
Prerequisites
None
8 https://docs.microsoft.com/learn/certifications/exams/az-104
112
Subnets
You can assign NSGs to subnets and create protected screened subnets (also called a DMZ). These NSGs
can restrict traffic flow to all the machines that reside within that subnet. Each subnet can have zero, or
one, associated network security groups.
Network Interfaces
You can assign NSGs to a NIC so that all the traffic that flows through that NIC is controlled by NSG rules.
Each network interface that exists in a subnet can have zero, or one, associated network security groups.
Associations
When you create an NSG the Overview blade provides information about the NSG such as, associated
subnets, associated network interfaces, and security rules.
Inbound rules
There are three default inbound security rules. The rules deny all inbound traffic except from the virtual
network and Azure load balancers.
113
Outbound rules
There are three default outbound security rules. The rules only allow outbound traffic to the Internet and
the virtual network.
In the above example, if there was incoming traffic on port 80, you would need to have the NSG at the
subnet level ALLOW port 80. You would also need another NSG with an ALLOW rule on port 80 at the NIC
level.
For incoming traffic, the NSG set at the subnet level is evaluated first, then the NSG set at the NIC level is
evaluated. For outgoing traffic, it is the reverse.
114
If you have several NSGs and are not sure which security rules are being applied, you can use the Effec-
tive security rules link. For example, you could verify the security rules being applied to a network
interface.
Service. Service specifies the destination protocol and port range for this rule. You can choose a prede-
fined service, like HTTPS and SSH. When you select a service, the Port range is automatically completed.
Choose custom to provide your own port range.
Port ranges. Port ranges can include a single port, a port range, or a comma-separated list of ports. The
ports designate the traffic will be allowed or denied by this rule. Provide an asterisk (*) to allow traffic on
any port.
Priority. Rules are processed in priority order. The lower the number, the higher the priority. We recom-
mend leaving gaps between rules to make it easier to add new rules. The value is between 100-4096 and
unique for all security rules within the network security group.
Note: Will you need to create rules? Which services will you need to control the network traffic?
Demonstration - NSGs
In this demonstration, you will explore NSGs and service endpoints.
Access the NSGs blade
1. Access the Azure Portal.
2. Search for and access the Network Security Groups blade.
3. If you have virtual machines, you may already have NSGs. Notice the ability to filter the list.
115
Knowledge check
Multiple choice
Your company has two NSG security rules for inbound traffic to your web servers. There is an allow rule with
a priority of 200. And, there is a deny rule with a priority of 150. Which rule takes precedence? Select one.
The allow rule takes precedence
The deny rule takes precedence
The rule that was created first takes precedence.
116
Multiple choice
Which of the following is a default inbound security rule? Select one.
Allow inbound coming from any VM to any other VM within the subnet.
Allow inbound coming from any VM to any other VM within the virtual network.
Allow traffic from any external source to any of the VMs.
Multiple choice
Your company wants to simplify network security group rules by using service tags. Which of the following is
a valid service tag? Select one.
VirtualNetwork
VPNGateway
Database
Learn more
You can learn more by reviewing the following.
●● Network Security Groups documentation9.
●● Learn - Secure and isolate access to Azure resources by using network security groups and
service endpoints10
9 https://docs.microsoft.com/azure/virtual-network/security-overview
10 https://docs.microsoft.com/learn/modules/secure-and-isolate-with-nsg-and-service-endpoints/
117
Skills measured
Implementing Azure Firewall is part of Exam AZ-104: Microsoft Azure Administrator11.
Configure and manage virtual networking (25–30%)
Secure access to virtual networks
●● Implement Azure Firewall.
Learning objectives
In this module, you will learn how to:
●● Determine when to use Azure Firewall.
●● Implement Azure Firewall including firewall rules.
Prerequisites
None
11 https://docs.microsoft.com/learn/certifications/exams/az-104
118
NAT Rules
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter
inbound traffic to your subnets. Each rule in the NAT rule collection is used to translate your firewall
public IP and port to a private IP and port. Scenarios where NAT rules might be helpful are publishing
SSH, RDP, or non-HTTP/S applications to the Internet. A NAT rule that routes traffic must be accompa-
nied by a matching network rule to allow the traffic. Configuration settings include:
●● Name: A label for the rule.
●● Protocol: TCP or UDP.
120
Network Rules
Any non-HTTP/S traffic that will be allowed to flow through the firewall must have a network rule. For
example, if resources in one subnet must communicate with resources in another subnet, then you would
configure a network rule from the source to the destination. Configuration settings include:
●● Name: A friendly label for the rule.
●● Protocol: TCP, UDP, ICMP (ping and traceroute) or Any.
●● Source Address: The address or CIDR block of the source.
●● Destination Addresses: The addresses or CIDR blocks of the destination(s).
●● Destination Ports: The destination port of the traffic.
Application Rules
Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet. For
example, specify the Windows Update network traffic through the firewall. Configuration settings include:
●● Name: A friendly label for the rule.
●● Source Addresses: The IP address of the source.
●● Protocol:Port: HTTP/HTTPS and the port that the web server is listening on.
●● Target FQDNs: The domain name of the service, such as www.contoso.com. Wildcards can be used.
An FQDN tag represents a group of FQDNs associated with well known Microsoft services. Example
FQDN tags include Windows Update, App Service Environment, and Azure Backup.
Rule Processing
When a packet is being inspected to determine if it is allowed or not, the rules are processed in this
order:
1. Network Rules
2. Application Rules (network and application)
Once a rule is found that allows the traffic through, no more rules are checked.
Knowledge check
Multiple choice
You are configuring the Azure Firewall. You need to allow Windows Update network traffic through the
firewall. Which of the following should you use? Select one.
Application rules
Destination inbound rules
Network rules
Multiple choice
Your company wants to allow external users to access an Azure virtual server with a remote desktop
connection. Which one of the following items would you implement on Azure Firewall to allow these
connections? Select one.
Service tag
Source network address translation
Destination network address translation
Multiple choice
Your company wants to allow access to an Azure SQL Database instance. Which of the following network
rules types should they use to configure Azure Firewall? Select one.
Application
Network
NAT
Learn more
You can learn more by reviewing the following.
●● Azure Firewall documentation12
●● Learn - Introduction to Azure Firewall13
12 https://docs.microsoft.com/azure/firewall/
13 https://docs.microsoft.com/learn/modules/introduction-azure-firewall/
122
14 https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-firewall-manager/
123
Skills measured
Configuring Azure DNS is part of Exam AZ-104: Microsoft Azure Administrator15.
Configure and manage virtual networking (25–30%)
Implement and manage virtual networking
●● Configure Azure DNS, including custom DNS settings and private or public DNS zones.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for domains, custom domains, and private zones.
●● Verify custom domain names using DNS records.
●● Implement DNS zones, DNS delegation, and DNS record sets.
Prerequisites
●● Familiarity with DNS including record sets, delegation, and zones.
15 https://docs.microsoft.com/learn/certifications/exams/az-104
124
Considerations
●● The name of the zone must be unique within the resource group, and the zone must not exist already.
●● The same zone name can be reused in a different resource group or a different Azure subscription.
●● Where multiple zones share the same name, each instance is assigned different name server address-
es.
●● Root/Parent domain is registered at the registrar and pointed to Azure NS.
●● Child domains are registered in AzureDNS directly.
Note: You do not have to own a domain name to create a DNS zone with that domain name in Azure
DNS. However, you do need to own the domain to configure the domain.
The easiest way to locate the name servers assigned to your zone is through the Azure portal. In this
example, the zone ‘contoso.net’ has been assigned four name servers: ‘ns1-01.azure-dns.com’, ‘ns2-01.
azure-dns.net’, ‘ns3-01.azure-dns.org’, and ‘ns4-01.azure-dns.info’:
Once the DNS zone is created, and you have the name servers, you need to update the parent domain.
Each registrar has their own DNS management tools to change the name server records for a domain. In
the registrar’s DNS management page, edit the NS records and replace the NS records with the ones
Azure DNS created.
Note: When delegating a domain to Azure DNS, you must use the name server names provided by Azure
DNS. You should always use all four name server names, regardless of the name of your domain.
Child Domains
If you want to set up a separate child zone, you can delegate a subdomain in Azure DNS. For example,
after configuring contoso.com in Azure DNS, you could configure a separate child zone for partners.
contoso.com.
Setting up a subdomain follows the same process as typical delegation. The only difference is that NS
records must be created in the parent zone contoso.com in Azure DNS, rather than in the domain
registrar.
Note: The parent and child zones can be in the same or different resource group. Notice that the record
set name in the parent zone matches the child zone name, in this case partners.
A record set cannot contain two identical records. Empty record sets (with zero records) can be created,
but do not appear on the Azure DNS name servers. Record sets of type CNAME can contain one record at
most.
The Add record set page will change depending on the type of record you select. For an A record, you
will need the TTL (Time to Live) and IP address. The time to live, or TTL, specifies how long each record is
cached by clients before being requeried.
The DNS records for the private zone are not viewable or retrievable. But, the DNS records are registered
and will resolve successfully.
In the above diagram, VNET1 contains two VMs (VM1 and VM2). Each VM has a private IP address. When
you create and a Private Zone (contoso.lab) to the Registration virtual network, Azure DNS will
automatically create two A records in the zone. DNS queries from VM1 to resolve VM2.contoso.lab
will receive a DNS response that contains the Private IP of VM2. Amd, a Reverse DNS query (PTR) for the
Private IP of VM1 (10.0.0.4) issued from VM2 will receive a DNS response that contains the FQDN of VM1,
as expected.
In this configuration:
1. DNS queries across the virtual networks are resolved. A DNS query from a VM in the Resolution
VNet, for a VM in the Registration VNet, will receive a DNS response containing the Private IP of VM.
2. Reverse DNS queries are scoped to the same virtual network. A Reverse DNS (PTR) query from a
VM in the Resolution virtual network, for a VM in the Registration VNet, will receive a DNS response
containing the FQDN of the VM. But, a reverse DNS query from a VM in the Resolution VNet, for a VM
in the same VNet, will receive NXDOMAIN.
Knowledge Check
16 https://docs.microsoft.com/windows-server/administration/windows-commands/nslookup
133
Multiple choice
What does Azure DNS allow you to do?
Manage the security and access to your website.
Register new domain names, removing the need to use a domain registrar.
Manage and host your registered domain and associated records.
Multiple choice
What type of DNS record should you create to map one or more IP addresses against a single domain?
CNAME
A or AAAA
SOA
Multiple choice
To perform Azure domain management tasks you must be a?
Global Administrator
User Administrator
Network Administrator
Learn more
You can learn more by reviewing the following.
●● Azure DNS documentation17
●● Learn - Host your domain on Azure DNS18
●● Learn - Implement DNS for Windows Server IaaS VMs19
17 https://docs.microsoft.com/azure/dns/
18 https://docs.microsoft.com/learn/modules/host-domain-azure-dns/
19 https://docs.microsoft.com/learn/modules/implement-dns-for-windows-server-iaas-virtual-machines/
134
20 https://docs.microsoft.com/learn/modules/secure-windows-server-domain-name-system/
135
Module 04 Lab
Lab 04 - Implement Virtual Networking
Lab scenario
You need to explore Azure virtual networking capabilities. To start, you plan to create a virtual network in
Azure that will host a couple of Azure virtual machines. Since you intend to implement network-based
segmentation, you will deploy them into different subnets of the virtual network. You also want to make
sure that their private and public IP addresses will not change over time. To comply with Contoso security
requirements, you need to protect public endpoints of Azure virtual machines accessible from Internet.
Finally, you need to implement DNS name resolution for Azure virtual machines both within the virtual
network and from Internet.
Objectives
In this lab, you will:
●● Task 1: Create and configure a virtual network.
●● Task 2: Deploy virtual machines into the virtual network.
●● Task 3: Configure private and public IP addresses of Azure VMs.
●● Task 4: Configure network security groups.
●● Task 5: Configure Azure DNS for internal name resolution.
●● Task 6: Configure Azure DNS for external name resolution.
136
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
137
Answers
Multiple choice
Your company has implemented Firewall rules to deny traffic based on IP address ranges. In this situation,
what should you do?
Use dynamically assigned IP addresses.
■■ Use statically assigned IP addresses.
Use IP addresses in the reserved range.
Explanation
In this situation, use statically assigned IP addresses to avoid having to change the Firewall rules.
Multiple choice
You are planning your Azure network implementation to support your company's migration to Azure.
Your first task is to prepare for the deployment of the first set of VMs. For these machines, consumers on
the internet must be able to communicate directly with the web application on the VMs. Also, the IP
configuration must be zone redundant. You should minimize costs, whenever possible, while still meeting
the requirements. What should you do? Select one.
■■ Create a standard public IP address. During the creation of the first VM, associate the public IP
address with the VM's NIC.
Create a standard public IP address. After the first VM is created, remove the private IP address and
assign the public IP address to the NIC.
Create a basic public IP address. During the creation of the first VM, associate the public IP address
with the VM.
Explanation
To meet the requirement of communicating directly with consumers on the internet, you must use a public
IP address. To meet the requirement of having a zone redundant configuration, you must use a standard
public IP address. Of the answer choices, only the answer that creates the standard public IP address first,
then associates it during VM creation, functions and meets the requirements. You cannot configure a VM
with only a public IP address. Instead, all VMs have a private IP address and can optionally have one or
more public IP addresses.
Multiple choice
You have a VM with two NICs named NIC1 and NIC2. NIC1 is connected to the 10.10.8.0/24 subnet. NIC2
is connected to the 10.20.8.0/24 subnet. You plan enable direct communication from the internet to TCP
port 443. You would like to maintain existing communication across the 10.10.8.0/24 and 10.20.8.0/24
subnets. To support the new functionality and keep things simple. What should you do? Select one.
Remove the private IP address from NIC2 and then assign a public IP address to it. Then, create an
inbound security rule.
■■ Associate a public IP address to NIC2 and create an inbound security rule.
Create an inbound security rule for TCP port 443.
Explanation
To enable direct communication from the internet to the VM, you must have a public IP address. You also
need an inbound security rule. You can associate the public IP address with NIC1 or NIC2, although this
scenario only presents an option to associate it with NIC2 so that is the correct answer.
138
Multiple choice
Your company has two NSG security rules for inbound traffic to your web servers. There is an allow rule
with a priority of 200. And, there is a deny rule with a priority of 150. Which rule takes precedence? Select
one.
The allow rule takes precedence
■■ The deny rule takes precedence
The rule that was created first takes precedence.
Explanation
The deny rule takes precedence because it's processed first. The rule with priority 150 is processed before the
rule with priority 200.
Multiple choice
Which of the following is a default inbound security rule? Select one.
■■ Allow inbound coming from any VM to any other VM within the subnet.
Allow inbound coming from any VM to any other VM within the virtual network.
Allow traffic from any external source to any of the VMs.
Explanation
By default, inbound security rules allow traffic from any VM to any other VM within the subnet.
Multiple choice
Your company wants to simplify network security group rules by using service tags. Which of the follow-
ing is a valid service tag? Select one.
■■ VirtualNetwork
VPNGateway
Database
Explanation
VirtualNetwork. Service tags represent a group of IP addresses. For resources that you can specify by using a
tag, you don't need to know the IP address or port details. Other valid service tags are Internet, SQL,
Storage, AzureLoadBalancer, and AzureTrafficManager.
Multiple choice
You are configuring the Azure Firewall. You need to allow Windows Update network traffic through the
firewall. Which of the following should you use? Select one.
■■ Application rules
Destination inbound rules
Network rules
Explanation
Application rules. Application rules define fully qualified domain names (FQDNs) that can be accessed from
a subnet. That would be appropriate to allow Windows Update network traffic.
139
Multiple choice
Your company wants to allow external users to access an Azure virtual server with a remote desktop
connection. Which one of the following items would you implement on Azure Firewall to allow these
connections? Select one.
Service tag
Source network address translation
■■ Destination network address translation
Explanation
Destination network address translation (DNAT). You use DNAT to translate Azure Firewall's public IP
address to the private IP address of the virtual server.
Multiple choice
Your company wants to allow access to an Azure SQL Database instance. Which of the following network
rules types should they use to configure Azure Firewall? Select one.
■■ Application
Network
NAT
Explanation
Application. You use an application rule to filter traffic based on an FQDN such as server1.database.
windows.net.
Multiple choice
What does Azure DNS allow you to do?
Manage the security and access to your website.
Register new domain names, removing the need to use a domain registrar.
■■ Manage and host your registered domain and associated records.
Explanation
Azure DNS allows you to host your registered domains. You can control and configure the domain records,
like A, CNAME, MX, and setup alias records.
Multiple choice
What type of DNS record should you create to map one or more IP addresses against a single domain?
CNAME
■■ A or AAAA
SOA
Explanation
The A or AAAA record maps an IP address to a domain. Multiple IP addresses are known as a record set.
140
Multiple choice
To perform Azure domain management tasks you must be a?
■■ Global Administrator
User Administrator
Network Administrator
Explanation
To perform Azure domain management tasks you must be a Global Administrator.
Module 5 Administer Intersite Connectivity
Skills measured
Configuring virtual network peering is part of Exam AZ-104: Microsoft Azure Administrator1.
Configure and manage virtual networking (25–30%)
Implement and manage virtual networking
●● Create and configure virtual networks, including peering.
Learning objectives
In this module, you will learn how to:
●● Identify usage cases and product features of virtual network peering.
●● Configure gateway transit, connectivity, and service chaining.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
142
Prerequisites
None.
When you Allow Gateway Transit the virtual network can communicate to resources outside the peering.
For example, the subnet gateway could:
●● Use a site-to-site VPN to connect to an on-premises network.
●● Use a VNet-to-VNet connection to another virtual network.
●● Use a point-to-site VPN to connect to a client.
In these scenarios, gateway transit allows peered virtual networks to share the gateway and get access to
resources. This means you do not need to deploy a VPN gateway in the peer virtual network.
Note: Network security groups can be applied in either virtual network to block access to other virtual
networks or subnets. When configuring virtual network peering, you can either open or close the network
security group rules between the virtual networks.
Note: When you add a peering on one virtual network, the second virtual network configuration is
automatically added.
Checking connectivity
You can check the status of the VNet peering.
●● Initiated: When you create the peering to the second virtual network from the first virtual network,
the peering status is Initiated.
●● Connected: When you create the peering from the second virtual network to the first virtual network,
its peering status is Connected. When you view the peering status for the first virtual network, you see
its status changed from Initiated to Connected. The peering is not successfully established until the
peering status for both virtual network peerings is Connected.
Knowledge check
Multiple choice
You want to connect different VNets in the same region as well as different regions and decide to use VNet
peering to accomplish this. Which of the following statements is not true about VNet peering? Select one.
The virtual networks can only exist in the same azure cloud region.
Network traffic between peered virtual networks is private.
Peering is easy to configure and manage, requiring little to no downtime.
Multiple choice
You are configuring VNet Peering across two Azure two virtual networks, VNET1 and VNET2. You are
configuring the VPN Gateways. You want VNET2 to be able to use to VNET1's gateway to get to resources
outside the peering. What should you do? Select one.
Select allow gateway transit on VNET1 and use remote gateways on VNET2.
Select allow gateway transit on VNET2 and use remote gateways on VNET1.
Select allow gateway transit and use remote gateways on both VNET1 and VNET2.
Multiple choice
The traffic between virtual machines in peered virtual networks is routed ... Select one.
directly through the Microsoft backbone infrastructure
through a VPN gateway
through the public Internet
Learn more
You can learn more by reviewing the following.
●● Virtual network peering documentation2
●● Learn - Distribute your services across Azure virtual networks and integrate them by using
virtual network peering3
2 https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview
3 https://docs.microsoft.com/learn/modules/integrate-vnets-with-vnet-peering/
147
Skills measured
Configuring VPN Gateways is part of Exam AZ-104: Microsoft Azure Administrator4.
Configure and manage virtual networking (25–30%)
Integrate an on-premises network with an Azure virtual network
●● Create and configure Azure VPN gateway.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for VPN gateways.
●● Implement high availability scenarios.
●● Configure site-to-site VPN connections using a VPN gateway.
Prerequisites
None.
4 https://docs.microsoft.com/learn/certifications/exams/az-104
148
Create VNets and subnets. By now you should be familiar with creating virtual networks and subnets.
Remember for this VNet to connect to an on-premises location. Contact your on-premises network
administrator to reserve an IP address range for this virtual network.
Specify the DNS server (optional). DNS is not required to create a Site-to-Site connection. However, if
you need name resolution for resources that are deployed to your virtual network, you should specify a
DNS server in the virtual network configuration.
Note: Take time to carefully plan your network configuration. If a duplicate IP address range exists on
both sides of the VPN connection, traffic will not route the way you may expect it to.
149
●● Route-based VPNs. Route-based VPNs use routes in the IP forwarding or routing table to direct
packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the
packets in and out of the tunnels. The policy (or traffic selector) for Route-based VPNs are configured
as any-to-any (or wild cards).
●● Policy-based VPNs. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on
the IPsec policies configured with the combinations of address prefixes between your on-premises
network and the Azure VNet. The policy (or traffic selector) is defined as an access list in the VPN
device configuration. When using a Policy-based VPN, keep in mind the following limitations:
●● Policy-Based VPNs can only be used on the Basic gateway SKU and is not compatible with other
gateway SKUs.
●● You can have only one tunnel when using a Policy-based VPN.
●● You can only use Policy-based VPNs for S2S connections, and only for certain configurations. Most
VPN Gateway configurations require a Route-based VPN.
Note: Once a virtual network gateway has been created, you can't change the VPN type.
5 https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-download-vpndevicescript
153
Active/active
You can now create an Azure VPN gateway in an active-active configuration, where both instances of the
gateway VMs will establish S2S VPN tunnels to your on-premises VPN device.
In this configuration, each Azure gateway instance will have a unique public IP address, and each will
establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network
gateway and connection. Both VPN tunnels are actually part of the same connection. You will still need to
configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure
VPN gateway public IP addresses.
When in active-active configuration, the traffic from your Azure virtual network to your on-premises
network will be routed through both tunnels simultaneously. The same TCP or UDP flow will always
traverse the same tunnel or path, unless a maintenance event happens on one of the instances.
When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel
from that instance to your on-premises VPN device will be disconnected. The corresponding routes on
your VPN devices should be removed or withdrawn automatically so that the traffic will be switched over
to the other active IPsec tunnel. On the Azure side, the switch over will happen automatically from the
affected instance to the active instance.
Knowledge check
Multiple choice
Your company is preparing to implement a Site-to-Site VPN to Microsoft Azure. You do all the following,
except? Select one.
Obtain a VPN device for the on-premises environment.
Obtain a VPN device for the Azure environment.
Create a virtual network gateway (VPN) and the local network gateway in Azure.
Multiple choice
Your company is preparing to implement persistent connectivity to Microsoft Azure. The company has a
single site, headquarters, which has an on-premises data center. The company requires the onnectivity be
persistent. Connectivity must provide for the entire on-premises site. You need to implement a connectivity
solution to meet the requirements. What should you do? Select one.
Implement a Site-to-Site VPN.
Implement a Virtual Private Cloud (VPC).
Implement a VNet-to-VNet VPN.
Multiple choice
You are configuring a site-to-site VPN connection between your on-premises network and your Azure
network. The on-premises network uses a Cisco ASA VPN device. Before starting the configuration, you
ensure you have all the following, except? Select one.
The shared access signature key for the recovery services vault.
The shared key you provided when you created your site-to-site VPN connection.
The public IP address of your virtual network gateway.
Multiple choice
Your VPN gateway works with ExpressRoute. Which VPN type should you select? Select one.
Path-based
Route-based
SKU-based
Multiple choice
You are creating a connection between two virtual networks. Performance is a key concern. Which of the
following will most influence performance? Select one.
Ensuring you select a route-based VPN.
Ensuring you select a policy-based VPN.
Ensuring you select an appropriate Gateway SKU.
157
Learn more
You can learn more by reviewing the following.
●● VPN Gateway documentation6
●● Validated VPN devices list7
●● Learn - Connect your on-premises network to Azure with VPN Gateway8
6 https://docs.microsoft.com/azure/vpn-gateway/
7 https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-devices
8 https://docs.microsoft.com/learn/modules/connect-on-premises-network-with-vpn-gateway/
158
Skills measured
ExpressRoute and Virtual WAN are part of Exam AZ-104: Microsoft Azure Administrator9.
Configure and manage virtual networking (25–30%)
Integrate an on-premises network with an Azure virtual network
●● Create and configure Azure ExpressRoute.
●● Configure Azure Virtual WAN.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for ExpressRoute.
●● Coexist site-to-site and ExpressRoute networks.
●● Identify features and usage cases for virtual WAN.
Prerequisites
None.
9 https://docs.microsoft.com/learn/certifications/exams/az-104
159
ExpressRoute benefits
Layer 3 connectivity
Microsoft uses BGP to exchange routes between your on-premises network, your instances in Azure, and
Microsoft public addresses. Multiple BGP sessions are created for different traffic profiles.
Redundancy
Each ExpressRoute circuit consists of two connections to two Microsoft Enterprise edge routers (MSEEs)
from the connectivity provider/your network edge. Microsoft requires dual BGP connection from the
connectivity provider/your network edge – one to each MSEE.
Connectivity to Microsoft cloud services
ExpressRoute connections enable access to Microsoft Azure services, Microsoft 365 services, and Micro-
soft Dynamics 365. Microsoft 365 was created to be accessed securely and reliably via the Internet, so
ExpressRoute requires Microsoft authorization.
Connectivity to all regions within a geopolitical region
You connect to Microsoft in one of our peering locations and access regions within the geopolitical
region. For example, if you connect to Microsoft in Amsterdam through ExpressRoute, you'll have access
to all Microsoft cloud services hosted in Northern and Western Europe.
Global connectivity with ExpressRoute premium add-on
You enable the ExpressRoute premium add-on feature to extend connectivity across geopolitical bounda-
ries. For example, if you connect to Microsoft in Amsterdam through ExpressRoute, you will have access
to all Microsoft cloud services hosted in all regions across the world, except national clouds.
Across on-premises connectivity with ExpressRoute Global Reach
You enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting
your ExpressRoute circuits. For example, if you have a private data center in California connected to
ExpressRoute in Silicon Valley, and another private data center in Texas connected to ExpressRoute in
161
Dallas, with ExpressRoute Global Reach, you can connect your private data centers together through two
ExpressRoute circuits. Your cross-data-center traffic will traverse through Microsoft's network.
Bandwidth options
You purchase ExpressRoute circuits for a wide range of bandwidths from 50 Mbps to 100 Gbit. Be sure to
check with your connectivity provider to determine the bandwidths they support.
Flexible billing models
You pick a billing model that works best for you. Choose between the billing models listed below.
●● Unlimited data. Billing is based on a monthly fee; all inbound and outbound data transfer is included
free of charge.
●● Metered data. Billing is based on a monthly fee; all inbound data transfer is free of charge. Outbound
data transfer is charged per GB of data transfer. Data transfer rates vary by region.
●● ExpressRoute premium add-on. This add-on includes increased routing table limits, increased
number of VNets, global connectivity, and connections to Microsoft 365 and Dynamics 365.
Knowledge Check
Multiple choice
Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual machines
in another virtual network. You need to install an Azure load balancer to direct traffic between the virtual
networks. What should you do? Select one.
Install an external load balancer.
Install an internal load balancer.
Install a network load balancer.
Multiple choice
Your company has a popular regional web site. The company plans to move it to Azure and host it in the
Canada East region. Ten Azure VMs have been configured to handle the web requests. The traffic should be
evenly distributed across the machines. The machines should provide good performance even during peak
times. Your solution should minimize complexity and ongoing costs. Which of the following would you select
in this scenario? Select one.
Azure Traffic Manager
Azure Load Balancer
Azure Application Gateway
Multiple choice
What is the default distribution type for traffic through a load balancer? Select one.
Source IP affinity
Five-tuple hash
Three-tuple hash
Multiple choice
Which configuration is required to configure an internal load balancer?
Virtual machines should be in the same virtual network
Virtual machines must be publicly accessible
Virtual machines must be in an availability set
165
Multiple choice
Which of the following statement about external load balancers is correct?
They have a private, front-facing IP address.
They don't have a listener IP address.
They have a public IP address.
Summary
Azure ExpressRoute can be used to connect your on-premises networks to the Microsoft cloud infrastruc-
ture. ExpressRoute works with an approved connectivity provider to establish the connections via a
dedicated circuit.
Azure Virtual WAN can also be used to establish network connections. Azure Virtual WAN provides
any-to-any connectivity, custom routing, and security.
You should now be able to:
●● Identify features and usage cases for ExpressRoute.
●● Coexist site-to-site and ExpressRoute networks.
●● Identify features and usage cases for virtual WAN.
Learn more
You can learn more by reviewing the following.
●● ExpressRoute documentation10
●● Azure Virtual WAN documentation11
●● Learn - Connect your on-premises network to the Microsoft global network by using Express-
Route12
●● Learn - Configure the network for your virtual machines13
●● Learn - Introduction to Azure Virtual WAN14
10 https://docs.microsoft.com/azure/expressroute/
11 https://docs.microsoft.com/azure/virtual-wan/
12 https://docs.microsoft.com/learn/modules/connect-on-premises-network-with-expressroute/
13 https://docs.microsoft.com/learn/modules/configure-network-for-azure-virtual-machines/
14 https://docs.microsoft.com/learn/modules/introduction-azure-virtual-wan/
166
Module 05 Lab
Lab 05 - Implement Intersite Connectivity
Lab scenario
Contoso has its datacenters in Boston, New York, and Seattle offices connected via a mesh wide-area
network links, with full connectivity between them. You need to implement a lab environment that will
reflect the the topology of the Contoso's on-premises networks and verify its functionality.
Objectives
In this lab, you will:
●● Task 1: Provision the lab environment.
●● Task 2: Configure local and global virtual network peering.
●● Task 3: Test intersite connectivity.
Architecture Diagram
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
167
Answers
Multiple choice
You want to connect different VNets in the same region as well as different regions and decide to use
VNet peering to accomplish this. Which of the following statements is not true about VNet peering?
Select one.
■■ The virtual networks can only exist in the same azure cloud region.
Network traffic between peered virtual networks is private.
Peering is easy to configure and manage, requiring little to no downtime.
Explanation
The virtual networks can exist in any Azure cloud region.
Multiple choice
You are configuring VNet Peering across two Azure two virtual networks, VNET1 and VNET2. You are
configuring the VPN Gateways. You want VNET2 to be able to use to VNET1's gateway to get to resources
outside the peering. What should you do? Select one.
■■ Select allow gateway transit on VNET1 and use remote gateways on VNET2.
Select allow gateway transit on VNET2 and use remote gateways on VNET1.
Select allow gateway transit and use remote gateways on both VNET1 and VNET2.
Explanation
Select allow gateway transit on VNET1 and use remote gateways on VNET2. VNET1 will allow VNET2 to
transit external resources, and VNET2 will expect to use a remote gateway.
Multiple choice
The traffic between virtual machines in peered virtual networks is routed ... Select one.
■■ directly through the Microsoft backbone infrastructure
through a VPN gateway
through the public Internet
Explanation
The traffic between virtual machines in peered virtual networks is routed directly through the Microsoft
backbone infrastructure.
Multiple choice
Your company is preparing to implement a Site-to-Site VPN to Microsoft Azure. You do all the following,
except? Select one.
Obtain a VPN device for the on-premises environment.
■■ Obtain a VPN device for the Azure environment.
Create a virtual network gateway (VPN) and the local network gateway in Azure.
Explanation
Obtain a VPN device for the Azure environment. Azure does not require a VPN device.
168
Multiple choice
Your company is preparing to implement persistent connectivity to Microsoft Azure. The company has a
single site, headquarters, which has an on-premises data center. The company requires the onnectivity be
persistent. Connectivity must provide for the entire on-premises site. You need to implement a connectiv-
ity solution to meet the requirements. What should you do? Select one.
■■ Implement a Site-to-Site VPN.
Implement a Virtual Private Cloud (VPC).
Implement a VNet-to-VNet VPN.
Explanation
Implement a Site-to-Site VPN.
Multiple choice
You are configuring a site-to-site VPN connection between your on-premises network and your Azure
network. The on-premises network uses a Cisco ASA VPN device. Before starting the configuration, you
ensure you have all the following, except? Select one.
■■ The shared access signature key for the recovery services vault.
The shared key you provided when you created your site-to-site VPN connection.
The public IP address of your virtual network gateway.
Explanation
You only need the shared key and public IP address of the gateway.
Multiple choice
Your VPN gateway works with ExpressRoute. Which VPN type should you select? Select one.
Path-based
■■ Route-based
SKU-based
Explanation
Route-based. Typical route-based gateway scenarios include point-to-site, inter-virtual network, or multiple
site-to-site connections. Route-based is also selected when you coexist with an ExpressRoute gateway or if
you need to use IKEv2.
Multiple choice
You are creating a connection between two virtual networks. Performance is a key concern. Which of the
following will most influence performance? Select one.
Ensuring you select a route-based VPN.
Ensuring you select a policy-based VPN.
■■ Ensuring you select an appropriate Gateway SKU.
Explanation
Select the appropriate Gateway SKU to ensure performance.
169
Multiple choice
Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual
machines in another virtual network. You need to install an Azure load balancer to direct traffic between
the virtual networks. What should you do? Select one.
Install an external load balancer.
■■ Install an internal load balancer.
Install a network load balancer.
Explanation
Install an internal load balancer. Azure has two types of load balancers: public and internal. An internal load
balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure
infrastructure.
Multiple choice
Your company has a popular regional web site. The company plans to move it to Azure and host it in the
Canada East region. Ten Azure VMs have been configured to handle the web requests. The traffic should
be evenly distributed across the machines. The machines should provide good performance even during
peak times. Your solution should minimize complexity and ongoing costs. Which of the following would
you select in this scenario? Select one.
Azure Traffic Manager
■■ Azure Load Balancer
Azure Application Gateway
Explanation
Azure Load Balancer. In this scenario, the requirements call for load balancing of a web site with minimal
complexity and costs. The web site is in a single region, which rules out Azure Traffic Manager (which is
geared toward a distributed web application). Azure CDN is complex and expensive, and it best suited for
delivering static web content at various locations worldwide (with maximum performance). Azure Cloud
Services are suited for applications and APIs, not for this scenario.
Multiple choice
What is the default distribution type for traffic through a load balancer? Select one.
Source IP affinity
■■ Five-tuple hash
Three-tuple hash
Explanation
Five-tuple hash. The hash includes Source IP, Source port, Destination IP, Destination port, and Protocol
type.
170
Multiple choice
Which configuration is required to configure an internal load balancer?
■■ Virtual machines should be in the same virtual network
Virtual machines must be publicly accessible
Virtual machines must be in an availability set
Explanation
Virtual machines should be in the same virtual network. The virtual machines that you use a load balancer
to distribute a load to must be in the same virtual network.
Multiple choice
Which of the following statement about external load balancers is correct?
They have a private, front-facing IP address.
They don't have a listener IP address.
■■ They have a public IP address.
Explanation
They have a public IP address. External load balancers have public IP addresses.
Module 6 Adminster Network Traffic
Skills measured
Configure routing methods and endpoints is part of Exam AZ-104: Microsoft Azure Administrator1.
Configure and manage virtual networking (25–30%)
Implement and manage virtual networking
●● Configure user-defined network routes.
●● Configure endpoints on subnets.
●● Configure private endpoints.
Learning objectives
In this module, you will learn how to:
●● Implement system routes and user-defined routes.
●● Configure a custom route.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
172
Prerequisites
●● Familiarity with network routing.
Note: Information about the system routes is recorded in a route table. A route table contains a set of
rules, called routes, that specifies how packets should be routed in a virtual network. Route tables are
associated to subnets, and each packet leaving a subnet is handled based on the associated route table.
Packets are matched to routes using the destination. The destination can be an IP address, a virtual
network gateway, a virtual appliance, or the internet. If a matching route can't be found, then the packet
is dropped.
In these situations, you can configure user-defined routes (UDRs). UDRs control network traffic by
defining routes that specify the next hop of the traffic flow. The hop can be a virtual network gateway,
virtual network, internet, or virtual appliance.
Each route table can be associated to multiple subnets, but a subnet can only be associated to a single
route table.
There are no charges for creating route tables in Microsoft Azure.
Note: Will you need to create custom routes?
Routes are automatically added to the route table for all subnets with Virtual network gateway propaga-
tion enabled. When you are using ExpressRoute, propagation ensures all subnets get the routing infor-
mation.
In summary, this route applies to any address prefixes in 10.0.1.0/24 (private subnet). Traffic headed to
these addresses will be sent to the virtual appliance with a 10.0.2.4 address.
Note: By default, using system routes traffic would go directly to the private subnet. However, with a
user-defined route you can force the traffic through the virtual appliance.
Note: In this example, the virtual appliance shouldn't have a public IP address and IP forwarding should
be enabled.
176
your virtual network by adding a virtual network rule. The rule improves security by fully removing
public Internet access to resources, and allowing traffic only from your virtual network.
●● Optimal routing for Azure service traffic from your virtual network. Today, any routes in your
virtual network that force Internet traffic to your premises and/or virtual appliances, known as
forced-tunneling, also force Azure service traffic to take the same route as the Internet traffic. Service
endpoints provide optimal routing for Azure traffic.
●● Endpoints always take service traffic directly from your virtual network to the service on the
Microsoft Azure backbone network. Keeping traffic on the Azure backbone network allows you to
continue auditing and monitoring outbound Internet traffic from your virtual networks, through
forced-tunneling, without impacting service traffic. Learn more about user-defined routes and
forced-tunneling.
●● Simple to set up with less management overhead. You no longer need reserved, public IP address-
es in your virtual networks to secure Azure resources through IP firewall. There are no NAT or gateway
devices required to set up the service endpoints. Service endpoints are configured through the
subnet. There is no additional overhead to maintaining the endpoints.
Note: With service endpoints, the virtual machine IP addresses switches from public to private IPv4
addresses. Existing Azure service firewall rules using Azure public IP addresses will stop working with this
switch. Ensure Azure service firewall rules allow for this switch before setting up service endpoints. You
may also experience temporary interruption to service traffic from this subnet while configuring service
endpoints.
Azure Storage. Generally available in all Azure regions. This endpoint gives traffic an optimal route to the
Azure Storage service. Each storage account supports up to 100 virtual network rules.
Azure SQL Database and Azure SQL Data Warehouse. Generally available in all Azure regions. A
firewall security feature that controls whether the database server for your single databases and elastic
pool in Azure SQL Database or for your databases in SQL Data Warehouse accepts communications that
are sent from particular subnets in virtual networks.
Azure Database for PostgreSQL server and MySQL. Generally available in Azure regions where data-
base service is available. Virtual Network (VNet) services endpoints and rules extend the private address
space of a Virtual Network to your Azure Database for PostgreSQL server and MySQL server.
Azure Cosmos DB. Generally available in all Azure regions. You can configure the Azure Cosmos account
to allow access only from a specific subnet of virtual network (VNet). By enabling Service endpoint to
access Azure Cosmos DB on the subnet within a virtual network, the traffic from that subnet is sent to
Azure Cosmos DB with the identity of the subnet and Virtual Network. Once the Azure Cosmos DB service
endpoint is enabled, you can limit access to the subnet by adding it to your Azure Cosmos account.
Azure Key Vault. Generally available in all Azure regions. The virtual network service endpoints for Azure
Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to
restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your
key vault from outside those sources is denied access.
Azure Service Bus and Azure Event Hubs. Generally available in all Azure regions. The integration of
Service Bus with Virtual Network (VNet) service endpoints enables secure access to messaging capabili-
ties from workloads like virtual machines that are bound to virtual networks, with the network traffic path
being secured on both ends.
Note: Adding service endpoints can take up to 15 minutes to complete. Each service endpoint integra-
tion has its own Azure documentation page.
Azure Private Link provides private connectivity from a virtual network to Azure platform as a service
(PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures
the connection between endpoints in Azure by eliminating data exposure to the public internet.
●● Private connectivity to services on Azure. Traffic remains on the Microsoft network, with no public
internet access. Connect privately to services running in other Azure regions. Private Link is global and
has no regional restrictions.
●● Integration with on-premises and peered networks. Access private endpoints over private peering
or VPN tunnels from on-premises or peered virtual networks. Microsoft hosts the traffic, so you don’t
need to set up public peering or use the internet to migrate your workloads to the cloud.
180
●● Protection against data exfiltration for Azure resources. Use Private Link to map private endpoints
to Azure PaaS resources. When there is a security incident within your network, only the mapped
resource would be accessible, eliminating the threat of data exfiltration.
●● Services delivered directly to your customers’ virtual networks. Privately consume Azure PaaS,
Microsoft partner, and your own services in your virtual networks on Azure. Private Link works across
Azure Active Directory (Azure AD) tenants to help unify your experience across services. Send, ap-
prove, or reject requests directly, without permissions or role-based access controls.
How it works
Use Private Link to bring services delivered on Azure into your private virtual network by mapping it to a
private endpoint. Or privately deliver your own services in your customers’ virtual networks. All traffic to
the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or
VPN connections, or public IP addresses are needed. Private Link keeps traffic on the Microsoft global
network.
Knowledge Check
Multiple choice
Your company wants to redirect Internet traffic to your company's on-premises servers for packet inspection.
Which of the following is not used for this? Select one.
User Defined Routes
Forced Tunneling
System Routes
Multiple choice
Why would you use a custom route in a virtual network? Select one.
To load balance the traffic within your virtual network.
To connect to resources in another virtual network hosted in Azure.
To control the flow of traffic within your Azure virtual network.
Multiple choice
When creating user-defined routes, you can specify any of these next hop types, except? Select one.
Internet
Load Balancer
Virtual Appliance
181
Multiple choice
Your company needs to extend thier private address space in Azure by by providing a direct connection to
your Azure resources. They implement which of the following? Select one.
User-defined route
Virtual appliance
Virtual network endpoint
Multiple choice
What is the main benefit of using a network virtual appliance?
To control who can access Azure resources from the perimeter network.
To control incoming traffic from the perimeter network and allow only traffic that meets security
requirements to pass through.
To control outbound access to the internet
Learn more
You can learn more by reviewing the following.
●● Virtual network traffic routing documenation2
●● Learn - Manage and control traffic flow in your Azure deployment with routes3
2 https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview
3 https://docs.microsoft.com/learn/modules/control-network-traffic-flow-with-routes/
182
Skills measured
Configuring load-balancing is part of Exam AZ-104: Microsoft Azure Administrator4.
Configure and manage virtual networking (25–30%)
Configure load balancing
●● Configure an internal or public load balancer.
●● Troubleshoot load-balancing.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for Azure load balancer.
●● Implement public and internal Azure load balancers.
●● Configure load balancer SKUs, backend pools, session persistence, and health probes.
Prerequisites
None.
4 https://docs.microsoft.com/learn/certifications/exams/az-104
183
The Load Balancer can be used for inbound and outbound scenarios and scales up to millions of TCP and
UDP application flows.
Note: Keep this diagram in mind since it covers the four components that must be configured for your
load balancer: Frontend IP configuration, Backend pools, Health probes, and Load-balancing rules.
●● For multi-tier applications. Load balancing for internet-facing multi-tier applications where the
backend tiers are not internet-facing. The backend tiers require traffic load-balancing from the
internet-facing tier.
●● For line-of-business applications. Load balancing for line-of-business applications that are hosted in
Azure without additional load balancer hardware or software. This scenario includes on-premises
servers that are in the set of computers whose traffic is load-balanced.
Note: A public load balancer could be placed in front of the internal load balancer to create a multi-tier
application.
Capabilities
Feature Basic SKU Standard SKU
Backend pools Up to 300 instances Up to 1000 instances
Health probes HTTP, TCP HTTPS, HTTP, TCP
Availability zones Not available Zone-redundant and zonal
frontends for inbound and
outbound traffic.
Multiple front ends Inbound only Inbound and outbound
186
How you configure the backend pool depends on whether you are using the Standard or Basic SKU.
Note: In the Standard SKU, you can have up to 1000 instances in the backend pool. In the Basic SKU, you
can have up to 300 instances.
TCP connections to a set of backend web (port 80) servers. The rule uses a health probe that checks on
HTTP port 80.
Load balancing rules can be used in combination with NAT rules. For example, you could use NAT from
the load balancer’s public address to TCP 3389 on a specific virtual machine. This allows remote desktop
access from outside of Azure.
Session persistence specifies how traffic from a client should be handled. The default behavior (None) is
that successive requests from a client may be handled by any virtual machine. You can change this
behavior.
●● None (default) specifies any virtual machine can handle the request.
●● Client IP specifies that successive requests from the same client IP address will be handled by the
same virtual machine.
●● Client IP and protocol specifies that successive requests from the same client IP address and proto-
col combination will be handled by the same virtual machine.
Note: Keeping session persistence information is important in applications that use a shopping cart. Can
you think of any other applications?
HTTP custom probe. The load balancer regularly probes your endpoint (every 15 seconds, by default).
The instance is healthy if it responds with an HTTP 200 within the timeout period (default of 31 seconds).
Any status other than HTTP 200 causes the probe to fail. You can specify the port (Port), the URI for
requesting the health status from the backend (URI), amount of time between probe attempts (Interval),
and the number of failures that must occur for the instance to be considered unhealthy (Unhealthy
threshold).
TCP custom probe. This probe relies on establishing a successful TCP session to a defined probe port. If
the specified listener on the VM exists, the probe succeeds. If the connection is refused, the probe fails.
You can specify the Port, Interval, and Unhealthy threshold.
Note: There is also a guest agent probe. This probe uses the guest agent inside the VM. It is not recom-
mended when HTTP or TCP custom probe configurations are possible.
189
Knowledge Check
Multiple choice
Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual machines
in another virtual network. You need to install an Azure load balancer to direct traffic between the virtual
networks. What should you do? Select one.
Install an external load balancer.
Install an internal load balancer.
Install a public load balancer.
Multiple choice
Your company has a popular regional web site. The company plans to move it to Microsoft Azure and host it
in the Canada East region. The web team has established the following requirements for managing the web
traffic: -Evenly distribute incoming web requests across a farm of 10 Azure VMs. -Support many incoming
requests, including spikes during peak times. -Minimize complexity. -Minimize ongoing costs. Which of the
following would you select for this scenario? Select one.
Azure Traffic Manager
Azure Load Balancer
Azure Application Gateway
Multiple choice
What is the default distribution type for traffic through a load balancer? Select one.
Source IP affinity
Five-tuple hash
Three-tuple hash
Multiple choice
Which configuration is required to configure an internal load balancer?
Virtual machines should be in the same virtual network.
Virtual machines must be publicly accessible.
Virtual machines must be in an availability set.
190
Multiple choice
Which of the following statement about external load balancers is correct?
They have a private, front-facing IP address.
They don't have a listener IP address.
They have a public IP address.
Learn more
You can learn more by reviewing the following.
●● Load Balancer documentation5.
●● Learn - Improve application scalability and resiliency by using Azure Load Balancer6
5 https://docs.microsoft.com/azure/load-balancer/
6 https://docs.microsoft.com/learn/modules/improve-app-scalability-resiliency-with-load-balancer/
191
Skills measured
Configure the Azure Application Gateway is part of Exam AZ-104: Microsoft Azure Administrator7.
Configure and manage virtual networking (25–30%)
Configure load balancing
●● Configure Azure Application gateway.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for Azure Application Gateway.
●● Implement Azure Application Gateway, including selecting a routing method.
●● Configure gateway features such as routing rules.
Prerequisites
None.
7 https://docs.microsoft.com/learn/certifications/exams/az-104
192
The Application Gateway uses round robin to send load balance requests to the servers in each back-end
pool. The Application Gateway provides session stickiness. Use session stickiness to ensure client requests
in the same session are routed to the same back-end server.
Load-balancing works in the OSI Layer 7. Load-balancing requests use the routing parameters (host
names and paths) in the Application Gateway rules. In comparison, the Azure Load Balancer, functions at
the OSI Layer 4 level. This means the Azure Load Balancer distributes traffic based on the IP address of
the target of a request.
Additional features
●● Support for the HTTP, HTTPS, HTTP/2 and WebSocket protocols.
●● A web application firewall to protect against web application vulnerabilities.
●● End-to-end request encryption.
●● Autoscaling, to dynamically adjust capacity as your web traffic load change.
Path-based routing
Path-based routing sends requests with different URL paths different pools of back-end servers. For
example, you could direct requests with the path /video/* to a back-end pool containing servers that are
optimized to handle video streaming, and direct /images/* requests to a pool of servers that handle
image retrieval.
193
Multi-site configurations are useful for supporting multi-tenant applications, where each tenant has its
own set of virtual machines or other resources hosting a web application.
Other features
●● Redirection. Redirection can be used to another site, or from HTTP to HTTPS.
●● Rewrite HTTP headers. HTTP headers allow the client and server to pass parameter information with
the request or the response.
●● Custom error pages. Application Gateway allows you to create custom error pages instead of
displaying default error pages. You can use your own branding and layout using a custom error page.
194
Front-end IP address
Client requests are received through a front-end IP address. You can configure Application Gateway to
have a public IP address, a private IP address, or both. Application Gateway can't have more than one
public and one private IP address.
Listeners
Application Gateway uses one or more listeners to receive incoming requests. A listener accepts traffic
arriving on a specified combination of protocol, port, host, and IP address. Each listener routes requests
to a back-end pool of servers following routing rules that you specify. A listener can be Basic or Mul-
ti-site. A Basic listener only routes a request based on the path in the URL. A Multi-site listener can also
route requests using the hostname element of the URL.
Listeners also handle TLS/SSL certificates for securing your application between the user and Application
Gateway.
Routing rules
A routing rule binds a listener to the back-end pools. A rule specifies how to interpret the hostname and
path elements in the URL of a request, and then direct the request to the appropriate back-end pool. A
routing rule also has an associated set of HTTP settings. These HTTP settings indicate whether (and how)
traffic is encrypted between Application Gateway and the back-end servers. Other configuration informa-
tion includes Protocol, Session stickiness, Connection draining, Request timeout period, and Health
probes.
195
Back-end pools
A back-end pool references a collection of web servers. You provide the IP address of each web server
and the port on which it listens for requests when configuring the pool. Each pool can specify a fixed set
of virtual machines, a virtual machine scale-set, an app hosted by Azure App Services, or a collection of
on-premises servers. Each back-end pool has an associated load balancer that distributes work across the
pool
Health probes
Health probes determine which servers are available for load-balancing in a back-end pool. The Applica-
tion Gateway uses a health probe to send a request to a server. When the server returns an HTTP re-
sponse with a status code between 200 and 399, the server is considered healthy.
If you don't configure a health probe, Application Gateway creates a default probe that waits for 30
seconds before deciding that a server is unavailable.
Knowledge check
Multiple choice
Which criteria does Application Gateway use to route requests to a web server? Select one.
The hostname, port, and path in the URL of the request.
The region in which the servers hosting the web application are located.
The users authentication information.
196
Multiple choice
Which load balancing strategy does the Application Gateway implement? Select one.
Distributes requests to each available server in a backend pool in turn, round-robin.
Distributes requests to the server in the backend pool with the lightest load.
Polls each server in the backend pool in turn, and sends the request to the first server that responds.
Multiple choice
Your company has a website that allows users to customize their experience by downloading an app.
Demand for the app has increased so you have added another virtual network with two virtual machines.
These machines are dedicated to serving the app downloads. You need to ensure the additional download
requests do not affect the website performance. Your solution must route all download requests to the two
new servers you have installed. What action will you recommend? Select one.
Add a user-defined route.
Create a local network gateway.
Add an application gateway.
Multiple choice
You are deploying the Application Gateway and want to ensure incoming requests are checked for common
security threats like cross-site scripting and crawlers. To address your concerns what should you do? Select
one.
Install an internal load balancer
Install Azure Firewall
Install the Web Application Firewall
Learn more
You can learn more by reviewing the following.
●● What is Azure Application Gateway8.
●● Learn - Load balance your web service traffic with Application Gateway9
●● Learn - Introduction to Azure Web Application Firewall10
8 https://docs.microsoft.com/azure/application-gateway/overview
9 https://docs.microsoft.com/learn/modules/load-balance-web-traffic-with-application-gateway/
10 https://docs.microsoft.com/en-us/learn/modules/introduction-azure-web-application-firewall/
198
Module 06 Lab
Lab 06 - Implement Traffic Management
Lab scenario
You were tasked with testing managing network traffic targeting Azure virtual machines in the hub and
spoke network topology, which Contoso considers implementing in its Azure environment (instead of
creating the mesh topology, which you tested in the previous lab). This testing needs to include imple-
menting connectivity between spokes by relying on user defined routes that force traffic to flow via the
hub, as well as traffic distribution across virtual machines by using layer 4 and layer 7 load balancers. For
this purpose, you intend to use Azure Load Balancer (layer 4) and Azure Application Gateway (layer 7).
Objectives
In this lab, you will:
●● Task 1: Provision the lab environment.
●● Task 2: Configure the hub and spoke network topology.
●● Task 3: Test transitivity of virtual network peering.
●● Task 4: Configure routing in the hub and spoke topology.
●● Task 5: Implement Azure Load Balancer.
●● Task 6: Implement Azure Application Gateway.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
199
Answers
Multiple choice
Your company wants to redirect Internet traffic to your company's on-premises servers for packet
inspection. Which of the following is not used for this? Select one.
User Defined Routes
Forced Tunneling
■■ System Routes
Explanation
System routes. Forced tunneling can redirect internet bound traffic back to the company's on-premises
infrastructure. The redirection can be used to implement packet inspection or corporate audits. Forced
tunneling in Azure is configured via virtual network user defined routes.
Multiple choice
Why would you use a custom route in a virtual network? Select one.
To load balance the traffic within your virtual network.
To connect to resources in another virtual network hosted in Azure.
■■ To control the flow of traffic within your Azure virtual network.
Explanation
To control the flow of traffic within your Azure virtual network. Custom routes are used to override the
default Azure routing so that you can route traffic through a network virtual appliance.
Multiple choice
When creating user-defined routes, you can specify any of these next hop types, except? Select one.
Internet
■■ Load Balancer
Virtual Appliance
Explanation
Load balancer. The valid next hop choices are virtual appliance. virtual network gateway, virtual network,
internet, and none.
Multiple choice
Your company needs to extend thier private address space in Azure by by providing a direct connection
to your Azure resources. They implement which of the following? Select one.
User-defined route
Virtual appliance
■■ Virtual network endpoint
Explanation
Virtual network endpoint. Virtual network endpoints extend your private address space in Azure. Endpoints
restrict the flow of traffic. As you enable service endpoints, Azure creates routes in the route table to direct
this traffic.
200
Multiple choice
What is the main benefit of using a network virtual appliance?
To control who can access Azure resources from the perimeter network.
■■ To control incoming traffic from the perimeter network and allow only traffic that meets security
requirements to pass through.
To control outbound access to the internet
Explanation
To control incoming traffic from the perimeter network and allow only traffic that meets security require-
ments to pass through. A network virtual appliance acts like a firewall. It checks all inbound and outbound
traffic, and it secures your environment by allowing or denying the traffic.
Multiple choice
Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual
machines in another virtual network. You need to install an Azure load balancer to direct traffic between
the virtual networks. What should you do? Select one.
Install an external load balancer.
■■ Install an internal load balancer.
Install a public load balancer.
Explanation
Install an internal load balancer. Azure has two types of load balancers: public and internal. An internal load
balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure
infrastructure.
Multiple choice
Your company has a popular regional web site. The company plans to move it to Microsoft Azure and
host it in the Canada East region. The web team has established the following requirements for managing
the web traffic: -Evenly distribute incoming web requests across a farm of 10 Azure VMs. -Support many
incoming requests, including spikes during peak times. -Minimize complexity. -Minimize ongoing costs.
Which of the following would you select for this scenario? Select one.
Azure Traffic Manager
■■ Azure Load Balancer
Azure Application Gateway
Explanation
Azure Load Balancer. In this scenario, the requirements call for load balancing of a web site with minimal
complexity and costs.
Multiple choice
What is the default distribution type for traffic through a load balancer? Select one.
Source IP affinity
■■ Five-tuple hash
Three-tuple hash
Explanation
Five-tuple hash. The hash includes Source IP, Source port, Destination IP, Destination port, and Protocol
type.
201
Multiple choice
Which configuration is required to configure an internal load balancer?
■■ Virtual machines should be in the same virtual network.
Virtual machines must be publicly accessible.
Virtual machines must be in an availability set.
Explanation
Virtual machines should be in the same virtual network. The virtual machines that you use a load balancer
to distribute a load to must be in the same virtual network.
Multiple choice
Which of the following statement about external load balancers is correct?
They have a private, front-facing IP address.
They don't have a listener IP address.
■■ They have a public IP address.
Explanation
They have a public IP address. External load balancers have public IP addresses.
Multiple choice
Which criteria does Application Gateway use to route requests to a web server? Select one.
■■ The hostname, port, and path in the URL of the request.
The region in which the servers hosting the web application are located.
The users authentication information.
Explanation
The hostname, port, and path in the URL of the request.
Multiple choice
Which load balancing strategy does the Application Gateway implement? Select one.
■■ Distributes requests to each available server in a backend pool in turn, round-robin.
Distributes requests to the server in the backend pool with the lightest load.
Polls each server in the backend pool in turn, and sends the request to the first server that responds.
Explanation
The Application Gateway distributes requests to each available server in the backend pool using the
round-robin method.
202
Multiple choice
Your company has a website that allows users to customize their experience by downloading an app.
Demand for the app has increased so you have added another virtual network with two virtual machines.
These machines are dedicated to serving the app downloads. You need to ensure the additional down-
load requests do not affect the website performance. Your solution must route all download requests to
the two new servers you have installed. What action will you recommend? Select one.
Add a user-defined route.
Create a local network gateway.
■■ Add an application gateway.
Explanation
Application gateway. Application Gateway lets you control the distribution of user traffic to your endpoints
running in different datacenters around the world.
Multiple choice
You are deploying the Application Gateway and want to ensure incoming requests are checked for
common security threats like cross-site scripting and crawlers. To address your concerns what should you
do? Select one.
Install an internal load balancer
Install Azure Firewall
■■ Install the Web Application Firewall
Explanation
Install the Web Application Firewall. The web application firewall (WAF) is an optional component that
handles incoming requests before they reach a listener. The web application firewall checks each request for
many common threats, based on the Open Web Application Security Project (OWASP).
Module 7 Administer Azure Storage
Skills measured
Configuring storage accounts is part of Exam AZ-104: Microsoft Azure Administrator1.
Implement and manage storage (15–20%)
Secure storage
●● Create and configure storage accounts.
●● Configure network access to storage accounts.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for Azure storage accounts.
●● Select between different types of storage and storage accounts.
●● Select a storage replication strategy.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
204
Prerequisites
None.
Azure Files
Azure Files enables you to set up highly available network file shares that can be accessed by using the
standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files
with both read and write access. You can also read the files using the REST interface or the storage client
libraries.
One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files
from anywhere in the world using a URL that points to the file and includes a shared access signature
(SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific
amount of time.
File shares can be used for many common scenarios:
●● Many on-premises applications use file shares. This feature makes it easier to migrate those applica-
tions that share data to Azure. If you mount the file share to the same drive letter that the on-premis-
es application uses, the part of your application that accesses the file share should work with minimal,
if any, changes.
●● Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities
used by multiple developers in a group can be stored on a file share, ensuring that everybody can find
them, and that they use the same version.
●● Diagnostic logs, metrics, and crash dumps are just three examples of data that can be written to a file
share and processed or analyzed later.
At this time, Active Directory-based authentication and access control lists (ACLs) are not supported, but
they will be at some time in the future. The storage account credentials are used to provide authentica-
206
tion for access to the file share. This means anybody with the share mounted will have full read/write
access to the share.
Queue storage
The Azure Queue service is used to store and retrieve messages. Queue messages can be up to 64 KB in
size, and a queue can contain millions of messages. Queues are used to store lists of messages to be
processed asynchronously.
For example, if you want your customers to be able to upload pictures, and you want to create thumb-
nails for each picture. You could have your customer wait for you to create the thumbnails while upload-
ing the pictures. An alternative would be to use a queue. When the customer finishes the upload, write a
message to the queue. Then have an Azure Function retrieve the message from the queue and create the
thumbnails. Each of the processing parts can be scaled separately, giving you more control when tuning
it for your usage.
Table storage
Azure Table storage is now part of Azure Cosmos DB. In addition to the existing Azure Table storage
service, there is a new Azure Cosmos DB Table API offering that provides throughput-optimized tables,
global distribution, and automatic secondary indexes. Table storage is ideal for storing structured, non-re-
lational data.
●● Changing to ZRS from another data replication option requires the physical data movement from a
single storage stamp to multiple stamps within a region.
●● ZRS may not protect your data against a regional disaster where multiple zones are permanently
affected. Instead, ZRS offers resiliency for your data.
Geo-redundant storage
Geo-redundant storage (GRS) replicates your data to a secondary region (hundreds of miles away from
the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of
durability for your data, even if there is a regional outage. GRS is designed to provide at least
99.99999999999999% (16 9's) durability. When your storage account has GRS enabled, then your data is
durable even when there is a complete regional outage or a disaster where the primary region isn't
recoverable.
For a storage account with GRS or RA-GRS enabled, all data is first replicated with locally redundant
storage (LRS). An update is first committed to the primary location and replicated using LRS. The update
is then replicated asynchronously to the secondary region using GRS. When data is written to the second-
ary location, it's also replicated within that location using LRS. Both the primary and secondary regions
manage replicas across separate fault domains and upgrade domains within a storage scale unit. The
storage scale unit is the basic replication unit within the datacenter. Replication at this level is provided by
LRS. If you opt for GRS, you have two related options to choose from:
●● GRS replicates your data to another data center in a secondary region, but that data is available to be
read only if Microsoft initiates a failover from the primary to secondary region.
●● Read-access geo-redundant storage (RA-GRS) is based on GRS. RA-GRS replicates your data to
another data center in a secondary region, and also provides you with the option to read from the
secondary region. With RA-GRS, you can read from the secondary regardless of whether Microsoft
initiates a failover from the primary to the secondary.
Access Storage
Every object that you store in Azure Storage has a unique URL address. The storage account name forms
the subdomain of that address. The combination of subdomain and domain name, which is specific to
each service, forms an endpoint for your storage account.
For example, if your storage account is named mystorageaccount, then the default endpoints for your
storage account are:
●● Container service: http://mystorageaccount.blob.core.windows.net
●● Table service: http://mystorageaccount.table.core.windows.net
●● Queue service: http://mystorageaccount.queue.core.windows.net
●● File service: http://mystorageaccount.file.core.windows.net
The URL for accessing an object in a storage account is built by appending the object's location in the
storage account to the endpoint. For example, to access myblob in the mycontainer, use this format:
http://mystorageaccount.blob.core.windows.net/mycontainer/myblob.
●● Firewalls and Virtual Networks restricts access to the Storage Account from specific Subnets on Virtual
Networks or public IPs.
●● Subnets and Virtual Networks must exist in the same Azure Region or Region Pair as the Storage
Account.
Note: Be sure to test the service endpoint and verify the endpoint is limiting access as expected.
10. If you have time, review the PowerShell and CLI code at the end of this demonstration.
Upload a file to the storage account
1. Within the Storage Account, create a file share, and upload a file.
2. For the Storage Account, use the Shared Access Signature blade to Generate SAS and connection
string.
3. Use Storage Explorer and the connection string to access the file share.
4. Ensure you can view your uploaded file.
Note: This part of the demonstration requires a virtual network with a subnet.
Create a subnet service endpoint
1. Select your virtual network, and then select a subnet in the virtual network.
2. Under Service Endpoints, view the Services drop-down and the different services that can be
secured with an endpoint.
3. Check the Microsoft.Storage option.
4. Save your changes.
Secure the storage to the service endpoint
1. Return to your storage account.
2. Select Firewalls and virtual networks.
3. Change to Selected networks.
4. Add existing virtual network, verify your subnet with the new service endpoint is listed.
5. Save your changes.
Test the storage endpoint
1. Return to the Storage Explorer.
2. Refresh the storage account.
3. You should now have an access error similar to this one:
Note: If you plan to use the storage account in other scenarios be sure to return the account to All
networks in the Firewalls and virtual networks blade.
Knowledge check
Multiple choice
Which of the following replicates your data to a secondary region, maintains six copies of your data, and is
the default replication option? Select one.
Locally-redundant storage
Read-access geo-redundant storage
Zone-redundant storage
Multiple choice
You have two video files stored as blobs. One of the videos is business-critical and requires a replication
policy that creates multiple copies across geographically diverse datacenters. The other video is non-critical,
and a local replication policy is sufficient. Which of the following options would satisfy both data diversity
and cost sensitivity consideration?
Create a single storage account that makes use of Local-redundant storage (LRS) and host both
videos from here.
Create a single storage account that makes use of Geo-redundant storage (GRS) and host both videos
from here.
Create two storage accounts. The first account makes use of Geo-redundant storage (GRS) and hosts
the business-critical video content. The second account makes use of Local-redundant storage (LRS)
and hosts the non-critical video content.
Multiple choice
The name of a storage account must be:
Unique within the containing resource group.
Unique within your Azure subscription.
Globally unique.
213
Multiple choice
In a typical project, when would you create your storage account(s)?
At the beginning, during project setup.
After deployment, when the project is running.
At the end, during resource cleanup.
Multiple choice
A manufacturing company has several sensors that record time-relative data. Only the most recent data is
useful. The company wants the lowest cost storage for this data. What is the best kind of storage account for
them?
LRS
GRS
ZRS
Learn more
You can learn more by reviewing the following.
●● Azure Storage documentation2.
●● Learn - Create an Azure Storage account3
●● Learn - Make your application storage highly available with read-access geo-redundant stor-
age4
●● Learn - Provide disaster recovery by replicating storage data across regions and failing over to
secondary location5
2 https://docs.microsoft.com/azure/storage/
3 https://docs.microsoft.com/learn/modules/create-azure-storage-account/
4 https://docs.microsoft.com/learn/modules/ha-application-storage-with-grs/
5 https://docs.microsoft.com/learn/modules/provide-disaster-recovery-replicate-storage-data/
214
Skills measured
Configuring Blob storage is part of the Exam AZ-104: Microsoft Azure Administrator6.
Implement and manage storage (15–20%)
Configure Azure files and Azure Blob Storage
●● Configure Azure Blob Storage.
●● Configure storage tiers for Azure Blob storage.
●● Configure Blob lifecycle management.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for Azure Blob storage.
●● Configure Blob storage and Blob access tiers.
●● Configure Blob lifecycle management rules.
●● Configure Blob object replication.
●● Upload and price Blob storage.
Prerequisites
None.
6 https://docs.microsoft.com/learn/certifications/exams/az-104
215
Note: Within the storage account, you can group as many blobs as needed in a container.
Name: The name may only contain lowercase letters, numbers, and hyphens, and must begin with a letter
or a number. The name must also be between 3 and 63 characters long.
216
Public access level: Specifies whether data in the container may be accessed publicly. By default, con-
tainer data is private to the account owner.
●● Use Private to ensure there is no anonymous access to the container and blobs.
●● Use Blob to allow anonymous public read access for blobs only.
●● Use Container to allow anonymous public read and list access to the entire container, including the
blobs.
Note: You can also create the Blob container with PowerShell using the New-AzStorageContainer
command. How will you organize your Blob containers?
●● Hot. The Hot tier is optimized for frequent access of objects in the storage account. Accessing data in
the Hot tier is most cost-effective, while storage costs are higher. New storage accounts are created in
the Hot tier by default.
●● Cool. The Cool tier is optimized for storing large amounts of data that is infrequently accessed and
stored for at least 30 days. Storing data in the Cool tier is more cost-effective, but accessing that data
may be more expensive than accessing data in the Hot tier.
●● Archive. The Archive tier is optimized for data that can tolerate several hours of retrieval latency and
will remain in the Archive tier for at least 180 days. The Archive tier is the most cost-effective option
for storing data, but accessing that data is more expensive than accessing data in the Hot or Cool
tiers.
Note: When data usage changes, you can switch access tiers at any time.
217
Data sets have unique lifecycles. Early in the lifecycle, people access some data often. But the need for
access drops drastically as the data ages. Some data stays idle in the cloud and is rarely accessed once
stored. Some data expires days or months after creation, while other data sets are actively read and
modified throughout their lifetimes. Azure Blob storage lifecycle management offers a rich, rule-based
policy for GPv2 and Blob storage accounts. Use the policy to transition your data to the appropriate
access tiers or expire at the end of the data's lifecycle.
The lifecycle management policy lets you:
●● Transition blobs to a cooler storage tier (hot to cool, hot to archive, or cool to archive) to optimize for
performance and cost.
●● Delete blobs at the end of their lifecycles.
●● Define rules to be run once per day at the storage account level.
●● Apply rules to containers or a subset of blobs.
Consider a scenario where data gets frequent access during the early stages of the lifecycle, but only
occasionally after two weeks. Beyond the first month, the data set is rarely accessed. In this scenario, hot
storage is best during the early stages. Cool storage is most appropriate for occasional access. Archive
storage is the best tier option after the data ages over a month. By adjusting storage tiers in respect to
the age of data, you can design the least expensive storage options for your needs. To achieve this
transition, lifecycle management policy rules are available to move aging data to cooler tiers.
218
Object replication asynchronously copies block blobs in a container according to rules that you configure.
The contents of the blob, any versions associated with the blob, and the blob's metadata and properties
are all copied from the source container to the destination container.
Scenarios
●● Minimizing latency. Object replication can reduce latency for read requests by enabling clients to
consume data from a region that is in closer physical proximity.
●● Increase efficiency for compute workloads. With object replication, compute workloads can process
the same sets of block blobs in different regions.
●● Optimizing data distribution. You can process or analyze data in a single location and then replicate
just the results to other regions.
●● Optimizing costs. After your data has been replicated, you can reduce costs by moving it to the
archive tier using life-cycle management policies.
Considerations
●● Object replication requires that blob versioning is enabled on both the source and destination
accounts.
●● Object replication doesn't support blob snapshots. Any snapshots on a blob in the source account are
not replicated to the destination account.
●● Object replication is supported when the source and destination accounts are in the hot or cool tier.
The source and destination accounts may be in different tiers.
●● When you configure object replication, you create a replication policy that specifies the source
storage account and the destination account. A replication policy includes one or more rules that
specify a source container and a destination container and indicate which block blobs in the source
container will be replicated.
Upload Blobs
A blob can be any type and size file. Azure Storage offers three types of blobs: block blobs, page blobs,
and append blobs. You specify the blob type and access tier when you create the blob.
219
●● Block blobs (default) consist of blocks of data assembled to make a blob. Most scenarios using Blob
storage employ block blobs. Block blobs are ideal for storing text and binary data in the cloud, like
files, images, and videos.
●● Append blobs are like block blobs in that they are made up of blocks, but they are optimized for
append operations, so they are useful for logging scenarios.
●● Page blobs can be up to 8 TB in size and are more efficient for frequent read/write operations. Azure
virtual machines use page blobs as OS and data disks.
Note: Once the blob has been created, its type cannot be changed.
Box Disk to request solid-state disks (SSDs) from Microsoft. You can then copy your data to those
disks and ship them back to Microsoft to be uploaded into Blob storage.
●● The Azure Import/Export service provides a way to export large amounts of data from your storage
account to hard drives that you provide and that Microsoft then ships back to you with your data.
Note: And, you can always use Azure Storage Explorer.
Knowledge check
Multiple choice
Which of these changes between access tiers will happen immediately?
Hot to Cool
Archive to Cool
Archive to Hot
Multiple choice
You work for an open-source development company. You use Microsoft Azure for a variety of storage needs.
Up to now, all the storage was used for internal purposes only. It is organized in block blobs. Each block blob
is in its own container. Each container is set to default settings. In total, you have 50 block blobs. The
company has decided to provide read access to the data in the block blobs, as part of releasing more
information about their open-source development efforts. All block blobs must be readable by anonymous
internet users. You need to configure the storage to meet the requirements. What should you do? Select one.
Create a new container, move all the blobs to the new container, and then set the public access level
to Blob.
Set the public access level to Blob on all the existing containers.
Create a new access key for the storage account and then provide the connection string in the storage
connectivity information to the public.
222
Multiple choice
Your company provides cloud software to audit administrative access in Microsoft Azure resources. The
software logs all administrative actions (including all clicks and text input) to log files. The software is about
to be released from beta and the company is concerned about storage performance. You need to deploy a
storage solution for the log files to maximize performance. What should you do? Select one.
Deploy Azure Files using SMB 3.0.
Deploy blob storage using block blobs.
Deploy blob storage using append blobs.
Multiple choice
Your company is building an app in Azure. The storage must be reachable programmatically through a
REST API. The storage must be globally redundant. The storage must be accessible privately within the
company's Azure environment. The storage must be optimal for unstructured data. Which type of Azure
storage should you use for the app? Select one.
Azure Table Storage
Azure Blob Storage
Azure File Storage
Multiple choice
You are using blob storage. Which of the following is true? Select one.
The cool access tier is for frequent access of objects in the storage account.
The hot access tier is for storing large amounts of data that is infrequently accessed.
You can switch between hot and cool performance tiers at any time.
Learn more
You can learn more by reviewing the following.
●● Azure Blob storage documentation7.
●● Object blob replication overview8
●● Access tiers for Azure Blob Storage - hot, cool, and archive9
●● Learn - Optimize storage performance and costs using Blob storage tiers10
●● Learn - Gather metrics from your Azure Blob Storage containers11
7 https://docs.microsoft.com/azure/storage/blobs/
8 https://docs.microsoft.com/azure/storage/blobs/object-replication-overview
9 https://docs.microsoft.com/azure/storage/blobs/storage-blob-storage-tiers
10 https://docs.microsoft.com/learn/modules/optimize-archive-costs-blob-storage/
11 https://docs.microsoft.com/learn/modules/gather-metrics-blob-storage/
224
Skills measured
Providing secure access to Azure storage is part of Exam AZ-104: Microsoft Azure Administrator12.
Implement and manage storage (15–20%)
Secure storage
●● Generate shared access signature (SAS) tokens.
●● Manage access keys.
●● Configure Azure AD authentication for a storage account.
Learning objectives
In this module, you will learn how to:
●● Configure shared access signatures including URI and SAS parameters.
●● Configure storage service encryption.
●● Implement customer-managed keys.
●● Recommend opportunities to improve storage security.
Prerequisites
None.
12 https://docs.microsoft.com/learn/certifications/exams/az-104
225
●● Azure AD integration is supported for data operations on the Blob and Queue services.
●● Data in transit. Data can be secured in transit between an application and Azure by using Client-Side
Encryption, HTTPS, or SMB 3.0.
●● Disk encryption. OS and data disks used by Azure virtual machines can be encrypted using Azure
Disk Encryption.
●● Shared Access Signatures. Delegated access to the data objects in Azure Storage can be granted
using Shared Access Signatures.
Authorization options
Every request made against a secured resource in the Blob, File, Queue, or Table service must be author-
ized. Authorization ensures that resources in your storage account are accessible only when you want
them to be, and only to those users or applications to whom you grant access. Options for authorizing
requests to Azure Storage include:
●● Azure Active Directory (Azure AD). Azure AD is Microsoft's cloud-based identity and access man-
agement service. With Azure AD, you can assign fine-grained access to users, groups, or applications
via role-based access control (RBAC).
●● Shared Key. Shared Key authorization relies on your account access keys and other parameters to
produce an encrypted signature string that is passed on the request in the Authorization header.
●● Shared access signatures. Shared access signatures (SAS) delegate access to a particular resource in
your account with specified permissions and over a specified time interval.
●● Anonymous access to containers and blobs. You can optionally make blob resources public at the
container or blob level. A public container or blob is accessible to any user for anonymous read
access. Read requests to public containers and blobs do not require authorization.
A SAS gives you granular control over the type of access you grant to clients who have the SAS, includ-
ing:
●● An account-level SAS can delegate access to multiple storage services. For example, blob, file, queue,
and table.
●● An interval over which the SAS is valid, including the start time and the expiry time.
●● The permissions granted by the SAS. For example, a SAS for a blob might grant read and write
permissions to that blob, but not delete permissions.
Note: There are two types of SAS: account and service. The account SAS delegates access to resources
in one or more of the storage services. The service SAS delegates access to a resource in just one of the
storage services.
Optionally, you can also:
●● Specify an IP address or range of IP addresses from which Azure Storage will accept the SAS. For
example, you might specify a range of IP addresses belonging to your organization.
●● The protocol over which Azure Storage will accept the SAS. You can use this optional parameter to
restrict access to clients using HTTPS.
Note: A stored access policy can provide another level of control over service-level SAS on the server
side. You can group shared access signatures and provide other restrictions by using policy.
Note: SSE is enabled for all new and existing storage accounts and cannot be disabled. Because your
data is secured by default, you don't need to modify your code or applications.
Note: Customer-managed keys can be used with SSE. You can use either a new or existing key vault and
key. The storage account and the key vault must be in the same region, but they can be in different
subscriptions.
230
Recommendations
The following recommendations for using shared access signatures can help mitigate risks.
●● Always use HTTPS to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an
attacker could intercept and use the SAS. These man-in-the-middle attacks can compromisesensitive
data or allowfor data corruption by the malicious user.
●● Reference stored access policies where possible. Stored access policies give you the option to
revoke permissions without having to regenerate the storage account keys. Set the storage account
key expiration date far out in the future.
●● Use near-term expiration times on an unplanned SAS. In this way, even if a SAS is compromised,
it's valid only for a short time. This practice is important if you can't reference a stored access policy.
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the
time available to upload to it.
●● Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before
the expiration date. Renewing early allows time for retries if the service providing the SAS is unavaila-
ble.
●● Be careful with SAS start time. If you set the start time for a SAS to now, then due to clock skew
(differences in current time according to different machines), failures may be observed intermittently
for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, don't
set it at all, which will make it valid immediately in all cases. The same generally applies to expiry time
as well - remember that you may observe up to 15 minutes of clock skew in either direction on any
request. For clients using a REST version prior to 2012-02-12, the maximum duration for a SAS that
does not reference a stored access policy is 1 hour, and any policies specifying longer term than that
will fail.
●● Be specific with the resource to be accessed. A security best practice is to provide a user with the
minimum required privileges. If a user only needs read access to a single entity, then grant them read
access to that single entity, and not read/write/delete access to all entities. This also helps lessen the
damage if a SAS is compromised because the SAS has less power in the hands of an attacker
●● Understand that your account will be billed for any usage, including that done with SAS. If you
provide write access to a blob, a user may choose to upload a 200-GB blob. If you've given them read
access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again,
provide limited permissions to help mitigate the potential actions of malicious users. Use short-lived
SAS to reduce this threat (but be mindful of clock skew on the end time).
●● Validate data written using SAS. When a client application writes data to your storage account, keep
in mind that there can be problems with that data. If your application requires that data be validated
or authorized before it is ready to use, you should perform this validation after the data is written and
before it is used by your application. This practice also protects against corrupt or malicious data
231
being written to your account, either by a user who properly acquired the SAS, or by a user exploiting
a leaked SAS.
●● Don't assume SAS is always the correct choice. Sometimes the risks associated with a particular
operation against your storage account outweigh the benefits of SAS. For such operations, create a
middle-tier service that writes to your storage account after performing business rule validation,
authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For
example, if you want to make all blobs in a container publicly readable, you can make the container
Public, rather than providing a SAS to every client for access.
●● Use Storage Analytics to monitor your application. You can use logging and metrics to observe any
spike in authentication failures due to an outage in your SAS provider service or to the inadvertent
removal of a stored access policy.
Knowledge check
Multiple choice
You use a Microsoft Azure storage account for storing large numbers of video and audio files. You create
containers to store each type of file and want to limit access to those files for specific periods. Additionally,
the files can only be accessed through shared access signatures (SAS). You need the ability to revoke access
to the files and to change the period for which users can access the files. What should you do to accomplish
this in the most simple and effective way? Select one.
Create an SAS for each user and delete the SAS when you want to prevent access.
Implement stored access policies for each container to enable revocation of access or change of
duration.
Periodically regenerate the account key to control access to the files.
Multiple choice
You need to provide a contingent staff employee temporary read-only access to the contents of an Azure
storage account container named media. It is important that you grant access while adhering to the security
principle of least-privilege. What should you do? Select one.
Set the public access level to Container.
Generate a shared access signature (SAS) token for the container.
Configure a Cross-Origin Resource Sharing (CORS) rule for the storage account.
232
Multiple choice
You are planning a delegation model for your Azure storage. The company has issued the following require-
ment for Azure storage access: -Apps in the non-production environment must have automated time-limit-
ed access. You need to configure storage access to meet the requirements. What should you do?
Use shared access signatures for the non-production apps.
Use access keys for the non-production apps.
Use Stored Access Policies for the production apps..
Multiple choice
You are planning a delegation model for your Azure storage. The company requires apps in the production
environment to have unrestricted access to storage resources You need to configure storage access to meet
the requirements. What should you do?
Use shared access signatures for the production apps.
Use access keys for the production apps.
Use Stored Access Policies for the production apps.
Multiple choice
When configuring network access to your Azure Storage Account, what is the default network rule?
To allow all connections from all networks
To allow all connection from a private IP address range
To deny all connections from all networks
Multiple choice
Your organization has data stored in hard drives. It wants to move this data into a secure Azure storage
solution. What solution would allow you to encrypt this data with minimal effort?
Azure Disk Encryption.
Azure Storage Service Encryption.
Client-side encryption with Azure.
Learn more
You can learn more by reviewing the following.
●● What is a shared access signature?13.
●● Azure Storage encryption for data at rest14
●● Learn - Secure your Azure Storage15
●● Learn - Control access to Azure Storage with shared access signatures16
●● Learn - Introduction to securing data at rest on Azure17
13 https://docs.microsoft.com/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fblobs%2f
toc.json
14 https://docs.microsoft.com/azure/storage/common/storage-service-encryption
15 https://docs.microsoft.com/learn/modules/secure-azure-storage-account/
16 https://docs.microsoft.com/learn/modules/control-access-to-azure-storage-with-sas/
17 https://docs.microsoft.com/learn/modules/secure-data-at-rest/
234
Skills measured
Configure Azure Files and Azure File Sync is part of Exam AZ-104: Microsoft Azure Administrator18.
Implement and manage storage (15–20%)
Configure Azure files and Azure Blob Storage
●● Create an Azure file share.
●● Create and configure Azure File Sync.
Learning objectives
In this module, you will learn how to:
●● Identify when to use Azure files versus Azure Blobs.
●● Configure Azure file shares and file share snapshots.
●● Identify features and usage cases of Azure File Sync.
●● Identify File Sync components and configuration steps.
Prerequisites
None.
18 https://docs.microsoft.com/learn/certifications/exams/az-104
19 https://docs.microsoft.com/azure/storage/files/storage-files-introduction
20 https://msdn.microsoft.com/library/windows/desktop/aa365233.aspx
235
Note: Ensure port 445 is open. Azure Files uses SMB protocol. SMB communicates over TCP port 445.
Also, ensure your firewall is not blocking TCP ports 445 from the client machine.
237
Azure file shares can be mounted in Linux distributions using the CIFS kernel client. File mounting can be
done on-demand with the mount command or on-boot (persistent) by creating an entry in /etc/fstab.
Share snapshot capability is provided at the file share level. Retrieval is provided at the individual file
level, to allow for restoring individual files. You cannot delete a share that has share snapshots unless you
delete all the share snapshots first.
Share snapshots are incremental in nature. Only the data that has changed after your most recent share
snapshot is saved. Incremental snapshots minimizes the time required to create the share snapshot and
saves on storage costs. Even though share snapshots are saved incrementally, you need to retain only the
most recent share snapshot in order to restore the share.
3. Create a context for your storage account and key. The context encapsulates the storage account
name and account key.
$storageContext = New-AzStorageContext -StorageAccountName "YourStorageAc-
countName" -StorageAccountKey $storageAccountKeys[0].value
4. Create the file share. The name of your file share must be all lowercase.
$share = New-AzStorageShare "YourFileShareName" -Context $storageContext
# These commands require you to be logged into your Azure account, run
Login-AzAccount if you haven't
# already logged in.
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupN-
ame -Name $storageAccountName
$storageAccountKeys = Get-AzStorageAccountKey -ResourceGroupName $resource-
GroupName -Name $storageAccountName
$fileShare = Get-AzStorageShare -Context $storageAccount.Context | Where-Ob-
ject {
$_.Name -eq $fileShareName -and $_.IsSnapshot -eq $false
}
# The value given to the root parameter of the New-PSDrive cmdlet is the
host address for the storage account,
# storage-account.file.core.windows.net for Azure Public Regions. $fileShare.
StorageUri.PrimaryUri.Host is
# used because non-Public Azure regions, such as sovereign clouds or Azure
Stack deployments, will have different
# hosts for Azure file shares (and other storage resources).
$password = ConvertTo-SecureString -String $storageAccountKeys[0].Value
-AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -Argu-
mentList "AZURE\$($storageAccount.StorageAccountName)", $password
New-PSDrive -Name desired-drive-letter -PSProvider FileSystem -Root
"\\$($fileShare.StorageUri.PrimaryUri.Host)\$($fileShare.Name)" -Credential
$credential -Persist
When finished, you can dismount the file share by running the following command:
240
Storage Sync Service. The Storage Sync Service is the top-level Azure resource for Azure File Sync. The
Storage Sync Service resource is a peer of the storage account resource, and can similarly be deployed to
Azure resource groups. A distinct top-level resource from the storage account resource is required
because the Storage Sync Service can create sync relationships with multiple storage accounts via
multiple sync groups. A subscription can have multiple Storage Sync Service resources deployed.
Sync group. A sync group defines the sync topology for a set of files. Endpoints within a sync group are
kept in sync with each other. If for example, you have two distinct sets of files that you want to manage
with Azure File Sync, you would create two sync groups and add different endpoints to each sync group.
A Storage Sync Service can host as many sync groups as you need.
Registered server. The registered server object represents a trust relationship between your server (or
cluster) and the Storage Sync Service. You can register as many servers to a Storage Sync Service instance
as you want. However, a server (or cluster) can be registered with only one Storage Sync Service at a time.
Azure File Sync agent. The Azure File Sync agent is a downloadable package that enables Windows
Server to be synced with an Azure file share. The Azure File Sync agent has three main components:
●● FileSyncSvc.exe: The background Windows service that is responsible for monitoring changes on
server endpoints, and for initiating sync sessions to Azure.
●● StorageSync.sys: The Azure File Sync file system filter, which is responsible for tiering files to Azure
Files (when cloud tiering is enabled).
●● PowerShell management cmdlets: PowerShell cmdlets that you use to interact with the Microsoft.
StorageSync Azure resource provider. You can find these at the following (default) locations:
●● C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll
●● C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll
Server endpoint. A server endpoint represents a specific location on a registered server, such as a folder
on a server volume. Multiple server endpoints can exist on the same volume if their namespaces do not
overlap (for example, F:\sync1 and F:\sync2). You can configure cloud tiering policies individually for each
server endpoint. You can create a server endpoint via a mountpoint. Note, mountpoints within the server
endpoint are skipped. You can create a server endpoint on the system volume but, there are two limita-
tions if you do so:
●● Cloud tiering cannot be enabled.
242
●● Rapid namespace restore (where the system quickly brings down the entire namespace and then
starts to recall content) is not performed.
Cloud endpoint. A cloud endpoint is an Azure file share that is part of a sync group. The entire Azure file
share syncs, and an Azure file share can be a member of only one cloud endpoint. Therefore, an Azure file
share can be a member of only one sync group. If you add an Azure file share that has an existing set of
files as a cloud endpoint to a sync group, the existing files are merged with any other files that are
already on other endpoints in the sync group.
1. Deploy the Storage Sync Service. The Storage Sync Service can be deployed from the Azure portal.
You will need to provide Name, Subscription, Resource Group, and Location.
2. Prepare Windows Server to use with Azure File Sync. For each server that you intend to use with
Azure File Sync, including server nodes in a Failover Cluster, you will need to configure the server.
Preparation steps include temporarily disabling Internet Explorer Enhanced Security and ensuring you
have latest PowerShell version.
3. Install the Azure File Sync Agent. The Azure File Sync agent is a downloadable package that enables
Windows Server to be synced with an Azure file share. The Azure File Sync agent installation package
should install relatively quickly. We recommend that you keep the default installation path and that
you enable Microsoft Update to keep Azure File Sync up to date.
4. Register Windows Server with Storage Sync Service. When the Azure File Sync agent installation is
finished, the Server Registration UI automatically opens. Registering Windows Server with a Storage
Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync
243
Service. Registration requires your Subscription ID, Resource Group, and Storage Sync Service (created
in step 1). A server (or cluster) can be registered with only one Storage Sync Service at a time.
Note: Once File Sync is configured you will need to configure file synchronization.
Knowledge check
Multiple choice
Your company is planning to store log data, crash dump files, and other diagnostic data for Azure VMs in
Azure. Company administrators must be able to browse to the data in File Explorer. Access over SMB 3.0
must be supported. and the storage must support quotas. You need to choose the storage type to meet the
requirements. Which storage type should you use? Select one.
Azure Files
Table storage
Blob storage
Multiple choice
Your company has a file server named FS01. The server has a single shared folder that users' access to
shared files. The company wants to make the same files available from Microsoft Azure. Files deleted on
either side (on-premises or cloud) should be automatically updated. You need to implement a solution to
meet the requirements. What should you do? Select one.
Install and use AZCopy.
Deploy Azure File Sync.
Deploy storage tiering.
244
Multiple choice
You've been asked by a local manufacturing company that runs dedicated software in their warehouse to
keep track of stock. The software needs to run on machines in the warehouse, but the management team
wants to access the output from the head office. The limited bandwidth available in the warehouse caused
them problems in the past when they tried to use cloud-based solutions. You recommend that they use
Azure Files. Which is the best method to sync the files with the cloud?
Create an Azure Files share and directly mount shares on the machines in the warehouse.
Use a machine in the warehouse to host a file share, install Azure File Sync, and share a drive with the
rest of the warehouse.
Install Azure File Sync on every machine in the warehouse and head office.
Multiple choice
What is the Azure File Sync agent?
It's installed on a server to enable Azure File Sync replication between the local file share and an Azure
file share.
It's installed on a server to set NTFS permissions on files and folders.
It's installed on an Azure file share to control on-premises file and folder replication traffic.
Multiple choice
In what order do you create the Azure resources needed to support Azure File Sync?
Storage Sync Service, storage account, file share, and then the sync group.
Storage account, file share, Storage Sync Service, and then the sync group.
Storage account, file share, sync group, and then Storage Sync Service.
Multiple choice
What is cloud tiering in Azure File Sync?
It's a feature that archives infrequently accessed files to free up space on the local file share.
It's a policy you create that prioritizes the sync order of file shares.
It's a policy that sets the frequency at which the sync job runs.
Multiple choice
What's the deployment process for Azure File Sync?
Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent,
register the on-premises server, and create the server endpoint.
Create the Azure resources, install the Azure File Sync agent, register the on-premises server, and
create the server endpoint.
Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent on a
virtual machine, register the on-premises server, and create the server endpoint.
245
Learn more
You can learn more by reviewing the following.
●● Azure Files documentation21
●● Planning for an Azure File Sync deployment22
●● Learn - Store and share files in your app with Azure Files23
●● Learn - Extend your on-premises file share capacity using Azure File Sync24
21 https://docs.microsoft.com/azure/storage/files/
22 https://docs.microsoft.com/azure/storage/files/storage-sync-files-planning
23 https://docs.microsoft.com/learn/modules/store-and-share-with-azure-files/
24 https://docs.microsoft.com/learn/modules/extend-share-capacity-with-azure-file-sync/
246
Skills measured
Storage management tools are part of Exam AZ-104: Microsoft Azure Administrator25.
Implement and manage storage (15–20%)
Manage storage
●● Export from Azure job.
●● Import into Azure job.
●● Install and use Azure Storage Explorer.
●● Copy data by using AZCopy.
Learning objectives
In this module, you will learn how to:
●● Configure and use Storage Explorer.
●● Configure the Import and Export Service.
●● Configure and use AZCopy.
Prerequisites
None.
25 https://docs.microsoft.com/learn/certifications/exams/az-104
247
To fully access resources after you sign in, Storage Explorer requires both management (Azure Resource
Manager) and data layer permissions. This means that you need Azure Active Directory (Azure AD)
permissions, which give you access to your storage account, the containers in the account, and the data
in the containers.
Connecting to storage
●● Connect to storage accounts associated with your Azure subscriptions.
●● Connect to storage accounts and services that are shared from other Azure subscriptions.
●● Connect to and manage local storage by using the Azure Storage Emulator.
In addition, you can work with storage accounts in global and national Azure:
●● Connect to an Azure subscription. Manage storage resources that belong to your Azure subscrip-
tion.
●● Work with local development storage. Manage local storage by using the Azure Storage Emulator.
●● Attach to external storage. Manage storage resources that belong to another Azure subscription or
that are under national Azure clouds by using the storage account's name, key, and endpoints (shown
below.)
●● Attach a storage account by using an SAS. Manage storage resources that belong to another Azure
subscription by using a shared access signature (SAS).
●● Attach a service by using an SAS. Manage a specific storage service (blob container, queue, or table)
that belongs to another Azure subscription by using an SAS.
248
To use a name and key from a national cloud, use the Storage endpoints domain drop-down to select
Other and then enter the custom storage endpoint domain.
Note: Access keys provide access to the entire storage account. Store your access keys securely. We
recommend regenerating your access keys regularly. You are provided two access keys so that you can
maintain connections using one key while regenerating the other.
When you regenerate your access keys, you must update any Azure resources and applications that
access this storage account to use the new keys. This action will not interrupt access to disks from your
virtual machines.
Usage Cases
Consider using Azure Import/Export service when uploading or downloading data over the network is too
slow or getting more network bandwidth is cost-prohibitive. Scenarios where this would be useful
include:
●● Migrating data to the cloud. Move large amounts of data to Azure quickly and cost effectively.
●● Content distribution. Quickly send data to your customer sites.
●● Backup. Take backups of your on-premises data to store in Azure blob storage.
249
●● Data recovery. Recover large amount of data stored in blob storage and have it delivered to your
on-premises location.
Import Jobs
An Import job securely transfers large amounts of data to Azure Blob storage (block and page blobs) and
Azure Files by shipping disk drives to an Azure datacenter. In this case, you will be shipping hard drives
containing your data.
Export Jobs
Export jobs transfer data from Azure storage to hard disk drives and ship to your on-premise sites.
●● Use the Azure portal to create an export job referencing the Azure Storage account. As part of the job
definition, specify the blobs you want to export, the return address, and your carrier account number.
Microsoft will ship your disks back to you after the export process is complete.
●● Ship the required number of disks to the Azure region hosting the storage account. Update the job by
providing the shipment tracking number.
●● Once the disks arrive at the destination, Azure datacenter staff will carry out data copy from the
storage account to the disks that you provided, encrypt the volumes on the disks by using BitLocker,
and ship them back to you. The BitLocker keys will be available in the Azure portal, allowing you to
decrypt the content of the disks and copy them to your on-premises storage.
Use AzCopy
An alternative method for transferring data is AzCopy. AzCopy v10 is the next-generation command-line
utility for copying data to/from Microsoft Azure Blob and File storage, which offers a redesigned com-
mand-line interface and new architecture for high-performance reliable data transfers. Using AzCopy, you
can copy data between a file system and a storage account, or between storage accounts.
New features
Synchronize a file system to Azure Blob or vice versa. Ideal for incremental copy scenarios.
●● Supports Azure Data Lake Storage Gen2 APIs.
●● Supports copying an entire account (Blob service only) to another account.
●● Account to account copy is now using the new Put from URL APIs. No data transfer to the client is
needed which makes the transfer faster.
●● List/Remove files and blobs in a given path.
●● Supports wildcard patterns in a path, –include flags, and –exclude flags.
251
●● Improved resiliency: every AzCopy instance will create a job order and a related log file. You can view
and restart previous jobs and resume failed jobs. AzCopy will also automatically retry a transfer after a
failure.
●● General performance improvements.
Authentication options
●● Azure Active Directory (Supported for Blob and ADLS Gen2 services). Use .\azcopy login to sign in
using Azure Active Directory. The user should have Storage Blob Data Contributor role assigned to
write to Blob storage using Azure Active Directory authentication.
●● SAS tokens (supported for Blob and File services). Append the SAS token to the blob path on the
command line to use it.
Getting started
AzCopy has a simple self-documented syntax. Here's how you can get a list of available commands:
AzCopy /?
5. After you successfully sign in with an Azure account, the account and the Azure subscriptions associ-
ated with that account are added to the left pane.
6. Select the Azure subscriptions that you want to work with, and then select Apply.
7. The left pane displays the storage accounts associated with the selected Azure subscriptions.
Note: This next section requires an Azure storage account.
Attach an Azure storage account
1. Access the Azure portal, and your storage account.
2. Explore the choice for Storage Explorer.
3. Select Access keys and read the information about using the keys.
4. To connect in Storage Explorer, you will need the Storage account name and Key1 information.
5. In Storage Explorer, Add an account.
6. Paste your account name in the Account name text box, paste your account key (the key1 value from
the Azure portal) into the Account key text box, and then select Next.
7. Verify your storage account is available in the navigation pane. You may need to refresh the page.
8. Right-click your storage account and notice the choices including Open in portal, Copy primary key,
and Add to Quick Access.
Generate a SAS connection string for the account you want to share
1. In Storage Explorer, right-click the storage account you want share, and then select Get Shared
Access Signature.
2. Specify the time frame and permissions that you want for the account, and then click the Create
button.
3. Next to the Connection String text box, select Copy to copy it to your clipboard, and then click Close.
Attach to a storage account by using a SAS Connection string
1. In Storage Explorer, open the Connect Dialog.
2. Choose Use a connection string and then click Next.
3. Paste your connection string into the Connection string: field. The Display name: field should
populate. Click the Next button.
4. Verify the information is correct and select Connect.
5. After the storage account has successfully been attached, the storage account is displayed in the
Local and Attached node with (SAS) appended to its name.
Demonstration - AzCopy
In this demonstration, we will explore AzCopy.
Install the AzCopy tool
1. Download your version of AZCopy - Get started with AZCopy26
2. Install and launch the tool.
26 https://docs.microsoft.com/azure/storage/common/storage-use-azcopy-v10
253
2. Scroll to the top of the Help information and read about the Common options, like: source, destina-
tion, source key, and destination key.
3. Scroll down the Samples section. We will be trying several of these examples. Are any of these
examples particularly interesting to you?
Download a blob from Blob storage to the file system
Note: This example requires an Azure storage account with blob container and blob file. You will also
need to capture parameters in a text editor like Notepad.
1. Access the Azure portal.
2. Access your storage account with the blob you want to download.
3. Select Access keys and copy the Key Key1 value. This will be the sourcekey: value.
4. Drill down to the blob of interest, and view the file Properties.
5. Copy the URL information. This will be the source: value.
6. Locate a local destination directory. This will be the dest: value. A filename is also required.
7. Construct the command using your values.
azcopy /source:sourceURL /dest:destinationdirectoryandfilename /source-
key:"key"
Knowledge Check
Multiple choice
The manufacturing company's finance department wants to control how the data is being transferred to
Azure Files. They want a graphical tool to manage the process, but they don't want to use the Azure portal.
What tool do you recommend they use?
Azure Data Box
Robocopy
Azure Storage Explorer
Multiple choice
You have an existing storage account in Microsoft Azure. It stores unstructured data. You create a new
storage account. You need to move half of the data from the existing storage account to the new storage
account. What tool should you use? Select one.
Use the Azure portal
Use the Robocopy command-line tool
Use the AzCopy command-line tool
Multiple choice
You want to quickly upload the data in a collection of small files held in a local folder to blob storage. This is
a one-off request. You don't want to overwrite blobs that have been modified in the last two days. Which
tool should you use?
Azure CLI
AzCopy
Azure Storage Explorer
Multiple choice
You want to transfer a series of large files to blob storage. It may take several hours to upload each file, and
you're concerned that if a transfer fails, it shouldn't have to restart from the beginning. Which tool is the
most appropriate to do this task?
Azure CLI
AzCopy
Azure Storage Explorer
255
Learn more
You can learn more by reviewing the following.
●● Get started with Storage Explorer27
●● Azure Import and Export Service28
●● Get started with AZCopy29
●● Learn - Upload, download, and manage data with Azure Storage Explorer30
●● Learn - Copy and move blobs from one container or storage account to another from the
command line and in code31
●● Learn - Monitor, diagnose, and troubleshoot your Azure storage32
●● Learn - Export large amounts of data from Azure by using Azure Import/Export33
27 https://docs.microsoft.com/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
28 https://azure.microsoft.com/documentation/articles/storage-import-export-service/
29 https://docs.microsoft.com/azure/storage/common/storage-use-azcopy
30 https://docs.microsoft.com/learn/modules/upload-download-and-manage-data-with-azure-storage-explorer/
31 https://docs.microsoft.com/learn/modules/copy-blobs-from-command-line-and-code/
32 https://docs.microsoft.com/learn/modules/monitor-diagnose-and-troubleshoot-azure-storage/
33 https://docs.microsoft.com/learn/modules/export-data-with-azure-import-export/
256
Module 07 Lab
Lab 07 - Manage Azure Storage
Lab scenario
You need to evaluate the use of Azure storage for storing files residing currently in on-premises data
stores. While majority of these files are not accessed frequently, there are some exceptions. You would
like to minimize cost of storage by placing less frequently accessed files in lower-priced storage tiers. You
also plan to explore different protection mechanisms that Azure Storage offers, including network access,
authentication, authorization, and replication. Finally, you want to determine to what extent Azure Files
service might be suitable for hosting your on-premises file shares.
Objectives
In this lab, you will:
●● Task 1: Provision the lab environment.
●● Task 2: Create and configure Azure Storage accounts.
●● Task 3: Manage blob storage.
●● Task 4: Manage authentication and authorization for Azure Storage.
●● Task 5: Create and configure an Azure Files shares.
●● Task 6: Manage network access for Azure Storage.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
257
Answers
Multiple choice
Which of the following replicates your data to a secondary region, maintains six copies of your data, and
is the default replication option? Select one.
Locally-redundant storage
■■ Read-access geo-redundant storage
Zone-redundant storage
Explanation
Read-access geo-redundant storage (GRS) is the default replication option.
Multiple choice
You have two video files stored as blobs. One of the videos is business-critical and requires a replication
policy that creates multiple copies across geographically diverse datacenters. The other video is non-criti-
cal, and a local replication policy is sufficient. Which of the following options would satisfy both data
diversity and cost sensitivity consideration?
Create a single storage account that makes use of Local-redundant storage (LRS) and host both
videos from here.
Create a single storage account that makes use of Geo-redundant storage (GRS) and host both videos
from here.
■■ Create two storage accounts. The first account makes use of Geo-redundant storage (GRS) and hosts
the business-critical video content. The second account makes use of Local-redundant storage (LRS)
and hosts the non-critical video content.
Explanation
Create two storage accounts. The first account makes use of Geo-redundant storage (GRS) and hosts the
business-critical video content. The second account makes use of Local-redundant storage (LRS) and hosts
the non-critical video content. In general, increased diversity means an increased number of storage
accounts. A storage account by itself has no financial cost. However, the settings you choose for the account
do influence the cost of services in the account. Use multiple storage accounts to reduce costs.
Multiple choice
The name of a storage account must be:
Unique within the containing resource group.
Unique within your Azure subscription.
■■ Globally unique.
Explanation
Globally unique. The storage account name is used as part of the URI for API access, so it must be globally
unique.
258
Multiple choice
In a typical project, when would you create your storage account(s)?
■■ At the beginning, during project setup.
After deployment, when the project is running.
At the end, during resource cleanup.
Explanation
At the beginning, during project setup. Storage accounts are stable for the lifetime of a project. It's common
to create them at the start of a project.
Multiple choice
A manufacturing company has several sensors that record time-relative data. Only the most recent data is
useful. The company wants the lowest cost storage for this data. What is the best kind of storage account
for them?
■■ LRS
GRS
ZRS
Explanation
LRS. This option is the best because it's the lowest cost, the data is being continuously created, and data loss
isn't an issue.
Multiple choice
Which of these changes between access tiers will happen immediately?
■■ Hot to Cool
Archive to Cool
Archive to Hot
Explanation
Hot to Cool. Changes between Hot and Cool, and to Archive, happen immediately.
259
Multiple choice
You work for an open-source development company. You use Microsoft Azure for a variety of storage
needs. Up to now, all the storage was used for internal purposes only. It is organized in block blobs. Each
block blob is in its own container. Each container is set to default settings. In total, you have 50 block
blobs. The company has decided to provide read access to the data in the block blobs, as part of releas-
ing more information about their open-source development efforts. All block blobs must be readable by
anonymous internet users. You need to configure the storage to meet the requirements. What should you
do? Select one.
■■ Create a new container, move all the blobs to the new container, and then set the public access level
to Blob.
Set the public access level to Blob on all the existing containers.
Create a new access key for the storage account and then provide the connection string in the storage
connectivity information to the public.
Explanation
Create a new container, move all the blobs to the new container, and then set the public access level to
Blob. You should create a new container, move the existing blobs, and then set the public access level to
Blob. In the future, when access changes are required, you can configure the single container (which would
contain all blobs).
Multiple choice
Your company provides cloud software to audit administrative access in Microsoft Azure resources. The
software logs all administrative actions (including all clicks and text input) to log files. The software is
about to be released from beta and the company is concerned about storage performance. You need to
deploy a storage solution for the log files to maximize performance. What should you do? Select one.
Deploy Azure Files using SMB 3.0.
Deploy blob storage using block blobs.
■■ Deploy blob storage using append blobs.
Explanation
Deploy blob storage using append blobs. Append blobs optimize append operations (writes adding onto a
log file, for example). The company needs to write data to log files, most often appending data (until a new
log file is generated).
Multiple choice
Your company is building an app in Azure. The storage must be reachable programmatically through a
REST API. The storage must be globally redundant. The storage must be accessible privately within the
company's Azure environment. The storage must be optimal for unstructured data. Which type of Azure
storage should you use for the app? Select one.
Azure Table Storage
■■ Azure Blob Storage
Azure File Storage
Explanation
Azure Blob Storage. Azure Blob Storage is optimal for unstructured data and meets the requirements for the
company's app.
260
Multiple choice
You are using blob storage. Which of the following is true? Select one.
The cool access tier is for frequent access of objects in the storage account.
The hot access tier is for storing large amounts of data that is infrequently accessed.
■■ You can switch between hot and cool performance tiers at any time.
Explanation
You can switch between peformance tiers at any time. Changing the account storage tier from cool to hot
incurs a charge equal to reading all the data existing in the storage account. However, changing the
account storage tier from hot to cool incurs a charge equal to writing all the data into the cool tier (GPv2
accounts only).
Multiple choice
You use a Microsoft Azure storage account for storing large numbers of video and audio files. You create
containers to store each type of file and want to limit access to those files for specific periods. Additional-
ly, the files can only be accessed through shared access signatures (SAS). You need the ability to revoke
access to the files and to change the period for which users can access the files. What should you do to
accomplish this in the most simple and effective way? Select one.
Create an SAS for each user and delete the SAS when you want to prevent access.
■■ Implement stored access policies for each container to enable revocation of access or change of
duration.
Periodically regenerate the account key to control access to the files.
Explanation
You should implement stored access policies which will let you change access based on permissions or
duration by replacing the policy with a new one or deleting it altogether to revoke access. While Azure RMS
would protect the files, there would be administrative complexity involved whereas stored access policies
achieve the goal in the simplest way. Creating a SAS for each user would also involve a great amount of
administrative overhead. Regenerating keys would prevent all users from accessing all files at the same
time.
Multiple choice
You need to provide a contingent staff employee temporary read-only access to the contents of an Azure
storage account container named media. It is important that you grant access while adhering to the
security principle of least-privilege. What should you do? Select one.
Set the public access level to Container.
■■ Generate a shared access signature (SAS) token for the container.
Configure a Cross-Origin Resource Sharing (CORS) rule for the storage account.
Explanation
You should generate a SAS token for the container which provides access either to entire containers or
blobs. You should not share the Etag with the contingent staff member. Azure uses Etags to control concur-
rent access to resources and do not deliver the appropriate security controls. Setting the public access level
to Container would not conform to the principle of least privilege as the container now becomes open to
public connections with no time limitation. CORS is a Hypertest Transfer Protocol (HTTP) mechanism that
enables cross-domain resource access but does not provide security-based resource access control.
261
Multiple choice
You are planning a delegation model for your Azure storage. The company has issued the following
requirement for Azure storage access: -Apps in the non-production environment must have automated
time-limited access. You need to configure storage access to meet the requirements. What should you
do?
■■ Use shared access signatures for the non-production apps.
Use access keys for the non-production apps.
Use Stored Access Policies for the production apps..
Explanation
Use shared access signatures for the non-production apps. Shared access signatures provide a way to
provide more granular storage access than access keys. For example, you can limit access to “read only” and
you can limit the services and types of resources. Shared access signatures can be configured for a specified
amount of time, which meets the scenario’s requirements.
Multiple choice
You are planning a delegation model for your Azure storage. The company requires apps in the produc-
tion environment to have unrestricted access to storage resources You need to configure storage access
to meet the requirements. What should you do?
Use shared access signatures for the production apps.
■■ Use access keys for the production apps.
Use Stored Access Policies for the production apps.
Explanation
Access keys provide unrestricted access to the storage resources, which is the requirement for production
apps in this scenario.
Multiple choice
When configuring network access to your Azure Storage Account, what is the default network rule?
■■ To allow all connections from all networks
To allow all connection from a private IP address range
To deny all connections from all networks
Explanation
To allow all connections from all networks. The default network rule is to allow all connections from all
networks.
Multiple choice
Your organization has data stored in hard drives. It wants to move this data into a secure Azure storage
solution. What solution would allow you to encrypt this data with minimal effort?
Azure Disk Encryption.
■■ Azure Storage Service Encryption.
Client-side encryption with Azure.
Explanation
Azure Storage Service Encryption. Storage Service Encryption allows encryption on all data stored on
storage accounts. Encryption is enabled by default.
262
Multiple choice
Your company is planning to store log data, crash dump files, and other diagnostic data for Azure VMs in
Azure. Company administrators must be able to browse to the data in File Explorer. Access over SMB 3.0
must be supported. and the storage must support quotas. You need to choose the storage type to meet
the requirements. Which storage type should you use? Select one.
■■ Azure Files
Table storage
Blob storage
Explanation
Azure Files supports SMB 3.0, is reachable via File Explorer, and supports quotas. The other storage types do
not support the requirements. While blob storage is good for unstructured data, it cannot be accessed over
SMB 3.0.
Multiple choice
Your company has a file server named FS01. The server has a single shared folder that users' access to
shared files. The company wants to make the same files available from Microsoft Azure. Files deleted on
either side (on-premises or cloud) should be automatically updated. You need to implement a solution to
meet the requirements. What should you do? Select one.
Install and use AZCopy.
■■ Deploy Azure File Sync.
Deploy storage tiering.
Explanation
In this scenario, only Azure File sync can keep FS01 and Azure synced up and maintaining the same data.
While AZCopy can copy data, it isn't a sync solution to have both sources maintain the exact same files.
Storage tiering is used for internal tiering (SSD and HDD, for example). While DFS Replication could fit here,
DFS Namespace doesn't offer the replication component. Storage Explorer is a tool for managing different
storage platforms.
Multiple choice
You've been asked by a local manufacturing company that runs dedicated software in their warehouse to
keep track of stock. The software needs to run on machines in the warehouse, but the management team
wants to access the output from the head office. The limited bandwidth available in the warehouse
caused them problems in the past when they tried to use cloud-based solutions. You recommend that
they use Azure Files. Which is the best method to sync the files with the cloud?
Create an Azure Files share and directly mount shares on the machines in the warehouse.
■■ Use a machine in the warehouse to host a file share, install Azure File Sync, and share a drive with the
rest of the warehouse.
Install Azure File Sync on every machine in the warehouse and head office.
Explanation
Use a machine in the warehouse to host a file share, install Azure File Sync, and share a drive with the rest
of the warehouse. This answer is the best because the low bandwidth means Azure File Sync will handle the
updating and syncing of files efficiently over the low-bandwidth network.
263
Multiple choice
What is the Azure File Sync agent?
■■ It's installed on a server to enable Azure File Sync replication between the local file share and an Azure
file share.
It's installed on a server to set NTFS permissions on files and folders.
It's installed on an Azure file share to control on-premises file and folder replication traffic.
Explanation
It's installed on a server to enable Azure File Sync replication between the local file share and an Azure file
share. Azure File Sync agent is a downloadable package that enables a Windows Server file share to be
synced with an Azure file share.
Multiple choice
In what order do you create the Azure resources needed to support Azure File Sync?
Storage Sync Service, storage account, file share, and then the sync group.
■■ Storage account, file share, Storage Sync Service, and then the sync group.
Storage account, file share, sync group, and then Storage Sync Service.
Explanation
Storage account, file share, Storage Sync Service, and then the sync group. Create the storage account, and
then create a file share within the storage account. Create the Storage Sync Service, and then create the
sync group within the Storage Sync Service.
Multiple choice
What is cloud tiering in Azure File Sync?
■■ It's a feature that archives infrequently accessed files to free up space on the local file share.
It's a policy you create that prioritizes the sync order of file shares.
It's a policy that sets the frequency at which the sync job runs.
Explanation
It's a feature that archives infrequently accessed files to free up space on the local file share. Cloud tiering
allows frequently accessed files to be cached on the local server. Infrequently accessed files are tiered, or
archived, to the Azure file share according to the policy you create.
Multiple choice
What's the deployment process for Azure File Sync?
■■ Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent,
register the on-premises server, and create the server endpoint.
Create the Azure resources, install the Azure File Sync agent, register the on-premises server, and
create the server endpoint.
Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent on a
virtual machine, register the on-premises server, and create the server endpoint.
Explanation
Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent, register the
on-premises server, and create the server endpoint. Verify that your on-premises server's OS and file system
are supported. Then create the required resources in Azure. On the local server, install the Azure File Sync
agent and register the server. Finally, create the server endpoint in Azure.
264
Multiple choice
The manufacturing company's finance department wants to control how the data is being transferred to
Azure Files. They want a graphical tool to manage the process, but they don't want to use the Azure
portal. What tool do you recommend they use?
Azure Data Box
Robocopy
■■ Azure Storage Explorer
Explanation
Azure Storage Explorer. This option is the best if the finance department doesn't want to use the Azure
portal.
Multiple choice
You have an existing storage account in Microsoft Azure. It stores unstructured data. You create a new
storage account. You need to move half of the data from the existing storage account to the new storage
account. What tool should you use? Select one.
Use the Azure portal
Use the Robocopy command-line tool
■■ Use the AzCopy command-line tool
Explanation
Use the AzCopy command-line tool. The key in this scenario is that you need to move data between storage
accounts. The AzCopy tool can work with two different storage accounts. The other tools do not copy data
between storage accounts. Alternatively, although not one of the answer choices, you can use Storage
Explorer to copy data between storage accounts.
Multiple choice
You want to quickly upload the data in a collection of small files held in a local folder to blob storage.
This is a one-off request. You don't want to overwrite blobs that have been modified in the last two days.
Which tool should you use?
■■ Azure CLI
AzCopy
Azure Storage Explorer
Explanation
Azure CLI. The Azure CLI is great choice for one-off file transfers and can be used to check the last modified
date.
265
Multiple choice
You want to transfer a series of large files to blob storage. It may take several hours to upload each file,
and you're concerned that if a transfer fails, it shouldn't have to restart from the beginning. Which tool is
the most appropriate to do this task?
Azure CLI
■■ AzCopy
Azure Storage Explorer
Explanation
AzCopy. AzCopy is ideal for transferring large files as it can run in the background, and you can monitor the
status AzCopy jobs.
Module 8 Adminster Azure Virtual Machines
Skills measured
Deploying virtual machine is part of Exam AZ-104: Microsoft Azure Administrator1.
Deploy and manage Azure compute resources (20–25%)
Configure VMs
●● Move VMs from one resource group to another.
●● Manage VM sizes.
●● Add data disks.
●● Configure networking.
●● Redeploy VMs.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
268
Learning objectives
In this module, you will learn how to:
●● Create a virtual machine planning checklist.
●● Determine virtual machine locations and pricing models.
●● Determine the correct virtual machine size.
●● Configure virtual machine storage.
Prerequisites
None.
Name the VM
One piece of information people often don't put much thought into is the name of the VM. The VM
name is used as the computer name, which is configured as part of the operating system. You can specify
a name of up to 15 characters on a Windows VM and 64 characters on a Linux VM.
This name also defines a manageable Azure resource, and it's not trivial to change later. That means you
should choose names that are meaningful and consistent, so you can easily identify what the VM does. A
good convention is to include the following information in the name:
270
You're able to choose from two payment options for compute costs:
1. Consumption-based - With the consumption-based option, you pay for compute capacity by the
second. You're able to increase or decrease compute capacity on demand and start or stop at any
time. Use this option if you run applications with short-term or unpredictable workloads that cannot
be interrupted. For example, if you are doing a quick test, or developing an app in a VM, this would be
the appropriate option.
2. Reserved Virtual Machine Instances - The Reserved Virtual Machine Instances (RI) option is an
advance purchase of a virtual machine for one or three years in a specified region. The commitment is
made up front, and in return, you get up to 72% price savings compared to pay-as-you-go pricing. RIs
are flexible and can easily be exchanged or returned for an early termination fee. Use this option if the
VM has to run continuously, or you need budget predictability, and you can commit to using the VM
for at least a year.
Temporary Disk
Every VM contains a temporary disk, which is not a managed disk. The temporary disk provides short-
term storage for applications and processes and is intended to only store data such as page or swap files.
Data on the temporary disk may be lost during a maintenance event or when you redeploy a VM. During
a standard reboot of the VM, the data on the temporary drive should persist. However, there are cases
where the data may not persist, such as moving to a new host. Therefore, any data on the temp drive
should not be data that is critical to the system.
●● On Windows virtual machines, this disk is labeled as the D: drive by default and it used for storing
pagefile.sys.
●● On Linux virtual machines, the disk is typically /dev/sdb and is formatted and mounted to /mnt by the
Azure Linux Agent.
274
Note: Don’t store data on the temporary disk. It provides temporary storage for applications and pro-
cesses and is intended to only store data such as page or swap files.
Data Disks
A data disk is a managed disk that's attached to a virtual machine to store application data, or other data
you need to keep. Data disks are registered as SCSI drives and are labeled with a letter that you choose.
Each data disk has a maximum capacity of 4,095 gibibytes (GiB). The size of the virtual machine deter-
mines how many data disks you can attach to it and the type of storage you can use to host the disks.
Unmanaged disks
The original method is to use unmanaged disks. In an unmanaged disk, you manage the storage ac-
counts that you use to store the virtual hard disk (VHD) files that correspond to your VM disks. VHD files
are stored as page blobs in Azure storage accounts.
Managed disks
An Azure-managed disk is a virtual hard disk (VHD). You can think of it like a physical disk in an on-prem-
ises server but, virtualized. Azure-managed disks are stored as page blobs, which are a random IO
storage object in Azure. We call a managed disk ‘managed’ because it is an abstraction over page blobs,
blob containers, and Azure storage accounts. With managed disks, all you have to do is provision the
disk, and Azure takes care of the rest. When you select to use Azure-managed disks with your workloads,
Azure creates and manages the disk for you. The available types of disks are Ultra Solid State Drives
(SSD), Premium SSD, Standard SSD, and Standard Hard Disk Drives (HDD).
For the best performance for your application, we recommend that you migrate any VM disk that re-
quires high IOPS to Premium Storage. If your disk does not require high IOPS, you can help limit costs by
keeping it in standard Azure Storage. In standard storage, VM disk data is stored on hard disk drives
(HDDs) instead of on SSDs.
Note: Managed disks are required for the single instance virtual machine SLA (99.95%).
5. Under Administrator account, provide a username, such as azureuser and a password. The password
must be at least 12 characters long and meet the defined complexity requirements.
6. Under Inbound port rules, choose Allow selected ports and then select RDP (3389) and HTTP
from the drop-down.
7. Move to the Management tab, and under Monitoring turn Off Boot Diagnostics. This will eliminate
validation errors.
8. Leave the remaining defaults and then select the Review + create button at the bottom of the page.
Wait for the validation, then click Create.
Connect to the virtual machine
Create a remote desktop connection to the virtual machine. These directions tell you how to connect to
your VM from a Windows computer. On a Mac, you need to install an RDP client from the Mac App Store.
1. Select the Connect button on the virtual machine properties page.
2. In the Connect to virtual machine page, keep the default options to connect by DNS name over port
3389 and click Download RDP file.
3. Open the downloaded RDP file and select Connect when prompted.
4. In the Windows Security window, select More choices and then Use a different account. Type the
username as localhost\username, enter password you created for the virtual machine, and then select
OK.
5. You may receive a certificate warning during the sign-in process. Select Yes or Continue to create the
connection.
Install web server
1. To observe your VM in action, install the IIS web server. Open a PowerShell prompt on the VM and run
the following command:
Install-WindowsFeature -name Web-Server -IncludeManagementTools
2. After IIS has installed, close the RDP connection to the VM.
View the IIS welcome page
1. In the portal, select the VM and in the overview of the VM, use the Click to copy button to the right
of the public IP address to copy it and paste it into a browser tab.
2. The default IIS welcome page will open.
Note: When no longer needed, you can delete the resource group, virtual machine, and all related
resources. To do so, select the resource group for the virtual machine, select Delete, then confirm the
name of the resource group to delete.
Bastion Connections
The Azure Bastion service is a new fully platform-managed PaaS service that you provision inside your
virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in
the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a
public IP address.
Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network in which it is provi-
sioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside
world while still providing secure access using RDP/SSH. With Azure Bastion, you connect to the virtual
machine directly from the Azure portal. You don't need an additional client, agent, or piece of software.
credentials for the virtual machine. The Azure PowerShell Get-AzRemoteDesktopFile cmdlet provides
the same functionality.
SSH connections
SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is
the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypt-
ed connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force
279
attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH
is by using a public-private key pair, also known as SSH keys.
●● The public key is placed on your Linux VM, or any other service that you wish to use with public-key
cryptography.
●● The private key remains on your local system. Protect this private key. Do not share it.
When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests
the client to make sure it possesses the private key. If the client has the private key, it's granted access to
the VM.
Depending on your organization's security policies, you can reuse a single public-private key pair to
access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service
you wish to access.
Your public key can be shared with anyone, but only you (or your local security infrastructure) should
possess your private key.
Note: Azure currently requires at least a 2048-bit key length and the SSH-RSA format for public and
private keys.
Knowledge check
Multiple choice
You are planning to deploy several Linux VMs in Azure. The security team issues a policy that Linux VMs
must use an authentication system other than passwords. You need to deploy an authentication method for
the Linux VMs to meet the requirement. Which authentication method should you use? Select one.
SSH key pair
Access keys
Shared access signature
Multiple choice
Your organization has a security policy that prohibits exposing SSH ports to the outside world. You need to
connect to an Azure Linux virtual machine to install software. What should you do? Select one.
Configure the Bastion service
Configure a Guest configuration on the virtual machine
Create a custom script extension
281
Multiple choice
What is the effect of the default network security settings for a new virtual machine?
Neither outbound nor inbound requests are allowed.
Outbound request is allowed. Inbound traffic is only allowed from within the virtual network.
There are no restrictions: all outbound and inbound requests are allowed.
Multiple choice
You have several Linux virtual machines hosted in Azure. You will administer these VMs remotely over SSH
from three dedicated machines in your corporate headquarters. Which of the following authentication
methods would typically be considered best-practice for this situation?
Username and password
Private key
Private key with passphrase
Multiple choice
You want to run a network appliance on a virtual machine. Which workload option should you choose?
Compute optimized
Memory optimized
Storage optimized
Learn more
You can learn more by reviewing the following.
●● Azure Virtual Machine documentation2
●● Linux virtual machines documentation3
●● Learn - Introduction to Azure virtual machines4
●● Learn - Deploy Azure virtual machines from VHD templates5
●● Learn - Choose the right disk storage for your virtual machine workload6
●● Learn - Add and size disks in Azure virtual machines7
●● Learn - Create a Linux virtual machine in Azure8
●● Learn - Create a Windows virtual machine in Azure9
●● Learn - Connect to virtual machines through the Azure portal by using Azure Bastion10
2 https://docs.microsoft.com/azure/virtual-machines/
3 https://docs.microsoft.com/azure/virtual-machines/linux/
4 https://docs.microsoft.com/learn/modules/intro-to-azure-virtual-machines/
5 https://docs.microsoft.com/learn/modules/deploy-vms-from-vhd-templates/
6 https://docs.microsoft.com/learn/modules/choose-the-right-disk-storage-for-vm-workload/
7 https://docs.microsoft.com/learn/modules/add-and-size-disks-in-azure-virtual-machines/
8 https://docs.microsoft.com/learn/modules/create-linux-virtual-machine-in-azure/
9 https://docs.microsoft.com/learn/modules/create-windows-virtual-machine-in-azure/
10 https://docs.microsoft.com/learn/modules/connect-vm-with-azure-bastion/
283
Skills measured
High availability and scaling of virtual machine is part of Exam AZ-104: Microsoft Azure Administra-
tor11.
Deploy and manage Azure compute resources (20–25%)
Configure VMs
●● Configure high availability.
●● Deploy and configure scale sets.
Learning objectives
In this module, you will learn how to:
●● Implement availability sets and availability zones.
●● Implement update and fault domains.
●● Implement virtual machine scale sets.
●● Autoscale virtual machines.
Prerequisites
None.
11 https://docs.microsoft.com/learn/certifications/exams/az-104
284
An Unplanned Hardware Maintenance event occurs when the Azure platform predicts that the hard-
ware or any platform component associated to a physical machine, is about to fail. When the platform
predicts a failure, it will issue an unplanned hardware maintenance event. Azure uses Live Migration
technology to migrate the Virtual Machines from the failing hardware to a healthy physical machine. Live
Migration is a VM preserving operation that only pauses the Virtual Machine for a short time, but perfor-
mance might be reduced before and/or after the event.
Unexpected Downtime is when the hardware or the physical infrastructure for the virtual machine fails
unexpectedly. Unexpected downtime can include local network failures, local disk failures, or other rack
level failures. When detected, the Azure platform automatically migrates (heals) your virtual machine to a
healthy physical machine in the same datacenter. During the healing procedure, virtual machines experi-
ence downtime (reboot) and in some cases loss of the temporary drive.
Planned Maintenance events are periodic updates made by Microsoft to the underlying Azure platform
to improve overall reliability, performance, and security of the platform infrastructure that your virtual
machines run on. Most of these updates are performed without any impact upon your Virtual Machines
or Cloud Services.
Note: Microsoft does not automatically update your VM's OS or software. You have complete control and
responsibility for that. However, the underlying software host and hardware are periodically patched to
ensure reliability and high performance.
Note: What plans do you have to minimize the effect of downtime?
Update domains
An upgrade domain (UD) is a group of nodes that are upgraded together during the process of a
service upgrade (rollout). An update domain allows Azure to perform incremental or rolling upgrades
across a deployment. Each update domain contains a set of virtual machines and associated physical
hardware that can be updated and rebooted at the same time. During planned maintenance, only one
286
update domain is rebooted at a time. By default, there are five (non-user-configurable) update domains,
but you configure up to 20 update domains.
Fault domains
A fault domain (FD) is a group of nodes that represent a physical unit of failure. A fault domain defines a
group of virtual machines that share a common set of hardware, switches, that share a single point of
failure. For example, a server rack serviced by a set of power or networking switches. VMs in an availabili-
ty set are placed in at least two fault domains. Two fault domains mitigate against hardware failures,
network outages, power interruptions, or software updates. Think of a fault domain as nodes belonging
to the same physical rack.
Note: Placing your virtual machines into an availability set does not protect your application from
operating system or application-specific failures. For that, you need to review other disaster recovery and
backup techniques.
Considerations
●● Availability Zones are unique physical locations within an Azure region.
●● Each zone is made up of one or more datacenters equipped with independent power, cooling, and
networking.
●● To ensure resiliency, there’s a minimum of three separate zones in all enabled regions.
●● The physical separation of Availability Zones within a region protects applications and data from
datacenter failures.
●● Zone-redundant services replicate your applications and data across Availability Zones to protect from
single-points-of-failure.
287
●● With Availability Zones, Azure offers industry best 99.99% VM uptime SLA.
Implementation
An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For
example, if you create three or more VMs across three zones in an Azure region, your VMs are effectively
distributed across three fault domains and three update domains. The Azure platform recognizes this
distribution across update domains to make sure that VMs in different zones are not updated at the same
time. Build high-availability into your application architecture by colocating your compute, storage,
networking, and data resources within a zone and replicating in other zones.
Azure services that support Availability Zones fall into two categories:
●● Zonal services. Pin the resource to a specific zone (for example, virtual machines, managed disks,
Standard IP addresses), or
●● Zone-redundant services. Platform replicates automatically across zones (for example, zone-redun-
dant storage, SQL Database).
Note: To achieve comprehensive business continuity on Azure, build your application architecture using
the combination of Availability Zones with Azure region pairs.
Vertical scaling
Vertical scaling, also known as scale up and scale down, means increasing or decreasing virtual machine
sizes in response to a workload. Vertical scaling makes the virtual machines more (scale up) or less (scale
down) powerful. Vertical scaling can be useful when:
●● A service built on virtual machines is under-utilized (for example at weekends). Reducing the virtual
machine size can reduce monthly costs.
●● Increasing virtual machine size to cope with larger demand without creating additional virtual ma-
chines.
288
Horizontal scaling
Horizontal scaling, also referred to as scale out and scale in, where the number of VMs is altered depend-
ing on the workload. In this case, there is an increase (scale out) or decrease (scale in) in the number of
virtual machine instances.
Considerations
●● Vertical scaling generally has more limitations. Vertical scaling dependent on the availability of larger
hardware, which quickly hits an upper limit and can vary by region. Vertical scaling also usually
requires a virtual machine to stop and restart.
●● Horizontal scaling is more flexible in a cloud situation as it allows you to run potentially thousands of
virtual machines to handle load.
●● Reprovisioning means removing an existing virtual machine and replacing it with a new one. Do you
need to retain your data?
●● Initial instance count. Number of virtual machines in the scale set (0 to 1000).
●● Instance size. The size of each virtual machine in the scale set.
●● Azure spot instance. Low-priority VMs are allocated from Microsoft Azure's excess compute capacity.
Spot instances enable several types of workloads to run at a reduced cost.
●● Use managed disks. Managed disks hide the underlying storage accounts and instead shows the
abstraction of a disk. Unmanaged disks expose the underlying storage accounts and VHD blobs.
●● Enable scaling beyond 100 instances. If No, the scale set will be limited to one placement group
with a max capacity of 100. If Yes, the scale set can span multiple placement groups. This allows for
capacity to be up to 1,000 but changes the availability characteristics of the scale set.
●● Spreading algorithm. We recommend deploying with max spreading for most workloads. This
approach provides the best spreading.
Implement Autoscale
An Azure virtual machine scale set can automatically increase or decrease the number of VM instances
that run your application. This means you can dynamically scale to meet changing demand.
Autoscale benefits
●● Automatically adjust capacity. Let’s you create rules that define the acceptable performance for a
positive customer experience. When those defined thresholds are met, autoscale rules act to adjust
the capacity of your scale set.
290
●● Scale out. If your application demand increases, the load on the VM instances in your scale set
increases. If this increased load is consistent, rather than just a brief demand, you can configure
autoscale rules to increase the number of VM instances in the scale set.
●● Scale in. On an evening or weekend, your application demand may decrease. If this decreased load is
consistent over a period of time, you can configure autoscale rules to decrease the number of VM
instances in the scale set. This scale-in action reduces the cost to run your scale set as you only run
the number of instances required to meet the current demand.
●● Schedule events. Schedule events to automatically increase or decrease the capacity of your scale set
at fixed times.
●● Less overhead. Reduces the management overhead to monitor and optimize the performance of your
application.
Note: Autoscale minimizes the number of unnecessary VM instances that run your application when
demand is low, while customers continue to receive an acceptable level of performance as demand grows
and additional VM instances are automatically added.
Configure Autoscale
When you create a scale set you can enable Autoscale. You should also define a minimum, maximum, and
default number of VM instances. When your autoscale rules are applied, these instance limits make sure
that you do not scale out beyond the maximum number of instances or scale in beyond the minimum of
instances.
●● Minimum number of VMs. The minimum value for autoscale on this scale set.
●● Maximum number of VMs. The maximum value for autoscale on this scale set.
●● Scale out CPU threshold. The CPU usage percentage threshold for triggering the scale out autoscale
rule.
291
●● Number of VMs to increase by. The number of virtual machines to add to the scale set when the
scale out autoscale rule is triggered.
●● Scale in CPU threshold. The CPU usage percentage threshold for triggering the scale in autoscale
rule.
●● Number of VMs to decrease by. The number of virtual machines to remove to the scale set when the
scale in autoscale rule is triggered.
12 https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-portal
13 https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/5-exercise-configure-virtual-machine-scale-set
292
2. Create a rule with a Criteria and Action. The Criteria is when the CPU Percentage is less than 50% for
10 minutes. The Action is to decrease the instance count by 1.
●● Metric name: Percentage CPU
●● Operator: Less than
●● Threshold: 50
●● Duration: 10
●● Operation: Decrease count by
●● Instance count: 1
3. Your default scale condition now contains two scale rules. One rule scales the number of instances
out. Another rule scales the number of instances back in.
Knowledge check
Multiple choice
Another IT administrator creates an Azure virtual machine scale set with 5 VMs. Later, you notice that the
VMs are all running at max capacity with the CPU being fully consumed. However, additional VMs are not
deploying in the scale set. You need to ensure that additional VMs are deployed when the CPU is 75%
consumed. What should you do? Select one.
Enable the autoscale option.
Increase the instance count.
Add the scale set automation script to the library.
Multiple choice
You're part of the DevOps team for a large food delivery company. Friday night is typically your busiest time.
Conversely, 7 AM on Wednesday is generally your quietest time. What should you implement? Select one.
autoscale
metric-based rules
schedule-based rules
293
Multiple choice
Your company is preparing to deploy an application to Azure. The app is a self-contained unit that runs
independently on several servers. The company is moving the app to the cloud to provide better perfor-
mance. The team requests if the CPU across the servers goes above 85%, a new VM should be deployed. If
the CPU across the servers drops below 15%, an Azure VM running the app should be decommissioned to
reduce costs. You need to deploy a solution to meet the requirements while minimizing the administrative
overhead to implement and manage the solution. What should you do? Select one.
Deploy the app in a virtual machine scale set.
Deploy the app in a virtual machine availability set.
Deploy the app by using a resource manager template.
Multiple choice
Your company is deploying a critical business application to Azure. The uptime of the application is of
utmost importance. The application has two web servers, two application servers, and two database servers.
Each VM in a tier must run on different hardware and uptime must be maximized. What should you do?
Select one.
Deploy 1 VM from each tier into one availability set and the remaining VMs into a separate availability
set.
Deploy the VMs from each tier into a dedicated availability set for the tier.
Deploy the application and database VMs in one availability set and the web VMs into a separate
availability set.
Learn more
You can learn more by reviewing the following.
●● Availability options for Azure Virtual Machines14
●● Learn - Build a scalable application with virtual machine scale sets15
14 https://docs.microsoft.com/azure/virtual-machines/availability
15 https://docs.microsoft.com/learn/modules/build-app-with-scale-sets/
294
●● Learn - Implement scale and high availability with Windows Server VM16
16 https://docs.microsoft.com/learn/modules/implement-high-availability-of-windows-server-vms/
295
Skills measured
Automating virtual machine deployments is part of Exam AZ-104: Microsoft Azure Administrator17.
Deploy and manage Azure compute resources (20–25%)
Automate deployment of virtual machines (VMs) by using Azure Resource Manager templates
●● Deploy virtual machine extensions.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for virtual machine extensions.
●● Identify features and usage cases for custom script extensions.
●● Identify features and usage cases for desired state configuration.
Prerequisites
None.
17 https://docs.microsoft.com/learn/certifications/exams/az-104
296
There are different extensions for Windows and Linux machines and a large choice of first and third-party
extensions.
You could also use the PowerShell Set-AzVmCustomScriptExtension command. This command requires
the URI for the script in the blob container.
Set-AzVmCustomScriptExtension -FileUri https://scriptstore.blob.core.
windows.net/scripts/Install_IIS.ps1 -Run "PowerShell.exe" -VmName vmName
-ResourceGroupName resourceGroup -Location "location"
297
Considerations
●● Timeout. Custom Script extensions have 90 minutes to run. If your deployment exceeds this time, it is
marked as a timeout. Keep this in mind when designing your script. Your virtual machine must be
running to perform the tasks.
●● Dependencies. If your extension requires networking or storage access, make sure that content is
available.
●● Failure events. Be sure to account for any errors that might occur when running your script. For
example, running out of disk space, or security and access restrictions. What will the script do if there
is an error?
●● Sensitive data. Your extension may need sensitive information such as credentials, storage account
names, and storage account access keys. How will you protect/encrypt this information?
Note: Can you think of any custom script extensions that you might want to create?
The DSC script consists of a Configuration block, Node block, and one or more resource blocks.
●● The Configuration block. This is the outermost script block. You define it by using the Configuration
keyword and providing a name. In the example, the name of the configuration is IISInstall.
●● One or more Node blocks. Node blocks define the computers or VMs that you are configuring. In the
example, there is one Node block that targets a computer named “localhost”.
●● One or more resource blocks. Resource blocks configure the resource properties. In the example,
there is one resource block that uses WindowsFeature. WindowsFeature indicates the name
(Web-Server) of the role or feature that you want to ensure is added or removed. Ensure indicates if
the role or feature is added. Your choices are Present and Absent.
298
Note: The Windows PowerShell DSC comes with a set of built-in configuration resources. For example,
File Resource, Log Resource, and User Resource.
Note: You could also use the PowerShell Set-AzVmCustomScriptExtension command to deploy the
extension. You would need to upload the script to blob container and use the URI. We will do this in the
next demonstration.
Knowledge check
Multiple choice
What is Azure Automation State Configuration?
A declarative management platform to configure, deploy, and control systems.
A service used to write, manage, and compile PowerShell Desired State Configuration (DSC) configu-
rations, import DSC resources, and assign configurations to target nodes.
A service that manages the state configuration on each destination, or node.
Multiple choice
A PowerShell DSC script ______________.
contains the steps required to configure a virtual machine to get it into a specified state.
can only be run in push mode.
describes the desired state.
Multiple choice
Why should you use pull mode instead of push mode for DSC?
Pull mode is best for complex environments that need redundancy and scale.
Pull mode is easy to set up and doesn't need its own dedicated infrastructure.
Pull mode uses the local configuration manager (LCM) to make sure that the state on each node
matches the state specified by the configuration.
Learn more
You can learn more by reviewing the following.
●● Virtual machine extensions and features for Windows18
●● Virtual machine extensions and features for Linux19.
18 https://docs.microsoft.com/azure/virtual-machines/extensions/features-windows?toc=%2Fazure%2Fvirtual-machines%2Fwindows%2Ftoc.
json
19 https://docs.microsoft.com/azure/virtual-machines/extensions/features-linux
300
20 https://docs.microsoft.com/learn/modules/automate-configuration-of-windows-server-iaas-virtual-machines/
21 https://docs.microsoft.com/learn/modules/protect-vm-settings-with-dsc/
301
Module 08 Lab
Lab 08 - Manage Virtual Machines
Lab scenario
You were tasked with identifying different options for deploying and configuring Azure virtual machines.
First, you need to determine different compute and storage resiliency and scalability options you can
implement when using Azure virtual machines. Next, you need to investigate compute and storage
resiliency and scalability options that are available when using Azure virtual machine scale sets. You also
want to explore the ability to automatically configure virtual machines and virtual machine scale sets by
using the Azure Virtual Machine Custom Script extension.
Objectives
In this lab, you will:
●● Task 1: Deploy zone-resilient Azure virtual machines by using the Azure portal and an Azure Resource
Manager template.
●● Task 2: Configure Azure virtual machines by using virtual machine extensions.
●● Task 3: Scale compute and storage for Azure virtual machines.
●● Task 4: Register the Microsoft.Insights and Microsoft.AlertsManagement resource providers
●● Task 5: Deploy zone-resilient Azure virtual machine scale sets by using the Azure portal
●● Task 6: Configure Azure virtual machine scale sets by using virtual machine extensions
●● Task 7: Scale compute and storage for Azure virtual machine scale sets (optional)
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
302
Answers
Multiple choice
You are planning to deploy several Linux VMs in Azure. The security team issues a policy that Linux VMs
must use an authentication system other than passwords. You need to deploy an authentication method
for the Linux VMs to meet the requirement. Which authentication method should you use? Select one.
■■ SSH key pair
Access keys
Shared access signature
Explanation
Azure supports two authentication methods for Linux VMs - passwords and SSH (via an SSH key pair).
Access keys and shared access signatures are access methods for Azure storage, not for Azure VMs. In this
scenario, you need to use an SSH key pair to meet the requirement.
Multiple choice
Your organization has a security policy that prohibits exposing SSH ports to the outside world. You need
to connect to an Azure Linux virtual machine to install software. What should you do? Select one.
■■ Configure the Bastion service
Configure a Guest configuration on the virtual machine
Create a custom script extension
Explanation
Configure the Bastion service. The Azure Bastion service is a new fully platform-managed PaaS service that
you provision inside your virtual network. It provides secure and seamless RDP and SSH connectivity to your
virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual
machines do not need a public IP address. Bastion provides secure RDP and SSH connectivity to all VMs in
the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from
exposing RDP and SSH ports to the outside world while still providing secure access using RDP and SSH.
With Azure Bastion, you connect to the virtual machine directly from the Azure portal. You don't need an
additional client, agent, or piece of software.
Multiple choice
What is the effect of the default network security settings for a new virtual machine?
Neither outbound nor inbound requests are allowed.
■■ Outbound request is allowed. Inbound traffic is only allowed from within the virtual network.
There are no restrictions: all outbound and inbound requests are allowed.
Explanation
Outbound request is allowed. Inbound traffic is only allowed from within the virtual network. Outbound
requests are considered low risk, so they are allowed by default. Inbound traffic from within the virtual
network is allowed. By placing a VM in a virtual network, the VM owner is implicitly opting-in to communi-
cation among the resources in the virtual network.
303
Multiple choice
You have several Linux virtual machines hosted in Azure. You will administer these VMs remotely over SSH
from three dedicated machines in your corporate headquarters. Which of the following authentication
methods would typically be considered best-practice for this situation?
Username and password
Private key
■■ Private key with passphrase
Explanation
Private key with passphrase. Private key access with a passphrase is the most secure option. Even if an
attacker acquires your private key, they will be unable to use it without the passphrase.
Multiple choice
You want to run a network appliance on a virtual machine. Which workload option should you choose?
■■ Compute optimized
Memory optimized
Storage optimized
Explanation
Compute optimized. Compute optimized virtual machines are designed to have a high CPU-to-memory
ratio. Suitable for medium traffic web servers, network appliances, batch processes, and application servers.
Multiple choice
Another IT administrator creates an Azure virtual machine scale set with 5 VMs. Later, you notice that the
VMs are all running at max capacity with the CPU being fully consumed. However, additional VMs are not
deploying in the scale set. You need to ensure that additional VMs are deployed when the CPU is 75%
consumed. What should you do? Select one.
■■ Enable the autoscale option.
Increase the instance count.
Add the scale set automation script to the library.
Explanation
When you have a scale set, you can enable automatic scaling with the autoscale option. When you enable
the option, you define the parameters for when to scale. To meet the requirements of this scenario, you
need to enable the autoscale option so that additional VMs are created when the CPU is 75% consumed.
Note that the automation script is used to automate the deployment of scale sets and not related to
automating the building of additional VMs in the scale set.
304
Multiple choice
You're part of the DevOps team for a large food delivery company. Friday night is typically your busiest
time. Conversely, 7 AM on Wednesday is generally your quietest time. What should you implement?
Select one.
autoscale
metric-based rules
■■ schedule-based rules
Explanation
Schedule-based rules. You can proactively schedule the scale set to deploy one or N number of additional
instances to accommodate a spike in traffic and then scale back down when the spike ends.
Multiple choice
Your company is preparing to deploy an application to Azure. The app is a self-contained unit that runs
independently on several servers. The company is moving the app to the cloud to provide better perfor-
mance. The team requests if the CPU across the servers goes above 85%, a new VM should be deployed.
If the CPU across the servers drops below 15%, an Azure VM running the app should be decommissioned
to reduce costs. You need to deploy a solution to meet the requirements while minimizing the adminis-
trative overhead to implement and manage the solution. What should you do? Select one.
■■ Deploy the app in a virtual machine scale set.
Deploy the app in a virtual machine availability set.
Deploy the app by using a resource manager template.
Explanation
In this scenario, you should use a scale set for the VMs. Scale sets can scale up or down, based on defined
criteria (such as the existing set of VMs using a large percentage of the available CPU). This meets the
scenario’s requirements.
Multiple choice
Your company is deploying a critical business application to Azure. The uptime of the application is of
utmost importance. The application has two web servers, two application servers, and two database
servers. Each VM in a tier must run on different hardware and uptime must be maximized. What should
you do? Select one.
Deploy 1 VM from each tier into one availability set and the remaining VMs into a separate availability
set.
■■ Deploy the VMs from each tier into a dedicated availability set for the tier.
Deploy the application and database VMs in one availability set and the web VMs into a separate
availability set.
Explanation
An availability set should hold VMs in the same tier because that ensures that the VMs are not dependent
on the same physical hardware. If you deploy VMs in a single tier across multiple availability sets, then you
have a chance of a tier becoming unavailable due to a hardware issue. In this scenario, each tier should
have a dedicated availability set (Web availability set, app availability set, database availability set).
305
Multiple choice
What is Azure Automation State Configuration?
A declarative management platform to configure, deploy, and control systems.
■■ A service used to write, manage, and compile PowerShell Desired State Configuration (DSC) configu-
rations, import DSC resources, and assign configurations to target nodes.
A service that manages the state configuration on each destination, or node.
Explanation
A service used to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations,
import DSC resources, and assign configurations to target nodes.
Multiple choice
A PowerShell DSC script ______________.
contains the steps required to configure a virtual machine to get it into a specified state.
can only be run in push mode.
■■ describes the desired state.
Explanation
Describes the desired state. A PowerShell DSC script is declarative. It describes the desired state but doesn't
include the steps necessary to achieve that state.
Multiple choice
Why should you use pull mode instead of push mode for DSC?
■■ Pull mode is best for complex environments that need redundancy and scale.
Pull mode is easy to set up and doesn't need its own dedicated infrastructure.
Pull mode uses the local configuration manager (LCM) to make sure that the state on each node
matches the state specified by the configuration.
Explanation
Pull mode is best for complex environments that need redundancy and scale. Each node automatically polls
the pull server at regular intervals to get the latest configuration details. In push mode, an administrator
manually sends the configurations toward the nodes.
Module 9 Administer PaaS Compute Options
Skills measured
App Service plans and scaling are part of Exam AZ-104: Microsoft Azure Administrator1.
Deploy and manage Azure compute resources (20–25%)
Create and configure Azure App Service
●● Create an App Service plan.
●● Configure scaling settings in an App Service plan.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
308
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases of the Azure App Service.
●● Select an appropriate Azure App Service plan pricing tier.
●● Scale the App Service Plan.
●● Scale out the App Service Plan.
Prerequisites
None.
Considerations
Since you pay for the computing resources your App Service plan allocates, you can potentially save
money by putting multiple apps into one App Service plan. You can continue to add apps to an existing
plan as long as the plan has enough resources to handle the load. However, keep in mind that apps in
the same App Service plan all share the same compute resources. To determine whether the new app has
the necessary resources, you need to understand the capacity of the existing App Service plan, and the
309
expected load for the new app. Overloading an App Service plan can potentially cause downtime for your
new and existing apps. Isolate your app into a new App Service plan when:
●● The app is resource-intensive.
●● You want to scale the app independently from the other apps in the existing plan.
●● The app needs resource in a different geographical region.
double the memory-to-core ratio compared to Standard. The private environment used with an
Isolated plan is called the App Service Environment. The plan can scale to 100 instances with more
available upon request.
Scale up. Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs),
custom domains and certificates, staging slots, autoscaling, and more. You scale up by changing the
pricing tier of the App Service plan that your app belongs to.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30
instances, depending on your pricing tier. App Service Environments in Isolated tier further increases your
scale-out count to 100 instances. The scale instance count can be configured manually or automatically
(autoscale). Autoscale is based on predefined rules and schedules.
Other considerations
●● The scale settings take only seconds to apply and affect all apps in your App Service plan. They don't
require you to change your code or redeploy your application.
●● If your app depends on other services, such as Azure SQL Database or Azure Storage, you can scale up
these resources separately. These resources aren't managed by the App Service plan.
remove VMs automatically based on a set of rules. When rule conditions are met, one or more autoscale
actions are triggered.
Autoscale settings
An autoscale setting is read by the autoscale engine to determine whether to scale up or down. Autoscale
settings are grouped into profiles.
Rules include a trigger and a scale action (up or down). The trigger can be metric-based or time-based.
●● Metric-based. Metric-based rules measure application load and add or remove VMs based on that
load. For example, do this action when CPU usage is above 50%. Examples of metrics are CPU time,
Average response time, and Requests.
●● Time-based. Time-based (schedule-based) rules allow you to scale when you see time patterns in
your load and want to scale before a possible load increase or decrease occurs. For example, trigger a
webhook every 8am on Saturday in a given time zone.
Considerations
●● Having a minimum instance count makes sure your application is always running even under no load.
●● Having a maximum instance count limits your total possible hourly cost.
●● You can automatically scale between the minimum and maximum using rules you create.
●● Ensure the maximum and minimum values are different and have an adequate margin between them.
●● Always use a scale-out and scale-in rule combination that performs an increase and decrease.
●● Choose the appropriate statistic for your diagnostics metric (Average, Minimum, Maximum and Total).
●● Always select a safe default instance count. The default instance count is important because autoscale
scales your service to that count when metrics are not available.
●● Always configure autoscale notifications.
Notification settings
A notification setting defines what notifications should occur when an autoscale event occurs based on
satisfying the criteria of one of the autoscale setting’s profiles. Autoscale can notify one or more email
addresses or make calls to one or more webhooks.
312
Setting Value
Subscription Choose your subscription
Resource Group myRGAppServices (create new)
Name AppServicePlan1
Operating System Windows
Region East US
4. Click Review + Create and then Create.
5. Wait for your new App Service plan to deploy.
Review Pricing Tiers
1. Locate your new App Service plan.
2. Under Settings, click Scale up (App Service Plan).
3. Notice there are three tiers: Dev/Test, Production, and Isolated.
4. Click each tier and review the included features and included hardware.
5. How do the tiers compare?
Review autoscaling
1. Under Settings click Scale out (App Service Plan).
2. Notice the default is Manual scale.
3. Notice you can specify an instance count depending on your App Service plan selection.
4. Click Custom autoscale.
5. Notice two scale modes: Scale based on a metric and Scale to a specific instance count.
6. Click Add a rule to automatically add an instance when the CPU percentages is greater than 80% for
10 minutes.
Setting Value
Time aggregation Average
Metric name CPU percentage
Operator Greater than
Threshold 80
Duration 10 minutes
Operation Increase count by
Instance count 1
2 http://portal.azure.com/
313
Setting Value
Cool down 5 minutes
7. Add your rule changes.
8. Review the Instance limits: Minimum, Maximum, and Default.
9. Notice that you can add a Schedule and Specify start/end dates and Repeat specific days.
10. Do you see how you can create different App Service plans for your apps?
Knowledge check
Multiple choice
You are administering a production web app. The app requires scaling to five instances, 40GB of storage,
and a custom domain name. Which App Service Plan should you select? Select one.
Basic
Standard
Premium
Multiple choice
Which of the following is not true of the App Service plan? Select one.
The App Service plan is a set of virtual server resources that run App Service apps.
The App Service pland etermines the performance characteristics of the virtual servers.
The App Service plan hosts a single App Service web app.
Multiple choice
To get more CPU, memory, or disk space you should? Select one.
Scale up
Scale out
Multiple choice
To configure an autoscale trigger based on average response time, you should select ... Select one.
Metric-based
Time-based
User-based
314
Learn more
You can learn more by reviewing the following.
●● Azure App Service plan overview3
●● Scale up an app in Azure App Service4
●● Learn - Scale an App Service web app to efficiently meet demand with App Service scale up and
scale out5
3 https://docs.microsoft.com/azure/app-service/overview-hosting-plans
4 https://docs.microsoft.com/azure/app-service/manage-scale-up
5 https://docs.microsoft.com/learn/modules/app-service-scale-up-scale-out/
315
Skills measured
Configuring the Azure App Service is part of Exam AZ-104: Microsoft Azure Administrator6.
Deploy and manage Azure compute resources (20–25%)
Create and configure Azure App Service
●● Create an App Service.
●● Secure an App Service.
●● Configure custom domain names.
●● Configure backup for an App Service.
●● Configure networking settings.
●● Configure deployment settings.
Monitor and back up Azure resources (10–15%)
Monitor resources by using Azure Monitor
●● Configure Application Insights.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for the the Azure App Service.
●● Create an App Service.
●● Configure deployment settings, specifically deployment slots.
●● Secure the App Service.
●● Configure custom domain names
●● Backup the App Service.
●● Configure Application Insights.
6 https://docs.microsoft.com/learn/certifications/exams/az-104
316
Prerequisites
None.
●● Name. The name must be unique and will be used to locate your app. For example, webappces1.
azurewebsites.net. You can map a custom domain name, if you prefer to use that instead.
●● Publish. The App service can host either Code or a Docker Container.
●● Runtime stack. The software stack to run the app, including the language and SDK versions. For Linux
apps and custom container apps, you can also set an optional start-up command or file. Choices
include: .NET Core, .NET Framework, Node.js, PHP, Python, and Ruby. Various versions of each are
available.
●● Operating system. Choices are Linux and Windows.
●● Region. Your choice will affect app service plan availability.
Application settings
Once your app service is created, additional configuration information is available.
Certain configuration settings can be included in the developer's code or configurated in the app service.
Here are a few interesting settings.
●● Always On. Keep the app loaded even when there's no traffic. It's required for continuous WebJobs or
for WebJobs that are triggered using a CRON expression.
●● ARR affinity. In a multi-instance deployment, ensure that the client is routed to the same instance for
the life of the session. You can set this option to Off for stateless application,
●● Connection strings. Connection strings are encrypted at rest and transmitted over an encrypted
channel.
318
Automated deployment
Automated deployment, or continuous integration, is a process used to push out new features and bug
fixes in a fast and repetitive pattern with minimal impact on end users. Azure supports automated
deployment directly from several sources. The following options are available:
●● Azure DevOps: You can push your code to Azure DevOps (previously known as Visual Studio Team
Services), build your code in the cloud, run the tests, generate a release from the code, and finally,
push your code to an Azure Web App.
●● GitHub: Azure supports automated deployment directly from GitHub. When you connect your GitHub
repository to Azure for automated deployment, any changes you push to your production branch on
GitHub will be automatically deployed for you.
●● Bitbucket: With its similarities to GitHub, you can configure an automated deployment with Bitbuck-
et.
Manual deployment
There are a few options that you can use to manually push your code to Azure:
●● Git: App Service web apps feature a Git URL that you can add as a remote repository. Pushing to the
remote repository will deploy your app.
●● CLI: webapp up is a feature of the az command-line interface that packages your app and deploys it.
Unlike other deployment methods, az webapp up can create a new App Service web app for you if
you haven't already created one.
319
●● Zipdeploy: Use curl or a similar HTTP utility to send a ZIP of your application files to App Service.
●● Visual Studio: Visual Studio features an App Service deployment wizard that can walk you through
the deployment process.
●● FTP/S: FTP or FTPS is a traditional way of pushing your code to many hosting environments, including
App Service.
How it works
The authentication and authorization module runs in the same sandbox as your application code. When
it's enabled, every incoming HTTP request passes through it before being handled by your application
code. This module handles several things for your app:
●● Authenticates users with the specified provider.
●● Validates, stores, and refreshes tokens.
●● Manages the authenticated session.
●● Injects identity information into request headers.
The module runs separately from your application code and is configured using app settings. No SDKs,
specific languages, or changes to your application code are required.
Authorization behavior
In the Azure portal, you can configure App Service authorization with a number of behaviors:
1. Allow Anonymous requests (no action): This option defers authorization of unauthenticated traffic
to your application code. For authenticated requests, App Service also passes along authentication
information in the HTTP headers.This option provides more flexibility in handling anonymous re-
quests. It lets you present multiple sign-in providers to your users.
2. Allow only authenticated requests: The option is Log in with <provider>. App Service redirects all
anonymous requests to /.auth/login/<provider> for the provider you choose. If the anony-
mous request comes from a native mobile app, the returned response is an HTTP 401 Unauthor-
ized. With this option, you don't need to write any authentication code in your app.
322
Note: Restricting access in this way applies to all calls to your app, which may not be desirable for apps
wanting a publicly available home page, as in many single-page applications.
Configuration steps
1. Reserve your domain name. If you haven't already registered for an external domain name (i.e. not
*.azurewebsites.net) already, the easiest way to set up a custom domain is to buy one directly in the
Azure portal. The process enables you to manage your web app's domain name directly in the Portal
instead of going to a third-party site to manage it. Likewise, configuring the domain name in your
web app is greatly simplified. If you do not use the portal, you can use any domain registrar. When
you sign up, the registration site will help you through the process.
2. Create DNS records that map the domain to your Azure web app. The Domain Name System
(DNS) uses data records to map domain names into IP addresses. There are several types of DNS
records. For web apps, you’ll create either an A record or a CNAME record. If the IP address changes, a
CNAME entry is still valid, whereas an A record must be updated. However, some domain registrars do
not allow CNAME records for the root domain or for wildcard domains. In that case, you must use an
A record.
●● An A (Address) record maps a domain name to an IP address.
●● A CNAME (Canonical Name) record maps a domain name to another domain name. DNS uses the
second name to look up the address. Users still see the first domain name in their browser. For
example, you could map contoso.com to yourwebapp.azurewebsites.net.
323
3. Enable the custom domain. After obtaining your domain and creating your DNS record, you can use
the portal to validate the custom domain and add it to your web app. Be sure to test.
Note: To map a custom DNS name to a web app, the web app's App Service plan must be a paid tier.
Considerations
●● The Backup and Restore feature requires the App Service plan to be in the Standard tier or Premium
tier.
●● You can configure backups manually or on a schedule.
●● You need an Azure storage account and container in the same subscription as the app that you want
to back up. After you have made one or more backups for your app, the backups are visible on the
324
Containers page of your storage account, and your app. In the storage account, each backup consists
of a.zip file that contains the backup data and an .xml file that contains a manifest of the .zip file
contents. You can unzip and browse these files if you want to access your backups without actually
performing an app restore.
●● Full backups are the default. When a full backup is restored, all content on the site is replaced with
whatever is in the backup. If a file is on the site, but not in the backup it gets deleted.
●● Partial backups are supported. Partial backups allow you choose exactly which files you want to back
up. When a partial backup is restored, any content that is located in one of the excluded directories,
or any excluded file, is left as is. You restore partial backups of your site the same way you would
restore a regular backup.
●● You can exclude files and folders you do not want in the backup.
●● Backups can be up to 10 GB of app and database content.
●● Using a firewall enabled storage account as the destination for your backups is not supported.
●● Dependency rates, response times, and failure rates - Find out whether external services are
slowing you down.
●● Exceptions - Analyze the aggregated statistics, or pick specific instances and drill into the stack trace
and related requests. Both server and browser exceptions are reported.
●● Page views and load performance - reported by your users' browsers.
●● User and session counts.
●● Performance counters from your Windows or Linux server machines, such as CPU, memory, and
network usage.
●● Host diagnostics from Docker or Azure.
●● Diagnostic trace logs from your app - so that you can correlate trace events with requests.
●● Custom events and metrics that you write yourself in the client or server code, to track business
events such as items sold or games won.
Setting Value
Subscription Choose your subscription
Resource Group myRGWebApp1 (create new)
Name myLinuxWebAppxxxx (unique)
Publish Docker Container
Operating System Linux
Region East US (ignore any service plan availability
warnings)
4. Click Next > Docker and configure the container information. The startup command is optional and
not needed in this exercise.
Setting Value
Options Single container
7 http://portal.azure.com/
326
Setting Value
Image Source Quickstart
Sample Python Hello World
5. Click Review + create, and then click Create.
Test the Web App
In this task, we will test the Web App.
1. Wait for the Web App to deploy.
2. From Notifications click Go to resource.
3. On the Overview blade, locate the URL entry.
4. Click on the URL to open the new browser tab and display the “Hello World, App Service!” page.
5. Switch back to the Overview blade of your web app and notice that it includes several charts. If you
repeat step 4 a few times, you should be able to see corresponding telemetry being displayed in the
charts. This includes number of requests and average response time.
Configure Deployment Slots
In this task, we will configure Deployment Slots for the Web App.
1. From the Web App blade, click Deployment Slots.
2. On the Deployment Slots blade, click + Add Slot
3. From the Add a slot blade, configure the following settings.
Setting Value
Name DEVELOPMENT
Clone Settings From myLinuxWebAppXXXX
4. Click Add.
5. If the Add a slot blade remains open, click Close.
6. From the Deployment Slots blade, notice the Names, their Status, and the Traffic % of each Deploy-
ment Slot.
7. Click the newly created Deployment Slot mylinuxwebappXXXX-DEVELOPMENT. This will take you to
the Overview blade of the new Deployment Slot.
8. From the Overview blade of the DEVELOPMENT Deployment Slot, locate the URL entry.
9. Click on the URL to open the new browser tab and display the “Hello World, App Service!” page.
Note: The process of cloning the Web App settings to the new Deployment Slot, includes cloning the
base Docker Image from the initial deployment.
10. Click the X in the top right corner of the DEVELOPMENT Deployment Slot blade. This will return you
to the Deployment Slots blade of the myLinuxWebAppXXXX Web App.
Configure Backup
1. From the Web App blade, click Backups.
2. On the Backups blade, click Configure. This will open up the Backup Configuration blade.
3. From the Backup Configuration blade, under Backup Storage, click Storage not configured to
configure a Storage Account for backups.
327
Setting Value
Name webappxxxxstorage (unique)
Account kind Storage (general purpose v1)
Performance Standard
Replication Locally-redundant storage (LRS)
Location (US) East US)
6. Click OK.
7. On the Storage accounts blade, click the Storage Account, webappxxxxstorage, that you created in
the previous step.
8. From the Containers blade, click + Container, enter backups for the name of the New Container, and
set the Public access level to Private (no anonymous access).
9. Click OK.
10. From the Containers blade, click backups, and click Select to choose the newly created Container.
This will take you back to the Backup Configuration blade.
11. On the Backup Configuration blade, click On next to Scheduled backup, and configure the follow-
ing settings.
Setting Value
Backup Every 1 Hours
Start backup schedule from Configure custom start time
Retention (Days) 30
Keep at least one backup Yes
12. Click Save.
Knowledge check
Multiple choice
Which of the following settings is not swapped when you swap an an app? Select one.
Framework version
Public certificates
Scale settings
328
Multiple choice
Which of the following is not true about App Service backups? Select one.
Incremental backups are the default.
You can configure backups manually or on a schedule.
You can exclude files and folders you do not want in the backup.
Multiple choice
What method does Microsoft Azure App Service use to obtain credentials for users attempting to access an
app? Select one.
Credentials that are stored in the browser.
Pass-through authentication.
Redirection to a provider endpoint.
Multiple choice
Which of the following isn't a valid automated deployment source? Select one.
Azure DevOps
GitHub
SharePoint
Learn more
You can learn more by reviewing the following.
●● Azure App Service Overview
329
●● Application Insights8
●● Learn - Host a web application with Azure App Service9
●● Learn - Stage a web app deployment for testing and rollback by using App Service deployment
slots10
●● Learn - Capture and view page load times in your Azure web app with Application Insights11
●● Learn - Dynamically meet changing web app performance requirements with autoscale rules12
8 https://docs.microsoft.com/Azure/azure-monitor/app/app-insights-overview
9 https://docs.microsoft.com/learn/modules/host-a-web-app-with-azure-app-service/
10 https://docs.microsoft.com/learn/modules/stage-deploy-app-service-deployment-slots/
11 https://docs.microsoft.com/learn/modules/capture-page-load-times-application-insights/
12 https://docs.microsoft.com/learn/modules/app-service-autoscale-rules/
330
Skills measured
Azure Container Instances is part of Exam AZ-104: Microsoft Azure Administrator13.
Deploy and manage Azure compute resources (20–25%)
Create and configure containers
●● Configure sizing and scaling for Azure Container Instances.
●● Configure container groups for Azure Container Instances.
Learning objectives
In this module, you will learn how to:
●● Identify when to use containers versus virtual machines.
●● Identify the features and usage cases of Azure Container Instances.
●● Implement Azure Container Groups.
Prerequisites
None.
13 https://docs.microsoft.com/learn/certifications/exams/az-104
331
Container advantages
Containers offer several advantages over physical and virtual machines, including:
●● Increased flexibility and speed when developing and sharing the application code.
●● Simplified application testing.
●● Streamlined and accelerated application deployment.
●● Higher workload density, resulting in improved resource utilization.
Feature Description
Fast Startup Times Containers can start in seconds without the need
to provision and manage virtual machines.
Public IP Connectivity and DNS Names Containers can be directly exposed to the internet
with an IP address and FQDN.
Hypervisor-level Security Container applications are as isolated in a contain-
er as they would be in a virtual machine.
Custom Sizes Container nodes can be scaled dynamically to
match actual resource demands for an application.
Persistent Storage Containers support direct mounting of Azure File
Shares.
Linux and Windows Containers Container instances supports scheduling of
multi-container groups that share host machine
resources.
Coscheduled Groups Container instances supports scheduling of
multi-container groups that share host machine
resources.
Virtual Network Deployment Container instances can be deployed into an Azure
virtual network.
Deployment options
Here are two common ways to deploy a multi-container group: use a Resource Manager template or a
YAML file. A Resource Manager template is recommended when you need to deploy additional Azure
service resources (for example, an Azure Files share) when you deploy the container instances. Due to the
YAML format's more concise nature, a YAML file is recommended when your deployment includes only
container instances.
Resource allocation
Azure Container Instances allocates resources such as CPUs, memory, and optionally GPUs to a mul-
ti-container group by adding the resource requests of the instances in the group. Taking CPU resources
as an example, if you create a container group with two container instances, each requesting one CPU,
then the container group is allocated 2 CPUs.
Networking
Container groups can share an external-facing IP address, one or more ports on that IP address, and a
DNS label with a fully qualified domain name (FQDN). To enable external clients to reach a container
within the group, you must expose the port on the IP address and from the container. Because containers
within the group share a port namespace, port mapping isn't supported. A container group's IP address
and FQDN will be released when the container group is deleted.
334
Common scenarios
Multi-container groups are useful in cases where you want to divide a single functional task into a small
number of container images. These images can then be delivered by different teams and have separate
resource requirements. Example usage could include:
●● A container serving a web application and a container pulling the latest content from source control.
●● An application container and a logging container. The logging container collects the logs and metrics
output by the main application and writes them to long-term storage.
●● An application container and a monitoring container. The monitoring container periodically makes a
request to the application to ensure that it's running and responding correctly, and raises an alert if
it's not.
●● A front-end container and a back-end container. The front end might serve a web application, with
the back end running a service to retrieve data.
A container is essentially a standalone package that contains everything that is needed to execute a piece
of software. The package includes:
●● The application executable code.
●● The runtime environment (such as .NET Core).
●● System tools.
●● Settings.
The Docker platform is available on both Linux and Windows and can be hosted on Azure. The key thing
that Docker provides is the guarantee that the containerized software will always run the same. It doesn't
matter if the code is run locally on Windows, Linux or in the cloud on Azure. The software can be devel-
oped locally within a Docker container, shared with Quality Assurance resources for testing. and then
deployed to production in the Azure Cloud. Once deployed, the application can easily be scaled up and
down using the Azure Container Instances (ACI).
335
Docker terminology
You should be familiar with the following key terms before using Docker and Container Instances to
create, build, and test containers:
●● Container. Container is an instance of a Docker image. It represents the execution of a single applica-
tion, process, or service. It consists of the contents of a Docker image, an execution environment, and
a standard set of instructions. When scaling a service, you create multiple instances of a container
from the same image. Or a batch job can create multiple containers from the same image, passing dif-
ferent parameters to each instance.
●● Container image. Container image refers to a package with all the dependencies and information
required to create a container. The dependencies include frameworks and the deployment and
execution configuration that a container runtime uses. Usually, an image derives from multiple base
images that are layers stacked on top of each other to form the container's file system. An image is
immutable once it has been created.
●● Build. Build refers to the action of building a container image based on the information and context
provided by the Dockerfile. The build also includes any other files that are needed. You build images
by using the Docker docker build command.
●● Pull. Pull refers to the process of downloading a container image from a container registry.
●● Push. Push refers to the process of uploading a container image to a container registry.
●● Dockerfile. Dockerfile refers to a text file that contains instructions on how to build a Docker image.
The Dockerfile is like a batch script. The first line identifies the base image. The rest of the file includes
the build actions.
Setting Value
Subscription Use default supplied
Resource group Create new resource group
Container name mycontainer
Region (US) East US
Image source Docker Hub or other registry
Image type Public
Image microsoft/aci-helloworld
336
Setting Value
OS type Linux
Size Leave at the default
4. Configure the Networking tab (replace xxxxx with letters and digits such that the name is globally
unique). Leave all other settings at their default values.
Setting Value
DNS name label mycontainerdnsxxxxx
Note: Your container will be publicly reachable at dns-name-label.region.azurecontainer.io. If you receive
a DNS name label not available error message following the deployment, specify a different DNS name
label (replacing the xxxxx) and re-deploy.
5. Click Review and Create to start the automatic validation process.
6. Click Create to create the container instance.
7. Monitor the deployment page and the Notifications page.
Verify deployment of the container instance
In this task, we verify that the container instance is running by ensuring that the welcome page displays.
1. After the deployment is complete, click the Go to resource link the deployment blade or the link to
the resource in the Notification area.
2. On the Overview blade of mycontainer, ensure your container Status is Running.
3. Locate the Fully Qualified Domain Name (FQDN).
4. Copy the container's FQDN into a new web browser tab and press Enter. The Welcome page should
display.
Note: To avoid additional costs, you can remove this resource group. Search for resource groups, click
your resource group, and then click Delete resource group. Verify the name of the resource group and
then click Delete. Monitor the Notifications to see how the delete is proceeding.
Knowledge Check
Multiple choice
Which of the following is not true about container groups?
Are scheduled on multiple host machines.
Consists of two containers.
Exposes a single public IP address, with one exposed port.
337
Multiple choice
Which of the following is a reason to select virtual machines over containers?
Virtual machines provide complete isolation from the host operating system and other VMs.
Virtual machines run the user mode portion of an operating system and can be tailored to contain just
the needed services for your app.
Virtual machines use Azure Disks for local storage for a single node.
Multiple choice
All the following are true about Azure Container Instances, except?
You are billed only when the container is in use.
Containers launch is seconds.
Container storage uses Azure blobs.
Learn more
You can learn more by reviewing the following.
●● Containers vs Virtual Machines14
●● Azure Container Instances documentation15
●● Learn - Introduction to Docker containers16
●● Learn - Run Docker containers with Azure Container Instances17
●● Learn - Build a containerized web application with Docker18
14 https://docs.microsoft.com/virtualization/windowscontainers/about/containers-vs-vm
15 https://docs.microsoft.com/azure/container-instances/
16 https://docs.microsoft.com/learn/modules/intro-to-docker-containers/
17 https://docs.microsoft.com/learn/modules/run-docker-with-azure-container-instances/
18 https://docs.microsoft.com/learn/modules/intro-to-containers/
338
Skills measured
The Azure Kubernetes Service is part of Exam AZ-104: Microsoft Azure Administrator19.
Deploy and manage Azure compute resources (20–25%)
Create and configure containers
●● Configure storage for Azure Kubernetes Service (AKS).
●● Configure scaling for AKS.
●● Configure network connections for AKS.
●● Upgrade an AKS cluster.
Learning objectives
In this module, you will learn how to:
●● Identify AKS components including pods, clusters, and nodes.
●● Configure network connections for AKS.
●● Configure storage options for AKS.
●● Implement security options for AKS.
●● Scale AKS including adding Azure Container Instances.
Prerequisites
None.
19 https://docs.microsoft.com/learn/certifications/exams/az-104
339
Azure-managed node
When you create an AKS cluster, a cluster node is automatically created and configured. This node is
provided as a managed Azure resource abstracted from the user. You pay only for running agent nodes
340
Services
To simplify the network configuration for application workloads, Kubernetes uses Services to logically
group a set of pods together and provide network connectivity. The following Service types are available:
●● Cluster IP - Creates an internal IP address for use within the AKS cluster. Good for internal-only
●● NodePort - Creates a port mapping on the underlying node that allows the application to be ac-
the application, load-balancing rules are created on the desired ports. For additional control and
routing of the inbound traffic, you may instead use an Ingress controller.
●● ExternalName - Creates a specific DNS entry for easier application access.
The IP address for load balancers and services can be dynamically assigned, or you can specify an existing
static IP address to use. Both internal and external static IP addresses can be assigned. This existing static
IP address is often tied to a DNS entry.
Both internal and external load balancers can be created. Internal load balancers are only assigned a
private IP address, so can't be accessed from the Internet.
Pods
Kubernetes uses pods to run an instance of your application. A pod represents a single instance of your
application. Pods typically have a 1:1 mapping with a container, although there are advanced scenarios
where a pod might contain multiple containers. These multi-container pods are scheduled together on
the same node, and allow containers to share related resources.
When you create a pod, you can define resource limits to request a certain amount of CPU or memory
resources. The Kubernetes Scheduler attempts to schedule the pods to run on a node with available
resources to meet the request. You can also specify maximum resource limits that prevent a given pod
from consuming too much compute resource from the underlying node.
Note: A best practice is to include resource limits for all pods to help the Kubernetes Scheduler under-
stand what resources are needed and permitted.
A pod is a logical resource, but the container (or containers) is where the application workloads run. Pods
are typically ephemeral, disposable resources. Therefore, individually scheduled pods miss some of the
high availability and redundancy features Kubernetes provides. Instead, pods are usually deployed and
managed by Kubernetes controllers, such as the Deployment controller.
This section introduces the core concepts that provide storage to your applications in AKS:
●● Volumes
●● Persistent volumes
●● Storage classes
●● Persistent volume claims
Volumes
Applications often need to be able to store and retrieve data. As Kubernetes typically treats individual
pods as ephemeral, disposable resources, different approaches are available for applications use and
persist data as necessary. A volume represents a way to store, retrieve, and persist data across pods and
through the application lifecycle.
Traditional volumes to store and retrieve data are created as Kubernetes resources backed by Azure
Storage. You can manually create these data volumes to be assigned to pods directly, or have Kubernetes
automatically create them. These data volumes can use Azure Disks or Azure Files:
●● Azure Disks can be used to create a Kubernetes DataDisk resource. Disks can use Azure Premium
storage, backed by high-performance SSDs, or Azure Standard storage, backed by regular HDDs. For
most production and development workloads, use Premium storage. Azure Disks are mounted as
ReadWriteOnce, so are only available to a single node. For storage volumes that can be accessed by
multiple nodes simultaneously, use Azure Files.
●● Azure Files can be used to mount an SMB 3.0 share backed by an Azure Storage account to pods. Files
let you share data across multiple nodes and pods. Files can use Azure Standard storage backed by
regular HDDs, or Azure Premium storage, backed by high-performance SSDs.
Persistent volumes
Volumes are defined and created as part of the pod lifecycle only exist until the pod is deleted. Pods
often expect their storage to remain if a pod is rescheduled on a different host during a maintenance
event, especially in StatefulSets. A persistent volume (PV) is a storage resource created and managed by
the Kubernetes API that can exist beyond the lifetime of an individual pod.
343
Azure Disks or Files are used to provide the PersistentVolume. As noted in the previous section on
Volumes, the choice of Disks or Files is often determined by the need for concurrent access to the data or
the performance tier.
A PersistentVolume can be statically created by a cluster administrator, or dynamically created by the
Kubernetes API server. If a pod is scheduled and requests storage that is not currently available, Kuber-
netes can create the underlying Azure Disk or Files storage and attach it to the pod. Dynamic provision-
ing uses a StorageClass to identify what type of Azure storage needs to be created.
Storage classes
To define different tiers of storage, such as Premium and Standard, you can create a StorageClass. The
StorageClass also defines the reclaimPolicy. This reclaimPolicy controls the behavior of the underlying
Azure storage resource when the pod is deleted and the persistent volume may no longer be required.
The underlying storage resource can be deleted, or retained for use with a future pod.
In AKS, four initial StorageClasses are created for cluster using the in-tree storage plugins:
●● default - Uses Azure StandardSSD storage to create a Managed Disk. The reclaim policy ensures that
the underlying Azure Disk is deleted when the persistent volume that used it is deleted.
●● managed-premium - Uses Azure Premium storage to create a Managed Disk. The reclaim policy again
ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted.
●● azurefile - Uses Azure Standard storage to create an Azure File Share. The reclaim policy ensures that
the underlying Azure File Share is deleted when the persistent volume that used it is deleted.
●● azurefile-premium - Uses Azure Premium storage to create an Azure File Share. The reclaim policy
ensures that the underlying Azure File Share is deleted when the persistent volume that used it is
deleted.
If no StorageClass is specified for a persistent volume, the default StorageClass is used. Take care when
requesting persistent volumes so that they use the appropriate storage you need. You can create a
StorageClass for additional needs using kubectl.
You may need to tune these cooldown values. The default cooldown values may give the impression that
the horizontal pod autoscaler isn't scaling the replica count quickly enough. For example, to more quickly
increase the number of replicas in use, reduce the --horizontal-pod-autoscaler-upscale-de-
lay when you create your horizontal pod autoscaler definitions using kubectl.
Cluster autoscaler
To respond to changing pod demands, Kubernetes has a cluster autoscaler that adjusts the number of
nodes based on the requested compute resources in the node pool. By default, the cluster autoscaler
checks the API server every 10 seconds for any required changes in node count. If the cluster autoscale
determines that a change is required, the number of nodes in your AKS cluster is increased or decreased
accordingly. The cluster autoscaler works with RBAC-enabled AKS clusters that run Kubernetes 1.10.x or
higher.
Cluster autoscaler is typically used alongside the horizontal pod autoscaler. When combined, the horizon-
tal pod autoscaler increases or decreases the number of pods based on application demand, and the
cluster autoscaler adjusts the number of nodes as needed to run those additional pods accordingly.
Scale up events
If a node does not have sufficient compute resources to run a requested pod, that pod cannot progress
through the scheduling process. The pod cannot start unless other compute resources are available
within the node pool.
When the cluster autoscaler notices pods that cannot be scheduled due to node pool resource con-
straints, the number of nodes within the node pool is increased to provide the extra compute resources.
When those additional nodes are successfully deployed and available for use within the node pool, the
pods are then scheduled to run on them.
If your application needs to scale rapidly, some pods may remain in a state waiting to be scheduled until
the new nodes deployed by the cluster autoscaler can accept the scheduled pods. For applications that
have high burst demands, you can scale with virtual nodes and Azure Container Instances.
To rapidly scale your AKS cluster, you can integrate with Azure Container Instances (ACI). Kubernetes has
built-in components to scale the replica and node count. However, if your application needs to rapidly
scale, the horizontal pod autoscaler may schedule more pods than can be provided by the existing
compute resources in the node pool. If configured, this scenario would then trigger the cluster autoscaler
to deploy additional nodes in the node pool. It may take a few minutes for those nodes to successfully
provision.
ACI lets you quickly deploy container instances without more infrastructure overhead. When you connect
with AKS, ACI becomes a secured, logical extension of your AKS cluster. The Virtual Kubelet component is
installed in your AKS cluster that presents ACI as a virtual Kubernetes node. Kubernetes can then sched-
ule pods that run as ACI instances through virtual nodes, not as pods on VM nodes directly in your AKS
cluster.
Your application requires no modification to use virtual nodes. Deployments can scale across AKS and
ACI. There is no delay when the cluster autoscaler deploys new nodes in your AKS cluster.
Virtual nodes are deployed to another subnet in the same virtual network as your AKS cluster. This virtual
network configuration allows the traffic between ACI and AKS to be secured. Like an AKS cluster, an ACI
instance is a secure, logical compute resource that is isolated from other users.
20 http://portal.azure.com/
347
4. Verify the connection to your clusterand return a list of the cluster nodes. Make sure that the status of
the nodes is Ready.
kubectl get nodes
4. Ensure there are no errors and the output shows the Deployments and Services created successfully.
Test the application
1. When the application runs, a Kubernetes service exposes the application front end to the internet. This
process can take a few minutes to complete.
2. Continue in the cloud shell to monitor the progress of the deployment.
kubectl get service azure-vote-front --watch
3. Wait until the EXTERNAL-IP address changes from pending to an actual public IP address. Use Ctrl + C
to break out of the command.
4. To see the Azure Vote app in action, open a web browser to the external IP address of your service.
21 https://docs.microsoft.com/azure/aks/kubernetes-walkthrough-portal#run-the-application
348
Knowledge check
Multiple choice
You decide to move all your services to Azure Kubernetes service. Which of the following components will
contribute to your monthly Azure charge? Select one.
Azure managed node
Pods
Customer node virtual machines
Multiple choice
Which of the following is the Kubernetes agent that processes the orchestration requests and schedules
running the requested containers? Select one.
controller
kube-proxy
kubelet
Multiple choice
You are configuring networking for the Azure Kubernetes service. Which of the following maps incoming
direct traffic to the pods? Select one.
AKS node
ClusterIP
NodePort
Learn more
You can learn more by reviewing the following.
●● Azure Kubernetes Service documentation22
●● Learn - Introduction to Kubernetes23
22 https://docs.microsoft.com/azure/aks/intro-kubernetes
23 https://docs.microsoft.com/learn/modules/intro-to-kubernetes/
350
Module 09 Lab
Lab 09a - Implement Web Apps
Lab scenario
You need to evaluate the use of Azure Web apps for hosting Contoso's web sites, hosted currently in the
company's on-premises data centers. The web sites are running on Windows servers using PHP runtime
stack. You also need to determine how you can implement DevOps practices by leveraging Azure web
apps deployment slots.
Objectives
In this lab, you will:
●● Task 1: Create an Azure web app.
●● Task 2: Create a staging deployment slot.
●● Task 3: Configure web app deployment settings.
●● Task 4: Deploy code to the staging deployment slot.
●● Task 5: Swap the staging slots.
●● Task 6: Configure and test autoscaling of the Azure web app.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
351
Objectives
In this lab, you will:
●● Task 1: Deploy a Docker image by using the Azure Container Instance
●● Task 2: Review the functionality of the Azure Container Instance
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
Objectives
In this lab, you will:
●● Task 1: Deploy an Azure Kubernetes Service cluster
●● Task 2: Deploy pods into the Azure Kubernetes Service cluster
●● Task 3: Scale containerized workloads in the Azure Kubernetes service cluster
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
353
Answers
Multiple choice
You are administering a production web app. The app requires scaling to five instances, 40GB of storage,
and a custom domain name. Which App Service Plan should you select? Select one.
Basic
■■ Standard
Premium
Explanation
Standard. The Standard App Service Plan meets the requirements at the least cost.
Multiple choice
Which of the following is not true of the App Service plan? Select one.
The App Service plan is a set of virtual server resources that run App Service apps.
The App Service pland etermines the performance characteristics of the virtual servers.
■■ The App Service plan hosts a single App Service web app.
Explanation
The App Service plan hosts a single App Service web app. A single App Service plan can host multiple App
Service web apps. In most cases, the number of apps you can run on a single plan will be limited by the
performance characteristics of the apps and the resource limitations of the plan.
Multiple choice
To get more CPU, memory, or disk space you should? Select one.
■■ Scale up
Scale out
Explanation
Scale up. Scale up gives you more CPU, memory, disk space, and more. You scale up by changing the
pricing tier of the App Service plan that your app belongs to.
Multiple choice
To configure an autoscale trigger based on average response time, you should select ... Select one.
■■ Metric-based
Time-based
User-based
Explanation
Metric-based. Metric-based rules measure application load and add or remove VMs based on that load. For
example, do this action when CPU usage is above 50%. Examples of metrics are CPU time, Average re-
sponse time, and Requests.
354
Multiple choice
Which of the following settings is not swapped when you swap an an app? Select one.
Framework version
Public certificates
■■ Scale settings
Explanation
Scale settings. Scale settings are not swapped.
Multiple choice
Which of the following is not true about App Service backups? Select one.
■■ Incremental backups are the default.
You can configure backups manually or on a schedule.
You can exclude files and folders you do not want in the backup.
Explanation
Incremental backups are the default. Full backups are the default.
Multiple choice
What method does Microsoft Azure App Service use to obtain credentials for users attempting to access
an app? Select one.
Credentials that are stored in the browser.
Pass-through authentication.
■■ Redirection to a provider endpoint.
Explanation
Redirection to a provider endpoint. Microsoft Azure App Service apps redirect requests to an endpoint that
signs in users for that provider. The App Service can automatically direct all unauthenticated users to the
endpoint that signs in users. Course: Module 4
Multiple choice
Which of the following isn't a valid automated deployment source? Select one.
Azure DevOps
GitHub
■■ SharePoint
Explanation
SharePoint. Azure currently supports Azure DevOps, GitHub, Bitbucket, OneDrive, Dropbox, and external Git
repositories.
355
Multiple choice
Which of the following is not true about container groups?
■■ Are scheduled on multiple host machines.
Consists of two containers.
Exposes a single public IP address, with one exposed port.
Explanation
Are scheduled on a multiple host machines is not correct. A container group is scheduled on a single host
machine.
Multiple choice
Which of the following is a reason to select virtual machines over containers?
■■ Virtual machines provide complete isolation from the host operating system and other VMs.
Virtual machines run the user mode portion of an operating system and can be tailored to contain just
the needed services for your app.
Virtual machines use Azure Disks for local storage for a single node.
Explanation
That's correct. Containers only provide lightweight isolation from the host and other containers but doesn't
provide as strong a security boundary as a virtual machine.
Multiple choice
All the following are true about Azure Container Instances, except?
You are billed only when the container is in use.
Containers launch is seconds.
■■ Container storage uses Azure blobs.
Explanation
ACI uses persistent storage. You can mount Azure Files shares directly to a container to retrieve and persist
state.
Multiple choice
You decide to move all your services to Azure Kubernetes service. Which of the following components will
contribute to your monthly Azure charge? Select one.
Azure managed node
Pods
■■ Customer node virtual machines
Explanation
Customer node virtual machines. You only pay for the virtual machines instances, storage, and networking
resources consumed by your Kubernetes cluster.
356
Multiple choice
Which of the following is the Kubernetes agent that processes the orchestration requests and schedules
running the requested containers? Select one.
controller
kube-proxy
■■ kubelet
Explanation
kubelet. The kubelet process the orchestration requests and schedules running the requested containers.
Multiple choice
You are configuring networking for the Azure Kubernetes service. Which of the following maps incoming
direct traffic to the pods? Select one.
AKS node
ClusterIP
■■ NodePort
Explanation
NodePort. NodePort maps incoming direct traffic to the pods.
Module 10 Administer Data Protection
Skills measured
Backup and recovery are part of Exam AZ-104: Microsoft Azure Administrator1.
Monitor and back up Azure resources (10–15%)
Implement backup and recovery
●● Create a Recovery Services vault.
●● Create and configure backup policy.
●● Perform backup and restore operations by using Azure Backup.
●● Configure and review backup reports.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for Azure Backup.
●● Configure Recovery Services Vault backup options.
1 https://docs.microsoft.com/learn/certifications/exams/az-104
358
Prerequisites
None.
Key benefits
●● Offload on-premises backup. Azure Backup offers a simple solution for backing up your on-premises
resources to the cloud. Get short and long-term backup without the need to deploy complex
on-premises backup solutions.
●● Back up Azure IaaS VMs. Azure Backup provides independent and isolated backups to guard against
accidental destruction of original data. Backups are stored in a Recovery Services vault with built-in
management of recovery points. Configuration and scalability is simple, backups are optimized, and
you can easily restore as needed.
●● Get unlimited data transfer. Azure Backup does not limit the amount of inbound or outbound data
you transfer, or charge for the data that is transferred. Outbound data refers to data transferred from
a Recovery Services vault during a restore operation. If you perform an offline initial backup using the
Azure Import/Export service to import large amounts of data, there is a cost associated with inbound
data.
●● Keep data secure. Data encryption allows for secure transmission and storage of your data in the
public cloud. You store the encryption passphrase locally, and it is never transmitted or stored in
Azure. If it is necessary to restore any of the data, only you have encryption passphrase, or key.
●● Get app-consistent backups. An application-consistent backup means a recovery point has all
required data to restore the backup copy. Azure Backup provides application-consistent backups,
which ensure additional fixes are not required to restore the data. Restoring application-consistent
data reduces the restoration time, allowing you to quickly return to a running state.
●● Retain short and long-term data. You can use Recovery Services vaults for short-term and long-term
data retention. Azure doesn't limit the length of time data can remain in a Recovery Services vault. You
can keep it for as long as you like. Azure Backup has a limit of 9999 recovery points per protected
instance.
●● Automatic storage management. Hybrid environments often require heterogeneous storage - some
on-premises and some in the cloud. With Azure Backup, there is no cost for using on-premises
storage devices. Azure Backup automatically allocates and manages backup storage, and it uses a
pay-as-you-use model, so that you only pay for the storage you consume.
359
●● Multiple storage options. Azure Backup offers two types of replication to keep your storage/data
highly available.
●● Locally redundant storage (LRS) replicates your data three times (it creates three copies of your
data) in a storage scale unit in a datacenter. All copies of the data exist within the same region. LRS
is a low-cost option for protecting your data from local hardware failures.
●● Geo-redundant storage (GRS) is the default and recommended replication option. GRS replicates
your data to a secondary region (hundreds of miles away from the primary location of the source
data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if
there is a regional outage.
Note: What are some of the reasons your organization might choose Azure Backup? Is your organization
using Azure Backup?
you govern your backups. It uses Azure workbooks and Azure Monitor Logs to help you view detailed
reports on backups. So you don't need to learn any new principles to use the varied features that
Backup Center offers. You can also discover community resources from the Backup Center.
Supported scenarios
Backup Center is currently supported for Azure VM backup, SQL in Azure VM backup, SAP HANA in Azure
VM backup, Azure Files backup, Azure Blobs backup, Azure-managed disks backup, and Azure Database
for PostgreSQL Server backup.
Get started
To get started with using Backup Center, search for Backup Center in the Azure portal and navigate to the
Backup Center dashboard.
●● The Recovery Services vault can be used to back up Azure file shares.
361
●● The Recovery Services vault can also be used to back up on-premises files and folders.
Note: Within an Azure subscription, you can create up to 25 Recovery Services vaults per region.
1. Create the recovery services vault. Within your Azure subscription, you will need to create a recov-
ery services vault for the backups.
2. Download the agent and credential file. The recovery services vault provides a link to download the
Azure Backup Agent. The Backup Agent will be installed on the local machine. There is also a creden-
tials file that is required during the installation of the agent. You must have the latest version of the
agent. Versions of the agent below 2.0.9083.0 must be upgraded by uninstalling and reinstalling the
agent.
3. Install and register agent. The installer provides a wizard to configure the installation location, proxy
server, and passphrase information. The downloaded credential file will be used to register the agent.
4. Configure the backup. Use the agent to create a backup policy including when to backup, what to
backup, how long to retain items, and settings like network throttling.
The MARS agent is a full featured agent that has many features.
●● Back up files and folders on physical or virtual Windows OS (VMs can be on-premises or in Azure).
●● No separate backup server required.
●● Not application aware; file, folder, and volume-level restore only.
●● Back up and restore content.
7. Return to your recovery services vault, check the box Already downloaded or using the latest
recovery services agent.
8. Click Download. After the vault credentials finish downloading, a pop-up asking if you want to open
or save the credentials. Click Save. If you accidentally click Open, let the dialog that attempts to open
the vault credentials, fail. You cannot open the vault credentials. Proceed to the next step. The vault
credentials are in the Downloads folder.
Note: You must have the latest version of the MARS agent. Versions of the agent below 2.0.9083.0 must
be upgraded by uninstalling and reinstalling the agent.
Install and register the agent
1. Locate and double-click the MARSagentinstaller.exe from the Downloads folder (or other saved
location). The installer provides a series of messages as it extracts, installs, and registers the Recovery
Services agent.
2. To complete the wizard, you need to:
●● Choose a location for the installation and cache folder.
●● Provide your proxy server info if you use a proxy server to connect to the internet.
●● Provide your user name and password details if you use an authenticated proxy.
●● If prompted, install any missing software.
●● Provide the downloaded vault credentials
●● Enter and save the encryption passphrase in a secure location.
3. Wait for the server registration to complete. This could take a couple of minutes.
4. The agent is now installed and your machine is registered to the vault. You're ready to configure and
schedule your backup.
Create the backup policy
1. Open the Microsoft Azure Recovery Services agent. You can find it by searching your machine for
Microsoft Azure Recovery Services.
2. If this is the first time you are using the agent there will be a Warning to create a backup policy. The
backup policy is the schedule when recovery points are taken, and the length of time the recovery
points are retained.
3. Click Schedule Backup to launch the Schedule Backup Wizard.
●● Read the Getting Started page.
●● Add items to include files and folders that you want to protect. Select just a few sample files.
Notice you can exclude files from the backup.
●● Specify the backup schedule. You can schedule daily (at a maximum rate of three times per day)
or weekly backups.
●● Select your retention policy settings. The retention policy specifies the duration for which the
backup is stored. Rather than just specifying a “flat policy” for all backup points, you can specify
different retention policies based on when the backup occurs. You can modify the daily, weekly,
monthly, and yearly retention policies to meet your needs.
●● Choose your initial backup type page as Automatically. Notice there is a choice for offline
backup.
●● Confirm your choices and Finish the wizard.
366
Knowledge check
Multiple choice
You need to backup files and folders to Azure. Which of these steps would you do first?
Download, install and register the backup agent.
Back up files and folders.
Create a recovery services vault.
Multiple choice
You are responsible for implementing server workload backups. You need to implement on-premises
backups to an Azure Recovery Vault service. What should you do? Select one.
Download and install the MARS agent, and then register the server by installing the vault credentials.
Just download and install the MARS agent.
Don't do anything. Windows Servers contain the required agent for inclusion in the Recovery Vault
service.
Multiple choice
You have created the Recovery Vault service. Now you decide to change the storage replication type to
locally redundant. In which situations can Larissa change the storage replication type?
You can change this setting at any time.
You can change this setting, but only before a Recovery Vault service starts providing protection for
items.
You cannot change this setting at any time.
Learn more
You can learn more by reviewing the following.
●● What is the Azure Backup service?2
●● About Azure file share backup3
●● Learn - Implement hybrid backup and recovery with Windows Server IaaS4
2 https://docs.microsoft.com/azure/backup/backup-overview
3 https://docs.microsoft.com/azure/backup/azure-file-share-backup-overview
4 https://docs.microsoft.com/learn/modules/implement-hybrid-backup-recovery-windows-server-iaas/
369
Skills measured
Backup and recovery are part of Exam AZ-104: Microsoft Azure Administrator5.
Monitor and back up Azure resources (10–15%)
Implement backup and recovery
●● Create a Recovery Services vault.
●● Create and configure backup policy.
●● Perform backup and restore operations by using Azure Backup.
●● Perform site-to-site recovery by using Azure Site Recovery.
●● Configure and review backup reports.
Learning objectives
In this module, you will learn how to:
●● Identify features and usage cases for different Azure backup methods.
●● Configure virtual machine snapshots and backup options.
●● Implement virtual machine backup and restore, including soft delete.
●● Compare the Azure Backup (MARS) agent to the Azure Backup Server (MABS).
●● Perform site-to-site recovery by using Azure Site Recovery.
Prerequisites
None.
5 https://docs.microsoft.com/learn/certifications/exams/az-104
370
Azure Backup
For backing up Azure VMs running production workloads, use Azure Backup. Azure Backup supports
application-consistent backups for both Windows and Linux VMs. Azure Backup creates recovery points
that are stored in geo-redundant recovery vaults. When you restore from a recovery point, you can
restore the whole VM or just specific files.
Images
Managed disks also support creating a managed custom image. You can create an image from your
custom VHD in a storage account or directly from a generalized (sysprepped) VM. This process captures a
single image. This image contains all managed disks associated with a VM, including both the OS and
data disks. This managed custom image enables creating hundreds of VMs using your custom image
without the need to copy or manage any storage accounts.
A recovery point is considered created only after both steps are completed. As a part of the upgrade, a
recovery point is created as soon as the snapshot is finished. This recovery point is used to perform a
restore. You can identify the recovery point in the Azure portal by using “snapshot” as the recovery point
type. After the snapshot is transferred to the vault, the recovery point type changes to “snapshot and
vault”.
Windows) and Azure SQL databases. Recovery Services vaults support System Center DPM, Windows
Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your backup
data, while minimizing management overhead.
●● The Recovery Services vault can be used to backup Azure virtual machines.
●● The Recovery Services vault can be used to backup on-premises virtual machines including: Hyper-V,
1. Create a recovery services vault. To back up your files and folders, you need to create a Recovery
Services vault in the region where you want to store the data. You also need to determine how you
want your storage replicated, either geo-redundant (default) or locally redundant. By default, your
vault has geo-redundant storage. If you are using Azure as a primary backup storage endpoint, use
373
the default geo-redundant storage. If you are using Azure as a non-primary backup storage endpoint,
then choose locally redundant storage, which will reduce the cost of storing data in Azure.
2. Use the Portal to define the backup. Protect your data by taking snapshots of your data at defined
intervals. These snapshots are known as recovery points, and they are stored in recovery services
vaults. If or when it is necessary to repair or rebuild a VM, you can restore the VM from any of the
saved recovery points. A backup policy defines a matrix of when the data snapshots are taken, and
how long those snapshots are retained. When defining a policy for backing up a VM, you can trigger a
backup job once a day.
3. Backup the virtual machine. The Azure VM Agent must be installed on the Azure virtual machine for
the Backup extension to work. However, if your VM was created from the Azure gallery, then the VM
Agent is already present on the virtual machine. VMs that are migrated from on-premises data centers
would not have the VM Agent installed. In such a case, the VM Agent needs to be installed.
Once you trigger the restore operation, the Backup service creates a job for tracking the restore opera-
tion. The Backup service also creates and temporarily displays notifications, so you monitor how the
backup is proceeding.
Advantages
The advantages of backing up machines and apps to MABS/DPM storage, and then backing up DPM/
MABS storage to a vault are as follows:
●● Backing up to MABS/DPM provides app-aware backups optimized for common apps. These apps
include SQL Server, Exchange, and SharePoint. Also, file/folder/volume backups, and machine state
backups. Machine state backups can be bare-metal, or system state.
●● For on-premises machines, you don't need to install the MARS agent on each machine you want to
back up. Each machine runs the DPM/MABS protection agent, and the MARS agent runs on the
MABS/DPM only.
●● You have more flexibility and granular scheduling options for running backups.
●● You can manage backups for multiple machines that you gather into protection groups in a single
console. Grouping machines is useful when apps are tiered over multiple machines and you want to
back them up at the same time.
Backup steps
1. Install the DPM or MABS protection agent on machines you want to protect. You then add the
machines to a DPM protection group.
2. To protect on-premises machines, the DPM or MABS server must be located on-premises.
3. To protect Azure VMs, the MABS server must be located in Azure, running as an Azure VM.
4. With DPM/MABS, you can protect backup volumes, shares, files, and folders. You can also protect a
machine's system state (bare metal), and you can protect specific apps with app-aware backup
settings.
5. When you set up protection for a machine or app in DPM/MABS, you select to back up to the MABS/
DPM local disk for short-term storage and to Azure for online protection. You also specify when the
backup to local DPM/MABS storage should run and when the online backup to Azure should run.
6. The disk of the protected workload is backed up to the local MABS/DPM disks, according to the
schedule you specified.
7. The DPM/MABS disks are backed up to the vault by the MARS agent that's running on the DPM/
MABS server.
4. To restore the soft-deleted VM, it must first be undeleted. To undelete, choose the soft-deleted VM,
and then select the option Undelete. At this point, you can also restore the VM by selecting Restore
VM from the chosen restore point.
5. After the undelete process is completed, the status will return to Stop backup with retain data and
then you can choose Resume backup. The Resume backup operation brings back the backup item in
the active state, associated with a backup policy selected by the user defining the backup and reten-
tion schedules.
Note: Soft delete only protects deleted backup data. If a VM is deleted without a backup, the soft-delete
feature won't preserve the data. All resources should be protected with Azure Backup to ensure full
resilience.
Replications Scenarios
●● Replicate Azure VMs from one Azure region to another.
●● Replicate on-premises VMware VMs, Hyper-V VMs, physical servers (Windows and Linux), Azure Stack
VMs to Azure.
●● Replicate AWS Windows instances to Azure.
●● Replicate on-premises VMware VMs, Hyper-V VMs managed by System Center VMM, and physical
servers to a secondary site.
Features
●● Using Site Recovery, you can set up and manage replication, failover, and failback from a single
location in the Azure portal.
377
●● Replication to Azure eliminates the cost and complexity of maintaining a secondary datacenter.
●● Site Recovery orchestrates replication without intercepting application data. When you replicate to
Azure, data is stored in Azure storage, with the resilience that provides. When failover occurs, Azure
VMs are created, based on the replicated data.
●● Site Recovery provides continuous replication for Azure VMs and VMware VMs, and replication
frequency as low as 30 seconds for Hyper-V.
●● You can replicate using recovery points with application-consistent snapshots. These snapshots
capture disk data, all data in memory, and all transactions in process.
●● You can run planned failovers for expected outages with zero-data loss, or unplanned failovers with
minimal data loss (depending on replication frequency) for unexpected disasters. You can easily fail
back to your primary site when it's available again.
●● Site Recovery integrates with Azure for simple application network management, including reserving
IP addresses, configuring load-balancers, and integrating Azure Traffic Manager for efficient network
switchovers.
Note: Are you considering using Azure Site Recovery and are you interested in any of these specific
features? Which one is most important to you?
Knowledge Check
Multiple choice
You are responsible for creating a disaster recovery plan for your data center. You must be able to recreate
virtual machines from scratch. This includes the Operating System, its configuration/ settings, and patches.
Which of the following will provide a bare metal backup of your machines? Select one.
Azure Backup (MARS) agent
Enable disk snapshots
Azure Backup Server
Multiple choice
You have several Azure VMs that are currently running production workloads. You have a mix of Windows
Server and Linux servers and you need to implement a backup strategy for your production workloads.
Which feature should you use in this case? Select one.
Managed snapshots.
Azure Backup.
Azure Site Recovery.
Multiple choice
You plan to use Azure Backup to protect your virtual machines and data and are ready to create a backup.
What is the first thing you need to do? Select one.
Create a Recovery Services vault.
Create a Backup policy.
Install the Azure VM Agent.
379
Multiple choice
You deploy several virtual machines to Azure. You are responsible for backing up all data processed by the
VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these options
would you recommend to restore a database used for development on a data disk? Select one.
Virtual machine backup
Azure Site Recovery
Disk snapshot
Multiple choice
You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed
by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these
options would you recommend to restore the entire virtual machine or files on the virtual machine? Select
one.
Virtual machine backup
Disk image backup
Disk snapshot
Multiple choice
Your organization needs a way to create application aware snapshots, and backup Linux virtual machines
and VMware virtual machines. You have files, folders, volumes, and workloads to protect. You recommend
which of the following solutions? Select one.
Azure Backup Server
Enable disk snapshots
Enable backup for individual Azure VMs
Learn more
You can learn more by reviewing the following.
●● An overview of Azure VM backup6
●● Azure Backup Center7
●● Azure Site Recovery documentation8.
●● Learn - Protect your virtual machines by using Azure Backup9
●● Learn - Implement hybrid backup and recovery with Windows Server IaaS10
●● Learn - Protect your Azure infrastructure with Azure Site Recovery11
●● Learn - Protect your on-premises infrastructure from disasters with Azure Site Recovery12
6 https://docs.microsoft.com/azure/backup/backup-azure-vms-introduction
7 https://docs.microsoft.com/azure/backup/backup-center-overview
8 https://docs.microsoft.com/azure/site-recovery/site-recovery-overview
9 https://docs.microsoft.com/learn/modules/protect-virtual-machines-with-azure-backup/
10 https://docs.microsoft.com/learn/modules/implement-hybrid-backup-recovery-windows-server-iaas/
11 https://docs.microsoft.com/learn/modules/protect-infrastructure-with-site-recovery/
12 https://docs.microsoft.com/learn/modules/protect-on-premises-infrastructure-with-azure-site-recovery/
381
Module 10 Lab
Lab 10 - Backup virtual machines
Lab scenario
You have been tasked with evaluating the use of Azure Recovery Services for backup and restore of files
hosted on Azure virtual machines and on-premises computers. In addition, you want to identify methods
of protecting data stored in the Recovery Services vault from accidental or malicious data loss.
Objectives
In this lab, you will:
●● Task 1: Provision the lab environment.
●● Task 2: Create a Recovery Services vault.
●● Task 3: Implement Azure virtual machine-level backup.
●● Task 4: Implement File and Folder backup.
●● Task 5: Perform file recovery by using Azure Recovery Services agent.
●● Task 6: Perform file recovery by using Azure virtual machine snapshots.
●● Task 7: Review the Azure Recovery Services soft delete functionality.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
382
383
Answers
Multiple choice
You need to backup files and folders to Azure. Which of these steps would you do first?
Download, install and register the backup agent.
Back up files and folders.
■■ Create a recovery services vault.
Explanation
First, create a recovery services vault. Second, download, install and register the backup agent. Lastly,
backup your files and folders.
Multiple choice
You are responsible for implementing server workload backups. You need to implement on-premises
backups to an Azure Recovery Vault service. What should you do? Select one.
■■ Download and install the MARS agent, and then register the server by installing the vault credentials.
Just download and install the MARS agent.
Don't do anything. Windows Servers contain the required agent for inclusion in the Recovery Vault
service.
Explanation
Download and install the MARS agent, and then register the server by installing the vault credentials. You
can download all the required components direct from the Azure portal.
Multiple choice
You have created the Recovery Vault service. Now you decide to change the storage replication type to
locally redundant. In which situations can Larissa change the storage replication type?
You can change this setting at any time.
■■ You can change this setting, but only before a Recovery Vault service starts providing protection for
items.
You cannot change this setting at any time.
Explanation
You can change this setting, but only before a Recovery Vault service starts providing protection for items.
Multiple choice
You are responsible for creating a disaster recovery plan for your data center. You must be able to
recreate virtual machines from scratch. This includes the Operating System, its configuration/ settings,
and patches. Which of the following will provide a bare metal backup of your machines? Select one.
Azure Backup (MARS) agent
Enable disk snapshots
■■ Azure Backup Server
Explanation
Azure Backup Server provides a bare metal backup capability.
384
Multiple choice
You have several Azure VMs that are currently running production workloads. You have a mix of Windows
Server and Linux servers and you need to implement a backup strategy for your production workloads.
Which feature should you use in this case? Select one.
Managed snapshots.
■■ Azure Backup.
Azure Site Recovery.
Explanation
Azure Backup is the best option for your production workloads.
Multiple choice
You plan to use Azure Backup to protect your virtual machines and data and are ready to create a backup.
What is the first thing you need to do? Select one.
■■ Create a Recovery Services vault.
Create a Backup policy.
Install the Azure VM Agent.
Explanation
Create Recovery Services vault. When performing a virtual machine backup, you must first create a Recov-
ery Services vault in the region where you want to store the data. Recovery points are stored in the Recovery
Services vault. While creating a backup policy is a good practice, it is not a dependency to creating a
backup. The Azure VM agent is required on an Azure virtual machine for the Backup extension to work.
However, if the VM was created from the Azure gallery, then the VM Agent is already present on the virtual
machine.
Multiple choice
You deploy several virtual machines to Azure. You are responsible for backing up all data processed by
the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these
options would you recommend to restore a database used for development on a data disk? Select one.
Virtual machine backup
Azure Site Recovery
■■ Disk snapshot
Explanation
Disk snapshot. You can use snapshots to quickly restore the database data disks.
385
Multiple choice
You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed
by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these
options would you recommend to restore the entire virtual machine or files on the virtual machine?
Select one.
■■ Virtual machine backup
Disk image backup
Disk snapshot
Explanation
Use Azure Backup to restore a VM to a specific point in time, and to restore individual files. Azure Backup
supports application-consistent backups for both Windows and Linux VMs.
Multiple choice
Your organization needs a way to create application aware snapshots, and backup Linux virtual machines
and VMware virtual machines. You have files, folders, volumes, and workloads to protect. You recommend
which of the following solutions? Select one.
■■ Azure Backup Server
Enable disk snapshots
Enable backup for individual Azure VMs
Explanation
Azure backup server provides app aware snapshots, support for Linux virtual machines and VMware virtual
machines. Backup server can protect files, folders, volumes, and workloads.
Module 11 Administer Monitoring
Skills measured
Azure Monitor is part of Exam AZ-104: Microsoft Azure Administrator1.
Monitor and back up Azure resources (10–15%)
Monitor resources by using Azure Monitor
●● Configure and interpret metrics
●● Configure Azure Monitor logs
1 https://docs.microsoft.com/learn/certifications/exams/az-104
388
Learning objectives
In this module, you will learn how to:
●● Identify the features and usage cases for Azure Monitor.
●● Configure and interpret metrics and logs.
●● Identify the Azure Monitor components and data types.
●● Configure the Activity Log.
Prerequisites
None.
●● Monitor and visualize metrics. Metrics are numerical values available from Azure resources helping
you understand the health, operation and performance of your system.
●● Query and analyze logs. Logs are activity logs, diagnostic logs, and telemetry from monitoring
solutions; analytics queries help with troubleshooting and visualizations.
●● Setup alerts and actions. Alerts notify you of critical conditions and potentially take automated
corrective actions based on triggers from metrics or logs.
On the right side of the diagram, are the different functions that Azure Monitor performs with this
collected data such as analysis, alerting, and streaming to external systems.
Metrics
For many Azure resources, the data collected by Azure Monitor is displayed on the Overview page in the
Azure portal. For example, virtual machines have several charts displaying performance metrics. Click on
any of the graphs to open the data in Metric explorer in the Azure portal, which allows you to chart the
values of multiple metrics over time. You can view the charts interactively or pin them to a dashboard to
view them with other visualizations.
2 https://docs.microsoft.com/azure/azure-monitor/platform/data-collection
390
Logs
Log data collected by Azure Monitor is stored in Log Analytics which includes a rich query language3 to
quickly retrieve, consolidate, and analyze collected data. You can create and test queries using the Log
Analytics page in the Azure portal. You can use the query results to directly analyze the data. save queries,
visualize the data, or create alert rules.
Azure Monitor uses a version of the Data Explorer4 query language that is suitable for simple log queries
but also includes advanced functionality such as aggregations, joins, and smart analytics. You can quickly
learn the query language using multiple lessons. Particular guidance is provided to users who are already
familiar with SQL and Splunk.
3 https://docs.microsoft.com/azure/azure-monitor/log-query/log-query-overview
4 https://docs.microsoft.com/azure/kusto/query/
391
Azure Monitor starts collecting data as soon as you create an Azure subscription and add resources.
Activity Logs record when resources are created or modified. Metrics tell you how the resource is per-
forming and the resources it is consuming.
Extend the data you're collecting into the actual operation of the resources by enabling diagnostics and
adding an agent to compute resources. Extending your data sources will collect data for the internal
operation of the resource. It will also let you configure different data sources to collect logs and metrics
from Windows and Linux guest operating systems.
Note: Azure Monitor can collect log data from any REST client using the Data Collector API. The Data
Collector API lets you create custom monitoring scenarios and extend monitoring to resources that don't
expose data through other sources.
Note: Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date
isn't more than 90 days in the past. You can retrieve events from your Activity Log using the Azure portal,
CLI, PowerShell cmdlets, and Azure Monitor REST API.
392
Event categories
●● Administrative. This category contains the record of all create, update, delete, and action operations
performed through Resource Manager. Examples of the types of events you would observe in this
category include “create virtual machine” and "delete network security group". The Administrative
category also includes any changes to role-based access control in a subscription.
●● Service Health. This category contains the record of any service health incidents that have occurred
in Azure. An example of the type of event you would observe in this category is “SQL Azure in East US
is experiencing downtime.” Service health events come in five varieties: Action Required, Assisted
Recovery, Incident, Maintenance, Information, or Security.
●● Resource Health. This category contains the record of any resource health events that have occurred
to your Azure resources. An example of the type of event you would see in this category is “Virtual
Machine health status changed to unavailable.” Resource health events can represent one of four
health statuses: Available, Unavailable, Degraded, and Unknown.
●● Alert. This category contains the record of all activations of Azure alerts. An example of the type of
event you would observe in this category is “CPU % on myVM has been over 80 for the past 5 min-
utes.”
●● Autoscale. This category contains the record of any events related to the operation of the autoscale
engine based on any autoscale settings you have defined in your subscription. An example of the type
of event you would observe in this category is “Autoscale scale up action failed.”
393
●● Recommendation. This category contains recommendation events from certain resource types, such
as web sites and SQL servers. These events offer recommendations for how to better utilize your
resources.
●● Security. This category contains the record of any alerts generated by Azure Defender for Servers. An
example of the type of event you would observe in this category is “Suspicious double extension file
executed.”
●● Policy. This category contains records of all effect action operations performed by Azure Policy.
Examples of the types of events you would see in this category include Audit and Deny.
Note: Once you have defined a set of filters, you can pin the filtered state to the dashboard or download
the search results as a CSV file.
Knowledge check
Multiple choice
You need to determine who deleted a network security group through Resource Manager. You are viewing
the Activity Log when another Azure Administrator says you should use this event category to narrow your
search. Select one.
Administrative
Service Health
Policy
Multiple choice
What is the shared underlying logging data platform for Azure Sentinel and Azure Security Center?
Activity Logs
Azure Monitor Logs
Diagnostic Settings
Multiple choice
What data does Azure Monitor collect?
Data from a variety of sources, such as the application event log, the operating system (Windows and
Linux), Azure resources, and custom data sources
Azure billing details
Backups of database transaction logs
394
Multiple choice
What two fundamental types of data does Azure Monitor collect?
Metrics and logs
Username and password
Email notifications and errors
Learn more
You can learn more by reviewing the following.
●● Azure Monitor documentation5
●● Learn - Monitor and report on security events in Azure AD6
●● Learn - Monitor performance of virtual machines by using Azure Monitor for VMs7
●● Learn - Monitor, diagnose, and troubleshoot your Azure storage8
●● Learn - Design a holistic monitoring strategy on Azure9
5 https://docs.microsoft.com/azure/azure-monitor/
6 https://docs.microsoft.com/learn/modules/monitor-report-aad-security-events/
7 https://docs.microsoft.com/learn/modules/monitor-performance-using-azure-monitor-for-vms/
8 https://docs.microsoft.com/learn/modules/monitor-diagnose-and-troubleshoot-azure-storage/
9 https://docs.microsoft.com/learn/modules/design-monitoring-strategy-on-azure/
395
Skills measured
Configuring alerts and actions is part of the Exam AZ-104: Microsoft Azure Administrator10.
Monitor and back up Azure resources (10–15%)
Monitor resources by using Azure Monitor
●● Set up alerts and actions.
Learning objectives
In this module, you will learn how to:
●● Configure Azure Monitor alerts.
●● Create alert rules and action groups.
Prerequisites
None.
10 https://docs.microsoft.com/learn/certifications/exams/az-104
396
Managing Alerts
You can alert on metrics and logs as described in monitoring data sources. These include but are not
limited to:
●● Metric values
●● Log search queries
●● Activity Log events
●● Health of the underlying Azure platform
●● Tests for web site availability
Alert states
You can set the state of an alert to specify where it is in the resolution process. When the criteria specified
in the alert rule is met, an alert is created or fired, it has a status of New. You can change the status when
you acknowledge an alert and when you close it. All state changes are stored in the history of the alert.
The following alert states are supported.
397
State Description
New The issue has been detected and has not yet been
reviewed.
Acknowledged An administrator has reviewed the alert and
started working on it.
Closed The issue has been resolved. After an alert has
been closed, you can reopen it by changing it to
another state.
Note: Alert state is different and independent of the monitor condition. Alert state is set by the user.
Monitor condition is set by the system. When an alert fires, the alert's monitor condition is set to fired.
When the underlying condition that caused the alert to fire clears, the monitor condition is set to re-
solved. The alert state isn't changed until the user changes it.
Alert rules are separated from alerts and the actions that are taken when an alert fires. The alert rule
captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts
only fire when enabled. The key attributes of an alert rule are:
●● Target Resource – Defines the scope and signals available for alerting. A target can be any Azure
resource. Example targets: a virtual machine, a storage account, a virtual machine scale set, a Log
Analytics workspace, or an Application Insights resource. For certain resources (like Virtual Machines),
you can specify multiple resources as the target of the alert rule.
●● Signal – Signals are emitted by the target resource and can be of several types. Metric, Activity log,
Application Insights, and Log.
398
●● Criteria – Criteria is a combination of Signal and Logic applied on a Target resource. Examples: *
Percentage CPU > 70%; Server Response Time > 4 ms; and Result count of a log query > 100.
●● Alert Name – A specific name for the alert rule configured by the user.
●● Alert Description – A description for the alert rule configured by the user.
●● Severity – The severity of the alert once the criteria specified in the alert rule is met. Severity can
range from 0 to 4.
●● Action – A specific action taken when the alert is fired.
●● Email Azure Resource Manager role – Send email to the members of the subscription's role. Email
will only be sent to Azure AD user members of the role. Email will not be sent to Azure AD groups or
service principals.
●● Email/SMS message/Push/Voice - Specify any email, SMS, push, or voice actions.
Actions configure the method in which actions are performed when the action group triggers.
●● Automation runbook - An automation runbook is the ability to define, build, orchestrate, manage,
and report on workflows that support system and network operational processes. A runbook workflow
can potentially interact with all types of infrastructure elements, such as applications, databases, and
hardware.
399
●● Azure Function – Azure functions is a serverless compute service that lets you run event-triggered
code without having to explicitly provision or manage infrastructure.
●● ITSM – Connect Azure and a supported IT Service Management (ITSM) product/service. This requires
an ITSM Connection.
●● Logic App – Logic apps connect your business-critical apps and services by automating your work-
flows.
●● Webhook – A webhook is a HTTPS or HTTP endpoint that allows external applications to communi-
cate with your system.
Demonstration - Alerts
In this demonstration, we will create an alert rule.
Create an alert rule
1. In Azure portal, click on Monitor. The Monitor blade consolidates all your monitoring settings and
data in one view.
2. Click Alerts then click + New alert rule. As most resource blades also have Alerts in their resource
menu under Monitoring, you could create alerts from there as well.
Explore alert targets
1. Click Select under Target, to select a target resource that you want to alert on. Use Subscription and
Resource type drop-downs to find the resource you want to monitor. You can also use the search bar
to find your resource.
2. If the selected resource has metrics you can create alerts on, Available signals on the bottom right will
include metrics. You can view the full list of resource types supported for metric alerts in this article.
3. Click Done when you have made your selection.
Explore alert conditions
1. Once you have selected a target resource, click on Add condition.
2. You will observe a list of signals supported for the resource, select the metric you want to create an
alert on.
3. Optionally, refine the metric by adjusting Period and Aggregation. If the metric has dimensions, the
Dimensions table will be presented.
4. Observe a chart for the metric for the last 6 hours. Adjust the Show history drop-down.
5. Define the Alert logic. This will determine the logic which the metric alert rule will evaluate.
6. If you are using a static threshold, the metric chart can help determine what might be a reasonable
threshold. If you are using a Dynamic Thresholds, the metric chart will display the calculated thresh-
olds based on recent data.
7. Click Done.
8. Optionally, add another criteria if you want to monitor a complex alert rule.
Explore alert details
1. Fill in Alert details like Alert Rule Name, Description and Severity.
2. Add an action group to the alert either by selecting an existing action group or creating a new action
group.
400
Knowledge check
Multiple choice
Your organization has an app that is used across the business. The performance of this app is critical to
day-to-day operations. Because the app is so important, four IT administrators have been identified to
address any issues. You have configured an alert and need to ensure the administrators are notified if there
is a problem. In which area of the portal will you provide the administrator email addresses? Select one.
Activity log
Performance group
Action Group
Multiple choice
You are reviewing the Alerts page and notice an alert has been Acknowledged. What does this mean? Select
one.
An administrator has reviewed the alert and started working on it.
The issue has been resolved.
The issue has been closed.
Multiple choice
What's the composition of an alert rule? Select one.
Resource, condition, log, alert type
Metrics, logs, application, operating system
Resource, condition, actions, alert details
Multiple choice
Which of the following is an example of a log data type?
HTTP response records
Percentage of CPU over time
Website requests per hour
401
Learn more
You can learn more by reviewing the following.
●● The new alerts experience in Azure Monitor11
●● Learn - Improve incident response with alerting on Azure12
●● Learn - Manage alerts and incidents in Microsoft Defender for Endpoint13
●● Learn - Configure alerts and detections in Microsoft Defender for Endpoint14
●● Learn - Monitor the health of your Azure virtual machine by using Azure Metrics Explorer and
metric alerts15
11 https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-overview-unified-alerts
12 https://docs.microsoft.com/learn/modules/incident-response-with-alerting-on-azure/
13 https://docs.microsoft.com/learn/modules/manage-alerts-incidents-microsoft-defender-for-endpoints/
14 https://docs.microsoft.com/learn/modules/incident-response-with-alerting-on-azure/
15 https://docs.microsoft.com/learn/modules/monitor-azure-vm-using-diagnostic-data/
402
Skills measured
Log Analytics querying is part of Exam AZ-104: Microsoft Azure Administrator16.
Monitor and back up Azure resources (10–15%)
Monitor resources by using Azure Monitor
●● Query and analyze logs.
Learning objectives
In this module, you will learn how to:
●● Identify the features and usage cases for Log Analytics.
●● Create a Log Analytics workspace and configure connected and data sources.
●● Structure a Log Analytics query and review results.
Prerequisites
None.
16 https://docs.microsoft.com/learn/certifications/exams/az-104
403
Create a Workspace
To get started with Log Analytics you need to add a workspace.
404
This following diagram shows how Connected Sources flow data to the Log Analytics service.
17 https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents
18 https://docs.microsoft.com/azure/log-analytics/log-analytics-linux-agents
19 https://docs.microsoft.com/azure/log-analytics/log-analytics-om-agents
20 https://docs.microsoft.com/azure/log-analytics/log-analytics-azure-storage
405
When you configure the Log Analytics settings, the available data sources are shown. Data sources
include: Windows Event Logs, Windows Performance Counters, Linux Performance Counters, IIS Logs,
Custom Fields, Custom Logs, and Syslog. Each data source has additional configuration options. For
example, the Windows Event Log can be configured to forward Error, Warning, or Informational messag-
es.
406
To give a quick graphical view of the health of your overall environment, you can add visualizations for
saved log searches to your dashboard. To analyze data outside of Log Analytics, you can export the data
from the repository into tools such as Power BI or Excel. You can also use the Log Search API to build
custom solutions.
Some common query tables are: Event, Syslog, Heartbeat, and Alert.
The basic structure of a query is a source table followed by a series of operators separated by a pipe
character |. You can chain together multiple operators to refine the data and perform advanced functions.
For example, this query returns a count of the top 10 errors in the Event log during the last day. The
results are in descending order.
Event
| where (EventLevelName == "Error")
| where (TimeGenerated > ago(1days))
| summarize ErrorCount = count() by Computer
| top 10 by ErrorCount desc
●● summarize - Produces a table that aggregates the content of the input table.
T | summarize count(), avg(price) by fruit, supplier
21 https://docs.microsoft.com/azure/azure-monitor/log-query/query-language
408
Knowledge check
Multiple choice
How does Azure Monitor organize log data for queries?
Azure Monitor organizes log data into tables.
Azure Monitor organizes log data into tabular operators.
Azure Monitor organizes log data into the Kusto Query Language.
Multiple choice
Your organization has a very large web farm with more than 100 virtual machines. You would like to use
Log Analytics to ensure these machines are responding to requests. You plan to automate the process, so
you create a search query. You begin the query by identifying the source table. Which source table do you
use? Select one.
Event
SysLog
Heartbeat
22 https://portal.loganalytics.io/demo
409
Multiple choice
Your organization has several Linux virtual machines. You would like to use Log Analytics to retrieve error
messages for these machines. You plan to automate the process, so you create a search query. You begin the
query by identifying the source table. Which source table do you use? Select one.
SysLog
Heartbeat
Alert
Learn more
You can learn more by reviewing the following.
●● Overview of Log Analytics in Azure Monitor23
●● Log Analytics tutorial24
●● Learn - Analyze your Azure infrastructure by using Azure Monitor logs25
●● Learn - Monitor performance of virtual machines by using Azure Monitor for VMs26
23 https://docs.microsoft.com/azure/azure-monitor/logs/log-analytics-overview
24 https://docs.microsoft.com/azure/azure-monitor/logs/log-analytics-tutorial
25 https://docs.microsoft.com/learn/modules/analyze-infrastructure-with-azure-monitor-logs/
26 https://docs.microsoft.com/en-us/learn/modules/monitor-performance-using-azure-monitor-for-vms/
410
Skills measured
Network watcher is part of Exam AZ-104: Microsoft Azure Administrator27.
Configure and manage virtual networking (25–30%)
Monitor and troubleshoot virtual networking
●● Configure and use Network Performance Monitor.
●● Configure Azure Network Watcher.
Learning objectives
In this module, you will learn how to:
●● Identify the features and usage cases for Azure Network Watcher.
●● Configure diagnostic capabilities like IP Flow Verify, Next Hop, and Network Topology.
Prerequisites
None.
27 https://docs.microsoft.com/learn/certifications/exams/az-104
411
capture by setting alerts, and gain access to real-time performance information at the packet level.
When you observe an issue, you can investigate in detail for better diagnoses.
●● Gain insight into your network traffic using flow logs. Build a deeper understanding of your
network traffic pattern using Network Security Group flow logs. Information provided by flow logs
helps you gather data for compliance, auditing and monitoring your network security profile.
●● Diagnose VPN connectivity issues. Network Watcher provides you the ability to diagnose your most
common VPN Gateway and Connections issues. Allowing you, not only, to identify the issue but also
to use the detailed logs created to help further investigate.
Verify IP Flow: Quickly diagnose connectivity issues from or to the internet and from or to the on-prem-
ises environment. For example, confirming if a security rule is blocking ingress or egress traffic to or from
a virtual machine. IP flow verify is ideal for making sure security rules are being correctly applied. When
used for troubleshooting, if IP flow verify doesn’t show a problem, you will need to explore other areas
such as firewall restrictions.
Next Hop: To determine if traffic is being directed to the intended destination by showing the next hop.
This will help determine if networking routing is correctly configured. Next hop also returns the route
table associated with the next hop. If the route is defined as a user-defined route, that route is returned.
Otherwise, next hop returns System Route. Depending on your situation the next hop could be Internet,
Virtual Appliance, Virtual Network Gateway, VNet Local, VNet Peering, or None. None lets you know that
while there may be a valid system route to the destination, there is no next hop to route the traffic to the
destination. When you create a virtual network, Azure creates several default outbound routes for
network traffic. The outbound traffic from all resources, such as VMs, deployed in a virtual network, are
routed based on Azure's default routes. You might override Azure's default routes or create additional
routes.
VPN Diagnostics: Troubleshoot gateways and connections. VPN Diagnostics returns a wealth of informa-
tion. Summary information is available in the portal and more detailed information is provided in log files.
The log files are stored in a storage account and include things like connection statistics, CPU and
memory information, IKE security errors, packet drops, and buffers and events.
NSG Flow Logs: NSG Flow Logs maps IP traffic through a network security group. These capabilities can
be used in security compliance and auditing. You can define a prescriptive set of security rules as a model
for security governance in your organization. A periodic compliance audit can be implemented in a
programmatic way by comparing the prescriptive rules with the effective rules for each of the VMs in
your network.
Connection Troubleshoot. Azure Network Watcher Connection Troubleshoot is a more recent addition
to the Network Watcher suite of networking tools and capabilities. Connection Troubleshoot enables you
to troubleshoot network performance and connectivity issues in Azure.
412
Note: To use Network Watcher, you must be an Owner, Contributor, or Network Contributor. If you
create a custom role, the role must be able to read, write, and delete the Network Watcher.
Note: IP Flow Verify is ideal for making sure security rules are being correctly applied. When used for
troubleshooting, if IP Flow Verify doesn’t show a problem, you will need to explore other areas such as
firewall restrictions.
Next Hop also returns the route table associated with the next hop. If the route is defined as a user-de-
fined route, that route is returned. Otherwise, Next Hop returns the system route. Depending on your
situation, the next hop could be the Internet, Virtual Appliance, Virtual Network Gateway, VNet Local,
VNet Peering, or None. A returned value of None lets you know that there may be a valid system route to
the destination, there is no next hop to route the traffic to the destination.
The topology tool generates a graphical display of your Azure virtual network, its resources, its intercon-
nections, and their relationships with each other.
Note: To generate the topology, you need a Network Watcher instance in the same region as the virtual
network.
Knowledge check
Multiple choice
You are analyzing the company virtual network and think it would be helpful to get a visual representation
of the networking elements. Which feature can you use? Select one.
Network Watcher Next Hop
Network Watcher Views
Network Watcher Topology
Multiple choice
Your company has a website and users are reporting connectivity errors and timeouts. You suspect that a
security rule may be blocking traffic to or from one of the virtual machines. You need to quickly trouble-
shoot the problem, so you do which of the following? Select one.
Use Network Watcher's VPN Diagnostics feature.
Use Network Watcher's IP Flow Verify feature.
Configure Windows performance counters and use Performance Monitor.
Multiple choice
To capture traffic on a VM, Azure Network Watcher requires:
An Azure storage account
Azure Traffic Manager
Network Watcher Agent VM Extension
Learn more
You can learn more by reviewing the following.
●● Azure Network Watcher documentation28
●● Network Performance Monitor solution in Azure29
●● Learn - Monitor and troubleshoot your end-to-end Azure network infrastructure by using
network monitoring tools30
28 https://docs.microsoft.com/azure/network-watcher/
29 https://docs.microsoft.com/azure/azure-monitor/insights/network-performance-monitor
30 https://docs.microsoft.com/learn/modules/troubleshoot-azure-network-infrastructure/
416
Module 11 Lab
Lab 11 - Implement Monitoring
Lab scenario
You need to evaluate Azure functionality that would provide insight into performance and configuration
of Azure resources, focusing in particular on Azure virtual machines. To accomplish this, you intend to
examine the capabilities of Azure Monitor, including Log Analytics.
Objectives
In this lab, you will:
●● Task 1: Provision the lab environment.
●● Task 2: Create and configure an Azure Log Analytics workspace and Azure Automation-based solu-
tions.
●● Task 3: Review default monitoring settings of Azure virtual machines.
●● Task 4: Configure Azure virtual machine diagnostic settings.
●● Task 5: Review Azure Monitor functionality.
●● Task 6: Review Azure Log Analytics functionality.
Note: Consult with your instructor for how to access the lab instructions and lab environment (if provid-
ed).
417
Answers
Multiple choice
You need to determine who deleted a network security group through Resource Manager. You are
viewing the Activity Log when another Azure Administrator says you should use this event category to
narrow your search. Select one.
■■ Administrative
Service Health
Policy
Explanation
Administrative. This category contains the record of all create, update, delete, and action operations
performed through Resource Manager. Examples of the types of events you would observe in this category
include "create virtual machine" and "delete network security group". The Administrative category also
includes any changes to role-based access control in a subscription.
Multiple choice
What is the shared underlying logging data platform for Azure Sentinel and Azure Security Center?
Activity Logs
■■ Azure Monitor Logs
Diagnostic Settings
Explanation
Azure Monitor Logs. Several services in Azure including Sentinel and Security Center use Azure Monitor Logs
as their underlying logging data platform.
Multiple choice
What data does Azure Monitor collect?
■■ Data from a variety of sources, such as the application event log, the operating system (Windows and
Linux), Azure resources, and custom data sources
Azure billing details
Backups of database transaction logs
Explanation
Data from a variety of sources, such as the application event log, the operating system (Windows and
Linux), Azure resources, and custom data sources.
Multiple choice
What two fundamental types of data does Azure Monitor collect?
■■ Metrics and logs
Username and password
Email notifications and errors
Explanation
Metrics and logs. Azure Monitor collects two types of data: metrics and logs. Metrics are numerical values
that describe some aspect of a system at a particular time. Logs contain different kinds of data, such as
event information, organized into records.
418
Multiple choice
Your organization has an app that is used across the business. The performance of this app is critical to
day-to-day operations. Because the app is so important, four IT administrators have been identified to
address any issues. You have configured an alert and need to ensure the administrators are notified if
there is a problem. In which area of the portal will you provide the administrator email addresses? Select
one.
Activity log
Performance group
■■ Action Group
Explanation
Action Group. When creating the alert, you will select Email as the Action Type. You will then be able to
provide the administrator email addresses as part of the Action Group.
Multiple choice
You are reviewing the Alerts page and notice an alert has been Acknowledged. What does this mean?
Select one.
■■ An administrator has reviewed the alert and started working on it.
The issue has been resolved.
The issue has been closed.
Explanation
An administrator has reviewed the alert and started working on it. An alert status of Acknowledged means
an administrator has reviewed the alert and started working on it. Alert state is different and independent of
the monitor condition. Alert state is set by the user. Monitor condition is set by the system.
Multiple choice
What's the composition of an alert rule? Select one.
Resource, condition, log, alert type
Metrics, logs, application, operating system
■■ Resource, condition, actions, alert details
Explanation
Resource, condition, actions, alert details. These elements make up an alert rule.
Multiple choice
Which of the following is an example of a log data type?
■■ HTTP response records
Percentage of CPU over time
Website requests per hour
Explanation
HTTP response records. HTTP response records are examples of log data types.
419
Multiple choice
How does Azure Monitor organize log data for queries?
■■ Azure Monitor organizes log data into tables.
Azure Monitor organizes log data into tabular operators.
Azure Monitor organizes log data into the Kusto Query Language.
Explanation
Azure Monitor organizes log data into tables. Azure Monitor organizes log data in tables, each composed of
multiple columns. Every query contains data that's organized into a hierarchy similar to SQL (databases,
tables, and columns).
Multiple choice
Your organization has a very large web farm with more than 100 virtual machines. You would like to use
Log Analytics to ensure these machines are responding to requests. You plan to automate the process, so
you create a search query. You begin the query by identifying the source table. Which source table do
you use? Select one.
Event
SysLog
■■ Heartbeat
Explanation
The Heartbeat table will help you identify computers that haven't had a heartbeat in a specific time frame,
for example, the last six hours.
Multiple choice
Your organization has several Linux virtual machines. You would like to use Log Analytics to retrieve error
messages for these machines. You plan to automate the process, so you create a search query. You begin
the query by identifying the source table. Which source table do you use? Select one.
■■ SysLog
Heartbeat
Alert
Explanation
Syslog is an event logging protocol that is common to Linux. Syslog includes information such as error
messages.
Multiple choice
You are analyzing the company virtual network and think it would be helpful to get a visual representa-
tion of the networking elements. Which feature can you use? Select one.
Network Watcher Next Hop
Network Watcher Views
■■ Network Watcher Topology
Explanation
Network Watcher's Topology feature provides a visual representation of your networking elements.
420
Multiple choice
Your company has a website and users are reporting connectivity errors and timeouts. You suspect that a
security rule may be blocking traffic to or from one of the virtual machines. You need to quickly trouble-
shoot the problem, so you do which of the following? Select one.
Use Network Watcher's VPN Diagnostics feature.
■■ Use Network Watcher's IP Flow Verify feature.
Configure Windows performance counters and use Performance Monitor.
Explanation
IP Flow Verify. Diagnosing connectivity issues is ideal for Network Watcher's IP Flow Verify feature. The IP
Flow Verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or
UDP), and traffic direction (inbound or outbound). IP Flow Verify then tests the communication and informs
you if the connection succeeds or fails.
Multiple choice
To capture traffic on a VM, Azure Network Watcher requires:
An Azure storage account
Azure Traffic Manager
■■ Network Watcher Agent VM Extension
Explanation
Network Watcher Agent VM Extension. The Network Watcher Agent VM Extension is required when you
capture traffic on a VM. It's automatically installed when you start a packet capture session in the Azure
portal.