Prerequisites for Azure administrators Flashcards
What is Azure Policy?
Azure Policy is an Azure service you use to create, assign, and manage policies. These policies enforce rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by evaluating your resources for noncompliance with the assigned policies. For example, you might have a policy that allows virtual machines of only certain sizes in your environment. After this policy is assigned, new resources are evaluated at deployment time and existing resources are evaluated on a compliance scan. With the right type of policy effect (for example, deployIfNotExists or modify), existing resources can be brought into compliance rather than just reported as noncompliant.
How are Azure Policy and RBAC different?
At first glance, it might seem like Azure Policy is a way to restrict access to specific resource types similar to role-based access control (RBAC). However, they solve different problems. RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to anything in that resource group. Azure Policy focuses on resource properties during deployment and for already-existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default-allow-and-explicit-deny system.
Create a policy
- Create a policy definition
- Assign a definition to a scope of resources
- View policy evaluation results
What is a policy definition?
A policy definition expresses what to evaluate and what action to take. For example, you could ensure all public websites are secured with HTTPS, prevent a particular storage type from being created, or require a specific version of SQL Server to be used.
How are policy definitions represented?
The policy definition itself is represented as a JSON document: you can use one of the built-in definitions in the portal or create your own (either by modifying an existing one or starting from scratch).
Assign a definition to a scope of resources
Once you’ve defined one or more policy definitions, you’ll need to assign them. A policy assignment is a policy definition that has been assigned to take place within a specific scope.
This scope can range from a management group or a full subscription down to a resource group or even an individual resource. Policy assignments are inherited by all child resources. This inheritance means that if a policy is assigned to a resource group, it applies to all the resources within that resource group. However, you can exclude a sub-scope (a notScope) from the policy assignment. For example, you could enforce a policy for an entire subscription and then exclude a few select resource groups.
You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. When you assign a policy definition, you will need to supply any parameters that are defined.
initiative definition
An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.
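The create/assign/evaluate procedure above and the initiative card can be traced end to end with a small in-memory evaluator. This is an added example, not Azure's policy engine: it keeps the real JSON shape of a policy definition (a policyRule with if/then and [parameters('name')] references) and of an initiative (a set of definitions), but implements only the field, equals, in, notIn, allOf, anyOf and not conditions plus the deny and audit effects. The subscription ID, resource names, VM sizes and the rg-sandbox exclusion are constructed sample data.

```python
"""Simplified Azure Policy evaluator (added example, not Azure's engine).
Evaluates an initiative of policy definitions, assigned at a scope with
notScopes, against constructed in-memory resources."""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Two definitions in the same JSON shape the portal shows (constructed).
ALLOWED_VM_SIZES = {
    "displayName": "Allowed virtual machine sizes",
    "parameters": {"listOfAllowedSizes": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "notIn": "[parameters('listOfAllowedSizes')]"},
        ]},
        "then": {"effect": "deny"},
    },
}
ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"field": "location",
               "notIn": "[parameters('listOfAllowedLocations')]"},
        "then": {"effect": "audit"},
    },
}
INITIATIVE = [ALLOWED_VM_SIZES, ALLOWED_LOCATIONS]  # an initiative groups definitions

def resolve(value, params):
    """Replace a [parameters('x')] reference with the value supplied at assignment."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def matches(cond, resource, params):
    """Evaluate one condition of a policy rule against a resource dict."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")

def in_scope(resource_id, scope, not_scopes):
    """Assignments cover every child of the scope unless a notScope excludes it."""
    rid = resource_id.lower()
    if not rid.startswith(scope.lower()):
        return False
    return not any(rid.startswith(ns.lower()) for ns in not_scopes)

def evaluate(assignment, resources):
    """Map each resource id to {definition displayName: result}, where result is
    'compliant', the effect that fired ('deny'/'audit'), or 'excluded'."""
    report = {}
    for res in resources:
        per_def = {}
        for d in assignment["initiative"]:
            name = d["displayName"]
            if not in_scope(res["id"], assignment["scope"], assignment["notScopes"]):
                per_def[name] = "excluded"
            elif matches(d["policyRule"]["if"], res, assignment["parameters"]):
                per_def[name] = d["policyRule"]["then"]["effect"]
            else:
                per_def[name] = "compliant"
        report[res["id"]] = per_def
    return report

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id
VM = "Microsoft.Compute/virtualMachines"

def vm(rg, name, location, size):
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{VM}/{name}", "type": VM,
            "location": location, f"{VM}/sku.name": size}

RESOURCES = [  # constructed sample resources
    vm("rg-prod", "web01", "westeurope", "Standard_D2s_v3"),
    vm("rg-prod", "gpu01", "eastus", "Standard_NC6"),
    vm("rg-sandbox", "test01", "eastus", "Standard_NC6"),
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod",
     "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
]
ASSIGNMENT = {"scope": SUB, "notScopes": [f"{SUB}/resourceGroups/rg-sandbox"],
              "initiative": INITIATIVE, "parameters": {
                  "listOfAllowedSizes": ["Standard_D2s_v3", "Standard_D4s_v3"],
                  "listOfAllowedLocations": ["westeurope", "northeurope"]}}

if __name__ == "__main__":
    for rid, result in evaluate(ASSIGNMENT, RESOURCES).items():
        print(rid.rsplit("/", 1)[-1], result)
```

Running it shows web01 compliant with both definitions, gpu01 denied by the size rule and audited by the location rule, test01 excluded from both because its resource group is a notScope, and the storage account untouched by the VM-only size rule but audited for its location. The notScope check runs before the rule, which is why exclusions are the first thing to look at when a resource you expect to be blocked is not.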
Azure Management Groups
Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions. Management groups let you arrange your subscriptions hierarchically into collections, providing a level of organization above subscriptions. All subscriptions within a management group automatically inherit the role assignments and policy assignments applied to the management group. Management groups give you enterprise-grade management at scale no matter what type of subscriptions you have.
Important facts about management groups
- By default, any Azure AD user in the organization can create a management group (this can be restricted through the hierarchy settings so that only authorized users may create them). The creator is given an Owner role assignment on the new group.
- A single Azure AD organization can support 10,000 management groups.
- A management group tree can support up to six levels of depth not including the Root level or subscription level.
- Each management group can have many children.
- When your organization creates subscriptions, they are automatically added to the root management group.
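The facts above (new subscriptions land under the root, a maximum of six levels below the root, and inheritance of what is assigned higher up) can be checked with a small model of the hierarchy. This is an added example, not the Azure management API: the group names, subscription IDs and policy names are constructed, and assignments are represented as plain strings.

```python
"""Management group hierarchy model (added example, not the Azure API).
Enforces the six-level depth limit, places new subscriptions under the
tenant root group, and resolves the assignments a subscription inherits."""
MAX_DEPTH = 6  # levels below the root; the subscription level is not counted

class Hierarchy:
    def __init__(self, tenant_root="Tenant Root Group"):
        self.root = tenant_root
        self.parent = {tenant_root: None}   # management group -> parent group
        self.subscription_parent = {}       # subscription -> management group
        self.assignments = {}               # scope -> list of policy names

    def depth(self, mg):
        """Number of levels between mg and the root (root itself is 0)."""
        d = 0
        while self.parent[mg] is not None:
            mg = self.parent[mg]
            d += 1
        return d

    def create_management_group(self, name, parent=None):
        parent = parent or self.root
        if name in self.parent:
            raise ValueError(f"management group {name!r} already exists")
        if parent not in self.parent:
            raise KeyError(parent)
        level = self.depth(parent) + 1
        if level > MAX_DEPTH:
            raise ValueError(f"{name!r} would sit at level {level}; maximum is {MAX_DEPTH}")
        self.parent[name] = parent

    def create_subscription(self, sub_id):
        # New subscriptions are always added to the root management group.
        self.subscription_parent[sub_id] = self.root

    def move_subscription(self, sub_id, mg):
        if mg not in self.parent:
            raise KeyError(mg)
        self.subscription_parent[sub_id] = mg

    def assign(self, scope, policy):
        self.assignments.setdefault(scope, []).append(policy)

    def chain(self, sub_id):
        """Management groups from the subscription's parent up to the root."""
        out, mg = [], self.subscription_parent[sub_id]
        while mg is not None:
            out.append(mg)
            mg = self.parent[mg]
        return out

    def effective_assignments(self, sub_id):
        """Everything assigned at the subscription or at any ancestor group,
        nearest scope first."""
        scopes = [sub_id] + self.chain(sub_id)
        return [p for s in scopes for p in self.assignments.get(s, [])]

def build_demo():
    """Constructed hierarchy: Contoso > Landing Zones > Corp, plus Platform."""
    h = Hierarchy()
    h.create_management_group("Contoso")                          # level 1
    h.create_management_group("Platform", parent="Contoso")       # level 2
    h.create_management_group("Landing Zones", parent="Contoso")  # level 2
    h.create_management_group("Corp", parent="Landing Zones")     # level 3
    h.assign("Contoso", "Allowed locations")
    h.assign("Landing Zones", "Deny public IP")
    h.assign("Corp", "Require tag: costCenter")
    h.create_subscription("sub-corp-01")
    h.move_subscription("sub-corp-01", "Corp")
    h.create_subscription("sub-new")  # not moved: stays under the root group
    return h

if __name__ == "__main__":
    h = build_demo()
    print(h.chain("sub-corp-01"), h.effective_assignments("sub-corp-01"))
    print(h.chain("sub-new"), h.effective_assignments("sub-new"))
```

The second print line is the practical point: a subscription that nobody moved out of the root group inherits nothing that was assigned to Contoso or below, so landing-zone guardrails only apply once the subscription has been placed in the right group.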
Azure Blueprints
Azure Blueprints enables cloud architects and central IT groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. It lets development teams rapidly build and deploy new environments with the assurance that they are building within organizational compliance, using a set of built-in components (such as networking) to speed up development and delivery. Note that Azure Blueprints never left preview and Microsoft has announced its retirement in favor of ARM template specs and deployment stacks.
Compliance Manager
Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Microsoft 365, Dynamics 365, and Azure
Azure Monitor
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on
Activity Logs
The Activity Log is a subscription-level log of control-plane operations: it records who created, modified, or deleted a resource, when, and with what result, which makes it a primary source for change auditing. Metrics, by contrast, are numeric time series that tell you how a resource is performing and what it is consuming.
Azure Monitor for containers
Azure Monitor for containers (now called Container insights) is a service designed to monitor the performance of container workloads deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the Metrics API. Container logs are also collected.
Azure Monitor for VMs
Azure Monitor for VMs (now called VM insights) is a service that monitors your Azure VMs at scale by analyzing the performance and health of your Windows and Linux VMs, including their processes and their dependencies on other resources and external processes. It also supports monitoring performance and application dependencies for VMs hosted on-premises and with other cloud providers.
Autoscale
Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load. Autoscale can also help reduce your Azure costs by removing resources that are not being used. You can specify a minimum and maximum number of instances, and provide the logic that determines when Autoscale should increase or decrease resources
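The rule logic described above, as an added example that is not Azure Monitor's own code: a profile with minimum and maximum instance counts and two metric-based rules, and a decision function that applies them. The function also models the anti-flapping behavior Azure autoscale is documented to perform, namely estimating the per-instance metric after a scale-in and skipping the scale-in when that estimate would immediately trigger the scale-out rule; the estimate formula (metric × current ÷ proposed instances) is an assumption of this model, as are the thresholds and sample values.

```python
"""Autoscale profile evaluation model (added example, not Azure Monitor code)."""
from dataclasses import dataclass

@dataclass
class Rule:
    metric: str
    operator: str      # "GreaterThan" or "LessThan"
    threshold: float
    direction: str     # "Increase" (scale out) or "Decrease" (scale in)
    change: int        # number of instances to add or remove

@dataclass
class Profile:
    minimum: int
    maximum: int
    rules: list

def _fires(rule, value):
    if rule.operator == "GreaterThan":
        return value > rule.threshold
    if rule.operator == "LessThan":
        return value < rule.threshold
    raise ValueError(f"unsupported operator {rule.operator!r}")

def decide(profile, current, metrics):
    """Return the instance count after one evaluation.

    metrics maps a metric name to its current per-instance average.
    A firing scale-out rule wins over any scale-in rule, and the result
    is always clamped to [minimum, maximum].
    """
    out_rules = [r for r in profile.rules if r.direction == "Increase"]
    in_rules = [r for r in profile.rules if r.direction == "Decrease"]
    target = current
    for r in out_rules:
        if _fires(r, metrics[r.metric]):
            target = max(target, current + r.change)
    if target == current:  # nothing scaled out; consider scaling in
        for r in in_rules:
            if not _fires(r, metrics[r.metric]):
                continue
            proposed = max(profile.minimum, current - r.change)
            if proposed == current:
                continue  # already at the minimum
            # Anti-flapping (modelled): the same load spread over fewer
            # instances raises the per-instance metric; if that would fire a
            # scale-out rule on the same metric, skip this scale-in.
            estimated = metrics[r.metric] * current / proposed
            if any(_fires(o, estimated) for o in out_rules if o.metric == r.metric):
                continue
            target = min(target, proposed)
    return max(profile.minimum, min(profile.maximum, target))

# Constructed profile: scale out above 70% CPU, scale in below 45%.
CPU_PROFILE = Profile(minimum=1, maximum=10, rules=[
    Rule("Percentage CPU", "GreaterThan", 70, "Increase", 1),
    Rule("Percentage CPU", "LessThan", 45, "Decrease", 1),
])

if __name__ == "__main__":
    for count, cpu in [(4, 85), (4, 40), (2, 40), (10, 90), (1, 10)]:
        print(f"{count} instances at {cpu}% CPU -> {decide(CPU_PROFILE, count, {'Percentage CPU': cpu})}")
```

The (2, 40) case is the one worth noticing: the scale-in rule fires, but going from 2 instances to 1 would push the estimated CPU to 80%, above the scale-out threshold, so the count stays at 2 instead of oscillating between 1 and 2 on every evaluation.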
Azure Service Health
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.
Azure Status
provides a global view of the health state of Azure services. With Azure Status, you can get up-to-the-minute information on service availability. Everyone has access to Azure Status and can view all services that report their health state
Service Health
provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them. In this dashboard, you can track active events such as ongoing service issues, upcoming planned maintenance, or relevant Health advisories. When events become inactive, they are placed in your Health history for up to 90 days. Finally, you can use the Service Health dashboard to create and manage service Health alerts, which notify you whenever there are service issues that affect you
Resource Health
helps you diagnose and obtain support when an Azure service issue affects your resources. It provides you with details about the current and past state of your resources. It also provides technical support to help you mitigate problems
Azure Resource Manager
Azure Resource Manager is the deployment and management service for Azure: every request from the portal, PowerShell, the CLI, or the REST API passes through it. It organizes resources into named resource groups that let you deploy, update, or delete all of the resources together.
Resource Manager also allows you to create templates, which can be used to create and deploy specific configurations
What are Resource Manager templates?
Resource Manager templates are JSON files that define the resources you need to deploy for your solution.
PowerShell Command: New Azure VMs?
New-AzVM
Azure CLI / CLI Command
The Azure CLI is Microsoft’s cross-platform command-line tool for managing Azure resources such as virtual machines and disks from the command line. It’s available for macOS, Linux, and Windows, or in the browser using the Cloud Shell. Like Azure PowerShell, the Azure CLI is a powerful way to streamline your administrative workflow. Unlike Azure PowerShell, the Azure CLI does not need PowerShell to function
az vm create
Azure REST API
- Create and manage virtual machines
- Create and manage virtual machine scale sets
- Create and manage availability sets
- Add and manage virtual machine extensions
- Create and manage managed disks, snapshots, and images
- Access the platform images available in Azure
- Retrieve usage information for your resources
Azure VM Extensions
Azure VM extensions are small applications that allow you to configure and automate tasks on Azure VMs after initial deployment.
Availability and Instances
To ensure your services aren't interrupted and to avoid a single point of failure, it is recommended to deploy at least two instances of each VM role and place them in an availability set, the feature that spreads those instances across separate hardware.
What is an availability set?
An availability set is a logical feature used to ensure that a group of related VMs are deployed so that they aren’t all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the datacenter. VMs placed in an availability set should perform an identical set of functionalities and have the same software installed.
Microsoft offers a 99.95% external connectivity service level agreement (SLA) for multiple-instance VMs deployed in an availability set
What is a fault domain?
A fault domain is a logical group of hardware in Azure that shares a common power source and network switch, so a failure of either takes down every VM in that fault domain together.
What is an update domain?
An update domain is a logical group of hardware that can undergo maintenance or be rebooted at the same time. Azure automatically distributes the VMs of an availability set across its update domains to minimize the impact when the Azure platform introduces host operating system changes; only one update domain is rebooted at a time. An availability set can use up to 3 fault domains (2 in some regions) and up to 20 update domains; the portal defaults are 2 fault domains and 5 update domains.
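A worked placement makes the two cards above concrete. This is an added example, not Azure's allocator: it models the documented round-robin assignment of an availability set's VMs to fault domains and update domains (assumed here to be strictly in creation order), then answers the two questions an operator cares about: which VMs keep running when one fault domain fails, and which VMs reboot together during maintenance of one update domain. VM names are constructed.

```python
"""Availability set placement model (added example, not Azure's allocator)."""

def place(vm_names, fault_domains=2, update_domains=5):
    """Assign each VM a (fault domain, update domain) pair round-robin in
    creation order. 2 and 5 are the portal defaults for a new set."""
    return {name: (i % fault_domains, i % update_domains)
            for i, name in enumerate(vm_names)}

def survivors_after_fault(placement, failed_fd):
    """VMs still running after the power/switch of one fault domain fails."""
    return sorted(vm for vm, (fd, _) in placement.items() if fd != failed_fd)

def rebooting_together(placement, ud):
    """VMs rebooted at the same time when one update domain is serviced."""
    return sorted(vm for vm, (_, u) in placement.items() if u == ud)

def single_point_of_failure(placement):
    """True when every VM sits in the same fault domain or the same update
    domain, i.e. one event can take the whole role down."""
    fds = {fd for fd, _ in placement.values()}
    uds = {ud for _, ud in placement.values()}
    return len(fds) < 2 or len(uds) < 2

def worst_case_loss(placement):
    """Largest fraction of the set lost to a single fault domain failure."""
    counts = {}
    for fd, _ in placement.values():
        counts[fd] = counts.get(fd, 0) + 1
    return max(counts.values()) / len(placement)

if __name__ == "__main__":
    web = place([f"web{i:02d}" for i in range(1, 7)])  # constructed names
    for vm, (fd, ud) in web.items():
        print(f"{vm}: FD{fd} UD{ud}")
    print("FD1 fails, still up:", survivors_after_fault(web, 1))
    print("UD0 under maintenance, rebooting:", rebooting_together(web, 0))
    print("worst-case loss:", worst_case_loss(web))
    print("single VM is a SPOF:", single_point_of_failure(place(["web01"])))
```

With six VMs across the default 2 fault domains and 5 update domains, losing a fault domain costs half the capacity and a host OS update reboots at most two VMs at once (web01 and web06 share UD0 because the sixth VM wraps around). A single VM, by contrast, is always a single point of failure, which is what the "at least two instances" recommendation is about.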
Azure Site Recovery
replicates workloads from a primary site to a secondary location. If an outage happens at your primary site, you can fail over to a secondary location
Azure Site Recovery: Benefits
Site Recovery enables the use of Azure as a destination for recovery, thus eliminating the cost and complexity of maintaining a secondary physical datacenter