├── other
│   ├── AZ-104-Anki-Flashcards.apkg
│   ├── VMS and containers.md
│   ├── Azure - Governance.md
│   ├── Gateway Transit.md
│   ├── Azure App Service.md
│   ├── Azure - Resiliency.md
│   ├── Azure - Monitoring.md
│   └── Azure AD.md
├── msdocs
│   ├── AZ-104 - 1 - Prereqs for Azure Administrators.md
│   ├── AZ-104 - 6 - Monitor and Back Up Azure Resources.md
│   ├── AZ-104 - 4 - Deploy Compute Resources.md
│   ├── AZ-104 - 2 - Identities & Governance.md
│   ├── AZ-104 - 3 - Implement and manage storage in Azure.md
│   └── AZ-104 - 5 - Networking.md
├── LICENSE.md
└── README.md

/other/AZ-104-Anki-Flashcards.apkg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mischavandenburg/az-104-azure-administrator/HEAD/other/AZ-104-Anki-Flashcards.apkg

--------------------------------------------------------------------------------
/other/VMS and containers.md:
--------------------------------------------------------------------------------
1 | # VMs and containers
2 | 
3 | # Savill Notes
4 | 
5 | https://youtu.be/_E73_SQN8ZU
6 | 
7 | - VMs virtualize hardware
8 | - Containers virtualize the OS
9 |   - union filesystem: layers
10 |   - share the kernel
11 |     - so the isolation boundary is weaker than a VM's: a kernel bug or an over-privileged container affects every container on that host
12 | - instances of containers
13 |   - they are sandboxes
14 |   - have their own processes inside them, but they don't see each other
15 |   - run images
16 | 
--------------------------------------------------------------------------------
/other/Azure - Governance.md:
--------------------------------------------------------------------------------
1 | # Azure - Governance
2 | Links:
3 | https://youtu.be/cIh_Nfl67T0
4 | 
5 | A vnet belongs to exactly one subscription. Moving a vnet to another subscription is possible but restricted (all of its peerings have to be deleted first, and some attached resources block the move), so in practice you don't move them.
6 | 
7 | Vnets in other subscriptions have to be connected by peering instead, and this can involve a lot of work.
8 | 
9 | - resource groups
10 |   - Resources live in RG
11 |   - A resource can exist in only 1 RG.
12 |   - not boundaries: RBAC and policy can be scoped to an RG, but an RG is not a network or trust boundary, resources in different RGs talk to each other freely
13 |   - a vm can have its nic connected to a vnet in a different RG as long as they are in the same subscription (and the same region)
14 |   - tags are not inherited by the resources inside the RG
15 | 
--------------------------------------------------------------------------------
/msdocs/AZ-104 - 1 - Prereqs for Azure Administrators.md:
--------------------------------------------------------------------------------
1 | ## Resource Groups
2 | 
3 | Resource Groups are a logical collection of resources.
4 | Resource groups store metadata about their resources.
5 | 
6 | - Resources can only exist in one resource group.
7 | - Resource Groups cannot be renamed.
8 | - Resource Groups can have resources of many different types (services).
9 | - Resource Groups can have resources from many different regions.
10 | 
11 | - All the resources in your group should share the same lifecycle. You deploy, update, and delete them together. If one resource, such as a database server, needs to exist on a different deployment cycle it should be in another resource group.
12 | 
13 | Deleting a resource group deletes all the resources contained within it, so a CanNotDelete lock on a resource group you cannot afford to lose is cheap insurance.
16 | 
17 | ## arm templates
18 | arm templates are written in json
19 | bicep is an abstraction layer over arm / json: a simpler syntax that compiles down to the same ARM JSON
20 | 
21 | ARM deployments are idempotent. When you deploy a template a second time, resources that already match the template are left unchanged and resources whose properties differ are updated. In the default incremental mode, resources in the resource group that the template does not mention are left alone; in complete mode they are deleted, so check the mode before re-deploying into a shared resource group.
22 | 
23 | 
24 | 
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | MIT License
2 | 
3 | Copyright (c) 2022 mischavandenburg
4 | 
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
--------------------------------------------------------------------------------
/other/Gateway Transit.md:
--------------------------------------------------------------------------------
1 | # Gateway Transit
2 | Links:
3 | 
4 | https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
5 | 
6 | In a hub and spoke model, the spokes can use the gateway of the hub.
7 | 
8 | For example, if I have a s2s gateway in the hub, the spokes can use the hub gateway and they don't need their own gateway.
9 | 
10 | They do need to have a peering with the hub Vnet, obviously.
11 | 
12 | The hub side of the peering needs the `-AllowGatewayTransit` property.
13 | 
14 | The spoke side of the peering needs `-UseRemoteGateways`. A vnet that uses a remote gateway cannot have a gateway of its own.
15 | 
16 | ```powershell
17 | $SpokeRG = "SpokeRG1"
18 | $SpokeRM = "Spoke-RM"
19 | $HubRG = "HubRG1"
20 | $HubRM = "Hub-RM"
21 | 
22 | $spokermvnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroupName $SpokeRG
23 | $hubrmvnet = Get-AzVirtualNetwork -Name $HubRM -ResourceGroupName $HubRG
24 | 
25 | # Spoke side: use the hub's gateway. AllowForwardedTraffic accepts packets that
26 | # came in through that gateway (they did not originate in the hub vnet).
27 | Add-AzVirtualNetworkPeering `
28 |     -Name SpokeRMtoHubRM `
29 |     -VirtualNetwork $spokermvnet `
30 |     -RemoteVirtualNetworkId $hubrmvnet.Id `
31 |     -AllowForwardedTraffic `
32 |     -UseRemoteGateways
33 | 
34 | # Hub side: let the peered spoke use this vnet's gateway.
35 | Add-AzVirtualNetworkPeering `
36 |     -Name HubRMToSpokeRM `
37 |     -VirtualNetwork $hubrmvnet `
38 |     -RemoteVirtualNetworkId $spokermvnet.Id `
39 |     -AllowForwardedTraffic `
40 |     -AllowGatewayTransit
41 | 
42 | ```
43 | 
44 | >[!warning]
45 | >Both peerings also need `-AllowForwardedTraffic`, otherwise packets that entered through the hub gateway are dropped at the spoke. Check with `Get-AzVirtualNetworkPeering` that both peerings show `PeeringState` Connected.
46 | 
47 | Once this is in place, every network behind the hub's S2S gateway can reach the spoke, so the spoke's NSGs and route tables are what actually limit that access. Peering is not transitive: spoke-to-spoke traffic still needs an NVA or route tables in the hub.
48 | 
49 | 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Study Notes for AZ-104: Microsoft Azure Administrator
2 | 
3 | This repo contains my notes for the AZ-104 certification.
4 | 
5 | I also wrote a full [study guide](https://mischavandenburg.com/zet/articles/az-104-study-guide/).
6 | 
7 | I spent 80 hours studying for this exam.
8 | 
9 | There are two directories in this repo, "msdocs" and "other." The "msdocs" directory contains my notes and summaries of the Microsoft Learn modules. The "other" directory contains notes from YouTube videos and other supplemental resources I used.
10 | 
11 | I especially needed to put in a lot of effort in Azure AD so the directory contains some extensive notes on that subject.
12 | 
13 | # Anki Flash Cards
14 | 
15 | I use Anki for spaced repetition.
I'm including an export of my Anki deck in this repo as well. You can find it in the "other" directory.
16 | 
17 | Throughout my notes, you will come across lines such as:
18 | 
19 | > Availability zone::Unique physical location within a region, made up of 1 or more datacenters. Combination of fault domain and update domain.
20 | ID: 1669745066209
21 | 
22 | These are actually Anki flash cards. I use Obsidian to take my notes and I run a plugin that generates flashcards from this syntax. The text before the "::" is the front of the card, and the rest is the back of the card.
23 | 
24 | ![visitors](https://visitor-badge.glitch.me/badge?page_id=mischavandenburg-az-104&left_color=green&right_color=red)
25 | 
--------------------------------------------------------------------------------
/other/Azure App Service.md:
--------------------------------------------------------------------------------
1 | # Azure App Service
2 | 
3 | An app runs in an App Service plan.
4 | 
5 | - App Service plan
6 |   - defines the set of compute resources a web app runs on
7 |   - can have one or more apps
8 |   - each App Service plan defines:
9 |     - region
10 |     - number of VM instances
11 |     - size of VM instances (pricing tier)
12 | 
13 | ### how it works
14 | 
15 | In the Free and Shared tiers, an app receives CPU minutes on a shared VM instance and cannot scale out.
16 | 
17 | From Microsoft Docs:
18 | 
19 | - Apps run in a service plan
20 | - multiple apps in the same plan share the same VMs
21 | - multiple deployment slots also run on the same VMs
22 | - The plan is the scale unit
23 |   - autoscaling will scale all apps in the plan
24 | - Because apps share the same resources, be careful when adding more apps to your plan
25 |   - understand the capacity of the plan
26 |   - understand the load of the new app
27 | 
28 | ## deployment slots
29 | 
30 | - live apps with their own hostnames
31 | 
32 | ==A deployment slot is an instance of an app service, running on the same app service plan.
33 | 
34 | A slot is swapped into production to deploy it. The swap exchanges the routing of the two slots rather than redeploying code, so there is no downtime, and you can swap back if the new version misbehaves.
35 | 
36 | 
37 | Deployment slot::A deployment slot is an instance of an app service, running on the same App Service plan.
38 | ID: 1670597879212
39 | 
40 | # Savill Video
41 | 
42 | https://youtu.be/_E73_SQN8ZU
43 | 
44 | - can run a container or app
45 | - you purchase worker instances (nodes), it's PaaS
46 | - app service plan
47 |   - certain size
48 |   - you deploy app services into the plan
49 |   - it runs across 3 nodes if the instance count is 3
50 |   - you buy guaranteed resources
51 |   - if you scale out, all of the apps in the plan scale out
52 |   - you scale the plan, not the app
53 |   - when you scale the plan, everything in the plan will be scaled
54 | 
55 | # pricing
56 | 
57 | How many minutes of CPU time do you get with a Free F1 App Services plan?::60 per day
58 | ID: 1670957141154
59 | 
60 | 
61 | How many minutes of CPU time do you get with a Shared D1 App Services plan?::240 per day
62 | ID: 1670957141160
63 | 
64 | 
65 | How many hours of CPU time do you get with a Basic B1 App Services plan?::24, i.e. no quota: Basic and above run on dedicated instances
66 | ID: 1670957141167
67 | 
68 | 
69 | 
70 | 
--------------------------------------------------------------------------------
/other/Azure - Resiliency.md:
--------------------------------------------------------------------------------
1 | # Azure - Resiliency
2 | Links:
3 | https://youtu.be/zLMXu4rtlEk
4 | 
5 | ## notes from John Savill video
6 | 
7 | - snapshots are stored in the same location as the disk, so they are not replicated elsewhere and do not protect against losing that location.
something to consider in the backup strategy
8 | - asynchronous vs synchronous
9 |   - asynchronous
10 |     - app writes to the postgres primary (master)
11 |     - the primary instantly acknowledges the write
12 |     - the primary then starts replicating to the replica (slave)
13 |     - risk: if the primary fails before the replica has received a write, that acknowledged write is lost
14 |     - advantage: useful when there is a lot of distance (and therefore latency) between the primary and the replica
15 |   - synchronous
16 |     - transactions are not committed on the primary (master) until acknowledged by the secondary
17 |     - can impact primary performance
18 |     - i.e. the app has to wait until the data is replicated before it gets the acknowledgement
19 |     - no risk of data loss
20 |     - usually you use synchronous when they are in the same location because latency is sub-millisecond
21 |     - asynchronous when in different locations (cross-site)
22 | 
23 | Asynchronous replication::App writes to primary and primary instantly acknowledges the write. After acknowledging, the primary starts replicating to secondary. Risk of data loss. Used for cross-site because of the higher latency.
24 | ID: 1670957141142
25 | 
26 | 
27 | Synchronous replication::Transaction not committed on primary until acknowledged on secondary. Can impact performance, but no risk of data loss. Used when primary and secondary are in the same location.
28 | ID: 1670957141148 29 | 30 | 31 | - fault domain 32 | - server rack 33 | - nodes in the rack can fail, or the entire rack can fail 34 | - availability set 35 | - 99.95% sla 36 | - resources are added on the availability set 37 | - these are installed round robin 38 | - distributed over fault domains automatically 39 | - in the same facility 40 | - ==never mix workloads in the same availability set 41 | - different sets for different loads 42 | 43 | - update domains 44 | - 5 to 20 45 | - host updates cause a vm freeze of a few seconds 46 | - availability zones 47 | - data centers within the same region 48 | 49 | - VM harddisk SLA 50 | - premium ssd 99.9 51 | - standard ssd 99.5 52 | - standard HDD 95 53 | 54 | - availability SLA 55 | - set 99.95 56 | - zone 99.99 57 | 58 | >[!quote] 59 | >If there is no state, you don't need replication. 60 | >Just have the process in place to create it via IaC 61 | 62 | -------------------------------------------------------------------------------- /msdocs/AZ-104 - 6 - Monitor and Back Up Azure Resources.md: -------------------------------------------------------------------------------- 1 | # 6 - Monitor and Back Up Azure Resources 2 | 3 | # File and Folder Backups 4 | 5 | ## Azure Backup Center 6 | 7 | - single unified management experience 8 | - supports: 9 | - azure vm backup 10 | - sql azure vm backup 11 | - azure files 12 | - azure blobs 13 | - managed disks 14 | - PostgreSQL server backup 15 | 16 | ## recovery service vault 17 | 18 | - a storage entity that stores backup data 19 | - vms 20 | - sql databases 21 | - azure file shares 22 | 23 | Recovery Service Vault::storage entity that stores backup data, such as VM snapshots or Azure SQL databases 24 | ID: 1670266082659 25 | 26 | # VM backup 27 | 28 | - several options: 29 | - snapshots 30 | - quick and simple 31 | - for vms using managed disks 32 | - billed based on size 33 | - azure backup 34 | - production workloads 35 | - azure site recovery 36 | - for major outage 
due to natural disaster
37 |     - when a whole region is out
38 |     - replicates the entire workload structure to a secondary location
39 | 
40 | # Azure Alerts
41 | 
42 | Action group::collection of notification preferences and actions (email, SMS, push, voice, webhook, Logic App, Azure Function, Automation runbook) defined by the owner of an Azure subscription. An alert rule references an action group to decide who is notified and what runs when the alert fires, for example when a metric exceeds a threshold.
43 | ID: 1670266082663
44 | 
45 | 
46 | # Network Watcher
47 | 
48 | - Network diagnostics
49 |   - for solving network problems
50 | - elements
51 |   - monitoring
52 |   - network diagnostic tools
53 |   - metrics
54 |   - logs
55 | 
56 | Network Watcher::Network diagnostics for solving problems. Provides monitoring, diagnostics, metrics and logs.
57 | ID: 1670361824265
58 | 
59 | 
60 | - IP Flow verify
61 |   - checks whether a packet (direction, protocol, source and destination IP and port) is allowed or denied to/from a VM's NIC
62 |   - returns the name of the NSG rule that allowed or denied it, so you can see which security group is blocking traffic
63 | 
64 | IP Flow verify::checks if packets are allowed/denied to/from VM. Identifies the NSG rule (and so the security group) responsible.
65 | ID: 1670361824268
66 | 
67 | 
68 | - next hop
69 |   - determine if traffic is directed to the intended destination
70 |   - verify routing configuration
71 |   - return value None:
72 |     - there is a valid system route to the destination
73 |     - but no next hop exists to route the traffic, so it is dropped
74 | 
75 | - network watcher topology
76 |   - generate visual diagrams
77 | 
78 | Network Watcher Topology::generates visual diagrams of your network
79 | ID: 1670361824272
80 | 
81 | 
82 | Next Hop::verifies routing configuration by giving the Next Hop and the associated routing table
83 | ID: 1670361824276
84 | 
85 | # Kusto query language
86 | 
87 | heartbeat table::For Azure Monitor querying with Kusto. Contains data on everything from OS type, OS version, resource ID and resource group. Acts like an inventory of all VMs reporting to a specific workspace.
88 | ID: 1670597879320
89 | 
90 | 
91 | 
92 | 
--------------------------------------------------------------------------------
/msdocs/AZ-104 - 4 - Deploy Compute Resources.md:
--------------------------------------------------------------------------------
1 | # AZ-104 - 4 - Deploy Compute Resources
2 | 
3 | # VM Availability
4 | 
5 | ==Azure doesn't automatically update / patch the VM OS.
6 | 
7 | - Availability Sets
8 |   - logical group of VMs
9 |   - not upgraded at the same time during a datacenter host upgrade
10 |   - ensures the VMs are spread over separate hardware
11 |   - should have identical functionality and software
12 |   - Azure ensures they run across multiple physical servers, storage and switches
13 |   - only a subset of the VMs is impacted in case of failure
14 | 
15 | Availability Set::Logical grouping of VMs which ensures they are spread across separate hosts, storage and switches. Identical tasks and software, only a subset is impacted in case of failure. Redundancy.
16 | ID: 1669745066200
17 | 
18 | - update domain
19 |   - group of nodes that are upgraded together
20 |   - can be rebooted at the same time
21 |   - default: 5
22 | 
23 | VM Update domain::Group of nodes that are upgraded together. Can be rebooted simultaneously.
24 | ID: 1670597879203
25 | 
26 | 
27 | - fault domain
28 |   - VM group that shares a common point of failure.
29 |   - Example: server rack
30 | 
31 | VM Fault domain::VM group that shares common point of failure. For example, a server rack.
32 | ID: 1670597879208
33 | 
34 | 
35 | - availability zones
36 |   - unique physical locations within a region
37 |   - made up of 1 or more datacenters
38 | 
39 | Availability zone::Unique physical location within a region, made up of 1 or more datacenters. Combination of fault domain and update domain.
40 | ID: 1669745066209
41 | 
42 | Vertical scaling::scaling the VM size up or down. Requires a stop and restart.
43 | ID: 1669745066213
44 | 
45 | horizontal scaling::When the number of VMs is scaled up or down
46 | ID: 1669745066217
47 | 
48 | - scale set
49 |   - deploys a set of **identical** vms
50 |   - autoscale
51 |     - manual or automated
52 |   - up to 1000 vm instances
53 | 
54 | scale set::deploys a set of identical VMs. Can scale manually or automated.
55 | ID: 1669745066221
56 | 
57 | 
58 | 
59 | # Azure Container Instances
60 | 
61 | Windows or Linux "Container as a Service"
62 | 
63 | Have a container running in seconds.
64 | 
65 | - container group
66 |   - the containers in a group share a lifecycle, resources, local network, and storage volumes.
67 | 
68 | Container Group::Similar to a pod in Kubernetes
69 | ID: 1669991594603
70 | 
71 | ## container
72 | 
73 | - instance of a docker image
74 | - execution of a single application, process or service
75 | - consists of
76 |   - Docker image
77 |   - execution environment
78 |   - standard set of instructions
79 | - scaled by creating multiple instances of the same image
80 | 
81 | # Azure Automation State Configuration
82 | 
83 | DSC::Desired State Configuration. Declarative model of PowerShell
84 | ID: 1670142766974
85 | 
86 | 
87 | Azure Automation State Configuration has a built-in pull server. Target nodes automat pull configuration changes from it and apply them to conform to the desired state.
88 | 
89 | LCM::Local Configuration Manager. Component of Windows Management Framework (WMF) on a Windows OS. Responsible for updating state of node (e.g. VM) to match desired state.
90 | ID: 1670142766979
91 | 
--------------------------------------------------------------------------------
/other/Azure - Monitoring.md:
--------------------------------------------------------------------------------
1 | # Azure - Monitoring
2 | 
3 | # John Savill - Azure Masterclass part 9 - Monitoring and Security
4 | 
5 | https://www.youtube.com/watch?v=hTS8jXEX_88&t=1081s
6 | 
7 | Starting from Azure AD and moving down the hierarchy:
8 | 
9 | - Azure AD
10 |   - always at the top
11 |   - Sign in logs
12 |   - audit log
13 |   - 30 days retention (with P1/P2; 7 days on the free tier)
14 | - Subscription
15 |   - Activity log
16 |     - creating resources
17 |     - deleting resources
18 |     - deleting a key
19 |     - service health
20 |     - 90 days
21 | - Resources (ARM)
22 |   - Metrics
23 |     - Turned on by default
24 |     - 90 days retention
25 |     - Fast pipeline, sub 60 seconds
26 |   - Logs
27 |     - Must be configured
28 |     - they do not exist until I configure the collection of logs
29 |     - Numeric or Text
30 | - OS
31 |   - These also have metrics and logs.
32 |   - ==NOTE these are different from the ARM logs
33 |   - ARM VM metrics are what the Hyper-V host sees for the VM, not what the OS sees
34 |   - So metrics at this OS level are the metrics inside the OS
35 |     - The actual CPU usage of the machine inside the VM
36 |   - Diagnostics Extensions
37 |   - Agents
38 |     - Metrics
39 |     - Logs (syslog)
40 | - App Insights
41 |   - Metrics
42 |   - Logs
43 |   - How the application is performing
44 |   - what it's talking to
45 |   - Codeless attach
46 |     - Can plug in to the runtime
47 | - Custom things
48 |   - you can configure custom things that collect logs
49 | 
50 | ==All of the above are sources of data.
51 | 
52 | You need to understand all of these things to have a good understanding of the application you are hosting.
53 | 
54 | To activate logs, go to the resource in the portal (a subscription, for example) and open Diagnostic settings. Here you can choose which categories of logs to collect and where to send them.
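The Activity log in the list above is the subscription-level trail of control-plane operations, and it is where role-assignment writes, NSG changes and resource-group deletions show up. As an added example that is not part of the original notes, the Python below runs a small detection over constructed Activity Log-style events. It assumes a simplified subset of the event schema (`operationName.value`, `status.value`, `caller`, `resourceId`, `eventTimestamp`); the subscription ID, callers and resource names are made up, and the list of privileged operations is a starting point, not a complete one.

```python
"""Flag privileged control-plane operations in Azure Activity Log events.

Added example, not part of the original notes. SAMPLE_EVENTS is constructed
data using a simplified subset of the Activity Log event schema
(operationName.value, status.value, caller, resourceId, eventTimestamp);
real events carry many more fields, and one operation normally produces a
Started event followed by a Succeeded or Failed one.
"""
from collections import Counter
from fnmatch import fnmatchcase

# Operations that change who can do what, or destroy things. Matched
# case-insensitively; '*' matches any run of characters.
PRIVILEGED_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created or changed",
    "Microsoft.Authorization/roleDefinitions/write": "custom role definition changed",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment removed",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "key vault access policy changed",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "NSG rule changed",
    "Microsoft.Resources/subscriptions/resourceGroups/delete": "resource group deleted",
}

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # hypothetical subscription

SAMPLE_EVENTS = [  # constructed sample data, not real log output
    {"eventTimestamp": "2022-12-12T09:00:01Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"eventTimestamp": "2022-12-12T09:05:40Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Started"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/aaaa"},
    {"eventTimestamp": "2022-12-12T09:05:42Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/aaaa"},
    {"eventTimestamp": "2022-12-12T09:07:10Z", "caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.KeyVault/vaults/accessPolicies/write"},
     "status": {"value": "Failed"},
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
    {"eventTimestamp": "2022-12-12T09:09:55Z", "caller": "sp:7c1d0c3e-automation",
     "operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-old"},
    {"eventTimestamp": "2022-12-12T09:12:03Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-app/securityRules/allow-any-in"},
]


def classify(event):
    """Return (severity, description) for a privileged event, else None.

    Started events are skipped so an operation is not counted twice. Failed
    attempts are kept at lower severity: a denied role-assignment write is
    still a signal about who is trying what.
    """
    status = event["status"]["value"]
    if status == "Started":
        return None
    op = event["operationName"]["value"].lower()
    for pattern, description in PRIVILEGED_OPERATIONS.items():
        if fnmatchcase(op, pattern.lower()):
            return ("high" if status == "Succeeded" else "medium"), description
    return None


def flag_privileged(events):
    """Findings for every privileged event, oldest first."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        hit = classify(ev)
        if hit is None:
            continue
        severity, description = hit
        findings.append({
            "time": ev["eventTimestamp"], "caller": ev["caller"],
            "operation": ev["operationName"]["value"], "status": ev["status"]["value"],
            "severity": severity, "description": description, "resourceId": ev["resourceId"],
        })
    return findings


def callers_by_count(findings):
    """How many flagged operations each caller performed; the usual pivot for triage."""
    return dict(Counter(f["caller"] for f in findings))


if __name__ == "__main__":
    found = flag_privileged(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']}  {f['severity']:6}  {f['caller']:24}  {f['description']} ({f['status']})")
    print(callers_by_count(found))
```

On the sample data this yields four findings (the VM start is benign and the Started event is skipped), three of them by the same caller. In a real workspace the same logic is a few lines of KQL over the AzureActivity table; the point of the script is the shape of the rule: match on operation name, only count terminal status, and pivot on caller.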
55 | 
56 | ## Log Destinations
57 | 
58 | We have all these data sources. Where do we send the data?
59 | 
60 | - Send to Log Analytics
61 | - Archive to a storage account
62 | - Stream to an event hub
63 | 
64 | - Storage
65 |   - Cheap
66 |   - Long term retention
67 | - Event hub
68 |   - you can push events to it, and people can subscribe to it
69 |   - 3rd party SIEM solution
70 |   - OpsGenie
71 | - Log Analytics
72 |   - Azure Monitor Logs
73 |   - ==The Superhero
74 |   - Log Analytics Workspace
75 |     - This breaks the data down into tables and formats
76 |     - you can run queries against these
77 |     - 2 year max retention
78 |     - configurable retention
79 |   - Costs
80 |     - Ingestion
81 |       - getting the logs into Log Analytics has costs
82 |     - Storage
83 |       - Retention
84 |     - There are a few exceptions, but typically you have to pay for the data that comes in and the data you store
85 |     - You can set caps
86 |       - Ingestion cap: do not cost more than xxx per day. Once the daily cap is hit, ingestion stops for the rest of the day, so whatever you rely on for detection is silently dropped; treat it as a cost guard, not a default.
87 |   - Analyze
88 |     - Visualize trends
89 | 
90 | Which 3 destinations are there for logs?::Accessed in diagnostics settings. They are storage, event hub and Log Analytics.
91 | ID: 1670859846171
92 | 
93 | 
94 | What is Event Hub?::Used in monitoring. You can send logs and metrics to the event hub and people can subscribe to the events, or you can connect a SIEM solution such as Opsgenie or splunk.
95 | ID: 1670859846187
96 | 
97 | 
98 | Generally you can set three options in diagnostics settings
99 | - storage
100 | - event hub
101 | - Log Analytics
102 | 
103 | The exception is for OS logs (Agents), App Insights, and custom things. These can only go to Log Analytics.
104 | 105 | Can you send App Insights logs to the Event Hub?::No, App Insights can only be sent to Log Analytics 106 | ID: 1670859846194 107 | 108 | 109 | Can you send OS agent logs to blob storage?::No, they can only be sent to Log Analytics 110 | ID: 1670859846202 111 | 112 | 113 | ## Log Analytics 114 | 115 | You can export Log Analytics tables to Storage or Event Hub. 116 | 117 | How can you get OS Agent logs to storage?::You can export the tables from Log Analytics to storage. 118 | ID: 1670859846209 119 | 120 | 121 | ## costs 122 | 123 | Ingestion and retention have costs. So only turn on what you need, what you care about. Have a plan. 124 | 125 | ## dashboard or workbook 126 | 127 | dashboards can be shared and pinned, have rbac 128 | 129 | workbooks can contain visualisations. more of a document. designed to go in an analyze a certain scenario. no native rbac. to share you need access to all underlying resources 130 | 131 | ## Azure Sentinel 132 | 133 | - SIEM solution 134 | - feeds of log analytics 135 | - alerting, playbooks 136 | - uses machine learning for detecting threats 137 | - but also has its own connectors 138 | - syslogs 139 | - network devices 140 | - event forwarding 141 | - firewalls 142 | - other services 143 | -------------------------------------------------------------------------------- /msdocs/AZ-104 - 2 - Identities & Governance.md: -------------------------------------------------------------------------------- 1 | # AZ-104 - 2 - Identities & Governance 2 | 3 | # Management Groups 4 | 5 | Management groups are a layer above subscription level. Can apply policies and access control on management groups. 6 | 7 | Subscriptions within a management group inherit the conditions applied to the management group 8 | 9 | ## things to consider when using management groups 10 | 11 | - custom hierarchies 12 | - policy inheritance 13 | - subscriptions inherit policies 14 | - F. ex. 
limit all resources to a particular region 15 | - compliance rules 16 | - cost reporting 17 | 18 | 19 | 20 | 21 | Management Groups::A layer above subscription level. Access control and policies can be applied to these groups. 22 | ID: 1669451669401 23 | 24 | 25 | # Azure Policies 26 | 27 | Azure Policies::Policies are used to enforce rules on resources to meet compliance standards and SLA's. 28 | ID: 1669478872718 29 | 30 | Can be used to standardize how cloud resources are configured. 31 | 32 | Can be applied at scale. 33 | 34 | There are many built in policy definitions, and you can create your own. 35 | 36 | ## 4 steps 37 | 38 | 1. create policy definition 39 | 1. condition to evaluate & action to perform when condition is met 40 | 2. create initiative definition 41 | 1. set of policy definitions to track resource compliance state to meet a larger goal 42 | 3. scope the initiative definition 43 | 1. specific management or resource groups, or subscriptions 44 | 4. determine compliance 45 | 46 | Initiative definition::Set of policy definitions to track resource compliance state to meet a larger goal 47 | ID: 1669478872726 48 | 49 | 50 | ## initiative definition 51 | 52 | Examples: 53 | 54 | - **Audit machines with insecure password security settings** 55 | - **Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule**: The definition deploys the Azure Monitor Agent extension and associates the resources with a specified Data Collection Rule. 56 | - **ISO 27001:2013**: Use this initiative to apply policies for a subset of ISO 27001:2013 controls. 
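Both an Azure Policy definition (the section above) and an RBAC role definition (the section that follows) are JSON documents that Azure evaluates against a request: a policy rule's `if` block against the resource being deployed, and a role's `Actions`/`NotActions` lists against the operation being attempted. As an added example that is neither from the original notes nor Microsoft's engine, here is a minimal offline re-implementation of both evaluations in Python. Assumptions: the policy is a simplified version of the built-in "Allowed locations" definition, the Contributor definition is the subset the notes quote, and the custom role and subscription IDs are hypothetical.

```python
"""Offline evaluators for an Azure Policy rule and an Azure RBAC role definition.

Added example, not from the original notes or from Microsoft. Minimal
re-implementations of documented semantics, not Azure's engine:
- Policy: `field` conditions with equals/notEquals/in/notIn, the not/allOf/anyOf
  combinators and [parameters('x')] references; string comparison is case-insensitive.
- RBAC: an operation is permitted when it matches an Actions entry and no
  NotActions entry. NotActions subtracts, it is not a deny: another assignment
  can still grant the operation. DataActions/NotDataActions work the same way
  for data-plane operations. '*' matches any run of characters.
"""
import re

# Simplified version of the built-in "Allowed locations" policy (assumed shape).
ALLOWED_LOCATIONS_POLICY = {
    "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}

# Subset of the built-in Contributor definition, as Get-AzRoleDefinition prints it.
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
    "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/"],
}

# Hypothetical custom role: read blob contents, assignable only inside one subscription.
BLOB_READER_CUSTOM = {
    "Name": "Blob Reader (custom)",
    "Actions": ["Microsoft.Storage/storageAccounts/read"],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111"],
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def _norm(value):
    """Lower-case strings (and lists of strings) so comparisons are case-insensitive."""
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value

def _resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's parameter value."""
    m = _PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _field(resource, name):
    """Look up a field alias on a resource dict, e.g. 'tags.env' -> resource['tags']['env']."""
    node = resource
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate_condition(cond, resource, params):
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    actual = _norm(_field(resource, cond["field"]))
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = _norm(_resolve(cond[op], params))
            matched = actual == expected if op in ("equals", "notEquals") else actual in expected
            return matched if op in ("equals", "in") else not matched
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_policy(definition, resource, params):
    """Return the effect (e.g. 'deny') when the rule's `if` matches, otherwise None."""
    rule = definition["policyRule"]
    return rule["then"]["effect"].lower() if evaluate_condition(rule["if"], resource, params) else None

def _action_matches(pattern, operation):
    """Azure action-string wildcard: '*' matches any run of characters, case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def role_permits(role, operation, data_plane=False):
    """Effective permission = Actions minus NotActions (DataActions minus NotDataActions for data plane)."""
    allow_key, deny_key = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    allowed = any(_action_matches(p, operation) for p in role[allow_key])
    denied = any(_action_matches(p, operation) for p in role[deny_key])
    return allowed and not denied

def assignable_at(role, scope):
    """True when `scope` is at or below one of the role's AssignableScopes ('/' is the root)."""
    scope = scope.rstrip("/").lower()
    for s in role["AssignableScopes"]:
        s = s.rstrip("/").lower()
        if s == "" or scope == s or scope.startswith(s + "/"):
            return True
    return False
```

Two things the evaluator makes concrete that the prose does not: Contributor's `Actions: ["*"]` does match `Microsoft.Authorization/roleAssignments/write`, and it is only the `NotActions` subtraction that removes it, so a second role assignment on the same principal could add it back; and Contributor's empty `DataActions` means it grants nothing on the data plane, which is why a Contributor cannot read blob contents through Azure RBAC without a data-plane role such as the custom one above.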
57 | 
58 | # RBAC
59 | 
60 | RBAC Security Principal::the entity which is requesting access to something (user, group, service principal or managed identity)
61 | ID: 1669478872731
62 | 
63 | 
64 | RBAC role definition::set of permissions that list the allowed operations
65 | ID: 1669478872736
66 | 
67 | 
68 | RBAC assignment::an assignment attaches a *role definition* to a *security principal* at a particular *scope*
69 | ID: 1669478872739
70 | 
71 | 
72 | ## role definition
73 | 
74 | - Actions: control-plane (ARM) operations that are allowed
75 | - NotActions: operations subtracted from Actions. This is not a deny: a principal that gets the same operation from another role assignment still has it
76 | - DataActions / NotDataActions: the same pair for data-plane operations (reading a blob, reading a secret); an empty DataActions list grants no data-plane access at all
77 | - AssignableScopes: list the scopes where the role definition can be assigned
78 | 
79 | ### NotActions
80 | - `Microsoft.Authorization/*/Delete`: cannot delete anything under the Authorization provider (role assignments, policy assignments, locks).
81 | - `Microsoft.Authorization/*/Write`: cannot create or change anything under the Authorization provider.
82 | - `Microsoft.Authorization/elevateAccess/Action`: cannot elevate access (the Global Administrator "access management for Azure resources" switch).
83 | 
84 | The _Contributor_ role also has two _DataActions_ fields, both empty:
85 | 
86 | - `"DataActions": []` and `"NotDataActions": []`: no data-plane operations are granted, so Contributor on its own does not let you read blob contents or Key Vault secrets through Azure RBAC.
87 | - `"AssignableScopes": ["/"]`: the role can be assigned at any scope. The forward slash `/` is the root scope and means "all".
88 | 
89 | The contributor role does this: allow all control-plane actions, except creating, changing or deleting role assignments, role definitions and the other Authorization objects, and elevating access
90 | 
91 | RBAC Contributor role permissions::Can create and manage all types of resources, can create a new tenant in AD, but it cannot grant access to others.
92 | ID: 1670694451641 93 | 94 | 95 | ### things to know about role definition 96 | 97 | - Azure RBAC provides built-in roles 98 | - Owner built-in role has highest level of access 99 | - AssignableScopes can be management groups, subscriptions, resource groups, or resources 100 | 101 | 102 | ### role scopes 103 | 104 | - Scope a role as available for assignment in two subscriptions: 105 | 106 | `"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e", "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"` 107 | 108 | - Scope a role as available for assignment only in the Network resource group: 109 | 110 | `"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network"` 111 | 112 | - Scope a role as available for assignment for all requestors: 113 | 114 | `"/"` 115 | 116 | 117 | ## Azure RBAC roles vs Azure AD roles 118 | 119 | ==These are not the same. 120 | 121 | RBAC manages access to Azure resources, AD manages access to Azure AD resources. 122 | 123 | RBAC scope has multiple levels, such as management groups or subscriptions. AD is scoped at tenant level. 124 | 125 | RBAC roles can be defined by azure portal, cli, powershell, ARM Templates or REST API. AD roles: azure admin portal, 365 admin portal etc. 126 | 127 | Azure RBAC roles vs Azure AD roles::Azure AD admin roles manage users, groups and domains in Azure AD. Azure RBAC roles provide more granular management for resources at multiple levels such as root, management groups, resource groups and resources. 128 | ID: 1669478872743 129 | 130 | 131 | -------------------------------------------------------------------------------- /other/Azure AD.md: -------------------------------------------------------------------------------- 1 | # Azure AD 2 | 3 | https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis 4 | 5 | ### devices 6 | https://learn.microsoft.com/en-us/azure/active-directory/devices/overview 7 | 8 | # What is Azure AD? 
9 | 
10 | > [Azure Active Directory (Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/) is Microsoft's multi-tenant cloud-based directory and identity management service.
11 | 
12 | Azure AD is an identity provider. A full identity solution.
13 | 
14 | > Azure AD is the underlying product that provides the identity service
15 | 
16 | ### for admins
17 | 
18 | Azure AD is used for controlling access to your applications and resources.
19 | 
20 | For example, you can use Azure AD to require MFA when accessing important resources.
21 | 
22 | ### for developers
23 | 
24 | You can use Azure AD to add SSO to your application. This allows your app to work with pre-existing credentials.
25 | 
26 | ### b2b
27 | 
28 | manage your guest users and external partners
29 | 
30 | ### b2c
31 | 
32 | customize and control how users sign up, sign in and manage their profiles when using your apps
33 | 
34 | - function
35 |   - provides user access to resources and applications
36 |     - internal resources on the corporate network
37 |     - external resources such as 365, Azure portal, SaaS applications
38 |     - cloud apps developed for your organization
39 | 
40 | Azure AD provides identity authentication and authorization for cloud resources such as Azure resources, Azure apps and Microsoft 365
41 | 
42 | ## features
43 | 
44 | - SSO
45 |   - single sign on to web apps in the cloud and on-prem apps
46 |   - can use the same set of credentials to access all apps
47 |   - supported on many devices: iOS, Windows, Android, macOS
48 | - remote access
49 |   - secure remote access for on-prem apps from anywhere
50 | - secure access
51 |   - MFA
52 |   - conditional access policies
53 |   - group based access management
54 | - consistency
55 |   - Microsoft calls this "cloud extensibility"
56 |   - ==A consistent set of users, groups, credentials and devices across environments
57 | - customizing the experience
58 |   - banners, fonts etc
59 | - self service
60 |   - SSPR
61 |   - delegate tasks from admins
62 | - Uses REST APIs (Microsoft Graph)
63 | - HTTP/HTTPS protocols 64 | - OIDC 65 | - OAuth 66 | - SAML 67 | - Does not use Kerberos 68 | - Cannot be queried by LDAP 69 | - Managed Service 70 | - you only manage users, groups and policies 71 | - for AD, you would also manage configuration and patching etc 72 | 73 | # AD and Azure AD 74 | 75 | - Azure AD is NOT Active Directory in the cloud. 76 | - AD speaks kerberos, Azure AD doesn't 77 | - AD is primarily a directory, Azure AD is a full identity solution 78 | 79 | # tenant 80 | 81 | >An Azure _tenant_ is a single dedicated and trusted instance of Azure AD. ==Each tenant (also called a _directory_) represents a single organization.== When your organization signs up for a Microsoft cloud service subscription, a new tenant is automatically created. Because each tenant is a dedicated and trusted instance of Azure AD, you can create multiple tenants or instances. 82 | 83 | Azure Tenant::Single dedicated & trusted instance of Azure AD. Also called directory. Automatically created when creating a subscription. 
ID: 1669478872747

# notes savill video

https://youtu.be/Jd3IzN9x2as

- main difference between Free and P1 is the ability to use MFA
- most organizations will use P1
- AD is very different from Azure AD
- AD is the source of truth
  - password changes are not replicated unless you make special configuration
- Azure AD does not live in a subscription
  - Azure subscriptions trust tenants (Azure AD instances)
  - resources need to trust Azure AD before they can do anything
  - subscriptions are moved to trust an Azure AD

- managed identity
  - an Azure resource such as a VM can have an identity in Azure AD
  - within that resource I can act as that identity to authenticate and be authorized to use other resources in Azure

# savill line between ad and azure ad

https://youtu.be/uts0oy8NlUs

- Azure AD has a huge library of federations
  - with AD, you had to configure all of these yourself
- conditional access
  - detecting strange activity
    - different IP address, non-regular times
  - can for example require you to MFA when you log in from a different IP
- collaboration

## writeback

Situation: on-prem AD and Azure AD

When a user changes their password, it's changed in on-prem AD.

Azure AD Connect only synchronizes in one direction: Azure AD to on-prem AD.

To enable syncing to Azure AD, you need to enable password writeback.

Which license do you need for password writeback?::Writeback requires Azure AD Premium P1 or P2.
ID: 1670771143839


Password writeback::On-prem AD to Azure AD only syncs in one direction: Azure AD to on-prem AD. When a user changes a password on the on-prem AD, it won't sync to Azure AD. You need to enable password writeback to sync to Azure AD.
ID: 1670771143847


Is Azure AD Connect required for writeback?::Writeback requires Azure AD Connect to be installed.
ID: 1670771143851


Is MFA required for password writeback?::MFA is recommended but not required for writeback.
ID: 1670771143855


Azure Front Door::Global access solution for web applications. It is not on the AZ-104 outline. It will always be an incorrect answer for the exam.
ID: 1670771143859

### device options

- registered devices
  - bring your own device
  - not owned by the organization
  - does not require an organizational account to sign in to the device
    - Azure AD is not authenticating, but personal accounts are
    - can use personal accounts, e.g. a Microsoft Outlook account, to sign in and access resources
  - this limits 2FA because they are personal accounts
    - must be supported by the identity provider of the personal account
    - FIDO is unavailable in this case because it's not Azure AD that's authenticating, but the personal account

- hybrid devices
  - owned by the organization
  - uses on-prem AD as identity provider
  - joined to on-prem AD and registered with Azure AD
  - requires an organizational account to sign in to the device
  - cannot use FIDO because it requires keys to be generated by Azure AD
    - only possible if Azure AD is the identity provider

- joined devices
  - owned by the organization
  - all authentication configurations are applied when the device requests an authentication token
  - changes the local state of the device
  - requires an organizational account to sign in to the device
  - administrators can use MDM or Microsoft Intune
    - can enforce configurations like
      - requiring encryption
      - password complexity
      - software installation
      - software updates

- on-prem Active Directory joined devices
  - devices never read Azure AD config because they reach out to on-prem AD for authentication
  - doesn't work because the requirement is that they need to log in with the company Azure AD credentials

### FIDO

- Fast Identity Online
- authentication without username or password
- uses an external security key
  - typically a USB device
  - or a platform key built into the device
- solution when employees are not willing to use their phone to authenticate

### SSPR

SSPR::Self Service Password Reset
ID: 1670771143863


Which license is required for SSPR?::Azure AD Premium 1 or higher.
ID: 1670771143866

## administrative units

A container within a tenant.

Say you have a branch office. You create an AU for that office. You add all the managers and the employees to that AU.

Then you assign a branch manager role to the branch manager. Now this manager can perform the actions from the branch manager role on all the users in the administrative unit.

So this is useful.

## identity

Hybrid identity::A common identity for authentication and authorization to all resources, regardless of location. Merging on-prem AD with Azure AD through Azure AD Connect. This makes SSO possible.
ID: 1670957141121


## Conditional Access

- Can be thought of as an if-then statement
- uses conditional access policies

For example, if I want to access the payroll application, then I need to use MFA.

You can block access from IP ranges or locations.
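The if-then model can be made concrete with a small evaluator. This is an added example, not Microsoft's policy engine or code from these notes: each policy's conditions are the "if", its control the "then"; the policies (payroll needs MFA, legacy auth blocked, MFA from RU), users, app names and sign-in events are all constructed.

```python
"""Toy Conditional Access evaluator (added example, not Microsoft's engine).

A policy is an if-then statement: IF the sign-in matches the conditions
(app, directory role, country, legacy protocol) THEN apply the control
(block, require MFA, require a managed device). Everything below is
constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SignIn:
    user: str
    app: str
    roles: set = field(default_factory=set)      # directory roles held by the user
    country: str = ""                             # resolved from the source IP
    legacy_auth: bool = False                     # e.g. IMAP/basic auth, cannot do MFA
    managed_device: bool = False
    mfa_done: bool = False


@dataclass
class Policy:
    name: str
    control: str                                  # block | require_mfa | require_managed_device
    apps: set = field(default_factory=set)        # empty set = all apps
    roles: set = field(default_factory=set)       # empty set = all users
    countries: set = field(default_factory=set)   # empty set = all locations
    legacy_auth: Optional[bool] = None            # None = don't care


def matches(policy: Policy, s: SignIn) -> bool:
    """The IF part: every condition the policy sets must hold."""
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.roles and not (policy.roles & s.roles):
        return False
    if policy.countries and s.country not in policy.countries:
        return False
    if policy.legacy_auth is not None and s.legacy_auth != policy.legacy_auth:
        return False
    return True


def evaluate(policies: list[Policy], s: SignIn) -> tuple[str, list[str]]:
    """The THEN part: returns (decision, names of the policies that applied).

    A block from any matching policy wins. Otherwise every matching policy's
    control must be satisfied before the sign-in is allowed.
    """
    applied = [p for p in policies if matches(p, s)]
    blocks = [p.name for p in applied if p.control == "block"]
    if blocks:
        return "blocked", blocks
    for p in applied:
        if p.control == "require_mfa" and not s.mfa_done:
            return "mfa_required", [p.name]
        if p.control == "require_managed_device" and not s.managed_device:
            return "managed_device_required", [p.name]
    return "allowed", [p.name for p in applied]


# Constructed policies mirroring the examples in these notes.
POLICIES = [
    Policy("Block legacy authentication", "block", legacy_auth=True),
    Policy("MFA for admins", "require_mfa", roles={"Global Administrator"}),
    Policy("MFA for payroll", "require_mfa", apps={"payroll"}),
    Policy("MFA when signing in from RU", "require_mfa", countries={"RU"}),
    Policy("Managed device for finance", "require_managed_device", apps={"finance"}),
]

if __name__ == "__main__":
    for s in (SignIn("alice", "payroll", country="NL"),
              SignIn("bob", "mail", legacy_auth=True),
              SignIn("carol", "wiki", roles={"Global Administrator"}, country="NL")):
        print(s.user, s.app, "->", evaluate(POLICIES, s))
```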

Common uses:

- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications

Conditional Access::Policies that regulate access to a resource or an app. Thought of as If-Then statements. For example, if I attempt to log in from Russia, I need to use MFA.
ID: 1670957141133
--------------------------------------------------------------------------------
/msdocs/AZ-104 - 3 - Implement and manage storage in Azure.md:
--------------------------------------------------------------------------------
# AZ-104 - 3 - Implement and manage storage in Azure

**Binary Large Object**
Also referred to as object storage or container storage. So it's the same as our Object Store in OpenStack.

Azure Blob Storage is a service for storing large amounts of unstructured object data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data.

- any type of text or binary data
- uses 3 resources:
  - Azure storage account
  - containers in the storage account
  - blobs in a container

==Blob cannot exist by itself. Must be inside a container resource.

An Azure account can have unlimited containers and containers can have unlimited blobs.

## use case examples

- **browser uploads**. Use Blob Storage to serve images or documents directly to a browser.
- **distributed access**. Blob Storage can store files for distributed access, such as during an installation process.
- **streaming data**. Stream video and audio by using Blob Storage.
- **archiving and recovery**. Blob Storage is a great solution for storing data for backup and restore, disaster recovery, and archiving.
- **application access**. You can store data in Blob Storage for analysis by an on-premises or Azure-hosted service.

## tiers

- premium
- hot
- cool (min 30 days)
- archive (min 180 days, offline)

## lifecycle management rules

You can set up rules with if-then clauses.

If blob older than 30 days, move to archive storage.
If blob older than 100 days, delete blob.

## blob object replication

asynchronous replication of containers across regions

- requires versioning to be enabled on source and destination
- doesn't support snapshots
- ==only for hot and cool tiers

For which tiers can you enable blob object replication?::Only for hot and cool tiers. Requires versioning to be enabled on source and destination.
ID: 1670597879288


## blob types

- block blob
  - blocks of data that are assembled to make a blob
  - most scenarios use block blobs
  - ideal for text and binary data: files, images, videos
- page blob
  - up to 8 TB in size
  - efficient for frequent read/write operations
  - Azure virtual machines use page blobs for OS disks and data disks
- append blob
  - similar to block, optimized for appending
  - useful for logging scenarios

## upload tools

- AzCopy
  - CLI tool for Windows and Linux
- Azure Data Factory
- blobfuse
  - can access blobs in a storage account through the Linux filesystem

# Storage Security

## SAS

Secure way to share storage resources without compromising account keys.

Grants access to a resource for a specified period of time.
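Because a SAS URL carries its permissions, validity window and protocol restriction as query parameters (sp, st, se, spr, sv, sr, sig), the time interval and permissions a SAS grants can be checked before the link is handed out. This is an added example, not code from these notes or the Azure SDK: the sample URL is the Microsoft docs sample quoted later in these notes, and the 24-hour lifetime threshold and the source-IP check are assumptions.

```python
"""Parse and audit an Azure Storage SAS URL (added example, not Azure SDK code).

A SAS URL is the resource URI plus a query-string token. The field names
(sp, st, se, spr, sv, sr, si, sip, sig) are the ones Azure uses; the lifetime
threshold and the sample URL are assumptions made for this example.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Sample from the Microsoft docs: read-only blob SAS, 8 hours, HTTPS only.
SAMPLE_SAS = (
    "https://medicalrecords.blob.core.windows.net/patient-images/"
    "patient-116139-nq8z7f.jpg?sp=r&st=2020-01-20T11:42:32Z"
    "&se=2020-01-20T19:42:32Z&spr=https&sv=2019-02-02&sr=b"
    "&sig=SrW1HZ5Nb6MbRzTbXCaPm%2BJiSEn15tC91Y4umMPwVZs%3D"
)


def split_sas(url: str) -> tuple[str, dict[str, str]]:
    """Return (resource URI without the query, token fields as single values)."""
    parts = urlsplit(url)
    uri = f"{parts.scheme}://{parts.netloc}{parts.path}"
    token = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return uri, token


def _ts(value: str) -> datetime:
    # SAS timestamps are ISO 8601 in UTC, e.g. 2020-01-20T11:42:32Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sas_lifetime(url: str) -> timedelta:
    """Validity window (se - st); start defaults to 'now' in Azure if absent."""
    _, tok = split_sas(url)
    start = _ts(tok["st"]) if "st" in tok else datetime.now(timezone.utc)
    return _ts(tok["se"]) - start


def audit_sas(url: str, max_lifetime: timedelta = timedelta(hours=24)) -> list[str]:
    """Return findings a reviewer would flag; an empty list means nothing unusual."""
    _, tok = split_sas(url)
    findings: list[str] = []
    if "sig" not in tok:
        findings.append("no signature (sig): not a SAS URL")
    # sp letters: r read, w write, d delete, a add, c create, l list
    risky = set(tok.get("sp", "")) & set("wdacl")
    if risky:
        findings.append(f"permissions beyond read: {''.join(sorted(risky))}")
    if "si" in tok:
        # Stored access policy: start, expiry and permissions live on the container.
        findings.append(f"stored access policy '{tok['si']}': check its expiry and permissions")
    elif "se" not in tok:
        findings.append("no expiry (se): token never expires")
    elif sas_lifetime(url) > max_lifetime:
        findings.append(f"lifetime {sas_lifetime(url)} exceeds {max_lifetime}")
    if tok.get("spr", "") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if "sip" not in tok:
        findings.append("no source IP restriction (sip)")
    return findings


if __name__ == "__main__":
    uri, tok = split_sas(SAMPLE_SAS)
    print("uri:  ", uri)
    print("token:", tok)
    print("lifetime:", sas_lifetime(SAMPLE_SAS))
    print("findings:", audit_sas(SAMPLE_SAS))
```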

- granular control
  - can grant access to multiple Azure Storage services: blobs, files, tables
  - can specify time interval + expiration
  - can specify permissions

## encryption

Azure Storage encryption is enabled for all new and existing storage accounts and can't be disabled.

Can you disable storage account encryption?::Enabled by default for all new and existing accounts. Cannot be disabled.
ID: 1670597879298

# Configure Storage Account

## types of storage

- virtual machine data
  - VM hard disks
    - max 32767 GB
    - number of disks depends on VM tier
- Unstructured data
  - least organized
  - mixed
  - **non-relational**
  - Azure Blob Storage
  - Azure Data Lake Storage
    - Hadoop Distributed File System as a service
- Structured Data
  - relational format
  - shared schema
  - f. ex. database table
    - rows
    - columns
    - keys
  - Azure Cosmos DB
    - globally distributed database service
  - Azure SQL Database
    - fully managed SQL database as a service

## storage account tiers

- standard
  - HDD
  - lowest cost
  - used for bulk storage that is infrequently accessed
- Premium
  - SSD
  - VM disks or databases

>[!NOTE]
>You can't convert a standard tier storage account to premium storage or vice versa

Can you convert a standard tier storage account to premium?::You can't convert a standard tier storage account to premium storage or vice versa.
ID: 1670597879305


## Azure Storage Services

- Blob storage (containers)
  - streaming video/audio
  - backup & restore
  - can be accessed from anywhere: URL, CLI, API
  - NFS protocol
- Azure Files
  - highly available network file shares
  - access by Server Message Block (SMB) or NFS protocol
  - authenticated with storage account credentials
- Azure Queue Storage
  - store and retrieve messages
- Azure Table Storage (Azure Cosmos DB)
  - fully managed NoSQL database
  - automatic management, updates, patching
  - automatic scaling
- Disks



>[!info]
>**Azure Queue Scenario**
>Consider a scenario where you want your customers to be able to upload pictures, and you want to create thumbnails for each picture. You could have your customer wait for you to create the thumbnails while uploading the pictures. An alternative is to use a queue. When the customer finishes the upload, you can write a message to the queue. Then you can use an Azure Function to retrieve the message from the queue and create the thumbnails. Each of the processing parts can be scaled separately, which gives you more control when tuning the configuration.

## replication strategy

- locally redundant storage (LRS)
  - replicated within the same data center
- zone redundant (ZRS)
  - replicated in multiple data centers in the same region
- geo redundant (GRS)
  - replicates to a secondary region
  - RA-GRS: based on GRS, but with read access at all times
    - with GRS you only have read access from the second region in case of a failover
- geo-zone redundant storage (GZRS)
  - combines ZRS with GRS
  - replicated across 3 zones in ZRS
  - replicated to a second region with GRS
  - also RA-GZRS

## access storage

>[!info]
> every object you store has a unique URL address


`//`**`mystorageaccount`**`.blob.core.windows.net/`**`mycontainer`**`/`**`myblob`**

Can configure custom domains



# Azure Storage Tools

- Azure Storage Explorer
  - GUI tool
  - does not need the Azure portal
- AzCopy
  - CLI
  - can run in the background
- Azure Import/Export service
  - physically send disks to be transferred to/from a storage account

# creating a storage account

Storage Account::A container that groups a set of Azure Storage services together. Can only contain these resources. Deleting an account deletes all data inside of it. Part of a resource group.
ID: 1669705497235

## Storage Account
- container that groups a set of Azure Storage services
- **Can only contain storage resources**
- ==Deleting account deletes all data inside of it
- Part of a resource group
  - Azure SQL and Cosmos DB cannot be included in a storage account
- account itself is free

What happens when you delete a storage account?::Deleting account deletes all data inside of it. Can only contain storage resources.
ID: 1670597879311


# Shared Access Signatures

Grants granular access to files in Azure Storage with a time limit.

>[!quote]
>With a SAS, you control what a client can do with the files and for how long.

three types:
- User delegation SAS
  - only for blob, secured with Azure AD
- Service SAS
  - storage account key
  - to access Blob, Queue, Table or File
- Account SAS
  - same as service SAS
  - but can also control access to service-level operations, such as Get Service Stats

SAS has two components:
- URI that points to the storage resource
- token that determines permissions

`https://medicalrecords.blob.core.windows.net/patient-images/patient-116139-nq8z7f.jpg?sp=r&st=2020-01-20T11:42:32Z&se=2020-01-20T19:42:32Z&spr=https&sv=2019-02-02&sr=b&sig=SrW1HZ5Nb6MbRzTbXCaPm%2BJiSEn15tC91Y4umMPwVZs%3D`

**uri**
`https://medicalrecords.blob.core.windows.net/patient-images/patient-116139-nq8z7f.jpg?`
**token**
`sp=r&st=2020-01-20T11:42:32Z&se=2020-01-20T19:42:32Z&spr=https&sv=2019-02-02&sr=b&sig=SrW1HZ5Nb6MbRzTbXCaPm%2BJiSEn15tC91Y4umMPwVZs%3D`

## stored access policy

A stored access policy is basically a template for creating SAS tokens. For example, in the C# code below you only reference the policy's identifier; the SAS builder then takes the start time, expiry and permissions from the stored policy instead of from the token.

```csharp
using Azure.Storage.Sas;

// Build a service SAS whose start time, expiry and permissions come from the
// stored access policy named by Identifier rather than being set on the builder.
BlobSasBuilder sas = new BlobSasBuilder
{
    BlobContainerName = "mycontainer",             // example container the policy is defined on
    Identifier = "stored access policy identifier" // name of the stored access policy
};
```

Can be used on all 4 types of storage: blob, file, queue, table

Properties
- identifier
- name
- start time
- expiry time
- permissions

# anki


LRS::Locally Redundant Storage
ID: 1669550890051

ZRS::Zone Redundant Storage. Multi datacenter in same region.
ID: 1669550890055

GRS::Geo Redundant Storage. Replicates to secondary region. RA-GRS
ID: 1669550890059

GZRS::Geo Zone Redundant Storage. 3 ZRS and to second GRS. Also RA-GZRS
ID: 1669550890062

Storage Account uniqueness?::Storage account name must be unique.
ID: 1669550890066

Storage object URL::mystorageaccount.blob.core.windows.net/mycontainer/myblob You need to know how the URL is built up. There is also table.core.windows.net, queue.core.windows.net, file.core.windows.net
ID: 1669705497240



URI::Uniform Resource Identifier. This is basically a large URL containing the parameters and access key to access the storage through GET requests
ID: 1669496089442


SAS::Shared Access Signature. Grants restricted access rights to resources within a specified time limit.
ID: 1669496089450


Blob Types::Block blob, page blob, append blob.
ID: 1669496089455


Block blobs::Blocks that are assembled. Used in most scenarios. Ideal for text and binary data: files, images and videos.
ID: 1669496089459


Page blob::Up to 8 TB. Best for frequent read/write operations. VMs use these for OS and data disks.
ID: 1669496089462


Append blob::Similar to block, optimized for appending. Useful for logging scenarios.
ID: 1669496089467




Azure Blob Storage::Binary Large Object. Service for storing large amounts of unstructured object data; it does not have a particular data model or definition. Same as Object Store.
ID: 1669496089471


How many blobs can you store?::Accounts can have unlimited containers and containers can have unlimited blobs.
ID: 1669496089474
--------------------------------------------------------------------------------
/msdocs/AZ-104 - 5 - Networking.md:
--------------------------------------------------------------------------------
# 5 - Networking

# VNets

A representation of your on-prem network in the cloud.

VNet::A logical isolation of the cloud dedicated to your subscription. Virtual network. Can be linked to other VNets.
ID: 1670142766944


- Can link to other VNets if the CIDRs don't overlap
  - on-prem and cloud

## subnets

A VNet can be subdivided into subnets. These provide logical subdivisions in the network.

> [!note]
> Azure reserves the first four and last IP address for a total of 5 IP addresses within each subnet.

# security groups

NSG::network security group
ID: 1670142766955


NIC::network interface controller
ID: 1670142766962


ASG::application security group
ID: 1670142766969

# Azure Firewall

- stateful firewall as a service
- unrestricted cloud scalability
- across subscriptions & VNets
- static public IP
- high availability
  - no additional load balancers required
- can have multiple public IP addresses

## hub-spoke

Beneficial when you have workloads in different environments that require shared services. Shared services are placed in the hub, such as DNS.

hub
- virtual network in Azure that acts as a central point of connectivity to your on-prem network

spokes
- virtual networks that peer with the hub
- used to isolate workloads

Traffic flows between the on-prem datacenter and the hub through an ExpressRoute or VPN gateway connection.

Hub::Virtual network in Azure that acts as a central point of connectivity to your on-prem network
ID: 1670151949124


Spokes::Virtual networks that peer with the hub. Used to isolate workloads
ID: 1670151949130


- Benefits
  - cost savings by centralizing
    - DNS server in a single location
  - overcome subscription limits by peering VNets to the hub


## firewall rules

- 3 kinds of rules
  - NAT rules
    - DNAT
      - Azure Firewall Destination Network Address Translation
    - translates and filters inbound traffic to subnets
    - each rule translates the public firewall IP and port to a private IP and port
    - useful when publishing SSH or RDP applications to the internet
    - needs a network rule to allow the traffic
  - Network Rules
    - any traffic that will be allowed to flow through the firewall must have a network rule
  - Application rules
    - uses FQDNs
      - Fully Qualified Domain Names
    - defines which FQDNs can be accessed from a subnet
    - example: specify Windows Update network traffic through the firewall

Firewall Rules - 3 Types::NAT rules: translates the public firewall IP to the private IP and port. Network rules: any traffic that flows through the firewall must have a network rule. Application rules: Defines which FQDNs can be accessed from a subnet.
ID: 1670151949170


FQDN::Fully Qualified Domain Name
ID: 1670151949176


# Azure DNS

Manages and resolves domain names in a virtual network.

Each domain has a DNS zone, and each DNS record for your domain is created in the DNS zone.

For example, contoso.com may contain a number of DNS records such as mail.contoso.com

DNS Zone::used to host the DNS records for a particular domain.
ID: 1670151949181


> [!note]
> You do not have to own a domain name to create a DNS zone with that domain name. However, you need to own the domain to configure the domain.

## record sets

> [!important]
> There is a difference between DNS record sets and individual DNS records

A record set is a collection of records in a zone that have the same name and the same type.

## private dns zones


Private zones provide name resolution for VMs within a virtual network and across VNets without having to create a custom DNS solution.

Name resolution across multiple virtual networks is probably the most common usage for DNS private zones.

They allow you to use custom domain names within a VNet.

Private DNS zones::Private DNS zones are used to configure name resolution between multiple VNets in Azure. They allow you to use custom domain names within VNets
ID: 1670175611848

DNS Apex domain::The highest level of your domain. AKA zone apex or root apex. Often represented by @ symbol in DNS zone records.
ID: 1670266082628


## alias records

A records and CNAME records don't support direct connection to Azure resources like load balancers. The solution is alias records.

They enable a zone apex domain to reference other Azure resources from the DNS zone.

The main advantage is that you can assign DNS records to an Azure resource such as a Public IP. When the Public IP changes, the DNS record will also be automatically updated.

DNS - Alias records::CNAME and A record don't support direct connection to Azure resources like load balancers. Alias records are the solution. Can assign DNS record to f. ex. an Azure public IP. When public IP changes, the DNS record will be auto updated.
ID: 1670266082633


# VNet peering

VNet Peering::Connects VNets with each other. Once peered, VNets appear as one for connectivity purposes.
ID: 1670175611852


- regional VNet peering
  - connects VNets in the same region
- global VNet peering
  - connects VNets in different regions
  - all public cloud regions, but not government cloud regions

- traffic between peered networks is private
- high performance
- no downtime when creating the peering

## service chaining

When VNet 1 and 2 are peered, and 2 and 3 are peered, 1 and 3 are not peered. In other words, peering is not transitive.

User defined routes and service chaining can be configured to provide the transitivity.


# VPN Gateway

- sends encrypted traffic between an Azure virtual network and an on-premises location over the public internet
- also encrypted traffic over the Microsoft network
- ==each VNet can have only 1 VPN gateway

## virtual network gateway
- 2 or more automatically configured VMs
- deployed to the gateway subnet (specific subnet for this)
- contain routing tables
- run specific gateway services
- can't directly configure these VMs
- can be VPN or ExpressRoute


Virtual Network Gateway::2 automatically configured VMs that run specific gateway services. Cannot directly configure these. Can be ExpressRoute or VPN Gateway
ID: 1670151949135

### gateway subnet

Contains IP addresses that are used by the Virtual Network Gateway.

If possible, best to use /28 or /27 to provide enough IP addresses for future requirements.

**==must be named GatewaySubnet==**

>[!important]
>Never deploy other resources (VMs) to the gateway subnet.
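The subnet rules collected in these notes (Azure reserves 5 addresses per subnet, the gateway subnet must be named GatewaySubnet and /27 or /28 is advised, peering needs non-overlapping CIDRs) can be checked before anything is deployed. This is an added example, not the page's own or Azure's validation code; the VNet, subnet names and address ranges are constructed, and treating anything smaller than /27 as a warning is an assumption based on the recommendation above.

```python
"""Sanity-check a VNet subnet plan (added example; not Azure's own validation).

Rules applied, taken from these notes:
- every subnet lies inside the VNet address space and subnets do not overlap
- Azure reserves 5 addresses per subnet (first four + last): usable = size - 5
- the gateway subnet is named exactly GatewaySubnet; /27 is treated as the
  smallest comfortable size (assumption based on the /27 or /28 advice)
- two VNets can only be peered when their address spaces do not overlap
All names and ranges below are constructed.
"""
from __future__ import annotations

import ipaddress

RESERVED_PER_SUBNET = 5
GATEWAY_SUBNET_NAME = "GatewaySubnet"
GATEWAY_MAX_PREFIXLEN = 27        # /27 or a bigger range (smaller prefix length)


def usable_addresses(cidr: str) -> int:
    """Addresses a subnet can actually hand out after Azure's reserved ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


def validate_vnet(vnet_cidr: str, subnets: dict[str, str]) -> list[str]:
    """subnets maps subnet name -> CIDR. Returns the problems found (empty = OK)."""
    problems: list[str] = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    nets: dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"{name}: invalid CIDR {cidr} ({err})")
            continue
        if not nets[name].subnet_of(vnet):
            problems.append(f"{name}: {cidr} is outside VNet {vnet_cidr}")
    # Subnets inside one VNet must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    # Gateway subnet: exact name and a comfortable size.
    for name in names:
        if name.lower() != GATEWAY_SUBNET_NAME.lower():
            continue
        if name != GATEWAY_SUBNET_NAME:
            problems.append(f"{name}: gateway subnet must be named exactly {GATEWAY_SUBNET_NAME}")
        if nets[name].prefixlen > GATEWAY_MAX_PREFIXLEN:
            problems.append(f"{name}: {nets[name]} is smaller than the recommended /27")
    return problems


def can_peer(vnet_a: str, vnet_b: str) -> bool:
    """Peering is only possible when the two address spaces do not overlap."""
    return not ipaddress.ip_network(vnet_a).overlaps(ipaddress.ip_network(vnet_b))


# Constructed sample plan: two workload subnets plus a /27 gateway subnet.
SAMPLE_VNET = "10.1.0.0/16"
SAMPLE_SUBNETS = {
    "web": "10.1.1.0/24",
    "db": "10.1.2.0/24",
    "GatewaySubnet": "10.1.255.0/27",
}

if __name__ == "__main__":
    for name, cidr in SAMPLE_SUBNETS.items():
        print(f"{name:14} {cidr:18} usable={usable_addresses(cidr)}")
    print("problems:", validate_vnet(SAMPLE_VNET, SAMPLE_SUBNETS) or "none")
    print("can peer 10.1.0.0/16 with 10.2.0.0/16:", can_peer("10.1.0.0/16", "10.2.0.0/16"))
```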


## VPN gateway

- can configure the gateway type when configuring the virtual network gateway
- type determines how it will be used and which actions the gateway takes
- type 'vpn' is different from an ExpressRoute gateway
- a VNet can have one VPN gateway and one ExpressRoute gateway

When a VPN gateway is created, the gateway VMs are deployed to the gateway subnet.

- Enables creation of:
  - VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet)
  - cross-premises VPN tunnel connection
    - Site-to-Site
      - between VPN gateway and on-premises VPN device
    - Point-to-Site
      - VPN connection over OpenVPN f.ex.
      - from a remote location to anything located in the virtual network
        - conference
        - home

VPN Gateway::A type of Virtual Network Gateway. Enables tunnel between the VPN Gateway and another VPN gateway (VNet to VNet)
ID: 1670151949144


Site to Site::Tunnel between VPN gateway and on-premises VPN device, connecting the on-prem network to the Azure VNet
ID: 1670151949154


Point to Site::Connection over f. ex. OpenVPN from remote location to anything located in the VNet. For example from home
ID: 1670151949163

### VPN gateway type

- route-based
- policy-based

Type depends on the connection topology.

Point-to-site requires the route-based VPN type.

Can also depend on the hardware. Site-to-site requires an on-prem VPN device. Some devices only support a certain type.

>[!note]
>Most VPN Gateway configurations require a route-based VPN

- route-based
  - uses routes in the IP forwarding or routing table to direct packets to tunnel interfaces
  - tunnel interfaces encrypt or decrypt packets going in and out of the tunnels
- policy-based
  - uses IPsec policies
    - combinations of address prefixes between on-prem and the Azure VNet
  - policy
    - access list in the VPN device configuration
  - limitations
    - only the Basic gateway SKU
    - only one tunnel
    - only for site-to-site connections


VPN Gateway type (2)::Route-based and policy-based. Most configurations require route-based VPN. Policy-based is only for site-to-site (S2S).
ID: 1670175611857


### high availability

Every Azure VPN gateway consists of two VMs in an active-standby configuration.

If one fails, the other VM takes over.

#### active-active

This is when you have both instances of the Gateway VMs establishing connections.

# ExpressRoute & Virtual WAN

## ExpressRoute

==A service that provides a direct connection from the on-premises datacenter to the Microsoft cloud.

Used for enterprise-class and mission-critical workloads.

A direct, private connection from your WAN (not over the public Internet) to Microsoft services, including Azure.

Works with an approved connectivity provider to establish the connections via a dedicated circuit.

ExpressRoute::Direct connection from on-prem datacenter to the Microsoft Cloud. Not over public internet. Uses an approved connectivity provider and a dedicated circuit. Used for mission-critical and enterprise-class workloads.
ID: 1670175611861


Difference with VPN
- site-to-site VPN traffic travels encrypted over the public internet
- S2S VPN is a secure failover path for ExpressRoute

- extends the on-prem network to Microsoft cloud services
  - Azure
  - 365
  - CRM Online

When connecting to Microsoft in Amsterdam through ExpressRoute, you'll have access to all Microsoft cloud services in Northern & Western Europe

### connection

- colocated at a cloud exchange
  - use the provider's Ethernet exchange at the colocation
- point-to-point Ethernet connections
  - cable to the datacenter
- any-to-any IPVPN networks
  - integrate your WAN with the Microsoft cloud

- point-to-site/VNet connection is fine for dev, test and lab
- VNet site-to-site for small production workloads
- ExpressRoute for enterprise-class and mission-critical production workloads & big data solutions

## Virtual WAN

Basically the hub-spoke model on steroids.

Simplifies complex hub-spoke VNet WAN deployments.

The virtual WAN is the hub and you can connect VNets as spokes.

> Azure Virtual WAN brings together many Azure cloud connectivity services such as site-to-site VPN, User VPN (point-to-site), and ExpressRoute into a single operational interface. Connectivity to Azure VNets is established by using virtual network connections.


Virtual WAN::Hub-spoke on steroids. Simplifies complex hub-spoke WAN Deployments. The Virtual WAN is the hub and you can connect VNets as spokes. Can connect to the hub via ExpressRoute, S2S VPN or P2S VPN.
ID: 1670175611866


# routing and endpoints

- system routes
  - refers to the default routing that is automatically done by Azure
    - as opposed to User Routes
  - directs network traffic between
    - VMs
      - in the same subnet
      - different subnets in the same VNet
    - data flow from VM to internet
    - on-prem networks
    - internet

- routing tables
  - contain information about system routes
  - set of rules that specify how packets should be routed
  - associated to subnets
  - matched by using destinations, which are:
    - IP address
    - VNet gateway
    - virtual appliance
    - internet
  - if a matching route can't be found, the packet is dropped


UDR::User Defined Routes. Control network traffic by defining routes that specify the next hop of the traffic flow. As opposed to system routes
ID: 1670175611870


System Routes::routing that is done automatically by Azure. Directs traffic between internet, on-prem networks and VMs in same subnet, different subnets in same VNet and data flow from VM to internet.
ID: 1670175611874


Routing tables::contain information about system routes. Set of rules that specify how packets should be routed. Associated to subnets
ID: 1670175611878


- User Defined routes
  - as opposed to system routes
  - custom configuration, for example:
    - directing traffic to a VM that performs routing or firewalling


>[!note]
>Each route table can be associated to multiple subnets, but a subnet can only be associated to a single route table.

## endpoints

Used for services such as Azure AD, Cosmos DB, Storage

>A virtual network service endpoint provides the identity of your virtual network to the Azure service.

Normally traffic from an Azure VNet uses a public IP address as a source address.

Service endpoints switch this traffic to use a virtual network private address as the source IP when accessing the Azure service from a virtual network.

This switch allows you to access the services without the need for reserved public IP addresses used in IP firewalls.

- Why?
  - improved security for Azure service resources
    - VNet private address spaces can overlap, therefore not suitable to identify traffic origin
      - hence public IPs are used normally
    - fully removes public internet access to resources
      - allowing traffic only from your virtual network
  - optimal routing from VNet
    - keeps traffic on Azure backbone network
  - no need for reserved public IP addresses in VNets
  - no NAT or gateway devices required to set up service endpoints

Service Endpoint::Provides identity of your VNet to the Azure service (Storage, Cosmos DB). Normally public IPs are used to identify the VNet. With a service endpoint, you use a private VNet IP as the source IP, thus shielding everything from the internet.
ID: 1670175611881


## Azure Private Link

Azure Private Link::Private connectivity from a VNet to Azure PaaS or Microsoft partner services
ID: 1670175611885


- Simplifies network architecture
- eliminates data exposure to public internet
  - traffic remains on Microsoft network
- global, no restrictions
- accessed via
  - private peering
  - VPN tunnels from on-prem or peered VNets

# Azure Load Balancer

Distributes inbound traffic to backend resources.

Two types: public and internal

- public
  - maps public IP and port of incoming traffic to private IP and port of the VM
  - maps response traffic from the VM back the same way
  - load balancing rules to distribute across multiple VMs or services

- internal
  - directs traffic to resources inside a VNet or that use a VPN to access Azure
  - frontend IP addresses and VNets are never directly exposed to an internet endpoint
  - However, example internal load balancer:
    - receiving database requests and distributing them to backend SQL servers
    - cross-premise VNet
      - load balancing from on-prem to VMs in the same VNet


- Session persistence
  - how traffic from a client should be handled
  - important! example: shopping cart
  - default: none
    - handled by any VM
  - client IP
    - successive requests from the same client IP are handled by the same VM
  - client IP and protocol
    - same, combined with protocol

- health probes
  - allow the load balancer to monitor app status
  - remove or add VMs from load balancer rotation based on the response to health checks
  - when a probe fails, the LB stops sending new connections to that VM

Load Balancer - Session Persistence::Example: shopping cart. If you need session persistence, successive requests from the same client IP must be handled by the same VM
ID: 1670175611888


Load Balancer types (2)::internal and public
ID: 1670175611893

# Application Gateway

Application Gateway::Provides load balancing and application routing capabilities across multiple websites.
ID: 1670266082638


Manages requests that client applications send to a web app.

- Uses application layer routing
  - routes to a pool of web servers
    - based on the URL of a request
  - pool can be
    - VMs
    - scale sets
    - Azure App Service

WAF::Web Application Firewall. Checks for threats based on OWASP.
ID: 1670266082643


# IP Address Schema

Three ranges of non-routable IP addresses for internal networks:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255

- VNet is different from on-prem network
  - ability to scale up and down
  - provisioning happens in seconds
  - no physical devices
    - virtual

## VNets

- A network in the cloud
  - can be divided in subnets

- By default, all subnets can communicate with each other in a VNet
  - deny communication using NSG

> [!note]
> the smallest subnet that is supported has a /29 subnet mask. The largest has a /2 subnet mask

Smallest Azure VNet subnet::/29 subnet mask. Largest is /2
ID: 1670266082647



## planning an IP scheme

- requirements
  - how many devices do you have on the network?
  - How many devices are you planning to add in the future?
  - Based on the services running on the infrastructure, what devices do you need to separate?
  - How many subnets do you need?
  - How many devices per subnet will you have?
  - How many devices are you planning to add to the subnets in future?
  - Are all subnets going to be the same size?
  - How many subnets do you want or plan to add in future?
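As an added example (not from the original notes), a small planning check that applies the rules above to a proposed VNet scheme: private ranges only, subnet prefixes between /2 and /29, every subnet inside the VNet, and no overlapping subnets. The function and variable names are mine; the five reserved addresses per subnet are Azure's documented reservation, not something the notes mention.

```python
import ipaddress

# The three non-routable ranges listed above.
PRIVATE_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LARGEST_PREFIX, SMALLEST_PREFIX = 2, 29  # Azure subnet bounds quoted in the note above
AZURE_RESERVED = 5  # Azure reserves the first four and the last address of every subnet


def is_private(net):
    """True when the network sits entirely inside one RFC 1918 range."""
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def usable_hosts(cidr):
    """Addresses left for devices after Azure's reserved ones (a /29 leaves 3)."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED, 0)


def check_scheme(vnet_cidr, subnet_cidrs):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []

    def parse(cidr):
        try:
            return ipaddress.ip_network(cidr, strict=True)  # reject host bits in a prefix
        except ValueError:
            problems.append(f"{cidr} is not a valid network address (host bits set?)")
            return None

    vnet = parse(vnet_cidr)
    if vnet is None:
        return problems
    if not is_private(vnet):
        problems.append(f"VNet {vnet} is not an RFC 1918 private range")
    subnets = [sn for sn in map(parse, subnet_cidrs) if sn is not None]
    for sn in subnets:
        if not LARGEST_PREFIX <= sn.prefixlen <= SMALLEST_PREFIX:
            problems.append(f"subnet {sn} is outside the /2../29 range Azure supports")
        if not sn.subnet_of(vnet):
            problems.append(f"subnet {sn} is not inside VNet {vnet}")
    for i, a in enumerate(subnets):  # pairwise overlap check between subnets
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one good subnet, one overlapping it, one outside the VNet.
    plan = ["10.0.0.0/24", "10.0.0.128/25", "10.1.0.0/24"]
    for line in check_scheme("10.0.0.0/16", plan) or ["plan is consistent"]:
        print(line)
```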

# VNet Peering

- peering = connecting VNets together
  - when peered, VMs in these networks can connect as if they're in the same network
  - private traffic on the Azure network
  - can peer across subscriptions

- 2 types of peering
  - Virtual network peering
    - VNets in the same Azure region
  - Global VNet peering
    - VNets in different regions

- reciprocal connections
  - when connecting through Azure CLI, only one side of the peering gets created
  - when connecting through Azure Portal, both sides get created

- transitivity
  - VNet peering is nontransitive
    - only directly peered networks can communicate
    - cannot communicate with peers of peers

- Gateway transit
  - can configure a hub with a gateway to connect with the on-prem network
  - Using the "Allow gateway transit" option, you can reach all the spokes when connected to the hub from on-prem
  - prevents the need to deploy gateways to all VNets

# Routing

BGP::Standard routing protocol for routing between two or more networks. Typically used to share on-prem routes to Azure when connected through ExpressRoute.
ID: 1670266082651


If multiple routes are available in a route table, the most specific option is used.

So for 10.0.0.0/16 and 10.0.0.0/24, the /24 is used because it covers fewer IP addresses.

## routing priority
1. user defined routes
2. BGP routes
3. System routes

This learn module has a lot of examples of creating subnets with the CLI:

https://learn.microsoft.com/en-us/training/modules/control-network-traffic-flow-with-routes/3-exercise-create-custom-routes?activate-azure-sandbox=true

## NVA

NVA::Network Virtual Appliance. Secures and monitors traffic between front-end public servers and internal private servers.
ID: 1670266082655


Virtual machines that control the flow of network traffic by routing. Typically used to manage traffic flowing from a perimeter-network environment to other networks or subnets.

Acts as a router that forwards requests between subnets on the VNet. The requests are inspected by the firewall on the NVA.

--------------------------------------------------------------------------------