AZ-304 Episode 1

AZ-304 Course Introduction Hello! Instructor Introduction

Susanth Sutheesh

Blog: AGuideToCloud.com @AGuideToCloud AZ-304 Architect Design Certification (AZ-304) AZ-304 Episode 2

Choose an Azure Compute Service Choosing an Azure Compute Service

Lift and Shift

Cloud Optimized Review Features

App Service

Functions

Batch

AKS

Container Instances

Virtual Machines Review – Hosting Models

IaaS

PaaS Service Limits and Cost Scalability Availability AZ-304 Episode 3

Determine Appropriate Compute Technologies Choosing an Azure Compute Option Containers with Orchestration Containers

Portability

Agility

Density

Resource isolation Serverless ~ Orchestrator or Serverless?

Manageability

Flexibility and control

Portability

Application integration

Cost

Scalability AZ-304 Episode 4

Recommend a Solution for Containers When to use Azure Kubernetes Service

Feature Considerations and Decisions

▪ Identity and security: Azure AD integration

▪ Logging and monitoring: Azure Monitor for containers, or custom monitoring solutions

▪ Auto scaling: manual and automatic, scheduled and programmatic, horizontal and vertical

▪ Cluster node upgrade: Azure-managed cluster upgrades and software updates

▪ GPU support: GPU-enabled node pools

▪ Storage volumes: static and dynamic storage volumes

▪ Virtual network (VNet): can be deployed into an existing VNet

▪ HTTP routing add-on: HTTP application routing support

▪ Docker image: Dockerfile-based images are supported by default

▪ Private container registry: integrates with Azure Container Registry (ACR), public and private repositories When to use Azure Container Instances

Fast startup times

Container access

Hypervisor-level security

Custom sizes

Linux and Windows containers

Persistent storage Bursting from AKS with ACI AZ-304 Episode 5

Provisioning Solutions for ACI Why automate compute provisioning?

Faster Deployment

Reduce Complexity

Tools for automating compute provisioning:

▪ Custom Script Extension

▪ Desired State Configuration (DSC) extensions

▪ Azure Automation State Configuration

▪ Chef

▪ Terraform

▪ Azure Resource Manager (ARM) templates AZ-304 Episode 6

Planning for Virtual Networks Planning for Virtual Networks

Address space (RFC 1918): every VNet is given one or more private address ranges, and resources receive their addresses from that space

Subnets: a range carved out of the address space; resources are assigned an address within their subnet, excluding the addresses Azure reserves in each subnet (the first four and the last, so the smallest usable subnet is a /29)
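A worked example of the address planning just described, added here as an illustration and not part of the course slides. It uses Python's ipaddress module to check that an address space is RFC 1918, carve subnets out of it, count usable hosts after Azure's five reserved addresses per subnet are removed, and flag overlaps with ranges you intend to peer or connect to on-premises. The /26 AzureFirewallSubnet is Azure's documented minimum and /27 for the GatewaySubnet is the usual recommendation; the hub, spoke and on-premises ranges are constructed for the example.

```python
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# default gateway (.1), two addresses for Azure DNS (.2 and .3) and the
# broadcast address. The smallest subnet Azure accepts is a /29.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole range lies inside one of the RFC 1918 private blocks."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(block) for block in RFC1918)


def usable_hosts(subnet):
    """Addresses a subnet can actually hand out once Azure's reservations are removed."""
    subnet = ipaddress.ip_network(subnet)
    if subnet.prefixlen > AZURE_SMALLEST_PREFIX:
        raise ValueError(f"{subnet} is smaller than the /29 minimum Azure allows")
    return subnet.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_subnets(address_space, sizes):
    """Carve subnets of the requested prefix lengths out of an address space.

    `sizes` maps subnet name -> prefix length, e.g. {"GatewaySubnet": 27, "web": 24}.
    Each subnet is placed on the next boundary aligned to its own size, so the
    caller does not have to order them by size. Returns name -> network and
    raises if the space is not private or runs out.
    """
    space = ipaddress.ip_network(address_space)
    if not is_rfc1918(space):
        raise ValueError(f"{space} is not an RFC 1918 range")
    plan, cursor = {}, int(space.network_address)
    for name, prefix in sizes.items():
        size = 2 ** (space.max_prefixlen - prefix)
        cursor = -(-cursor // size) * size          # round up to a size-aligned boundary
        candidate = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        if not candidate.subnet_of(space):
            raise ValueError(f"address space {space} exhausted at subnet {name}")
        plan[name] = candidate
        cursor += size
    return plan


def overlapping_pairs(named_ranges):
    """Pairs of ranges that overlap. VNet peering and site-to-site links to
    on-premises both require non-overlapping address spaces, so any pair
    returned here is a design error to fix before connecting the networks."""
    items = [(name, ipaddress.ip_network(r)) for name, r in named_ranges.items()]
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra.overlaps(rb)]


if __name__ == "__main__":
    # Constructed hub layout: gateway and firewall subnets first, then three tiers.
    hub = plan_subnets("10.0.0.0/16", {"GatewaySubnet": 27, "AzureFirewallSubnet": 26,
                                       "web": 24, "app": 24, "db": 24})
    for name, net in hub.items():
        print(f"{name:20} {net!s:18} usable hosts: {usable_hosts(net)}")
    # Constructed on-premises range that collides with the hub and must be renumbered.
    print(overlapping_pairs({"hub": "10.0.0.0/16", "spoke": "10.1.0.0/16",
                             "onprem": "10.0.128.0/17"}))
```

The overlap check is the one to run before requesting peering or a VPN/ExpressRoute connection: Azure refuses to peer overlapping VNets, and an on-premises range that overlaps the hub silently black-holes traffic once routes are advertised.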

Regions: a VNet is scoped to a single region; use VNet peering to connect VNets, including across regions

Subscription: multiple VNets can be created in a single subscription Naming and Regions Segmentation

Do any organizational security requirements exist for isolating traffic into separate virtual networks?

Do any organizational requirements exist for isolating virtual networks into separate subscriptions or regions?

How many network interfaces and private IP addresses do you require in a virtual network?

Do you want to connect the virtual network to another virtual network or on-premises network?

Do you have any organizational administration requirements for resources in different virtual networks? Network Security Connectivity

Peering

VPN Gateway

Name Resolution AZ-304 Episode 7

Network Addressing and Name Resolution Name Resolution for Resources in an Azure VNet

Name resolution scenarios (solution, then the DNS suffix that works):

▪ Between VMs in the same VNet, or Cloud Services role instances in the same cloud service: Azure DNS private zones or Azure-provided name resolution (hostname or FQDN)

▪ Between VMs in different VNets, or role instances in different cloud services: Azure DNS private zones, or customer-managed DNS servers forwarding queries between VNets for resolution by Azure (DNS proxy) (FQDN only)

▪ From an App Service (Web App, Function or Bot) using VNet integration to a VM in the same VNet: customer-managed DNS servers forwarding to Azure (DNS proxy) (FQDN only)

▪ From an App Service Web App to VMs in the same VNet: customer-managed DNS servers forwarding to Azure (DNS proxy) (FQDN only)

▪ From an App Service Web App to a VM in a different VNet: customer-managed DNS servers forwarding to Azure (DNS proxy) (FQDN only)

▪ On-premises computer and service names from VMs or role instances in Azure: customer-managed DNS (FQDN only)

▪ Azure hostnames from on-premises computers: forward queries to a customer-managed DNS proxy server in the corresponding VNet, which forwards them to Azure (FQDN only)

▪ Reverse DNS for internal IPs: Azure DNS private zones, Azure-provided name resolution, or customer-managed DNS (DNS suffix not applicable)

▪ Between VMs in different cloud services that are not in a VNet: not supported (connectivity between cloud services outside a VNet is not supported) Azure Provided Name Resolution

▪ No configuration is required.

▪ High availability. You don't need to create and manage clusters of your own DNS servers.

▪ You can use the service in conjunction with your own DNS servers, to resolve both on-premises and Azure host names.

▪ You can use name resolution between VMs and role instances within the same cloud service, without the need for an FQDN. Customer-Provided DNS Server AZ-304 Episode 8

Recommend Solutions for Network Security Network Security

Network security focuses on the following areas:

▪ Securing traffic flow between applications and the internet

▪ Securing traffic flow amongst applications

▪ Securing traffic flow between users and the application

Azure Network Security Best Practices Internet Protection

▪ Azure Security Center identifies internet-facing resources that aren’t assigned network security groups

▪ Application Gateway is a Layer 7 load balancer with a Web Application Firewall (WAF) for securing HTTP-based services Virtual Network Security

Network security groups operate at layers 3 and 4, allowing or denying traffic to and from network interfaces and subnets by source, destination, port and protocol Network Integration AZ-304 Episode 9

Recommendation for Hybrid Networks Azure ExpressRoute for Hybrid Networks ExpressRoute Connectivity Types ExpressRoute Circuits

A circuit is an ExpressRoute logical connection between an on-premises network and Azure, established through a connectivity provider

▪ Azure private peering

▪ Microsoft peering

▪ Circuit bandwidth ExpressRoute Reference Architecture ExpressRoute Benefits & Considerations

▪ Requires working with connectivity providers

▪ Requires on-premises high-bandwidth routers

▪ Circuit is managed by the connectivity provider

▪ No support for Hot Standby Router Protocol (HSRP); use a Border Gateway Protocol (BGP) configuration for router redundancy instead

▪ Operates at layer 3 and requires a network security appliance to manage threats

▪ Use the Azure Connectivity Toolkit to monitor connectivity between on-premises networks and Azure

▪ Requires network security appliances between the provider's edge routers and on-premises networks AZ-304 Episode 10

Implement a Secure Hybrid Network Implement a Perimeter Network to On-Premises Datacenter

▪ Gateway subnet: traffic destined for the web-tier subnet (10.0.1.0/24) is routed through the Azure Firewall instance by a user-defined route

▪ Web tier subnet: web-tier instances communicate with each other directly, without passing through Azure Firewall Architecture

▪ Azure virtual network

▪ Gateway

▪ Azure Firewall

▪ Virtual network routes

▪ Network security groups

▪ Bastion Recommendations

Access control recommendations

▪ Use role-based access control (RBAC) to manage the resources in your application

▪ Create roles: a DevOps role, a centralized IT administrator role, and a security IT administrator role

Resource group recommendations

▪ Assign RBAC roles to each resource group to restrict access

▪ Create a resource group containing the VMs, NSGs, and gateways, and assign the centralized IT administrator role to it

Networking recommendations

▪ Azure Firewall DNAT rule: destination address = public IP address of the firewall instance

▪ Translated address = private IP address of the target within the virtual network Security Considerations

Route on-premises user requests through Azure Firewall

Use NSGs to block/pass traffic between application tiers
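An added example (not from the course) of how an NSG actually decides: rules are evaluated in priority order, the first match wins, and Azure's default rules are always present underneath yours. The Rule model, the simplified service-tag handling and the three-tier addresses are constructed for the example. It shows the caveat practitioners hit when using NSGs between tiers: an explicit allow from the app tier does not isolate the database tier until the default AllowVnetInBound rule is overridden with an explicit deny, and that deny has to be preceded by an allow for the load balancer probe, because the VirtualNetwork tag includes the host address 168.63.129.16.

```python
import ipaddress
from dataclasses import dataclass

# 168.63.129.16 is the Azure host's virtual IP; it sources load-balancer health
# probes (AzureLoadBalancer tag) and is also included in the VirtualNetwork tag.
HOST_VIP = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for user rules; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*", or a service tag: VirtualNetwork, Internet, AzureLoadBalancer
    destination: str
    dest_ports: str    # "*", a port, or a range such as "1000-2000"


# Default rules Azure adds to every NSG. They cannot be deleted, only overridden
# by a user rule with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec, addr, vnet_ranges):
    # Simplified service tags: the real VirtualNetwork tag also covers peered
    # VNets, on-premises ranges reachable through a gateway and UDR prefixes.
    addr = ipaddress.ip_address(addr)
    in_vnet = any(addr in ipaddress.ip_network(r) for r in vnet_ranges) or addr == HOST_VIP
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return addr == HOST_VIP
    if spec == "Internet":
        return not in_vnet
    return addr in ipaddress.ip_network(spec)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(user_rules, direction, protocol, src, dst, dst_port, vnet_ranges):
    """Decide a flow the way an NSG does: rules sorted by priority, first match wins.
    Returns (access, rule name); a default rule always matches eventually."""
    for rule in sorted(user_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if (_addr_matches(rule.source, src, vnet_ranges)
                and _addr_matches(rule.destination, dst, vnet_ranges)
                and _port_matches(rule.dest_ports, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: the DenyAll default rule matches everything")


# Constructed three-tier layout: web 10.0.1.0/24, app 10.0.2.0/24, db 10.0.3.0/24.
VNET = ["10.0.0.0/16"]
DB_NSG_NAIVE = [
    Rule("AllowAppToSql", 100, "Inbound", "Allow", "Tcp", "10.0.2.0/24", "10.0.3.0/24", "1433"),
]
# The explicit allow alone does not isolate the tier: AllowVnetInBound still
# admits the web tier. Deny VirtualNetwork explicitly, but re-allow the load
# balancer probe first because the VirtualNetwork tag includes the host VIP.
DB_NSG_HARDENED = DB_NSG_NAIVE + [
    Rule("AllowLoadBalancerProbe", 3990, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyVnetInBound", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "*", "*"),
]


def db_tier_decision(rules, src_ip, port=1433):
    return evaluate(rules, "Inbound", "Tcp", src_ip, "10.0.3.4", port, VNET)


if __name__ == "__main__":
    for label, rules in (("naive", DB_NSG_NAIVE), ("hardened", DB_NSG_HARDENED)):
        for src in ("10.0.2.4", "10.0.1.4", "168.63.129.16"):
            print(label, src, "->", db_tier_decision(rules, src))
```

The same evaluation order applies in the portal's "effective security rules" view, which is the check to run after changing tier NSGs: if the web tier's address still resolves to AllowVnetInBound on the database NIC, the isolation is not in place.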

Assign DevOps access AZ-304 Episode 11

Planning Azure Migration Migration Journey

▪ Assess: start with a full assessment of your current environment

▪ Migrate: you'll need destination systems and services on Azure to migrate to

▪ Optimize: after your services are migrated, optimize them to ensure that they're running efficiently

▪ Monitor: Azure Monitor captures health and performance information from Azure VMs using the Log Analytics agent

Cloud Adoption Framework Discovery and Evaluation

Migration Strategy ▪ Rehost ▪ Refactor ▪ Rearchitect ▪ Rebuild ▪ Replace Migration Planning

Migration Planning ▪ Create a Cloud Migration Plan (requirements, environment, tools) ▪ Involve Stakeholders (business and IT)

▪ Calculate TCO ▪ Discover, evaluate, and document applications ▪ Tools and Partners Migration Steps

1. Prepare the source (vCenter Server) and target (Azure) environments 2. Set up and start replication 3. Test replication 4. Fail over to Azure

Database migrations steps 1. Assess your on-premises databases 2. Migrate the schemas 3. Create and run an Azure Database Migration Service 4. Monitor migration Optimize

• Use Azure Cost Management to analyze Azure costs for various management scopes

Azure Network Security Best Practices Monitor

Set up alerts based on data sources:

▪ Specific metric values like CPU usage ▪ Specific text in log files ▪ Health metrics ▪ An Autoscale metric AZ-304 Episode 12

Assessments using Azure Migrate Using Azure Migrate to Assess Environment

Assessment Steps:

1. Discover virtual machines 2. Create assessments Discover Machines Create an Assessment AZ-304 Episode 13

Migrate Servers with Azure Migrate Migrate Servers with Azure Migrate

Azure Migrate assessment identifies candidates for server migration to Azure. Virtual Machine Replication

Azure Migrate runs agentless migration of virtual and physical servers into Azure Migrating the VMs to Production

1. Select Migrate from the replicating machines 2. Shut down the VMs for final replication 3. Migrate during off-peak hours Post-Migration Steps

After the migration:

• Review security settings of virtual machines • Restrict network access for unused services (NSG) • Deploy Azure Disk Encryption AZ-304 Episode 14

Migrate DBs with Azure DMS Migrate DB with Azure DMS

▪ Offline migration requires downtime: the source server is taken out of service from the start of the migration until cutover

▪ Online migration uses a continuous synchronization of live data, allowing a cutover to the Azure replica database at any time Overview of Database Migration

Offline and online migrations prerequisites:

• Download the Data Migration Assistant • Create an Azure Virtual Network instance • Configure the network security group • Configure the Windows Firewall • Configure credentials Assess the On-Premises Databases

1. Use Data Migration Assistant to create an Assessment project 2. Select the source and target servers 3. Provide the connection details and permissions 4. Choose the database to migrate Migrate Data with DMS

1. Create an instance of Azure Database Migration Service 2. Create a new migration project 3. Specify source and target server details 4. Identify the databases 5. Run and monitor the migration 6. Review migrated content AZ-304 Episode 15

Tips for Identity & Access Management Tips for Identity and Access Management

This lesson covers the following tips for identity and access management:

▪ Single Enterprise Directory

▪ Synchronize Identity Systems

▪ Use Cloud Provider Identity Source for Third Parties

▪ Passwordless, or Multi-Factor Authentication for Admins

▪ Block Legacy Authentication

▪ Don’t Synchronize On-Premises Admin Accounts to Cloud Identity Providers

▪ Use Modern Password Protection Offerings

▪ Use Cross-Platform Credential Management Single Enterprise Directory

▪ For managing identities of full-time employees and enterprise resources

▪ A single authoritative source for identities

▪ Designate a single Azure Active Directory (Azure AD) instance directory

Centralized Identity Management Synchronize Identity Systems

▪ Synchronize cloud identity with existing identity systems

▪ Consistency of identities across cloud and on-premises reduces human errors

▪ Teams managing resources in both environments need a consistent authoritative source

▪ For Azure, synchronize Azure AD with an existing authoritative on premises Active Directory using Azure AD connect

▪ Also required for Office 365 migration

See: Turn on Conditional Access Block Legacy Authentication

Disable insecure legacy protocols for internet-facing services ▪ Legacy authentication is password-centric and a prime target for password spraying, dictionary, and brute-force attacks ▪ Nearly 100% of password spray attacks against Office 365 customers use legacy protocols ▪ Legacy protocols lack account lockouts and back-off timers
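An added example (not from the course) of the detection side of this: given Azure AD sign-in log records, list the users still authenticating with legacy clients, and flag source IPs whose failed sign-ins spread across many accounts in a short window, which is the password-spray pattern that per-account lockouts do not catch. The records are constructed to look like sign-in log entries; the field names (clientAppUsed, ipAddress, status.errorCode) follow the sign-in log schema, while the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client types that use modern authentication; everything else Azure AD reports in
# clientAppUsed (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other clients", ...) is legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
INVALID_CREDENTIALS = 50126   # Azure AD error code for a wrong username or password

# Constructed records shaped like Azure AD sign-in log entries (not real data).
SAMPLE_EVENTS = [
    {"createdDateTime": "2024-05-01T08:00:00+00:00", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:01:00+00:00", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:02:00+00:00", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.50", "status": {"errorCode": INVALID_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:02:20+00:00", "userPrincipalName": "dave@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.50", "status": {"errorCode": INVALID_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:02:40+00:00", "userPrincipalName": "erin@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.50", "status": {"errorCode": INVALID_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:03:00+00:00", "userPrincipalName": "frank@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.50", "status": {"errorCode": INVALID_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T08:10:00+00:00", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.10",
     "status": {"errorCode": INVALID_CREDENTIALS}},
    {"createdDateTime": "2024-05-01T09:00:00+00:00", "userPrincipalName": "grace@contoso.example",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.8", "status": {"errorCode": 0}},
]


def legacy_auth_users(events):
    """Map each user to the legacy client types they signed in with (successful or not).
    These are the users to notify before a Conditional Access block goes live."""
    users = defaultdict(set)
    for e in events:
        if e["clientAppUsed"] not in MODERN_CLIENTS:
            users[e["userPrincipalName"]].add(e["clientAppUsed"])
    return dict(users)


def password_spray_sources(events, min_users=3, window_minutes=10):
    """Source IPs that produced bad-password failures against at least `min_users`
    distinct accounts inside any `window_minutes` sliding window. A few attempts per
    account from one source is the spray signature that per-account lockouts miss."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == INVALID_CREDENTIALS:
            failures[e["ipAddress"]].append(
                (datetime.fromisoformat(e["createdDateTime"]), e["userPrincipalName"]))
    window, flagged = timedelta(minutes=window_minutes), set()
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    for user, clients in sorted(legacy_auth_users(SAMPLE_EVENTS).items()):
        print(f"{user}: {', '.join(sorted(clients))}")
    print("possible password spray from:", password_spray_sources(SAMPLE_EVENTS))
```

The first function produces the notification list the next slide calls for; the second is worth running before the block as well, since a spray that is already under way is the strongest argument for not extending the notice period.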

For Azure and Azure AD-based accounts, configure Conditional Access to block legacy protocols. ▪ Use the metrics and logging data provided by authentication providers to determine which users authenticate with older clients ▪ Disable legacy protocols that are not in use ▪ Provide ample notice and guidance to users ahead of the cutover from legacy authentication Don't Sync Admin Accounts

Don't synchronize accounts with the highest privilege access to on-premises resources while synchronizing enterprise identity systems with cloud directories

• Risk: Possible adversary gaining full control of on-premises assets following a successful compromise of a cloud account

Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory

• Note: Blocked by default in the Azure AD Connect configuration Use Modern Password Protection

▪ Provide modern and effective protections for accounts that cannot go passwordless

▪ Cloud identity providers apply anomaly detection to proactively notify companies when passwords have been compromised

▪ Cloud identity providers validate whether a sign-in appears legitimate and does not come from a malicious host Use Cross-Platform Credential Management

Azure Active Directory can be used to authenticate Windows, Linux, Azure, Office 365, Amazon Web Services (AWS), Google Services, (remote access to) legacy on-premises applications, and third-party Software as a Service providers AZ-304 Episode 16

Recommend a Solution for MFA Authentication vs Authorization

Authentication is the process of proving you are who you say you are. Authorization is the act of granting an authenticated party permission to do something.

▪ The Microsoft identity platform implements the OpenID Connect protocol for handling authentication

▪ The Microsoft identity platform implements the OAuth 2.0 protocol for handling authorization Using Microsoft Identity Platform

OAuth vs OpenID Connect:

▪ OAuth is used for authorization and OpenID Connect (OIDC) is used for authentication ▪ OpenID Connect is built on top of OAuth 2.0 ▪ You can both authenticate a user (using OpenID Connect) and get authorization to access a protected resource that the user owns (using OAuth 2.0) in one request Reasons for MFA

▪ Password complexity rules ▪ Password expiration rules ▪ Self-service password reset (SSPR)

▪ Azure AD identity protection ▪ Azure AD password protection ▪ Azure AD smart lockout ▪ Azure AD application proxy ▪ Single sign-on (SSO) ▪ Azure AD connect How MFA Works?

▪ Something you know ▪ Something you possess ▪ Something you are Conditional Access

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies Conditional Access with Azure MFA AZ-304 Episode 17

Five Steps for Securing Identity Infrastructure Five Steps

Five-step checklist to protecting against cyber-attacks by using Azure AD

▪ Step 1: Strengthen credentials

▪ Step 2: Reduce attack surface

▪ Step 3: Automate threat response

▪ Step 4: Utilize cloud intelligence

▪ Step 5: Enable end-user self-service Step 1 – Strengthen Credentials

▪ Use strong authentication

▪ Ban common passwords and turn off traditional complexity, and expiration rules

▪ Protect against leaked credentials

▪ Take advantage of intrinsically secure, easier-to-use credentials Step 2 – Reduce Attack Surface

▪ Block invalid authentication entry points

▪ Restrict user consent operations

▪ Implement Azure AD Privileged Identity Management

▪ Identify and manage users assigned to administrative roles

▪ Establish rules for multi-factor authentication

▪ Identify unused or excessively privileged roles Step 3 – Automate Threat Response

▪ Implement user risk security policy using Azure AD Identity Protection

▪ Implement sign-in risk policy using Azure AD Identity Protection Step 4 – Utilize Cloud Intelligence

Monitor Azure AD Connect Health in hybrid environments ▪ Details, resolution steps ▪ Usage analytics ▪ Performance monitoring and reports

Monitor Azure AD Identity Protection events ▪ Risky sign-in reports ▪ Risky user reports Step 5 – Enable End-User Self Service

▪ Self-service password reset

▪ Self-service group and application access

▪ Azure AD access reviews AZ-304 Episode 18

Recommend a Solution for SSO Azure Active Directory SSO Key Benefits

User experience

▪ Users are automatically signed into both on-premises and cloud-based applications. ▪ Users don't have to enter their passwords repeatedly.

Easy to deploy & administer

▪ No additional components needed on-premises to make this work ▪ Works with either method of cloud authentication (password hash synchronization or pass-through authentication) ▪ Can be rolled out to some or all of your users using Group Policy ▪ Register non-Windows 10 devices with Azure AD Considerations

▪ Can be combined with Password Hash or Pass-through Authentication

▪ Azure AD Join provides SSO for devices registered with Azure AD AZ-304 Episode 19

Recommend a Solution for a Hybrid Identity Considerations - MFA for Hybrid Identity

▪ Define the technical requirements for MFA

▪ Define the MFA strategy

▪ Define requirements for rolling out MFA

▪ Define technical requirements for enabling users for MFA Hybrid Identity Decision Tree Authentication Architecture

Simplicity of a password hash synchronization solution

Agent requirements of pass- through authentication, using two agents for redundancy Comparing Authentication Methods AZ-304 Episode 20

Recommend a Solution for B2B Integration Azure Active Directory B2B

Partners use their own identity management solution

Invite guest users with an invitation Add Guest Users in the Azure AD Portal

Add guest users in the Azure portal 1. Create a new guest user 2. The guest user receives and redeems the invitation 3. Assign the guest user to an app or group Integrate with Identity Providers

Set up Federation with Identity Providers

Create a Self- Service Sign-Up User Flow AZ-304 Episode 21

Recommend a Hierarchical Structure Hierarchy of Management Groups

Facts about management groups: • 10,000 management groups per directory • 6 levels of depth below the root (7 including the root; subscriptions don't count as a level) • Each management group or subscription has exactly one parent, and a management group can have many children • A single hierarchy per directory Root Management Group

▪ Default ID: the Azure Active Directory tenant ID ▪ Owner or Contributor at the root must be assigned explicitly; a Global Administrator first elevates their access to do so ▪ Cannot be moved or deleted ▪ All subscriptions and management groups in the directory fold up to the root management group ▪ Default parent for new subscriptions ▪ Can be seen by all customers, though not all can manage it Management Group Access Custom RBAC Role Definition and Assignment

Scenario: A custom role defined on the Marketing management group.

• The custom role is then assigned on two free trial subscriptions

• Attempt to move one of those subscriptions to be a child of the Production management group

• The move breaks the path from subscription role assignment to the Marketing management group role definition

• You'll receive an error saying the move isn't allowed since it will break this relationship
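An added example (not from the course) that models the rule behind this error: a custom role assignment is valid only while the role definition's scope lies on the path from the assignment's scope up to the root, and a move that would break that path is refused. The tree, role and subscription names are constructed. It also shows the two documented ways out: remove the assignment before moving, or define the role at a scope that stays on the path (the root, or a common parent).

```python
class ManagementGroupTree:
    """Model of an Azure management-group hierarchy: one tree per directory, each
    management group or subscription has exactly one parent, and the tree may be
    at most six management-group levels deep below the root (subscriptions excluded)."""
    MAX_MG_DEPTH = 6

    def __init__(self, root="tenant-root"):
        self.parent = {root: None}
        self.role_definitions = {}    # custom role name -> scope it is defined at
        self.role_assignments = []    # (role name, scope)

    def depth(self, node):
        steps = 0
        while self.parent[node] is not None:
            node, steps = self.parent[node], steps + 1
        return steps

    def scope_path(self, node):
        """The node and every ancestor up to the root; a role definition is usable
        at a scope only if it was defined somewhere on this path."""
        path = [node]
        while self.parent[path[-1]] is not None:
            path.append(self.parent[path[-1]])
        return path

    def add_management_group(self, name, parent):
        if self.depth(parent) + 1 > self.MAX_MG_DEPTH:
            raise ValueError(f"{name} would exceed {self.MAX_MG_DEPTH} levels below the root")
        self.parent[name] = parent

    def add_subscription(self, name, parent):
        self.parent[name] = parent

    def define_role(self, role, scope):
        self.role_definitions[role] = scope

    def assign_role(self, role, scope):
        if self.role_definitions[role] not in self.scope_path(scope):
            raise ValueError(f"{role} is not defined at or above {scope}")
        self.role_assignments.append((role, scope))

    def _broken_assignments(self):
        return [(role, scope) for role, scope in self.role_assignments
                if self.role_definitions[role] not in self.scope_path(scope)]

    def move(self, node, new_parent):
        """Re-parent a node, refusing (as Azure does) when any custom-role
        assignment at or under it would lose its path to the role definition."""
        old_parent = self.parent[node]
        self.parent[node] = new_parent
        broken = self._broken_assignments()
        if broken:
            self.parent[node] = old_parent
            raise ValueError(f"move of {node} not allowed, it would break {broken}")


def marketing_scenario():
    """The scenario from the slide: a role defined on Marketing, assigned on two
    trial subscriptions, then one subscription is moved under Production."""
    tree = ManagementGroupTree()
    tree.add_management_group("Marketing", "tenant-root")
    tree.add_management_group("Production", "tenant-root")
    tree.add_subscription("trial-1", "Marketing")
    tree.add_subscription("trial-2", "Marketing")
    tree.define_role("MarketingOperator", "Marketing")
    tree.assign_role("MarketingOperator", "trial-1")
    tree.assign_role("MarketingOperator", "trial-2")
    return tree


if __name__ == "__main__":
    tree = marketing_scenario()
    try:
        tree.move("trial-1", "Production")
    except ValueError as err:
        print(err)
    # Fix: define the role at a scope that stays on the subscription's path after
    # the move (here the root), then the move succeeds. Removing the assignment
    # first is the other option.
    tree.define_role("MarketingOperator", "tenant-root")
    tree.move("trial-1", "Production")
    print(tree.scope_path("trial-1"))
```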

What are the options for fixing this scenario? AZ-304 Episode 22

Design Governance Governance

Governance:

• How is the organization’s security going to be monitored, audited, and reported? • How does the organization know that things are actually working? • Are there new requirements? • Is there mandatory reporting? Risk

Risk:

• What types of risks does the organization face?

• Who may be interested or could use this information? Compliance

Compliance:

• Are there specific industry, government, or regulatory requirements that dictate or provide recommendations on criteria that your organization’s security controls must meet?

Define

Improve

Sustain Clear Lines of Responsibility

Network Security Incident Monitoring

Network Management Policy Management

Server Endpoint Security Identity Security Audit and Enforce Policy Compliance

• Audit environment

• Policy monitoring

• Use Azure Policy to create and manage policies that enforce compliance AZ-304 Episode 23

Recommend a Solution for using Azure Policy Compliance with Azure Policy

Azure Policy is an Azure service you use to create, assign, and manage policies

▪ Enforce rules

▪ Evaluate Noncompliance

▪ Audit Policies

▪ Integrate with Azure DevOps Azure Policy vs. RBAC

Unlike RBAC, which is default-deny and explicit-allow,

Azure Policy is a default-allow and explicit-deny system Azure Policy Initiatives or Azure Policies

• Azure Policy has three components:

• Policy definition - the conditions under which a resource is evaluated, and the effect applied when they match

• Policy assignment - the scope (management group, subscription, or resource group) to which a policy definition is applied

• Policy parameters - the values that customize a definition at assignment time, so one definition can serve many assignments Identifying Non-Compliant Resources
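An added example (not from the course) of the three components working together: a mini evaluator for the subset of the policy language that most built-in definitions use (allOf/anyOf/not, equals/notEquals/in/notIn/exists, and "[parameters('...')]" references), applied to constructed resources to list which ones an assignment would report as non-compliant, or deny on creation. The two definitions are modelled on the built-in secure-transfer and allowed-locations policies; the resources, ids and parameter values are constructed, and the evaluator's treatment of missing fields is a stated assumption rather than the service's exact behaviour.

```python
import re

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _resolve(value, params):
    """Substitute a "[parameters('name')]" reference with the assignment's value."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def _norm(value):
    # Azure Policy compares strings case-insensitively; booleans and numbers are
    # compared through their string form here (a simplification of the service).
    return str(value).lower()


def _matches(condition, resource, params):
    """Evaluate the subset of the policy language used by most built-ins."""
    if "allOf" in condition:
        return all(_matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource, params)
    field = condition["field"]
    present, actual = field in resource, resource.get(field)
    # Assumption: a missing field fails positive tests and passes negative ones.
    if "exists" in condition:
        return present == (_norm(_resolve(condition["exists"], params)) == "true")
    if "equals" in condition:
        return present and _norm(actual) == _norm(_resolve(condition["equals"], params))
    if "notEquals" in condition:
        return not present or _norm(actual) != _norm(_resolve(condition["notEquals"], params))
    if "in" in condition:
        return present and _norm(actual) in {_norm(v) for v in _resolve(condition["in"], params)}
    if "notIn" in condition:
        return not present or _norm(actual) not in {_norm(v) for v in _resolve(condition["notIn"], params)}
    raise ValueError(f"unsupported condition: {condition}")


def evaluate_assignment(definition, params, resources):
    """Return [(resource id, effect)] for every resource the policy rule matches.
    For audit/deny effects a match is a non-compliant resource; the effect is
    what would happen on create or update under that assignment."""
    rule = definition["policyRule"]
    effect = _resolve(rule["then"]["effect"], params)
    return [(r["id"], effect) for r in resources if _matches(rule["if"], r, params)]


# Definitions modelled on built-ins (the storage one parameterises its effect).
SECURE_TRANSFER = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"}]},
    "then": {"effect": "[parameters('effect')]"}}}

ALLOWED_LOCATIONS = {"policyRule": {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"}]},
    "then": {"effect": "deny"}}}

# Constructed resources, flattened to the alias names policy conditions use.
RESOURCES = [
    {"id": "sa-eu", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True},
    {"id": "sa-us", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False},
    {"id": "vnet-eu", "type": "Microsoft.Network/virtualNetworks", "location": "westeurope"},
    {"id": "tm-global", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
]


def non_compliant_report():
    return {
        "secure-transfer": evaluate_assignment(SECURE_TRANSFER, {"effect": "Deny"}, RESOURCES),
        "allowed-locations": evaluate_assignment(
            ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["westeurope", "northeurope"]}, RESOURCES),
    }


if __name__ == "__main__":
    for assignment, findings in non_compliant_report().items():
        print(assignment, findings)
```

Running the same definition with the effect parameter set to Audit rather than Deny is the usual rollout order: the audit assignment surfaces the existing non-compliant resources without blocking anyone, and the deny assignment follows once they are remediated.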

Use the applied policy definition to identify resources that aren't compliant with the policy assignment using the Azure portal Policy Effects View Policy Evaluation Results AZ-304 Episode 24

Recommend a Solution for using Azure Blueprint Azure Blueprints

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as: ▪ Role Assignments ▪ Policy Assignments ▪ Azure Resource Manager templates (ARM templates) ▪ Resource Groups Blueprints vs Resource Manager Templates

▪ Blueprints are designed for environment setup

▪ Templates are used for deployments; there is no active connection after deployment.

▪ Blueprints preserve the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed)

▪ Blueprints can upgrade multiple subscriptions at once

▪ Blueprints consist of zero or more templates

▪ Templates are reusable in Blueprints Blueprints vs Azure Policy

▪ Blueprints are packages with sets of standards, patterns, and requirements related to the implementation of Azure cloud services

▪ A policy is focused on resource properties

▪ A policy can be included as one of many artifacts in a blueprint definition AZ-304 Episode 25

Select an Appropriate Data Platform Recommending the Right Data Store

• Relational database management systems • Key/Value stores • Document databases • Graph databases • Data analytics Relational Database Management Systems

Relational databases organize data as a series of two-dimensional tables with rows and columns

Relevant Azure services: ▪ Azure SQL Database ▪ Azure Database for MySQL Key/Value Stores

A key/value store is a large hash table

Relevant Azure services: ▪ Cosmos DB ▪ Azure Cache for Redis ▪ Azure Tables Document Databases Graph Databases AZ-304 Episode 26

Overview of Azure Data Storage Azure SQL Database

Azure SQL Database is a fully managed platform as a service (PaaS) database engine

Azure SQL Database deployment options for a database: ▪ Single database ▪ Elastic pool Azure Cosmos DB

Azure Cosmos DB features: • Geo-replication • Elastic scaling of throughput and storage worldwide

• Five well-defined consistency levels Azure Blob Storage

▪ Azure Blob Storage is for unstructured data

▪ Highly scalable

▪ Thousands of simultaneous uploads

▪ Accessible from anywhere in the world Azure Files

Azure Files provides fully managed file shares accessible via the Server Message Block (SMB) protocol Azure Queue

Use queue storage to: • Create a backlog of work • Pass messages between services • Distribute load • Build resilience against component failures Disk Storage

▪ Provides disks for virtual machines, applications, and other services

▪ Persistent virtual hard disk storage

▪ Disks can be managed or unmanaged

▪ Solid-state drives (SSDs) and hard disk drives (HDDs)

▪ Standard SSD and HDD disks

▪ Premium SSD for mission-critical applications AZ-304 Episode 27

Recommend Database Service Tier Sizing Azure SQL DB & Azure SQL MI Service Tiers

❑ General purpose

❑ Business critical

❑ Hyperscale (Azure SQL Database only) General Purpose Service Tier

• 99.99% availability

• Separation of compute and storage (general purpose)

• Database files are stored in Azure Blob storage, which replicates them

General-purpose service: • A stateless compute layer - contains only transient and cached data • A stateful data layer - files (.mdf/.ldf) stored in Azure Blob storage Business Critical Tier

Premium/Business Critical service tier is based on a cluster of database engine processes Service Tier Comparison

https://docs.microsoft.com/en-us/azure/azure-sql/database/features-comparison Dynamically Scale Azure SQL

• Azure SQL Database – DTU / vCore

• Azure SQL Managed Instance - vCore

• DTU-based purchasing model - Basic, Standard, and Premium.

• vCore-based purchasing - General Purpose, Business Critical, and Hyperscale Scale Single Database

▪ Single databases in Azure SQL Database support manual dynamic scalability

▪ You can change DTU service tiers or vCore characteristics at any time with minimal downtime AZ-304 Episode 28

Recommend Database Encryption Options Data Encryption

▪ There are two top-level types of encryption: symmetric and asymmetric

▪ Symmetric encryption uses the same key to encrypt and decrypt the data

▪ Asymmetric encryption uses a public key and private key pair

▪ Either key can encrypt, but a key cannot decrypt data it encrypted itself

▪ To decrypt, you need the paired key

▪ Asymmetric encryption is used for things like the key exchange in TLS (used in HTTPS) and digital signatures
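A small added example (not from the course) that makes the bullets above concrete in code. The symmetric half is a counter-mode stream cipher built from HMAC-SHA256, so that one key both encrypts and decrypts; the asymmetric half is textbook RSA on the classic toy primes 61 and 53, showing that what the public key encrypts only the private key can decrypt, that applying the public key again does not recover the plaintext, and that the private key signs while the public key verifies. Both constructions are for illustration only: the stream cipher has no authentication and the RSA has no padding, so neither should be used as is.

```python
import hashlib
import hmac
import secrets


# ---- Symmetric: one shared key encrypts and decrypts ------------------------
def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher using HMAC-SHA256 as the PRF: keystream block i is
    HMAC(key, nonce || i). Encrypt and decrypt are the same operation because XOR is
    its own inverse. Demonstration only: no integrity protection; use AES-GCM in practice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# ---- Asymmetric: textbook RSA on toy primes ---------------------------------
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return (public, private) as (exponent, modulus). Toy sizes and no padding:
    this shows the key relationship, it is not a usable cryptosystem."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent, the modular inverse of e
    return (e, n), (d, n)


def rsa_apply(value: int, key) -> int:
    """value^exp mod n. Applying the public key is encryption (or signature
    verification); applying the private key is decryption (or signing)."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def _digest_mod_n(message: bytes, modulus: int) -> int:
    # Real signatures pad the hash (PKCS#1 v1.5 / PSS); reducing it mod a toy n
    # loses most of its bits and is acceptable only for this demonstration.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message: bytes, private_key) -> int:
    return rsa_apply(_digest_mod_n(message, private_key[1]), private_key)


def verify(message: bytes, signature: int, public_key) -> bool:
    return rsa_apply(signature, public_key) == _digest_mod_n(message, public_key[1])


if __name__ == "__main__":
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    ciphertext = stream_xor(key, nonce, b"symmetric: same key both ways")
    print(stream_xor(key, nonce, ciphertext))

    public, private = rsa_keypair()
    c = rsa_apply(42, public)
    print(rsa_apply(c, private), rsa_apply(c, public))   # only the paired key recovers 42
    s = sign(b"signed with the private key", private)
    print(verify(b"signed with the private key", s, public))
```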

Azure encryption overview Encryption at Rest

• Data at rest is the data that has been stored on a physical medium

• Unreadable without the keys and secrets

• Azure Disk Encryption uses BitLocker on Windows and dm-crypt on Linux

• Azure Storage and Azure SQL Database encrypt data at rest by default

• Use Azure Key Vault to maintain control of keys

• Encrypt drives before you write sensitive data Encryption in Transit

• Encrypting data in transit protects the data from outside observers

• Microsoft uses Transport Layer Security (TLS)

• Microsoft datacenters negotiate a TLS connection with client systems Identify and Classify Data

Data classification

▪ Restricted: poses significant risk if exposed, altered, or deleted; strong levels of protection are required. Example: data containing Social Security numbers, credit card numbers, personal health records

▪ Private: poses moderate risk if exposed, altered, or deleted; reasonable levels of protection are required. Data that is not classified as restricted or public is classified as private. Example: personal records containing information such as address, phone numbers, personal health records

▪ Public: poses no risk if exposed, altered, or deleted; no protection is required. Example: public financial reports, public policies, product documentation for customers Encrypting Raw Storage

• Azure Storage Service Encryption (SSE) for data at rest protects data to meet organizational security and compliance commitments

• The Azure storage platform automatically encrypts data with 256-bit Advanced Encryption Standard (AES) Encrypting Virtual Machines

• Azure Disk Encryption (ADE) encrypts Windows and Linux IaaS virtual machine disks

• ADE uses BitLocker on Windows and the dm-crypt feature of Linux

• ADE is integrated with Azure Key Vault Encrypting Databases

• Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics (formerly Azure SQL Data Warehouse)

• Real-time encryption and decryption

• Enabled by default

• Uses a symmetric key called the database encryption key (DEK)

• The DEK is protected by a TDE protector; with service-managed keys this is a built-in certificate unique to each logical server

• Bring-your-own-key (BYOK) is also supported, with the TDE protector held in Azure Key Vault Encrypting Secrets

• Key Vault keys can be protected by hardware security modules (HSMs): Premium-tier keys are generated and kept in FIPS 140-2 validated HSMs, while Standard-tier keys are software-protected

• Helps reduce the chances of accidental loss of security information

• Key Vaults control and log all access

• Can handle requesting and renewing Transport Layer Security (TLS) certificates

• Supports passwords, database credentials, API keys, and certificates AZ-304 Episode 29

Choose Between Storage Tiers Azure Blob Storage Access Tiers

• Hot and cool access tiers can be set at the account level (the default for new blobs) and at the blob level, during or after upload

• The archive tier can be set only at the blob level, during or after upload

• Data in the cool tier has the same durability as hot, with lower storage cost but higher access cost, higher retrieval latency, and a lower availability SLA

• Archive is an offline tier: a blob must be rehydrated to hot or cool, which can take hours, before it can be read Support Tiering for Storage Accounts

• Hot: • Active, frequent read-write

• Cool: • Short-term backup and disaster recovery • Older content not viewed frequently • Large data sets stored cost effectively

• Archive: • Long-term backup, secondary backup, and archival Common Questions

1. Should I use Blob storage or GPv2 accounts if I want to tier my data?

2. Can I store objects in all three (hot, cool, and archive) access tiers in the same account?

3. Can I change the default access tier of my Blob or GPv2 storage account?

4. Can I set my default account access tier to archive?

5. Do the blobs in the cool access tier behave differently than the ones in the hot access tier?

6. Are the operations among the hot, cool, and archive tiers the same? AZ-304 Episode 30

Azure Data Platform End-To-End Azure Data Platform End-To-End

This solution architecture demonstrates how a single, unified data platform can be used to meet the most common requirements for:

▪ Traditional relational data pipelines ▪ Big data transformations ▪ Unstructured data ingestion and enrichment with AI-based functions ▪ Stream ingestion and processing following the Lambda architecture ▪ Serving insights for data-driven applications and rich data visualization

Topics covered in this lesson include the following:

❑Use Cases ❑Architecture ❑Architecture Components Architecture

Streaming

Non-structured Data sources

Semi-Structured Data sources

Relational Databases Architecture Components

Azure Service Microsoft Learn Technical Documentation Azure Data Factory Data ingestion with Azure Data Factory Azure Data Factory Technical Documentation

Azure Synapse Analytics Implement a Data Warehouse with Azure Synapse Analytics Azure Synapse Analytics Technical Documentation

Azure Data Lake Storage Gen2 Large Scale Data Processing with Azure Data Lake Storage Gen2 Azure Data Lake Storage Gen2 Technical Documentation

Azure Cognitive Services Cognitive Services Learning Paths and Modules Azure Cognitive Services Technical Documentation

Azure Cosmos DB Work with NoSQL data in Azure Cosmos DB Azure Cosmos DB Technical Documentation

Azure Databricks Perform data engineering with Azure Databricks Azure Databricks Technical Documentation

Azure Event Hubs Enable reliable messaging for Big Data applications using Azure Event Hubs Azure Event Hubs Technical Documentation

Azure Stream Analytics Implement a Data Streaming Solution with Azure Stream Analytics Azure Stream Analytics Technical Documentation

Power BI Create and use analytics reports with Power BI Power BI Technical Documentation AZ-304 Episode 31

Recommend a Solution for Data Integration Data Flows using Azure Data Factory

▪ Azure Data Factory is a cloud-based ETL and data integration service

▪ Create and schedule data-driven workflows (pipelines)

▪ Build complex ETL processes

▪ Integrates with other compute services

What is Azure Data Factory? How Data Factory Works

▪ Connect and collect – Copy Activity

▪ Transform and enrich – Execute on Spark

▪ CI/CD and publish – Azure DevOps and GitHub

▪ Monitor - Azure Monitor, API, PowerShell Data Factory Key Concepts

▪ Pipeline ▪ Mapping data flows ▪ Activity ▪ Datasets ▪ Linked services ▪ Triggers ▪ Pipeline runs ▪ Parameters ▪ Control flow Integrate Data Factory and Databricks

1. Create an Azure storage account

2. Create a Data Factory instance - Portal

3. Create a data workflow pipeline – Copy activity

4. Add a Databricks notebook to the pipeline

5. Analyze the data – train data AZ-304 Episode 32

Data Warehousing and Big Data Analytics

Azure Synapse Analytics

▪ Synapse SQL
▪ Spark
▪ Synapse Pipelines
▪ Studio (preview)

Data flow:

1. Ingest data
2. Prepare data (Hadoop, Spark, and machine learning)
3. Use PolyBase to query big data stores
4. Use T-SQL queries to populate dedicated SQL pool tables
5. Store data in relational tables with columnar storage

Azure Synapse Analytics Architecture

Azure Storage • holds the table data, laid out by one of three patterns: hash, round robin, or replicate

Control node • runs the MPP engine; T-SQL queries are submitted here and turned into a parallel plan

Compute nodes • distributed processing of each query

Data Movement Service (DMS) • transports data between nodes when a query needs it

Distributions

Hash-Distributed Tables

▪ Each row belongs to one distribution
▪ A deterministic hash algorithm assigns each row to one distribution
▪ The number of table rows per distribution varies
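An added illustration (not from the course) of why the row count per distribution varies: the Python below assigns constructed rows to the 60 distributions of a dedicated SQL pool with a deterministic hash and measures the skew a high-cardinality key and a low-cardinality key produce, next to round-robin placement. SHA-256 modulo 60 is an assumption standing in for the engine's own hash function; the `order_id`/`region` columns and the row counts are invented.

```python
import hashlib
from collections import Counter

DISTRIBUTIONS = 60  # a dedicated SQL pool always spreads a table over 60 distributions


def hash_distribution(key_value) -> int:
    """Deterministic: equal key values always land in the same distribution.
    SHA-256 mod 60 is a stand-in (assumption) for the engine's internal hash."""
    digest = hashlib.sha256(str(key_value).encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % DISTRIBUTIONS


def place_hash(rows, key_column):
    """Rows per distribution for a table hash-distributed on key_column."""
    counts = Counter()
    for row in rows:
        counts[hash_distribution(row[key_column])] += 1
    return counts


def place_round_robin(rows, start=0):
    """Rows per distribution for a round-robin table. The engine picks the
    starting distribution at random; it is a parameter here for reproducibility."""
    counts = Counter()
    for i, _ in enumerate(rows):
        counts[(start + i) % DISTRIBUTIONS] += 1
    return counts


def skew(counts):
    """Largest distribution divided by the ideal (mean) size; 1.0 is perfectly even.
    A query finishes when its most loaded distribution does, so skew is lost parallelism."""
    mean = sum(counts.values()) / DISTRIBUTIONS
    return max(counts.values()) / mean


def make_rows(n):
    """Constructed sample: order_id is unique, region takes only four values."""
    regions = ("east", "west", "north", "south")
    return [{"order_id": i, "region": regions[i % len(regions)]} for i in range(n)]


def distribution_report(rows):
    """(skew, distributions actually used) per placement strategy."""
    placements = {
        "hash(order_id)": place_hash(rows, "order_id"),
        "hash(region)": place_hash(rows, "region"),
        "round_robin": place_round_robin(rows),
    }
    return {name: (round(skew(c), 2), len(c)) for name, c in placements.items()}


if __name__ == "__main__":
    for name, (s, used) in distribution_report(make_rows(6000)).items():
        print(f"{name:15s} skew={s:5.2f} distributions used={used}")
```

Hashing on the unique `order_id` uses all 60 distributions with skew close to 1; hashing on `region` lands every row in at most four distributions, so 56 compute slots sit idle while four do all the work. Round robin is perfectly even but, having no key, cannot co-locate rows for a join, which is why the choice of distribution column is a data-modelling decision rather than a tuning knob.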

Round-Robin Distributed Tables

• A round-robin distributed table distributes rows evenly across all distributions

• The starting distribution is chosen at random and rows are then assigned in turn; because there is no distribution key, joins and aggregations usually require data movement

Replicated Tables

▪ A replicated table caches a full copy of the table on each compute node

▪ Removes the need to transfer data among compute nodes before a join or aggregation

▪ Best with small tables (under 2 GB compressed, typically dimension tables)

AZ-304 Episode 33

Monitoring Azure

Traditional application and infrastructure monitoring is based on whether the application is running or not, and on the response time it is giving

This lesson summarizes the following recommendations for:

• Application Monitoring

• Platform Monitoring

• Monitoring Best Practices

Application Monitoring

Application Insights:

▪ Default dashboard
▪ Performance statistics
▪ Smart Detection
▪ Usage Analysis
▪ Cross-component transaction diagnostics
▪ Snapshot Debugger

Platform Monitoring

Container Insights

▪ Monitors clusters, nodes, and pods and presents visual, actionable information

▪ Collects CPU and memory metrics and logs for individual Kubernetes pods

Network Watcher

▪ Traffic Analytics

▪ Network Performance Monitor

▪ VPN diagnostics

▪ Connection Monitor

Monitoring Best Practices

Event correlation

• Create shared dashboards to expose relevant information to different groups

Notifications

• Action groups in Azure Monitor notify multiple recipients and trigger automated actions

• Define the actions to execute when specific alerts fire

Other monitoring tasks

• Review Azure subscription limits

• Understand Azure support plans

• Monitor expiration dates of digital certificates

AZ-304 Episode 34

Azure Monitor

Monitor Azure Resources

The Azure Monitor data platform collects data into logs and metrics, where they can be analyzed together with a complete set of monitoring tools

Costs Associated with Monitoring

There is no cost for analyzing monitoring data that is collected by default:

▪ Platform Metrics

▪ Activity Log

▪ Alert Rules

Monitoring Data

▪ Platform metrics

▪ Resource logs

▪ Activity log

Configure Monitoring

Monitoring data is collected automatically

• Platform metrics
• Resource logs
• Activity log

Monitoring in Azure Portal

Monitor data from each resource's Overview page

Insights and Solutions

• Customized monitoring experience

• Predefined monitoring logic

Activity Log

▪ The initial filter is set to the current resource

▪ Copy it to a Log Analytics workspace to use it with log queries and workbooks

Azure Monitor Logs

(Diagram) Sources of metrics and logs (Azure resources, operating systems, and custom sources) feed the data stores for monitoring data (Metrics and Logs), which in turn feed analysis, alerting, and streaming to external systems

Azure Sentinel

▪ Built-in threat intelligence for detection and investigation

▪ Collects data on the devices, users, infrastructure, and applications

▪ Cloud and on-prem monitoring/management

▪ Investigates threats using AI
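The Activity Log records that Azure Monitor collects by default, and that a Log Analytics workspace or Sentinel would receive, are the raw material for the kind of detection these slides describe. As an added example (not course material), the Python below runs over constructed Activity Log records in the shape the Activity Log REST API and `az monitor activity-log list` return (the identities, resource groups and timestamps are invented), reports successful Resource Manager deployments per resource group for a month, and flags any deployment made by an identity outside an allow-list of deployment principals.

```python
from collections import Counter

DEPLOYMENT_WRITE = "Microsoft.Resources/deployments/write"

# Constructed sample records (invented identities, groups and times). Field names follow
# the Activity Log event schema, where operationName and status are objects with a 'value'.
EVENTS = [
    {"eventTimestamp": "2020-11-03T09:12:44Z", "caller": "deploy-sp@example.onmicrosoft.com",
     "operationName": {"value": DEPLOYMENT_WRITE}, "status": {"value": "Started"},
     "category": {"value": "Administrative"}, "resourceGroupName": "rg-prod"},
    {"eventTimestamp": "2020-11-03T09:13:10Z", "caller": "deploy-sp@example.onmicrosoft.com",
     "operationName": {"value": DEPLOYMENT_WRITE}, "status": {"value": "Succeeded"},
     "category": {"value": "Administrative"}, "resourceGroupName": "rg-prod"},
    {"eventTimestamp": "2020-11-17T22:41:03Z", "caller": "alice@example.com",
     "operationName": {"value": DEPLOYMENT_WRITE}, "status": {"value": "Succeeded"},
     "category": {"value": "Administrative"}, "resourceGroupName": "rg-prod"},
    {"eventTimestamp": "2020-11-20T14:05:59Z", "caller": "deploy-sp@example.onmicrosoft.com",
     "operationName": {"value": DEPLOYMENT_WRITE}, "status": {"value": "Succeeded"},
     "category": {"value": "Administrative"}, "resourceGroupName": "rg-dev"},
    {"eventTimestamp": "2020-11-21T08:00:00Z", "caller": "bob@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"}, "status": {"value": "Succeeded"},
     "category": {"value": "Administrative"}, "resourceGroupName": "rg-dev"},
    {"eventTimestamp": "2020-10-30T11:30:00Z", "caller": "alice@example.com",
     "operationName": {"value": DEPLOYMENT_WRITE}, "status": {"value": "Succeeded"},
     "category": {"value": "Administrative"}, "resourceGroupName": "rg-dev"},
]


def completed_deployments(events, month):
    """Succeeded deployment writes whose timestamp falls in month ('YYYY-MM').

    Only the Succeeded record is counted: a deployment also logs Started (and
    possibly Accepted or Failed), so counting every record would double count."""
    return [e for e in events
            if e["operationName"]["value"] == DEPLOYMENT_WRITE
            and e["status"]["value"] == "Succeeded"
            and e["eventTimestamp"].startswith(month)]


def deployments_per_resource_group(events, month):
    """The monthly report line: how many deployments landed in each resource group."""
    return dict(Counter(e["resourceGroupName"] for e in completed_deployments(events, month)))


def deployments_outside_allow_list(events, month, allowed_callers):
    """Deployments by identities that are not the expected pipeline principals.
    A human deploying straight into production is worth an alert, not just a report line."""
    allowed = {c.lower() for c in allowed_callers}
    return [(e["eventTimestamp"], e["caller"], e["resourceGroupName"])
            for e in completed_deployments(events, month)
            if e["caller"].lower() not in allowed]


if __name__ == "__main__":
    print(deployments_per_resource_group(EVENTS, "2020-11"))
    print(deployments_outside_allow_list(EVENTS, "2020-11", ["deploy-sp@example.onmicrosoft.com"]))
```

Because the Activity Log is retained for only 90 days in the platform, a monthly report or a retrospective investigation needs the log copied to a Log Analytics workspace (or to Sentinel), where the same filter is a one-line query over the AzureActivity table.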

Azure Sentinel is a cloud-native security information and event management (SIEM) service

Azure Security Center

▪ Manages infrastructure security from a centralized location

▪ Monitors security of workloads on-premises or in the cloud

▪ Monitors the health of resources and surfaces recommendations to remediate findings

AZ-304 Episode 35

Architectural Best Practices for Reliability

Best Practices for Reliability

1. Define Requirements

2. Use Architectural Best Practices

3. Test with Simulations and Forced Failovers

4. Deploy the Application Consistently

5. Monitor Application Health

6. Respond to Failures and Disasters

Azure Well-Architected Framework: overview of the reliability pillar

Define Requirements

• Identify workloads and usage

• Plan for usage patterns

• Establish availability metrics (MTTR/MTBF)

• Establish recovery metrics (RTO/RPO)

• Determine workload availability targets

• Understand service-level agreements
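As an added worked example (not part of the course), the Python below turns the metrics on this slide into numbers: availability from MTBF and MTTR, the monthly downtime an availability target allows, whether an RTO fits inside that budget, and the composite SLA of a workload modelled as a small dependency tree (`all_of` = every component must be up, so SLAs multiply; `any_of` = any one redundant copy suffices, assuming independent failures). The sample tree uses the published SLAs for App Service (99.95%), Azure SQL Database (99.99%) and Traffic Manager (99.99%); the workload itself is hypothetical.

```python
HOURS_PER_MONTH = 30 * 24


def availability_from_mtbf_mttr(mtbf_hours, mttr_hours):
    """Steady-state availability: the fraction of time the component is up."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def allowed_downtime_minutes(availability, period_hours=HOURS_PER_MONTH):
    """Downtime budget implied by an availability target over a period (default: 30 days)."""
    return (1.0 - availability) * period_hours * 60.0


def composite_sla(spec):
    """Evaluate a dependency tree.

    spec is a number (one component's SLA), {"all_of": [...]} (serial dependency:
    the product of the parts) or {"any_of": [...]} (independent redundancy:
    1 - the product of the parts' failure probabilities)."""
    if isinstance(spec, (int, float)):
        return float(spec)
    if "all_of" in spec:
        result = 1.0
        for part in spec["all_of"]:
            result *= composite_sla(part)
        return result
    if "any_of" in spec:
        all_down = 1.0
        for part in spec["any_of"]:
            all_down *= 1.0 - composite_sla(part)
        return 1.0 - all_down
    raise ValueError("spec must be a number, {'all_of': [...]} or {'any_of': [...]}")


def rto_fits_budget(rto_minutes, availability, outages_per_month=1):
    """An RTO is only credible if the expected outages, each lasting up to the RTO,
    stay inside the downtime budget the availability target allows."""
    return rto_minutes * outages_per_month <= allowed_downtime_minutes(availability)


# Hypothetical workload: App Service in front of Azure SQL Database in one region, then the
# same stack in two regions behind Traffic Manager (published SLAs at the time of the course).
APP_SERVICE, SQL_DB, TRAFFIC_MANAGER = 0.9995, 0.9999, 0.9999
SINGLE_REGION = {"all_of": [APP_SERVICE, SQL_DB]}
TWO_REGIONS = {"all_of": [TRAFFIC_MANAGER, {"any_of": [SINGLE_REGION, SINGLE_REGION]}]}


if __name__ == "__main__":
    print(f"single region composite SLA: {composite_sla(SINGLE_REGION):.6%}")
    print(f"two regions composite SLA:   {composite_sla(TWO_REGIONS):.6%}")
    print(f"downtime budget at 99.99%:   {allowed_downtime_minutes(0.9999):.2f} min/month")
    print(f"MTBF 720 h, MTTR 2 h:        {availability_from_mtbf_mttr(720, 2):.4%}")
    print(f"90 min RTO fits 99.5%? {rto_fits_budget(90, 0.995)}  fits 99.99%? {rto_fits_budget(90, 0.9999)}")
```

Two things the numbers make visible: a single-region stack can never reach a target higher than its weakest dependency (here 99.94%, below a 99.99% goal), and a 99.99% target leaves about four minutes of downtime a month, so a 90-minute RTO is inconsistent with it and one of the two has to change. The `any_of` branch assumes the two regions fail independently and says nothing about data loss; the RPO is a separate requirement set by the replication mechanism, not by this arithmetic.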

See: Define requirements

Use Architectural Best Practices

• Perform a failure mode analysis (FMA)

• Create a redundancy plan

• Design for scalability

• Plan for subscription and service requirements

• Use load-balancing to distribute requests

• Build availability requirements into your design

• Manage your data

See: Use architectural best practices

Azure Service Dependencies

▪ No Azure service depends on a single logical data center

▪ Non-regional services are deployed to two or more regions

▪ Customers choose the specific regions in which their data is stored

▪ Microsoft publishes Azure service dependency documentation

See: Azure service dependencies

Test with Simulations and Forced Failovers

▪ Test for common failure scenarios by triggering actual failures or by simulating them

▪ Identify failures that occur only under load

▪ Run disaster recovery drills

▪ Perform failover and failback testing

▪ Run simulation tests

▪ Test health probes

▪ Test monitoring systems

▪ Include third-party services in test scenarios

▪ See: Test with simulations and forced failovers

Deploy Applications Consistently

▪ Automate your application deployment process

▪ Design your release process to maximize availability

▪ Have a rollback plan for deployment

▪ Log and audit deployments

▪ Document the application release process

▪ See: Deploy the application consistently

Monitor Application Health

• Implement health probes and check functions

• Check long-running workflows

• Maintain application logs

• Measure remote call statistics and share the data with the application team

• Track transient exceptions and retries over an appropriate time frame

• Set up an early warning system

• Operate within Azure subscription limits

• Monitor third-party services

• Train multiple operators to monitor the application and to perform manual recovery steps

See: Monitor application health

Respond to Failures and Disasters

• Plan for Azure support interactions

• Document and test your disaster recovery plan

• Fail over manually when required

• Prepare for application failure

• Recover from data corruption

• Recover from a network outage

• Recover from a dependent service failure

• Recover from a region-wide service disruption

See: Respond to failures and disasters

AZ-304 Episode 36

Recommend an Azure Site Recovery Solution

Azure to Azure DR Architecture

Target Resources

▪ Subscription

▪ Resource group

▪ VNet

▪ Storage account

▪ Managed disks

▪ Availability sets

▪ Availability zones

Replication Policy

▪ Recovery point retention – how long recovery points are kept (default 24 hours)

▪ App-consistent snapshot frequency – how often application-consistent snapshots are taken (default 4 hours)

Snapshots and Recovery Points

Recovery points are created from snapshots

Site Recovery snapshots:

Crash-consistent - data that was on the disk when the snapshot was taken

App-consistent - all the information in a crash-consistent snapshot, plus all the data in memory and transactions in progress

Failover Process

AZ-304 Episode 37

Archive On-premises Data to Cloud Architecture

Components:

▪ Azure StorSimple
▪ Blob Storage

Archive on-premises Data to Cloud

Archive on-premises data to Azure Blob storage

Azure StorSimple

Azure Blob Storage

Backup On-prem App and Data to the Cloud

Backup data and applications from an on-premises system to Azure using Azure Backup

Azure Backup Server

Azure Backup service

Blob Storage

Backup Cloud Applications and Data to Cloud

Azure Backup

Blob Storage

AZ-304 Episode 38

Azure High Availability Solutions

Availability Zones

Availability Zones are unique physical locations within an Azure region

• A zone is made up of one or more datacenters with independent power, cooling, and networking

• The physical separation of Availability Zones within a region limits the impact of a datacenter failure on applications

• Zones are designed so that if one zone is affected, regional services, capacity, and high availability are supported by the remaining zones in the region

Delivering Reliability in Azure

Designing solutions that continue to function despite failure is key to improving the reliability

▪ Resilient foundation

▪ Resilient services

▪ Resilient applications

Foundation is the Microsoft investment in the platform, including Availability Zones

Services support high availability, such as zone-redundant storage (ZRS)

Applications should be architected to support resiliency

Zonal vs. Zone-Redundant Architecture

Zonal: individual load balancers (and the VMs behind them) are deployed to specific zones. Zone-redundant: a single zone-redundant Standard load balancer spans all zones in the region

See: Zonal vs. zone-redundant architecture

SLA offered by Availability Zones

High availability SLA offered by a single VM (99.9%, with Premium SSD or Ultra Disk for all disks), Availability Sets (99.95%), and Availability Zones (99.99%)

High Availability for BCDR

1. Create zone-redundant Load Balancer

2. Create front-end subnet

3. Create DB subnet

4. Create VMs in three Availability Zones

5. Configure zone-redundant SQL DB

6. Add VMs to the load balancer's back-end pool

7. Deploy your application on the VMs for redundancy and high availability

AZ-304 Episode 39

Recommendations for Minimizing Azure Costs

Azure Cost Management

View Cost Breakdown by Azure Service

1. Review invoiced charges in Cost Analysis

2. View cost breakdown by Azure resource

3. View cost breakdown by selected dimensions

View Costs by Day or Month

Monthly or daily: Cost Management + Billing > Cost Management > Cost Analysis

View Reservation Charges

• Actual cost – The purchase as it appears on the bill

• Amortized cost - Amortized cost over the duration of the reservation term

After purchasing a reservation, it's important to track its utilization

View Costs for a Specific Tag

Support for tags applies only to usage reported after the tag was applied to the resource

1. Cost Management + Billing > Cost Management > Cost analysis

2. Select Group by and choose the tag

Download Usage Details

Cost Management + Billing > Billing > Usage + charges

Select the line item to download and click the download symbol

AZ-304 Episode 40

Knowledge Check Part 1

AZ304 Review Question 1

You are designing a container solution in Azure that will include two containers. One container will host a web API that will be available to the public. The other container will perform health monitoring of the web API and will remain private. The two containers will be deployed together as a group. You need to recommend a compute service for the containers. The solution must minimize costs and maintenance overhead. What should you include in your recommendation?

❑ Azure Kubernetes Service (AKS)

❑ Azure Container Instances

❑ Azure Container registries

❑ Azure Service Fabric

AZ304 Review Question 2

You are designing a solution for a company to deploy software for testing and production. The solution must meet the following requirements: o Applications must be deployed to several different environments and must run without installation dependencies. o Existing published applications must be ported to the new solution. o Application developers must be given flexibility when designing the architecture for their code. What should you include in your solution for hosting applications?

❑ Azure Kubernetes Service (AKS)

❑ Azure Container Instances

❑ Azure Logic App

❑ Azure Batch

AZ304 Review Question 3

You are recommending a solution for an organization that wants to run an image rendering application in Azure.

What is the best service to use to run the workload?

❑ Azure Kubernetes Service (AKS)

❑ Azure Container Instances

❑ Azure Function App

❑ Azure Batch Service

AZ304 Review Question 4

You are designing a solution for an on-premises network to deploy a virtual appliance. The plan is to deploy several Azure virtual machines and connect the on-premises network to Azure by using a site-to-site connection. All network traffic directed from the Azure virtual machines to a specific subnet must flow through the virtual appliance. You need to recommend a solution to manage network traffic. What is the solution?

❑ Implement an Azure virtual network

❑ Implement Azure ExpressRoute

❑ Implement Azure Batch Service

❑ Configure Azure Traffic Manager

AZ304 Review Question 5

You are designing a solution for on-premises networks and Azure virtual networks. You need a secure private connection between on-premises networks and the Azure virtual networks. The connection must offer a redundant pair of cross connections to provide high availability. What should you recommend?

❑ Virtual network peering

❑ Azure Load Balancer

❑ VPN Gateway

❑ ExpressRoute

AZ304 Review Question 6

You use a virtual network to extend an on-premises IT environment into the cloud. The virtual network has two virtual machines that store sensitive data. The data must only be available using internal communication channels. Internet access to those VMs is not permitted. You need to ensure that the VMs cannot access the Internet. What should you recommend?

❑ Azure ExpressRoute

❑ Azure Load Balancer

❑ Source Network Address Translation (SNAT)

❑ Network Security Groups (NSG)

AZ304 Review Question 7

A company that you are consulting for has 400 virtual machines hosted in a VMware environment. The virtual machines vary in size and have various utilization levels. They plan to move all the virtual machines to Azure. You need to recommend how many Azure virtual machines, and of what size, will be required to move the current workloads to Azure. The solution must minimize administrative effort. What should you recommend?

❑ Azure Pricing calculator

❑ Azure Cost Management

❑ Azure Advisor

❑ Azure Migrate

AZ304 Review Question 8

You are advising an organization that has an on-premises Hyper-V cluster that hosts 30 virtual machines. Some virtual machines run Windows Server 2019 and some run Linux. The organization wants to migrate the virtual machines to an Azure subscription. You need to recommend a solution to replicate the disks of the virtual machines to Azure. The solution must ensure that the virtual machines remain available during the migration of the disks. You recommend implementing an Azure Storage account, and then using Azure Migrate. Does this meet the goal?

❑ Yes

❑ No

AZ304 Review Question 9

A company you advise wants to deploy Azure AD Connect to synchronize identity information from their on-premises AD DS directory to an Azure AD tenant. The synchronized identity information includes group memberships, user accounts, and credential hashes (password hash sync). The company plans to deploy VMs (Linux and Windows). The requirements for the VMs include: o Must allow users to sign in to the domain with their organizational credentials and connect remotely to the VMs by using Remote Desktop. o Must support Group Policy, Kerberos and NTLM authentication, LDAP read and bind, and domain join.

Which service should you recommend?

❑ Azure AD Domain Services

❑ Azure AD Privileged Identity Management (PIM)

❑ Azure Managed Identity

❑ Application Insights

AZ304 Review Question 10

You advise an organization that has an existing hybrid deployment of Azure AD. They have asked you to recommend a solution that makes certain that the Azure AD tenant can only be managed from computers that are within the on-premises network. What should you recommend?

❑ A user-assigned Managed Service Identity

❑ A custom RBAC role

❑ Azure Managed Identity

❑ A Conditional Access policy

AZ304 Review Question 11

You are advising an organization that is exploring an Azure AD hybrid identity solution. They have asked you to recommend a solution that ensures their users can authenticate even if the internet connection is not available. The proposed solution must also keep authentication prompts to a minimum for users. What would you include in the solution?

❑ Pass-through Authentication and Azure AD Seamless SSO

❑ A custom RBAC role

❑ Password hash synchronization and Azure AD Seamless SSO

❑ Active Directory Federation Services

AZ304 Review Question 12

You are recommending a design for a SaaS app that will allow Azure AD users to create and publish reviews online. There will be a front-end web app and a back-end web API. The web app will depend on the web API to handle updates to the customer reviews. You need to recommend a design for the authorization flow of the SaaS app that meets the following: o To access the back-end web API, the web app must authenticate by using OAuth 2 bearer tokens. o The web app must authenticate by using the identities of the individual users.

If tokens are generated by Azure AD, which part of the solution performs the authorization?

❑ Azure AD

❑ The web API

❑ The web app

❑ Azure Key Vault

AZ304 Review Question 13

An organization you are consulting with has an existing Azure AD tenant. They plan to deploy multiple Azure Cosmos DB databases that will use the SQL API. You are asked to recommend a solution that provides Azure AD user accounts with read access to the Cosmos DB databases.

What do you recommend?

❑ Master keys and Azure Information Protection policies

❑ A resource token and an Access control (IAM) role assignment

❑ SAS and Conditional Access policies

❑ Azure Key Vault and certificates

AZ304 Review Question 14

An organization has asked you to make a recommendation on whether to use Azure Active Directory Domain Services (Azure AD DS). They have an existing Azure AD tenant. They want to provide access to shared files with Azure Storage. The users will be provided different levels of access to the Azure file shares based on their user account or group membership. They ask that you recommend which Azure services to use.

What do you recommend?

❑ Azure Information Protection

❑ An Azure AD DS instance

❑ Azure Information Protection

❑ Azure Key Vault and certificates

AZ-304 Episode 41

Knowledge Check Part 2 AZ304 Review Question 15

You have been asked to recommend a solution for developers that grants them the ability to provision virtual machines. The requirements are scoped to the following: o Allow creation of VMs only in specific regions o Allow only specific sizes for the VMs

What do you recommend?

❑ ARM templates

❑ Azure Policy

❑ Conditional Access policies

❑ RBAC

AZ304 Review Question 16

You are advising a company that has an Azure subscription with several resource groups, including a group called Tailwind_RG1. An administrator named Tailwind_admin1 has been assigned the Owner role for the subscription. You are asked to prevent Tailwind_admin1 from modifying resources in Tailwind_RG1, while still allowing Tailwind_admin1 to manage the resources in the other resource groups.

What do you recommend?

❑ An Azure Blueprint

❑ An Azure Policy

❑ A Conditional Access policy

❑ A custom role

AZ304 Review Question 17

You advise a company that plans to deploy multiple Azure App Service instances that will use Azure SQL Databases. The instances will be deployed at the same time as the Azure SQL Databases. The company requires that App Service instances be deployed to specific regions, and that the resources for each App Service instance be in the same region. You need to recommend a solution that meets the requirements. You recommend using an Azure Policy initiative that enforces location.

Does your recommendation meet the requirements?

❑ Yes

❑ No

AZ304 Review Question 18

You are asked to provide a recommendation for a governance solution for an auto parts wholesaler. They ask that all the Azure resources are identifiable based on the following: Loc: the location of the warehouse CostCenter: the Cost Center to be tracked by accounting Categ: the category of parts PartNum: the part number You need to make sure that they can use the operational information when they generate the report. What do you recommend?

❑ Azure management groups and RBAC

❑ Azure Policy that enforces tagging rules

❑ Custom role assignments

❑ Azure Advisor alerts

AZ304 Review Question 19

You are asked to recommend a data storage solution to fit the following requirements. o Applications must be able to have access to data using a REST connection. o The storage solution must hold costs to a minimum. o The solution will host 30 independent tables of changing sizes and varied usage patterns. o Automatic replication of the data to a second Azure region. What do you recommend?

❑ Tables within an Azure Storage account using geo-redundant storage (GRS)

❑ An Azure SQL Database elastic database pool using active geo-replication

❑ Tables within an Azure Storage account using read-access geo-redundant storage (RA-GRS)

❑ An Azure SQL Database using active geo-replication

AZ304 Review Question 20

You are asked to recommend a solution for migrating application data to Azure. The scenario is as follows: o An existing application instance consumes data from multiple databases. o The application code references database tables using a combination of server, database, and table name. o You need to migrate the application data to Azure. Which service do you recommend?

❑ SQL Managed Instance

❑ An Azure SQL Database

❑ An Azure Storage account

AZ304 Review Question 21

You are designing a solution for an organization with the following requirements. o They are using Application Insights. o They intend to use continuous export. o Application Insights data needs to be stored for four years. Which service do you recommend?

❑ Azure Storage

❑ Azure Backup

❑ Azure SQL Database

❑ Azure Storage Service Encryption (SSE)

AZ304 Review Question 22

You are asked to design a messaging application that runs on a Linux VM and uses Azure Storage queues. You are asked to recommend a solution for the app to interact with the storage queues. The requirements are as follows: o Upload messages every 15 minutes, scheduled by a cron job o Create and delete messages every 3 minutes. What do you recommend developers use to work with the queue?

❑ AzCopy

❑ Azure Data Lake

❑ .NET Core

AZ304 Review Question 23

You are recommending a solution for an auto parts wholesaler who is in the process of migrating to a new warehouse management system. The warehouse managers must keep file-based database backups for five years to meet OEM agreement standards. Given past experiences, using backups is not often necessary. Where would you advise the wholesaler to store their backups?

❑ Azure Blob storage using the Cool tier

❑ Azure Blob storage using the Archive tier

❑ Azure Data Factory

❑ Azure Blob storage using the Hot access tier

AZ304 Review Question 24

The same auto parts wholesaler has set up an Azure Storage account that contains two 4-GB data files named Partslist1 and Partslist2. The data files have been set to use the Archive access tier. You are asked to make sure that the Partslist2 data file is immediately accessible when a retrieval request begins. You recommend that the Partslist2 data file be set to the Hot access tier so that access is without delay. Does this recommendation fulfill the requirements?

❑ Yes

❑ No

AZ304 Review Question 25

The same auto parts wholesaler has set up an Azure Storage account that contains two 2-GB data files named OEMlist1 and OEMlist2. The data files have been set to use the Archive access tier. You are asked to make sure that the OEMlist1 data file is immediately accessible when a retrieval request begins. You recommend adding a new file share to the Azure Storage account. Does this recommendation fulfill the requirements?

❑ Yes

❑ No

AZ304 Review Question 26

You are asked to make a recommendation for storing data in Blob storage for an auto parts distributor. The data will be stored in the cool access tier or the archive access tier depending on the access pattern of the data. You are given the following data categories and their retention periods. o Part distribution barcodes: deleted after 3 years o Return location: deleted after 220 days o Refund transaction number: deleted after 14 days You recommend using the archive access tier to store the files listed above. Which of the following supports the recommendation?

❑ Access to data is guaranteed within 15 minutes

❑ Storage costs will be based on a minimum of 200 days

❑ Storage costs will be based on a minimum of 30 days

AZ-304 Episode 42

Knowledge Check Part 3 AZ304 Review Question 27

You are designing a database migration solution for an organization with 80 SQL Server Integration Services (SSIS) packages that are configured to use eight on-premises SQL Server databases as targets. Below are the specifics: o They want to migrate 8 on-premises SQL Server databases to Azure SQL Database. o The solution must be able to host the SSIS packages in Azure. o The solution needs to ensure that the packages can target the SQL Database instances as destinations. Which service do you recommend?

❑ Azure Migration Assistant

❑ Azure Backup

❑ Azure Data Factory

❑ Azure Data Catalog

AZ304 Review Question 28

You are designing an automated process to facilitate the upload of data to an Azure SQL Database once a week. Below are the specifics: o Ensure that weekly reports are generated from web access logs. o The web access logs data is stored in Azure Blob storage. You need to recommend an automated process for uploading the data to an Azure SQL Database once a week. Which of the options below do you recommend?

❑ Azure Migration Assistant

❑ Azure Backup

❑ Azure SQL Server Migration Assistant

❑ Azure Data Factory

AZ304 Review Question 29

You are recommending a service for an organization that has the following requirements. o They store data files in Azure Blob storage. o They want to transform the files and then move them to Azure Data Lake Storage. o The solution must ensure that the data is transformed by a mapping data flow.

Which service do you recommend?

❑ Azure Databricks

❑ Azure Data Factory

❑ Azure Stack Hub

❑ Azure SQL Server Migration Assistant

AZ304 Review Question 30

You are advising a company that wants to increase efficiency while reducing costs. The flow below shows how the log files generated by users of a web server are processed. o Log Files -> Azure Data Factory -> Azure Data Lake Storage -> Azure Databricks -> Power BI o The log files are consistent in format, and 500-900 MB of logs are created per day. Power BI is used to view the data. o You are asked to recommend a solution that minimizes costs without affecting functionality. What do you recommend?

❑ Replace Azure Data Lake Storage with Azure Storage

❑ Replace Azure Databricks with Azure AI

❑ Replace Azure Data Factory with cron jobs using AzCopy

AZ304 Review Question 31

Your organization has an Azure VM named OEM_VM3 that runs on Windows Server 2019 and contains 1 TB of data files. You are asked to design a solution using Azure Data Factory to transform the data files and then load them into Azure Data Lake Storage. What should you deploy on OEM_VM3 to support your design?

❑ A self-hosted integration runtime

❑ An Azure key vault in the same region as the storage account

❑ An on-premises data gateway

❑ An Azure runbook

AZ304 Review Question 32

You are asked to recommend a solution to generate a monthly report on all the recent Azure Resource Manager resource deployments in a subscription.

Which two solutions below should you include in your recommendation?

❑ Azure Advisor

❑ Azure Activity Log

❑ Application Insights

❑ Azure Log Analytics

❑ Azure Monitor action groups

AZ304 Review Question 33

You are asked to recommend a solution that supports multiple Azure subscriptions and third-party hosting providers. You are designing a central monitoring solution that will provide the following services: o Collect log and diagnostic data from all subscriptions and third-party providers into a central repository. o Also, services that analyze log data, detect threats, and provide automatic responses to known events. Which Azure service should you include in the recommended solution?

❑ Azure Activity Log

❑ Application Insights

❑ Azure Sentinel

❑ Azure Log Analytics

❑ Azure Monitor

AZ304 Review Question 34

You are asked to recommend the implementation of a retail order processing web service that will consist of microservices hosted in an Azure Service Fabric cluster. You need to recommend a solution that lets developers actively identify and resolve performance issues. The developers need the ability to simulate user connections to the order processing web service from the web and to simulate user transactions. The developers want to be notified if transaction response-time thresholds are not met. What should you recommend for the solution?

❑ Azure Network Watcher

❑ Azure Sentinel

❑ Azure Log Analytics

❑ Application Insights

AZ304 Review Question 35

You have been asked to design a business continuity solution for the deployment of a payment processing system to Azure for an auto parts wholesaler. The payment processing system will use Azure VMs running SUSE Linux Enterprise Server and Windows. You need to recommend a business continuity solution that fulfills the following: o Provide business continuity if an Azure region fails. o Minimize costs. o Provide an RTO of 90 minutes. o Provide an RPO of 5 minutes.

What should you recommend?

❑ Azure Backup

❑ Azure Site Recovery

❑ Premium managed disks

❑ Azure Data Lake Analytics with Azure Monitor Logs

AZ304 Review Question 36

You are asked to design a storage solution to support on-premises resources and Azure-hosted resources.

You need to provide on-premises storage that has built-in replication to Azure. Your solution is to include StorSimple as a part of your design.

Does your design recommendation provide on-premises storage with replication to Azure?

❑ Yes

❑ No

AZ-304 Episode 43

Knowledge Check Part 4 AZ304 Review Question 37

You need to recommend a strategy for moving a web app named WebApp4 from an on-premises data center to Azure. WebApp4 depends on an extension that is installed on the host server. You need to recommend a solution for hosting WebApp4 in Azure. The recommendation should fulfill the following: o WebApp4 must be available to users if an Azure data center becomes unavailable. o Cost should be minimized. What should your recommendation include?

❑ In two Azure regions, deploy a load balancer and a virtual machine scale set.

❑ Deploy a load balancer and a virtual machine scale set across two availability zones.

❑ In two Azure regions, deploy a load balancer and a web app.

❑ In two Azure regions, deploy a Traffic Manager profile and a web app.

AZ304 Review Question 38

You are recommending a plan for deploying 15 applications to Azure. The applications will be deployed to two Azure Kubernetes Service clusters. Each cluster will be deployed to a separate Azure region. The application deployment must meet the following requirements: Ensure that the applications remain available if a single AKS cluster fails. Ensure that the connection traffic over the internet is encrypted by using SSL without having to configure SSL on each container instance.

Which Azure service should you include in your recommendation?

❑ AKS ingress controller

❑ Azure Front Door

❑ Azure Traffic Manager

❑ Azure Load Balancer

AZ304 Review Question 39

You advise a company that plans to deploy multiple instances of an Azure web app across multiple regions. You need to recommend an access solution for the Azure web app. The recommendation must fulfill the following: o Include rate limiting o Balance all requests between all instances o Allow users to access the Azure web app even during a regional outage

You recommend using Azure Front Door to provide access to the Azure web app. Does your recommendation meet the requirements?

❑ Yes

❑ No

AZ304 Review Question 40

You are designing an Azure solution for your organization that has five departments. Every department will deploy Azure app services and Azure SQL databases. You are asked to recommend a solution that reports costs for each department deploying the databases and app services and there needs to be a combined view for the cost reporting.

Your solution: Create an individual resource group for each department and place the separate resources for each department in their individual groups.

Does this fulfill your objective?

❑ Yes

❑ No

AZ304 Review Question 41

You manage an Azure subscription that contains 250 Linux virtual machines. You need to evaluate CPU utilization and network throughput over time to check whether the resources are used adequately. You want to identify unused machines and choose whether to decommission, resize, or shut them down to meet the cost requirements.

What should you do next?

❑ Modify the inventory settings for all VMs.

❑ Use Azure Advisor to identify underutilized virtual machines.

❑ From Azure Advisor, modify the Advisor configuration.

❑ Assign tags to the VMs.

AZ304 Review Question 42

You are responsible for identifying and managing costs for your organization. You have been tasked with reporting on the parts of your infrastructure that cost the most, for a monthly review meeting. You notice that VM compute costs are relatively small, yet you accrue significant networking costs because of the volume of data emitted by the VMs.

What should you do?

❑ Use Azure Advisor to view a dashboard to identify costs.

❑ Use the Azure activity log for an audit log of resource activities.

❑ Use Cost Management and review cost analysis to view the costs by service.

❑ Use Query Performance Insight to view the query text and history of resource utilization.

AZ304 Review Question 43

You are planning the implementation of an order processing web service that will contain microservices hosted in an Azure Service Fabric cluster. You need to recommend a solution that gives developers the ability to proactively identify and fix performance issues. The developers must be able to simulate user connections to the order processing web service from the internet, as well as simulate user transactions. The developers must be notified if the goals for the transaction response times are not met. What should you recommend?

❑ Azure Fabric Analytics

❑ Azure Network Watcher

❑ Source Network Address Translation (SNAT)

❑ Application Insights

AZ304 Review Question 44

You are designing a microservices architecture that will support a web application. The solution must meet the following requirements:

o Allow independent upgrades to each microservice.

o Deploy the solution on-premises and to Azure.

o Set policies for performing automatic repairs to the microservices.

o Support low-latency and hyper-scale operations.

What should you recommend?

❑ Azure Service Fabric

❑ Azure Logic App

❑ Azure Container Instance

❑ Azure Virtual Machine Scale Sets

AZ304 Review Question 45

You are asked to design a data protection solution for Azure VMs, where all of the VMs use managed disks. The requirements are as follows:

o All data is encrypted at rest.

o The use of encryption keys is audited.

o Microsoft does not manage the encryption keys; your organization does.

What do you recommend?

❑ Azure Disk Encryption

❑ BitLocker

❑ Client-side encryption

❑ Azure Storage Service Encryption

AZ304 Review Question 46

Your organization has an Azure subscription with 210 virtual machines. You have been asked to design a data protection strategy to encrypt the VMs. The requirements are as follows:

o Encrypt disks by using Azure Disk Encryption.

o The solution must allow for encrypting operating system disks and data disks.

What do you recommend?

❑ A secret

❑ BitLocker

❑ A certificate

❑ A key

AZ304 Review Question 47

You are asked to recommend an identity solution for a customer who is planning to migrate several on-premises applications to Azure. The requirements are as follows:

o You are working with an existing single-domain on-premises AD forest named tailwind.com with a forest functional level of Windows Server 2016.

o Must eliminate the need for hybrid network connectivity.

o Must minimize the management overhead of Active Directory.

What do you recommend?

❑ Within Azure, deploy additional domain controllers for the tailwind.com domain

❑ Implement Azure AD DS

❑ Implement a new Active Directory forest in Azure

❑ Deploy an additional child domain in tailwind.com within Azure

AZ304 Review Question 48

Your company has a line-of-business application that uses a Key Vault named Key_Vault_Seattle_3 in the West US Azure region.

o The company has an Azure subscription and is located in Seattle.

o Key_Vault_Seattle_3 is routinely backed up.

o You are asked to recommend a disaster recovery plan for Key_Vault_Seattle_3.

o You need to identify where to restore the backup.

What needs to be identified?

❑ The same region only

❑ The same geography only

❑ Key_Vault_Seattle_3 only

❑ The Azure subscription only

AZ304 Review Question 49

You are asked to create an Azure Storage account that uses a custom encryption key.

o The storage account is in the West US Azure region.

What do you need to implement encryption?

❑ An Azure key vault in the same region as the storage account

❑ Keys stored in Key Vault that are hardware-protected

❑ An asymmetric key used for SQL Server TDE (Transparent Data Encryption)

❑ An Azure subscription

Thank You!

All the best for your AZ-304 exam!