AZ-400
Azure DSC – Maintain a consistent configuration. You need to setup a Configuration, Node, and a Resource.
To manage the consistency of a machine, you need to onboard the virtual machines to azure automation state config
Upload the configuration to azure automation state configuration
Compile a configuration into a node configuration
Assign the node configuration
Check the compliance status of the node
For DSC, applyandautocorrect fixes issues
GitHub Codespaces – Integrates with GitHub, provides devugging, remote workers, hot desking, browsers, tablets, chromebooks
Register-AzureRMAutomationDSCNode registers a new machine to a DSC Configuration
The –ConfigurationMode parameter has APplyAndMonitor, ApplyAndAutCorrect, and APplyOnly as options for enforcing.
Import-AzureRMAutomatonDSCConifugration allows you to upload/import a conifuguration
Parameters include for monitoring, Category, Operation Name, REsultType
To register a linux machine with DSC< you have to create a DSC metaconfiguration, copy the config to the VM, and then run the configuration manager.
Anatomy of a workflow – On Push, Pull, Main. The workflow versions are in SHA-based hashes, the tag, or the branch.
Contributors can unlist packages
Configuring SSO SAML requires an identifier, which is the URL of the source ending in org1 usually, the reply URL, which is /saml/consume usually, and the sign on url which is the /sso usually
You can use gates for policy compliance by using a pre-deployment task for security and compliance. You can use post and pre-deployment gates for approvals as well such as tickets in SNOW/JIRA.
These can be used to manage technical debt by manually verifying the packages prior to deployment.
The gates have the ability to extend the default timeout from 2 hours
Microsoft Test and Feedback Extensions helps collect crash reports, distribute beta releases, and get user feedback on functionality.
SonarQube has a set of static analyzers. You can use Maven, Gradle, and MSBuild to analyze the code quality for .NET projects. SonarQube can be connected by creating an endpoint in Azure Devops which it can access.
In Maven, you can run PMD (it’s a source code analyzer) and it finds flaws like unused variables, empty catch blocks, unnecessary objects and so on.
Xcpretty on the other hand is a code formatter for xcodebuild
SonarQube requires an analysis configuration, a VS build, VS test, then a code analysis to be configured as part of a c# pipeline. SonarQube and DevOps allow you to manage technical debt by finding bugs, code smells, security issues, and quality concerns.
PMD anit wont d FindBugs allow static code analysis, this is generally during pull requests and CI. During CD you want to run pen tests externally. Static code analysis is the irst step in ci as its competed before committing code.
Code review assignments can allow code reviews to be assigned to available personnel automatically, and ensure all members have an equal amount of reviews over a period of time (30 days suppose)
To setup automatic code reviews you can use the load balance routing algorithm and set never assign for certain members to exempt them from reviews
Project administrators can create a wiki, however, contributors cannot. Contributors can add/edit pages in a wiki. The wiki can use an .order file to set the page hierarchy. The wiki can only be created if there is a Repo in the project.
JSON is the ideal format for log aggregation
Create a service principal in AD, Create a service connection in the Project, then Authorize the Pipeline to use the Service Connection to secure a pipeline.
Project managers can create work item queries if they have Contributor access. Contributors cannot manage or administrate resources.
Git in Azure Repos is good for YAML files and pipelines. GitHub enterprise is good for an on-premise repo, and Assembla Subersion is a centralized source code versioning system.
In GitHub Enterprise Server, register a new oAuthApp, then add an oAuth Configuration, then lastly, add a GitHub connection.
The pipelines can be debugged by setting System.Debug to True
With Git you can clone –bare then CD into the project and push a mirror, this will push only certain parts of the repo.
To clone from Git to Azure Devops, you can import a git repo.
Squash merging is a merge option that allows you to condense the Git history. Explicit merge is not for this. Explicit extends the merge history.
Path fitlers allow you to incude/exclude certain folders from a trigger.
The setting for automatically watch repos and teams needs to be turned off if you want to reduce notifications
Cobertura and JaCoCo are supported code coverage systems. Also coverlet, nunit, and coverage.py
To implement a project which requires a pipeline to execute based on a query, you have to edit the pipeline, enable gates, and add query work items to it.
You can also modify the integration options for a pipeline so that the release information is added to the work items assosciated to it commit
Create a repo, create a fork, and add a build policy. This helps protect important branches.
If you want to pin a specific commit, create a tag pointing to that commit, then pin that to the tag. If you want to use a fixed version of template, reference the branch you want to access.
Microsoft.Resource/deployment is used for referencing a secret with a dynamic IC and template link is for passing parameters
You can set secrets in the pipeline editor. To share secrets in a project, you can use a vault and create a variable group in a project.
Git rebase allows to clean up the commit history in the main branch
ARM templates reduce effort to deploy machines and DSC helps with a uniform state
Personal Access Tokens are a form of authentication for azure devops
Application Insights has User Flows for feature usage monitoring, count users for user behaviour analytics, and impact for load times
Application insights also contains availability tests to check for status codes
Application insights supports bot fixed-rate and adaptive sampling, by default it uses adaptive. To modify the rate, you have to usage the usage and estimated cost settings tab.
To setup Application insights, you need to create it application insights resource and give it a name, then launch visual studio code/solution explorer, add application insights telemetry. To keep costs down for telemetry data, you can disable adaptive sampling, and use fixed rate sampling instead. Fixed rate reduces the volume of data set, as you can can set the rate.
To ensure a fixed sampling rate, the code repostiry setting for startup.cs has to be set.[s3]
The retention setting of a project release can be updated to reduce the disk spaced used by older packages
Azure Container Instances support a liveness probe so that you can configure your containers to restart if critical functionality is not working.
A readiness probe lets you query a database before the application serves traffic to it
You can authenticate Azure Boards to GitHub using Azure AD or GitHub User Creds
To deploy charts using That’s /Title on AKS, you have to create the kubectl, helm init, then helm install
HELM can only be deployed after TillerHealt
Create a service principal in AD, then configure RBAC roles in the cluster, lastly add a Heml package and deploy a task to the pipeline using Azure Devops
Azure Monitor supports KQL
Azure Dashboards contains burndowns for remaining work, cycle time is the time to complete items once active, and lead time is the time from create to complete, velocity displays what was planned versus delivered, release pipeline overview shows the status of environments in a definition, and query tiles display the total number of results from a query
Black Duck helps you mitigate open source security, license, compliance, and code quality issues.
WhiteSource Bolt is also another option. Whitesource allows you to look for license violations and prohibited libraries as well. WhiteSource can be setup with npm install44 –production to scan only production directories, and dependencies are usually stored in node_modules. Another option is Veracode.
WhiteSource can have a devDependcnies section t only scan explicitly defined libraries
WhiteSource can be utilized with a build task
Git gc –aggressive cleans up unnecessary files and optimizes the local repo, and git prune –expire now removes all unreachable objects from the database
Git rebase and git filter-branch let you delete files you want to remove from the history form of a repo
Git restore –source allows you to restore from the tree by naming a commit, branch, or tag.
Git submodule add allows you to add a repo as a subfolder
Git reflag expire –expire-unreachable=now –all
Git gc –prune=now
To clone a folder in a repo, you can:
Cd repos
Scalar clone git@ssh.dev.azure.com/..repo
Cd src/folder
Git spare-checkout set repo1/src
In Azure Boards, referencing Fixes #task_id for a bug, closes the bug. You can add this value in the commit, or in the title/description of a pull request.[s4]
To configure authentication for an application, you can create an app, add a secret and then configure the ID and the secret for the application
Flaky test is a test that provides different outcomes, pass or fail, even when there are no changes in the source code or execution environment. You can turn them off manually and create the test pass percentage to prevent pipeline failures
Azure Pipelines App for Teams allows you to have notifications in teams. It needs to be configured as a connector. Also you can use Azure Logic Apps and Azure Application Insights.
Azure Boards replaces Jira, Build Pipelines replaces Jenkins, and Release Pipelines replaces Octopusol
Teams can be hooked into using action groups or a logic app with an http trigger.
@azure pipelines subscriptions is the command to interact with the boards bot
@azure boards link gets you the ability to create items on a board. Azure Boards are a replacement for Jira task management. You can place a link text (KEY#) in the title and description.
To trigger a build when code is checked in, you can enable CI by using the Triggers tab and enable continuous integration. This also allows you to version your code to prevent the configuration of a project to change over time.
Self-hosted agents help you speed up the job and give you more control and there is a cache on the server. The self hosted agent also allows incremental builds without purging environments between the pipeline executions. ACI will work for an agent on a VM or in a container. They require a PAT to register. The agent requires line of sight for on-premise, so most likely need a self hosted. Also requires an external service connection for Git, if its hosted somewhere else. You can purchase self-hosted parallel jobs to speed up deployment.
Incremental mode when deploying a YAML template leaves unchanged resources in the resource group. Complete mode deletes the resources that aren’t in the template. Validation mode is to find probems with the template before creating reources. It will always create the resource group though.
A step that runs on an agent is a job. A task is part of the agent job.
Once self-hosted, you can create an agent pool and increase parallel jobs to increase speed. Also, an external git connection to hook into other git repos[s5]
The hosted agent has a version for MacOS for iOS apps, and regular hosted. You can run the windows 2019/2022, or Ubuntu 18.04+, or macOS 11+. For MacOS you use Hosted MacOS and for the rest its Hosted
Defect escape rate is the metric that assesses the collective quality of the software releases by evaluating how often errors are discovered and rectified in pre-prod versus prod
To send a notification when code is committed, you can create a service hook subscription that has a code push event. The hooks can be HTTP or HTTPS.
A parallel test runner will help you validate test logic when deploying a pipeline
To connect Jenkins and Azure Repos, you need to add the TFS plugin to Jenkins, and create a PAT for the Azure DevOps and Jenkins accounts
The dependency tracker extension allows you to create dependencies at the begging of an interation.
The consumer is the team who has a need and starts a request for work, the producer is a team who makes a commitment to delivery work.
To deploy a project using Visual Studio Resoruce Group Deployment you can use PowerShell to Deploy-AzureREsourceGroup.ps1 that copies all artifacts and deploys the template, or you can add multiple steps performing each step of the task
If you need to share a repo with an external party, you can create a new feed for the package. You can create an @prerelease feed view and then when a packages tests successfully, it can be promoted to the @release view
Azure SQL Database Deployment Task (DACPAC) used in a pipeline to update the DB/run scripts, or you can use SQLCMD
Deployment groups is the set of targets which the pipeline will run against. They are used to deploy VM resources against. You can create a deployment group, then add the azure pipelines agent extension to the VM, configure the deployment group job for the pipeline, and then execute it
To configure ACI in a hosted environment for running AKS containers, you need an az ad group create, a role assignment, kubectl create, and then a yaml file to kubectl apply –f
To configure AKS, you can create a service principle az ad sp create-for-rbac and then az aks create then finally assign the role, az role assignment create
The AKS health check has a livenessprobe and a periodofseconds probe as well. There is also a successthreshold for the time the test can run.
Crashlytics is good for Firebase are good for reporting
Adminsitartive category operations are related to deleting items not scaling or changing them.[s6]
To push out an iOS ap using a DG you can register the device(s) of that group and sign your app. The p12 file is required.
To isolate shared code, you would have to create a dependency graph and then group the related components, and assign an ownership to each group
The reader role allows people to install packages. The owner role allows people to create new packages and edit permissions
The dependencies can be shown on a dependencies tracker using link width for depencnies, and risk level for the colour of the link
Pipeline varaibles go from job, stage, root and the UI in this order (JSRU)
Azure Key Vault can be used for template deployments using an advanced access policy, also you can restrict access using RBAC. This allows you to use credentials in your application which do not need given to the person deploying the system. This is also useful in your ARM templates.
To secure AKS you need to configure an access policy, use a system managed identity for servers, and modify the application access to the key vaults
Batch changes allow you to not deploy commits if a build is running. It also allows you to run a build when code is checked in
To access resources using AKS you can use proviisioner:kubernetes.io/azure-file for SMB shares, azure-disk for managed disk and driver for local resources.
To authenticate pipelines against a web service with a secret, you need a service principal, an access policy in the vault allowing authorized apps then go into your pipeline (arm template) and create the service connection to the vault/key). To hide secrets you can use environment variables.
To associated an automated test to a test case, create a test proejt, check in the project to the repo, and then add an automated test to a the build pipeline
When migrating TFS, all current versions need to ube updated to the latest versions to match Azure’s schemas. Also utilize the TFS Database Import Service
The Microsoft security code analysis extension allows running security analysis and processing results from log files during the build phase
Cycle time is the time it takes from when you start working to finish.
An extend in YAML requires the required property to be referenced first
Smart detection looks for spikes in traffics or bottlenecks and anomalies.
Stories and tasks go to teams and management deal with epics and features[s7]
If you need to manage credentials securely, the .npmrc file is in the users home folder (for dev environments). The .npmrc file in the project will allow you to store feed registry information securely.
To encrypt a Log Analytics workspace, you have to enable soft-delete, then create a log analytics cluster, grant permission to the key vault, and then link the workspace to the vault
For KQL queries, if you use top first, then have a condition, it won’t return the expected amount of results in some cases
For monitoring servers you need log analytics and the dependency agent, but in the future azure monitor will be there.
To store secrets over 48KB, you can use Github secrets to save the passphrase, and the encrypted secrets in your repo
Azure Container Registry (ACR) task in DevOps allows you to trigger a new build when a new image is pushed to Docker Hub. You can also scan the ACR in your CI pipeline.
Ensure a scheduled task runs against the image registry to analyze images at all times
The service map solution requires the dependencey agent for data collection and kernel access
TerraForm can be enhanced using Terratest and Yeoman. Yeoman makes it easy to create modules. Terratest provides helper functions and patterns for infrastructure tasks like http/ssh.
Yeoman and Terratest allow you to create terraform modules and deploy resource groups.ooo
GitHub Importer – This is used to migrate code to private GitHUb Repos
Topic branch allow you to create short-lived branches that you can use for a single and particulare feature or related work.
Main branch for production code, develop branch for the dev team, and a feature branch for new features.
Capability Maturity Model Integration (CMMI) allows organizations to effectuate process improvement, by utilizing requirements, requests, risk and reviews for tracking.
In Azure Boards, you can add a Successor link to create a dependency. With Boards you can see the status of commits.
You cannot use Microsoft-hosted agents or the Azure pielines agent with on-premise TFS/Azure Devops Server
Mult-stage builds are a new feature allowing you to have clean docker files, minimize image uses, and reduce the security surface of the final image
To monitor an Azure Pipeline, you can use Pipeline Analytics[s8]
To automate release documentation, you can create a service principal with a PAT, and then a powershell task that writes the data to the markdown file
Azure Boards replaces Terllo, Bamboo replaced by Pipelines and BitBucket can be replaced by GitHub repos
Retention policy for a global release can be set as the default retention policy in azure devops, and the stage retention policy can be adjusted accordingly
All the applications you want to monitor using App Center, require MSAnalytics, and MSCrashes.self to be initialized as a service
Azure App Configuration supports feature flags, tracks config changes for 30-days, stories hierarchically structured config values, uses key/value pairs, and RBAC
Continuous Assurance prevents security state drift, helps to stay current with Azure security feature improvements.
Azure Automation Runbooks and Azure Monitor Alerts with Dynamic Thresholds can make monitoring easy
Microsoft Visual Studio App Center distrubtion groups can be used to deploy multiple applications to a group of users
DependaBot allows y9ou to look for dependencies. IF found, it creates a new brach and a pull request for approval. You need to approve the PR and merge it.
License procurement cannot be automated
Code coupling and dependency cycles reduce the amount of technical debt
Azure Key Vault is the best place to store credentials. If you have to retrieve a credential you have to copy it to use it if it’s using multiple pipelines
Teamm Foundation Version Control allows you to restrict access to files and folders in a repo. It also allows you to limit who can view and edit branches.
GIt allows you to have version control and approval gates. Also lets you work from XCode. It also allows offline access.
You can have a build policy to force commited code to have to compile before accepting it, and a status policy which forces a pull request to have passed security scanning
Logs | Where timestamp > ago(2d) | where content = “Africa” | join (Events ) on Request ID
To use an Azure Key Vault, you must first create it, then have a monitor logs dedicated cluster with a SAS, then grant the system-assigned identity permissions to the key vault, configure the vault properties for the cluster, and finally link Log Analytics allow you to share a subset of package versions with your consumers. You can create two views such as pre-release and release, then create a pipeline to promote packages to the release view after testing.
To access a repo using USSH, you have to create the SSH keys using ssh-keygen, sign into devops, add the public ssh key, and then clone the repo1
NuGet packages can use Azure Artifact Credential Provider to download packages behind an authentication prompt.[s9]
Pipelines in azure utilize the inked artifact variable for the template location
To publish a package you can create a new feed, publish the package to the feed, and then add the URL to the nugget package manager
ACR is externally hosted, ACI is interla. You can use service principals for managemwent.
To give log analytics access you have to “setfacl –m u:omsagent:rwx /tmp”
Branch policies allow you to protect important branches of development. It also allows you to create feature branch and pull request merges.
To restore a file you can git log to find the commit, git checkout that commit with the hash, then git commit the previous checkout.
When deploying ARM templates, you want to separate into separate parts for larger projects/multiple resource groups
To secure an AKS, first create a cluster, then assign a System assigned identity and then an RBAC binding for it.
Azure Resource Manager + Managed Service Identity Authentication reduces complexity and allows integration with Azure Devops
For Azure Devops and Jenkins to work, port 8080 needs to be opened to Azure Devops.
Canary releases a small portion of the platform to a core group of users. Blue/green is an on/off switch deployment method to roll back.
ACR (Azure Container Registry) allows you to publish apps internally only. Also the AKS cluster requires a service principal to create and manage containers.
Setfacl –m u:omsagent rwx /tmp – The log analytics agent on linux runs as omgsagent and requires access to /tmp for DSC
For continuous delivery to be enabled there must be an artficate (build or code ) to trigger the release process
Environment variables for app services can be set in the Configuration tab
Traffic managers allow geo locate, and round robin, also latency based
Windows .NET agents can be run on windwos 2019+, Ubuntu 18.04+ and mac 11+[s10]
Azure Functions allow Remote Debugging udner App Settings
Security Center allows you to view security recommendations under Compute and Apps
The application health extension runs a health check against the app itself
Jekyll and DocFX allow you to turn markdown into websites
Docx can be re-written as markdown files in order to store plain text. While mermaid diagrams can replace flow charts.
Test coverage doesn’t help reduce debt, code complexity does
Kanban boards can be used in Agile
Docker reigstrys allow you to create a pipeline that allows you to download a public container image
Docker multi-stage dockerfile allows you to prevent results from being published to a pipeline from inline testing
To optimize a docker file you need to have only one RUN command
An example application is
FROM **mcr.microsoft.com/dotnet/sdk:1.0** as **env-name**
COPY . **/app/**
WORKDIR **/app/**
RUN **dotnet publish –c Release –o out**
FROM **mcr.microsoft.com/dotnet/aspnet:5.0**
COPY **–from=env-name /app/out /app**
WORKINGDIR /app
ENTRYPOINT \[“dotnet”, “MvcMovie.dll”\]
The first group of lines declares which image to use (base) to build the container on top of.
The dotnet publish command sets the out folder
The container images include only production payloads and its dependencies. We don’t want the SDK in the image as we only need the runtimes to serve the app so this creates a temporary container to build the app“`
YAML files can be setup to cache dependencies between jobs using conditions (ne(variables.Cache_restored, ‘true’) as a condition, for say, npm install
Advanced data security on serverssql (This no longer exists I don’t think)
OWASP ZAP testing requires calling a baseline scan, download the file, convert the report format, publish tests results and finally destroy the owasp container. You also need to create a resource group and storage account, lastly an owasp container.[s11]
To consolidate packages into a feed, you can create an azure feed that uses upstream source,s then modify the configuration to reference the artifacts feed, finally run a package restore.
License procurement is manual, everything else is automatic
Summarize and makelist are KQL queries for filtering
GitLFS allows you to manage larger files and not have them always consuming resources. To use it, you need to install, configure the extension you want to add using config add, then commit the change. You want to then import the lfs module and update it it. You have to use PAT tokens to authenticate it.
Major version changes include renaming a parameter. Minor include deprecating functionality or adding a feature while keeping backwards compatibility
The TFS Database Import Service and the latest version of TFS RTW is all that’s needed to migrate to Azure Devops if you want to only preserve the dates of chagnesets, dates of work item revisions, and a migration of all artifacts
Azure artifacts are used to create, host and share packages with your team. The repos let you store code. Pipeline view allow you to see all the stages and tests, with a summary of test results. Lastly, azure storage for larger files you want to share which change frequently.
The organizaiton URL and the authorization credenitals are all that’s required for an unattened install. The agent but know the URL and the creds of the org.
@azure pipelines subscribe projectURL
Progressive exposure is used in canary deployments where the experience can be monitored in rings, (a small subset of the servers)
Rolling replaces instances of the previous verison of an application with instances of the new version.
Feature flags allow you to turn on a feature at a different time for different people.
Blue/Green is a flip it on and off for everyone
An Application Insights test can trigger an Azure Logic app using a Request Trigger
To create a server using DSC create a DSC COnfig using PowerShell then copy the file to to a storage account and and configure the DSC extension on the VM
You can also create an automation account, configure it for DSC, then onboard the VMs to the automaton account, lastly, install the DSC extension on the VM.
WindowsFeature and File are required DSC fields for IIS. For IIS you need a Hosted Windows Container also.
When code scanning with Github you have to add the name of the non-defualt branch to the on:push sepficiation in the code scan workflow and update the code in the pull request.
Admin is required to push to the repo, maintain is required to manage issues and pull request, and Triage is used for manging the repo only without accessing sensitive data.
To integrate Azure AD you need the tenant ID, sub ID, and app ID. Or app ID, secret and tenant iD.
Selenium can automate UI testing
Task Groups allow you to run specific tasks during pipeline execution
A developer in Azure has Basic access. A non-dev has Stakeholder access for feedback testing.
Ignoring files can be accomplished by adding the file to the .gitignore file, then git add .gitignore and then lastly git commit to see if it works
Distribution groups come in 3 sets, shared, public and private. They are private by default, and testers invited via email can access releases available to the group. For unauthenticated installs, the group has to be public. Shared groups allow access to multiple apps in a single organization.[s12]
To receive SMS alerts you need an action group, and a service health alert.
To create a new slot in an app service, create new deployment slots and call it staging or its name
In Azure DevOps the deployment queue settings allow you to set the order of deployment
OpenTElemetry and OpenCensus support distributed tracing for applications
BACPAC – Is a ZIP file with an extension of BACPAC containing metadata and data from the database. It can be stored in Azure Blob Storage, or local storage, and then imported into a SQL database instance.
Register-AzureRMAutomaitonDSCNode registers an azure virtual machine as DSC (desired state config)
To maintain
Cherry-picking a pull request allows you to copy changes made in a pull request to another branch in your repo. IN the pull request, choose cherry pick, then select the target branch, and then create a topic branch (the new branch you want the changes in) and then lastly, create a pull request to merge the topic into the target to complete cherry picking
Azure Data Explorer allows you to create dashboards using KQLB
Exabeam – Register an Application, Configure the Cloud Connector, then configure API permissions
A state diagram describes the behaviour of systems in a finite state. The sequence diagram is an interaction diagram that shows how processes operate with one another and in what order.
To use Key Vaults with Azure Data Factory you have to use Secrets and an Access Policy
Create a DSC configuration, then import-azurermautomationdescconfigratuon, then lastly start-azurermatuomationdsccompliationjob
You can reference parameters in a YAML file using $ – Double Curly Brackets
Container jobs allow you to control dependencies for software or operating systems. However, they don’t help speed up deployment, need to use pipeline caching to do that as it reduces download times for dependencies.
In order to control the deployment process between prod and dev, you can add an alert task on QA which then is connected to a Production gate.
To distribute a NUGEt package, you create a new azure articafat feed, connect it to a feed, then publish the package, lastly install the package
For an 3rd party SDK with incremental builds, you can sign into devops using an adminstratior connection security role, then create a personal access token, lastly, register the pipelijes agent in order to use DevOps.
Git tag –a v3.0 –m “Release v3.0” creates a tag, with an annotitaiotion, and the message
Building in Azure, PATs are better than any other option, except certificate, ignore this comment, not sure how to explain it, but PATs replace passwords, if certs aren’t an option.
Security updates are for Operating Systems in most cases
The Git IFS extension can work with Zip files in Git. The Git-stash extension can also work with zip files.
Azure Stack offers virtual machines that you can run a self-hosted agent on. This agent will let you work with Erland/HackI dropped