Azure Private DNS Zone – A private DNS zone is a DNS namespace that can only be accessed by using virtual network name resolution, and that is scoped to a virtual network.
- Can have multiple registration virtual networks
DNS Auto Registration – Feature that automatically registers a computer’s IP address and host name with a DNS server, allowing the computer to be easily located on a network.
- Virtual networks can only have one auto registration DNS zone
- To register a public DNS hostname you need either an MX or TXT record setup at teh registrar to verify
- NS records to delegate the zone
Azure – Azure is a cloud computing platform and infrastructure, created by Microsoft, for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers.
Availability Zone – An availability zone is a physically separate zone within an Azure region, providing redundant power, cooling, and networking.
Availability Set – An availability set is a logical group of virtual machines that are separated by fault domains.
- All the VMs need to be stopped before you can make changes
- Virtual machines by default have internal.cloudapp.net as the DNS address
Azure Resource Manager – Azure Resource Manager is a management tool that provides a single deployment model and management interface for creating and managing Azure resources.
Virtual Machine Runbooks – Scale Up – A runbook is a set of automated tasks that can be executed in Azure Automation.
Network Security Group – A network security group is a feature in Azure that allows you to manage incoming and outgoing network traffic.
- Need to be associated once created and assigned
- There are 6 default rules, 3 inbound, 3 outbound. Anything other than the default,r requires a custom policy definition.
- Can be attached to multiple subnets
Azure Policy / Custom Policy Definition – Azure Policy is a feature in Azure that allows you to manage and enforce compliance of your resources.
- Existing policies are not modified by newly created policies. Services will stay as is, until unless explicit overrided
IP Flow Verify Azure – IP flow verify is a feature in Azure that allows you to check if a packet is allowed or denied to or from a virtual machine.
Connection Troubleshoot Azure – The Connection Troubleshoot Azure tool is used to diagnose and repair problems with network connections.
Connection Monitor Azure – Connection Monitor is a feature in Azure that provides network level health monitoring for virtual machines.
Azure Site Recovery Provider: Azure Site Recovery is a disaster recovery solution that helps you to recover from a disaster by orchestrating replication, failover, and recovery of virtual machines.
- Requires port 443 for communication
- Deploy a configuration server in teh host environemnt
- Install Site Recovery Unified Setup
- Enable Replication
- This requires having a Virtual Network, a replication policy, receovery services vault and a storage account in advance.
- BitLocker needs to be disabled.
- Maximum size for site recovery is 2tb for OS drives
- Max data disk size is 4tb
Recovery Services Vault – A recovery services vault is a storage entity in Azure that houses backup data and configuration information for various workloads.
- You can restore a VM by using the Create new restore configuration option
- Region based, so each region needs its own
- The policies would also have to be applied per region.
- If you need to change which RSV is protecting a resource, the backups need to be stopped from the previous one
- A temporary drive is mounted as the D drive on a recovered box
- You can backup a VM which is offline as well
- The fastest way to restore is stop the VM, detach the disk VM2, start VM2
- For Hyper-V
- Download the installation file for Azure Site Recovery Provider
- Download the vault registration Key
- Install the SIte REcoveyr Provider for the Host
- Register the Server
- The key lasts 5 days
- To restore from backup, you can select a restore point fro the VM, restore the disks, the ndeploy a template from RSV
Vault Registration Key: Key used to register a resource with an Azure Recovery Services Vault, used for backup and disaster recovery purposes.
Azure Backup – Azure Backup is a backup service that provides data protection and recovery for various workloads, such as virtual machines and databases.
- Allows you to restore a VM to a new VM
- File shares and VMs have their own policy
- This is not for Azure SQL Databases as they have their own backups for 30 days
- This has the Windows Server Backup Feature requirement
- Backups need to be stopped to delete the backup data
- To restore files you can use the portal, go to the file recovery vault, select a restore point, download and run the script to mount the drive on a computer, copy the files using file explorer for quick restores of files
Azure Active Directory – Azure Active Directory is a cloud-based identity and access management service that provides single sign-on and multi-factor authentication.
- Guest accounts are created using AzureADSMInvititation
- Bulk delete is done using the UPN
- The UPN is unique
- Directory-wide groups allow assigning permissions to non-identity provided accounts such as gmail.com
- You can change the default sing in directory from the Azure Portal
- To grant acess to externa partners, in the user blade, you can modify the external collaboration settings
Subscription – An Azure subscription is a logical container for one or more Azure resources, allowing you to manage and control access to them.
- The service administrator is set in the properties section of the subscription
Tenant – An Azure tenant is a dedicated instance of Azure Active Directory.
- Global Administrator – A global administrator is a user with full administrative access to an Azure Active Directory tenant. They are also auto added as local administrators on the computers joined
- User Administrator – A user administrator is a user with administrative privileges to manage user accounts, including assigning and revoking licenses, creating and managing groups, and resetting passwords. Is meant for access assignment without access.
- Contributor – A contributor is a user who has the ability to create and manage resources, but cannot manage access to them.
- Resource Policy Contributor is a role to assign and create initiative definitions
- Owner – An owner is a user who has full control over a resource, including managing access to it. Can assign access.
- Device administrators can be added from the device settings blade
Office 365 Groups – Office 365 Groups is a feature in Azure that allows you to create and manage collaboration groups.
Security Dynamic User Group – A security dynamic user group is a group that is automatically populated based on dynamic membership rules.
Security Dynamic Device Group – A security dynamic device group is a group that is automatically populated based on dynamic membership rules.
Azure SQL Servers – Azure SQL Servers is a managed relational database service in Azure that provides scalable, highly available, and secure data storage.
Resource Group – A resource group is a logical container for one or more Azure resources, allowing you to manage and control access to them.
- Managed Disks don’t support move
- Virtual networks (classic) cannotbe moved
- Virtual machiens with the managed disks cannot be moved
Set-Az*: Commandlet in Azure PowerShell for configuring and managing Azure resources.
Virtual Network: Logical representation of a network in Azure that allows VMs to communicate with each other and with the internet.
- Virtual networks require the resource group in the same region
- Once the Virtual Network is deployed
- New-AzureRMVirtualNetwork
- Create a new Application Security Group if required
- New-AzureRMApplicationSecurityGroup
- Create a new Network Security Rule Config and attach the ASG to it
- Add-AzureRMVirtualNetworkSubnetConfig
- Create a new Network Security Group and attach the rule to it
- New-AzureRMApplicationSecurityGroup
- Add the Config to the Virtual Network
- New-AzureRMNetworkSecurityRuleConfig
- The CIDR blocks of a subnet to know are
- /16 = Has 65,536 addresses
- Azure takes away 5 per subnet
- 2^CIDR Block -5
- 2^(32-16) = 65,536 – 5=65,531
- 2^(32-24)=256-5=251
- Requires an address space
- Network Security Cards require a virtual network to exit before being created
Virtual Network Gateway: Azure service that provides secure communication between a virtual network and another network.
- Create a virtual network and local network gateway in teh Azure Portal
- Configure the site to site VPN connection from on-premise
- Create VPN connection
- Requires a GatewaySubnet in Azure
Point to Site Connection: VPN connection between a single client and an Azure Virtual Network.
Route based virtual network gateway: Azure VPN gateway service that supports both PolicyBased and RouteBased VPN types.
VPN Gateway: Azure service that provides secure communication between a virtual network and another network, either on-premises or in Azure.
Azure Load Balancer: Azure service that distributes incoming traffic among multiple resources in a virtual network. Different levels include Basic and Standard.
Session Persistence: Ability of a load balancer to persist client sessions to a specific backend.
SMB: Server Message Block, a protocol for sharing files, printers, and serial ports between computers.
SMB 4.1: Latest version of the SMB protocol that provides improved performance and security.
Site to Site VPN: VPN connection between two different networks.
- Can be encrypted using IKEv2
- autologon.microsoftazuread-sso.com needs to be added to intranet zones for logging in using SSO
Application Proxy Azure AD: Azure service that provides secure remote access to on-premises web applications.
Azure Application Insights: Azure service for monitoring the performance and usage of web applications.
Azure Custom Script Extension: Azure service that enables execution of custom scripts on Azure VMs.
Desired State Configuration: Azure service that enables configuration management of Azure resources.
- Upload a configuration to Azure Automation State Configuration
- Compile a configuration into a node configuration
- Check the compliance status of the node
- SetupComplete.cmd batchfile in windir/setup/scripts can allow you to run scripts on new VMs
- To install DSC, the VM needs to be powered on
Application Service Logs: Logs generated by Azure App Service that can be used for troubleshooting and debugging.
Licenses Blade: Azure portal blade that displays information about the licenses assigned to a user.
- The usage location needs to be set to provision a license
Directory Blade: Azure portal blade that displays information about the Azure Active Directory tenants associated with a user.
Groups Blade: Azure portal blade that displays information about the Office 365 Groups associated with a user.
Virtual Machine Blade: Azure portal blade that displays information about Azure VMs.
- Virtual Machines must be redeployed if they are deployed using ARM to be moved
- NIC and VM have to be in the same location
- VM and VNET have to be in the same location
- There are 3 AZs, and you can separate a VM across the zones for scale reliability
IT Service Management Connector: Connector that integrates Azure with IT service management tools.
Azure Storage Account: Azure service that provides scalable and secure storage for data and media. Types include v2 and premium.
- Cannot be moved to another region, need to be recreated
- Life Cycle Management are for block and append blobs in v2 accounts, premium block blobs and blob storage accounts only
- The rules are not in priority order
- You can apply access policies to target lower than the account level
- Shared Access Signature is supported for File Storage (File Shares)
- Azure AD and SAS are supported for Blob Storage
- General Purpsoe V2 storage is usedin most cases for logging
- V2 also offers replication
- V2 storage can have identity based access for RBAC and file shares
AZCopy: Command-line utility for copying data to and from Azure storage accounts. “-recursive” option copies files recursively.
- Works for MacOS, Linux, and Windows
Storage Explorer: Tool for managing Azure storage accounts and data.
Azure Import/Export: Azure service for importing or exporting large amounts of data to and from Azure storage.
- Need to configure the dataset.csv and driveset.csv files when using this
- This works for File and Blob Storage only
- To use the service you have to attach an external disk to a server
- Run wamimportexport.exe
- Create an import job from the Azure Portal
- Detach the external disks from Server1 and ship the disk to an Azure Data Center
- From the portal update the import job
Azure Blob: Azure storage service for unstructured data such as images, videos, and documents.
Azure Files: Azure storage service that provides SMB file shares.
Azure Table: Azure NoSQL key-value store for structured data.
Azure Queue Storage: Azure service for messaging between components of a cloud application.
Temporary Disk: Disk attached to an Azure VM for temporary storage.
D Drive: Letter assigned to the temporary disk in an Azure VM.
/dev/sdb1: Linux device file that represents a storage device. In Azure, it can represent the temporary disk.
Azure WebApp: A platform as a service (PaaS) offering that enables the deployment and scaling of web applications.
- Windows ASP.NET apps require a separate instance from Linux and .NET
- Create a resource group and then deploy the web app to it
- From the automation blade add it to the library
- From the templates service, select the template and share it to web administrators to allow quick deployments
Swap Slots: A feature of Azure WebApp that allows you to swap the active and staged deployments, making it easier to perform rolling upgrades and rollbacks.
Fault Domains: Physical unit of a data center that can contain multiple virtual machines and network connections. The maximum is 3 fault domains per data center.
Update Domains: The logical unit for updating virtual machines, network connections, and storage accounts in Azure. There can be a maximum of 20 update domains.
Management Group: A hierarchical structure in Azure that provides a single point of administrative control for multiple Azure subscriptions.
- No one is given default access to the root management group
- Azure AD global admins can elevate and then grant and manage access/resources
Tenant Root Group: The top-level container for the management groups in a tenant.
SAS: Shared Access Signature, a secure way to grant temporary access to resources in Azure storage accounts.
Storage Sync Service: A service in Azure that helps to synchronize files between an on-premises file server and Azure file shares.
Azure File Sync Group: A logical grouping of servers in the Azure File Sync service that can share file data between them.
- Deploy an Azure File Sync Storage Service
- Need to create a Sync Group
- There can only be one cloud endpoint per sync group
- Install the Agent on the Server
- Register the Server
- Add a server end-point
- Cloud shares sync down once every 24 hours
- The on premise is automatically sent up
Storage Account Naming Convention: The naming rules and restrictions for storage accounts in Azure.
Log Analytics: A service in Azure that collects and analyzes log data from multiple sources to give you operational insights and alerts.
Workspace: A container in Log Analytics where data is collected, analyzed, and visualized.
Sample Azure Policy: A policy definition in Azure that enforces compliance with a set of rules and standards.
Scale Set: A group of virtual machines in Azure that can automatically scale out or in based on demand.
AZVMSS: Azure Virtual Machine Scale Set, a feature in Azure that allows you to create and manage a group of identical virtual machines.
GatewaySubnet: A subnet in an Azure virtual network that is reserved for virtual network gateway resources.
Port 3389 – 80 – 443 – 445: Well-known port numbers in the Internet Protocol used by network services and applications.
IP Forwarding: A feature in Azure that allows network traffic to be forwarded from one network interface to another.
Recovery Services Vault: An Azure storage account used for backing up and recovering data.
Dependent Resources: A resource in Azure that depends on another resource for its configuration or operation.
App Service Plan Tiers: The pricing tiers for Azure App Service, which determine the performance and capacity of the service.
- Free Tier runs for 60 minutes
- Shared runs for 240 minutes
- Basic runs continuously
- D1 doesn’t have connectivity
- Scale Out –> B1 pricing doesn’t work
- Scale Out — Enable Auto Scale
- Scaling can be done based on metrics
Linux Diagnostic Extension: An extension in Azure that provides diagnostic information and performance metrics for Linux virtual machines.
Azure HDInsight: A service in Azure that provides managed Hadoop clusters for big data processing and analysis.
Azure VM Sizes: The different sizes available for Azure virtual machines, each with different CPU, memory, and storage capabilities.
Azure Content Delivery Network: A global content delivery network in Azure that enables efficient delivery of content to users.
Application Gateway: A service in Azure that provides load balancing, secure web application access, and traffic management.
- Requires its own subnet
- Collects total requests, failed requests, current connections, healthy host count, response status, throughput, unhealthy host count
TXT Records: DNS records that provide text-based information about a domain, such as SPF and DMARC records.
MX: Mail Exchange, a type of DNS record that specifies the mail servers for a domain.
SOA: Start of Authority, a type of DNS record that specifies the authoritative information about a domain.
NS: Name Server, a type of DNS record that specifies the DNS servers responsible for a domain.
Azure AD Connect: A tool in Azure that synchronizes on-premises active directory with Azure Active Directory.
- PowerShell cmdlet used to manually start a synchronization cycle for Azure AD Connect, used for synchronizing identities between on-premises and cloud environments.
- Start-ADSyncSyncCyel -PolicyType Delta
- Start-ADSyncSyncCyel -PolicyType Initial
- The Enterprise Admin accounts are used for configuring your on-premise active directory, not the domain admin
- Staging mode has to be disabled for password sync to work as the hash sync is disabled when it’s enabled
Single Sign On: A feature in Azure that enables users to sign in to multiple applications with one set of credentials.
Managed Service Identity: A feature in Azure Active Directory (AD) that enables Azure services to use an automatically managed identity to access resources in Azure.
Network Watcher: This allows you to use a service like network in and network out as well, to monitor traffic.
- Connection Monitor needs to be used over a specific port
- This doesn’t work wtih network traffic, it’s more for resource traffic
- Create a storage account, register the insights provider, and then enable network watcher flow logs to monitor connections to a resource
Packet Capture: A feature in Azure Network Watcher that allows you to capture network traffic for analysis and troubleshooting purposes.
Azure Connection Monitor: A feature in Azure Network Watcher that allows you to monitor the availability and connectivity of your network connections.
Application Insights: A monitoring service in Azure that provides application performance analytics and allows you to monitor the availability, performance, and usage of your web applications.
Azure Key Vault: A secure, highly available, and managed cloud service that provides a centralized repository for storing and managing secrets and certificates.
Virtual Network Peering: A feature in Azure Virtual Network (VNet) that allows you to connect two VNets in the same region through a direct and high-bandwidth connection.
- Requires forwarded traffic
- Requires route tables and the tables being assigned to subnets
- Address spaces cannot be overlapping
- Peering Status has to say “Connected”
- Gateway Transit is “Enabled”
- Peering needs to be deleted if a new endpoint is created, or the status needs to be changed to connected.
Authentication: The process of verifying the identity of a user, device, or service.
Authorization: The process of granting or denying access to resources based on the identity of a user, device, or service.
New-AzureRM: A PowerShell cmdlet that creates a new Azure resource in the Azure Resource Manager (ARM) deployment model.
Cloud-Init: An open-source tool used to configure cloud instances on first boot, such as setting up users, setting the password, and installing packages.
- The az vm create command can be used with –custom-data to provide the init text file.
Conditional Access: A feature in Azure AD that allows you to control access to your applications and data based on conditions such as location, device, and user identity.
- Grants allow you to control the location of the login
Session Persistence: A feature in Azure Load Balancer that allows you to ensure that a client’s requests are sent to the same backend instance for the duration of a session.
Metrics: Data that provides information about the performance, resource usage, and availability of a system or application.
Resource Tags: Metadata that you can assign to your Azure resources to help categorize and manage them.
- These can be used to differentiate billing reports and costs per department
Azure Migrate Limitations for DNS Servers – Domain Controllers and Certificate Authorities: Limitations with migrating Active Directory domains, including the need to ensure that DNS servers, domain controllers and certificate authorities are compatible with Azure.
Data Collector Azure Migrate: Azure tool used to collect data from on-premises environments for assessment and migration to Azure.
Azure Migrate: A service in Azure that allows you to assess, plan, and migrate your on-premises workloads to the cloud.
- Comfort Factor
- Percentile Utilization
- Utilization
- For example, 16 cores at 25% utilization with a comfort factor of 2
- 16 (Cores) * 0.25 (Utilization) = 4
- 4 * 2 (Comfort Factor) = 8
- Create an Assessment
- Download the OVA file
- From a VM, run teh OVF Template Wizard
- Connect the collector virtual machine and run the Migrate Collector
- Create a Migrate Project from the Portal
Multi-Factor Authentication: An authentication method that requires a user to provide two or more forms of identity verification, such as a password and a security token.
- adminstrator accounts don’t work with security questions, need AD Privileged Identity Management for that
- Fraud alert can be enabled for self reporting of access issues
Azure Data Factory: A cloud-based data integration service that allows you to create, schedule, and orchestrate data pipelines.
Azure Blog Storage: A scalable object storage service in Azure that can store and retrieve any amount of data from anywhere in the world.
Azure Data Lake Store: A scalable and secure data lake that allows you to store unlimited data in its native format for big data analytics.
Cost Management: The process of monitoring, analyzing, and controlling the cost of using Azure services.
ARM Template Example and Explanation: An example and explanation of an Azure Resource Manager (ARM) template, which is a JSON file that defines the resources and their properties that you want to deploy to Azure.
- When deploying a VM the offer is WindowServer and the sku is 2016-DataCenter
- When deploying roles, the * at the end is for writing
- The resource group blade lets you view the template used for deployment
- New-AZDeployment allows you to deploy resources and resource groups
- New-AzResourceGroupDeployment deploys an ARM template to an existing group
- dataActions is used to modify who can sign in
- assignableScopes restrict who can be assigned the role/policy/etc
- Type contains the servicetype/service/layer
Logic App: A cloud-based service that allows you to automate workflows and integrations between cloud and on-premises applications.
- Logic apps can be controlled for scaling with a workflow setting configuration
Azure AD Premium P1 vs P2: Azure Active Directory Premium P1 is a version of Azure AD that includes basic identity protection and access management features, while Azure Active Directory Premium P2 includes advanced identity protection and access management features.
Resource Lock: A feature in Azure that allows you to lock a specific resource or resource group to prevent deletion or accidental modification.
- These don’t apply to moves
Azure AD Premium P1 vs Basic: Azure Active Directory (AD) Premium P1 is a paid version of Azure AD that provides additional features and functionality over the free version (Azure AD Basic). Some of the features that are available in Premium P1 but not in Basic include single sign-on (SSO) for on-premises and cloud-based apps, conditional access, and self-service password reset.
Azure Network Watcher: A network monitoring tool in Azure that allows you to diagnose and troubleshoot network-related issues.
Azure Functions: A serverless compute service in Azure that allows you to run event-triggered code without having to manage infrastructure.
Docker container: A type of containerization technology that allows you to package and deploy applications as containers.
Azure App Service: A fully managed platform for building, deploying, and scaling web apps and mobile apps in the cloud.
- The development slots are not backed up
- You can restore a prod instance to a new slot
- Region specific and cannot be moved across regions – Have to clone/copy
- Does not support A records
- Web server logging allows acces to raw http data including 500 error codes. It’s part of appliccation service logs
- _backup.filter file allows you to ignore certain files from backups
Azure App Service Environment: A fully managed and dedicated environment for running Azure App Service apps.
Azure App Service Plan: A logical grouping of resources in Azure App Service that defines the scale and capacity of the apps that run in it.
Azure Deployment Slots: A feature in Azure App Service that allows you to test new versions of your app in a staging environment before deploying them to production.
Service Bus: A messaging service in Azure that allows you to send and receive messages between applications and services.
- Sessions allow you to guarantee First In First Out
Security Administrator: A user in Azure with the security administrator role, who is responsible for managing security-related tasks such as setting up conditional access policies, monitoring security logs, and managing Azure AD identity protection.
Service Administrator: A user in Azure with the service administrator role, who is responsible for managing the overall health and availability of Azure services and resources.
Subnet: A subnetwork in a virtual network in Azure that provides a way to segment the virtual network into smaller, isolated networks.
Cost Analysis: A feature in Azure Cost Management that allows you to analyze your Azure spending and usage to identify areas for cost optimization.
NAT Rule: A rule in Azure Network Security Group (NSG) that allows you to map an external IP address to an internal IP address for outbound network traffic. It also allows the ability to filter outbound connections in Azure.
Route Tables: A feature in Azure Virtual Network that allows you to define custom routing rules for network traffic.
Azure Application Gateway: A fully managed, multi-tier, load balancing solution in Azure that provides high availability, security, and scalability for web applications.
Azure Bastion: A service in Azure that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Azure virtual machines directly from the Azure portal.
- The subnet name is AzureBastionSubnet
- The address prefix is always a /27
URL Path-based listener: A feature in Azure Application Gateway that allows you to route incoming traffic based on the URL path of the request.
multi-site listener: A feature in Azure Application Gateway that allows you to route incoming traffic to multiple backend servers based on the URL path of the request.
ssl termination/ssl offloading: A feature in Azure Application Gateway that allows you to terminate SSL/TLS connections at the gateway, freeing the backend servers from the CPU-intensive SSL encryption and decryption process.
AD Identity Protection: Azure AD Identity Protection is a security service that provides risk-based conditional access and helps protect your organization from threats posed by compromised identities.
AD Privileged Identity Management: Azure AD Privileged Identity Management (PIM) is a security service that enables you to manage, control, and monitor the use of elevated privileges in Azure AD and Azure services.
- Access can be granted on demand, and auto-approvals can be initiated
- Force 2FA for administrator accounts
- You need a phone number (mobile or office)
- User account in Azure AD is required (Microsoft/Azure AD)
- Cloud apps lists the apps
- Grant to grant MFA as an option
- Active roles assign immediately
- Multi factor blade is used to restrict access to certain locations for administrators
- Allows email notifications when privileged accounts are modified
Azure Security Center: Azure Security Center is a security management platform that provides unified security management and advanced threat protection across hybrid cloud workloads.
IDFix tool: IDFix is a tool used to fix identity synchronization issues between on-premises Active Directory and Azure AD.
Invoices tab: The invoices tab in Azure portal allows you to view and manage billing information, such as cost analysis and payment history.
Azure Event Hub: Azure Event Hub is a highly scalable data streaming platform and event ingestion service that can process millions of events per second.
ExpressRoute: ExpressRoute is a service provided by Microsoft Azure that enables you to create private connections between Azure datacenters and infrastructure that’s on your premises or in a co-location environment.
- ErGw3AZ allows up to 10gbs, azs, fast path
Log Analytics Agent: The Log Analytics agent is software that you install on servers and workstations to collect data for Log Analytics.
- The Agent has to be installed for Microsoft Monitoring Agent, not the extension.
Log Analytics Workspace: Log Analytics Workspace is a central repository for storing and analyzing log data.
- The data can include events, performance data, or custom data from the azure PAPI
- It can be used for alerting, analysis and expert
- Monitoring network performance monitor and traaffic analytics is built in
Migrating virtual machine limitations: Limitations of migrating virtual machines may include compatibility issues with the target virtual machine size, storage configurations, and network settings.
ScaleSetVM orchestration: ScaleSetVM orchestration is the process of automatically provisioning and managing virtual machines in a scale set.
Virtual WAN: Virtual WAN is a hub-and-spoke architecture that enables you to manage virtual networks and gateways in a unified manner.
Network virtual appliance: A network virtual appliance is a software-based network function that runs on a virtual machine.
Standard Load Balancer: Azure Standard Load Balancer is a load balancing solution for applications running on multiple virtual machines.
- Works for non scale set VMs
- Doesn’t matter if the IP is standard
- The IP and LB SKU must match
- To create a rule, you need a Front End IP
- Once you have a front-end IP, you need a backend pool and a health probe
Basic Load Balancer: Azure Basic Load Balancer is a load balancing solution for applications running on a single virtual machine.
- The basic LB can only balance a scale set
- It also requires the VMs to be in the same location
- Same virtual network
- Standard SKU Public IP or No IP (Can’t have Basic)
Floating IP: Floating IP is a feature that allows you to assign a static public IP address to a virtual machine, even if the virtual machine is stopped or restarted. This is ideal for SQL type servers that are active/passive or scale sets.
HA ports: HA ports are high availability ports that provide automatic failover for network interfaces in the event of network outages.
Frontend IP: Frontend IP is the public IP address that is used to access a virtual machine over the internet.
Backend IP: Backend IP is the private IP address of a virtual machine that is used to access internal resources.
VPN: VPN stands for Virtual Private Network, a technology that enables secure, encrypted communication over a public network.
- VPN has to be reinstalled if network topology is updated
AzCopy: a command-line utility that you can use to copy data to/from Azure storage accounts.
Web Application Firewall (WAF): a firewall that sits in front of your web application, protecting it from common web-based attacks, such as SQL injection, cross-site scripting, and cross-site request forgery.
Log Analytics Query Examples for Events and SysLog: sample queries that you can use to search and analyze logs collected in Azure Log Analytics.
Azure Advisor: a service that provides personalized recommendations to help optimize your Azure resources.
- This can be accessed from Cost Management as well
- Unused disks from virtual machines can be point using storage explorer, account management properties
ExtensionProfile/Custom Script Extension ARM: a feature in Azure Resource Manager (ARM) templates that enables you to execute scripts on Azure VMs during deployment and post-deployment.
Application Security Group: a way to group virtual machines (VMs) and define network security rules for the VMs within a virtual network in Azure.
Shared Access Signature (SAS): a secure signature that you can generate for a resource in Azure storage, allowing you to grant limited access to the resource.
IAM (Identity and Access Management): a set of security principles and policies that determine who has access to a resource in Azure and what they can do with it.
RBAC (Role-Based Access Control): a way to control access to resources in Azure based on the role of the user who is requesting access.
Docker Push: a command used to upload a Docker image to a Docker registry, such as Docker Hub or Azure Container Registry.
acr build: Azure Container Registry build, used to build and store Docker images in the cloud.
acr create: Azure Container Registry create, used to create a new instance of Azure Container Registry.
Azure CLI: Azure Command-Line Interface, used to manage Azure services and resources from the command line.
- This is the only way to migrate DNS zones easily by importing zone files
Azure Bash: Azure shell for Linux, used to manage Azure services and resources from the Bash shell.
Azure CloudShell: Azure shell for Windows, used to manage Azure services and resources from the browser.
Azure PowerShell: Azure module for Windows PowerShell, used to manage Azure services and resources using PowerShell.
Network Performance Monitor: Azure service that monitors and analyzes network performance, identifies and resolves network issues.
Gateway Transit: Azure feature that enables network-to-network connectivity between virtual networks.
- Set-AzureRMVirtualNetworkGatewayDefaultSite allows you to route traffic
Sign in Risk Policy: Azure security feature that sets policies to control access based on risk level of sign-in attempts.
Managed Identities: Azure feature that manages and rotates service identities for Azure resources, eliminates the need for shared secrets to access resources.
Enterprise Mobility: Azure solution that provides secure access to resources and identity management for employees, contractors and partners.
Security E3: Azure security bundle that includes Azure Advanced Threat Protection, Azure Information Protection and Azure Conditional Access.
Security E5: Azure security bundle that includes all features from E3, plus Azure Advanced Threat Analytics, Azure Defender and Azure Sentinal.
UEFI Boot: Unified Extensible Firmware Interface boot, a firmware interface for starting and initializing operating systems.
Service Bus Queue: Azure service used for reliable message delivery between applications and services.
Service Bus Topic: Azure service used for publish/subscribe messaging pattern, where multiple receivers subscribe to a single message source.
Event Grid Topic: Azure service used for event-driven messaging and triggering of actions in response to events.
Scale in Versus Scale Out: Scaling in refers to reducing the number of instances, while scaling out refers to increasing the number of instances.
CORS and WebApps: Cross-Origin Resource Sharing, a mechanism to allow restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
Grants: Permissions granted to access resources, such as a specific database or file.
Session controls: To restrict access to a session
KQL examples: Keyword Query Language examples, used for querying data in Azure Log Analytics and Azure Sentinel.
- Startofweek returns the start of the week, which is Sunday
- Endoftheweek is Saturday
- Render creates a graph
- TableName | Query | Selector
- Level == ‘Critical’ , or
- Event | search “error”
- Event | where EventType == “error”
- search in (Event) “Error”
Cosmos DB: Azure database service for globally distributed, multi-model data.
Read Only Geo Redundant Storage: Azure storage option that provides read-only access to data stored in a secondary region, in the event of a disaster in the primary region.
SetupComplete.cmd: Command script used to run custom extensions during the deployment of a virtual machine in Azure.
Azure Activity Log: Azure service used to track changes and activity for resources in Azure.
Access Policy: Policy in Azure used to control access to resources and services.
Live Metrics Stream in Application Insights: Azure feature that provides real-time streaming of metrics and telemetry data for application performance monitoring.
Stored Access Policy: Access policy in Azure used to control access to resources over time, with a set expiration date.
Azure Kubernetes Service: Allows kubernets but managed in Azure and orchestrated
- For networking it uses CNI or kubenet
- Azure Network Policy ssupports CNI only.
- Calico supports CNI and kubenet
- With CNI, every pod gets an IP address from the subnet and can be accesssed directly.
- OAuth 2.0 endpoints are required for access
- Docker push is required to deploy the app1 first
Kubenet: Container network plugin in Kubernetes, used to provide basic network connectivity for pods.
- kubectl apply -f file_name.yaml to deploy a yaml file
Container Network Interface: Network interface for containers, used to connect containers to networks and other resources.
Health Probe: Mechanism used to monitor the health of an application or service, ensuring that it is functioning properly.
Administrative Units: Azure Active Directory feature that allows administrators to delegate administrative tasks to other users, while maintaining control over resources.
- These let you restrict access to people for a certain region
Reader Role: Role in Azure used to provide read-only access to resources.
Service Endpoint: Azure feature that secures access to services over the network.
Private Endpoint: Azure feature that enables communication with a service through a private IP address, rather than a public IP address.
Active Directory Domain Services: Azure service that provides a managed version of Active Directory, used for identity and access management.
Action Group: Azure service used to group alerts and automate responses to specific incidents.
- You can send 100 emails per hour
- You can send 1 text messages per 5 minutes and 1 call every 5 minutes
- Connect to Azure Monitor, also each metric requires its own rule, so powered off, restarted, and deallocated is 3 rules.
- Action groups can contain multiple recipients and can be re-used for alerts
Azure Firewall: Azure service used to provide centralized network security and protect against cyberattacks.
- Only works with a Standard IP for Premium
Encryption Scope: Azure feature that provides the ability to manage encryption settings for specific resources or services.
Azure Custom Script Extension: Azure feature that allows administrators to run custom scripts during the deployment of virtual machines.
IP Address SKU: Azure feature that defines the pricing tier for a static or dynamic IP address.
Gateway SKU: Azure feature that defines the pricing tier for a VPN gateway.
Backup Vault: Azure service used for backup and disaster recovery, providing a centralized location for storing backup data.
Service Tag: Azure feature that allows administrators to identify and control access to resources and services.
Application Insights Profiler: Azure feature that provides real-time profiling and performance analysis of .NET applications.
Bastion Hosts: Azure service that provides secure, browser-based remote access to virtual machines.