AZ 104 Exam Study Cram Guide

Aug 6, 2024

AZ 104 V2 Study Cram Notes

Introduction

  • Updated version of the AZ 104 study cram, with some modifications and updates.
  • Links to different sections in the description.
  • Recommendations to follow the study guide and perform hands-on activities.
  • Go through learning modules and schedule the exam.
  • Hands-on practice is crucial.

Entra ID (formerly Azure AD)

Overview

  • Identity Provider from Microsoft.
  • Supports cloud protocols like OAuth2, OpenID Connect, SAML, WS-Fed.
  • Uses HTTPS and TLS encryption.
  • Different from on-prem Active Directory, which uses Kerberos, NTLM, and LDAP.
  • Microsoft Graph is the standard way to interact with services like Office 365.

Entra ID vs Active Directory Domain Services

  • Entra ID is primarily flat: it has no organizational units, but administrative units allow permissions to be delegated over a subset of objects.
  • Active Directory Domain Services can replicate to Entra ID using Entra Connect or Entra Connect Cloud Sync.
  • Replication flow is always from on-prem to Entra ID.

Applications and Trust

  • Applications like Azure and Microsoft 365 trust Entra ID for authentication and authorization.
  • Third-party applications can also trust Entra ID.
  • Security Service Edge extends these checks to any internet site, and to on-premises TCP/UDP apps through Entra Private Access.

Tenant and Custom Domains

  • Organizations have specific tenants (e.g., Savtech.net).
  • Primary domain can be customized after verification.
  • Tenants can have accounts created directly in the cloud or synchronized from on-premises.
  • Guests from external instances can be invited and assigned roles.

Groups and Devices

  • Groups can be security or Microsoft 365 types and can have assigned or dynamic membership.
  • Devices can be registered or joined to Entra ID.
  • Registered devices are user-owned; joined devices are corporation-owned and allow users to authenticate to the device with their organizational identity.

Licensing

  • Entra ID licenses: Free, P1, P2, and Identity Governance add-on.
  • P1 adds features like conditional access, HR-driven provisioning; P2 adds advanced features like Privileged Identity Management.
  • Different licenses can be assigned to different users/groups.

Self-Service Password Reset

  • Allows users to reset passwords using various authentication methods.
  • Configurable options for reset requirements and methods.
  • Can write back to on-prem Active Directory if enabled.

Roles and Administrative Units

  • Global Administrator is the most privileged role; other roles available for specific permissions.
  • Administrative units help delegate permissions over specific sets of users, groups, or devices.

Azure Cloud Concepts

Regions and Availability Zones

  • Azure has multiple clouds: Commercial, US Gov, China, etc.
  • Regions are divided into data centers and availability zones for high availability.
  • Resources can be zonal (within a specific AZ) or zone redundant (across multiple AZs).
  • Paired regions for disaster recovery, usually within the same geopolitical boundary.

Subscriptions and Management Groups

  • Resources are deployed into subscriptions, which can be organized using Management Groups.
  • Management Groups allow for governance, tracking budget, role assignments, and policy application at various levels.
  • Free trial accounts available for initial practice.

Cost Management

Cost Analysis and Optimization

  • Azure is consumption-based; pay for what you use.
  • Cost analysis tools available for monitoring spend and forecasting costs.
  • Azure Advisor provides recommendations for cost optimization.
  • Budgets can be set to trigger alerts based on spend or forecasted spend.

Financial Options

  • Azure Hybrid Benefit: Use existing licenses for cost savings.
  • Azure Reservations: Discounts for committing to specific resources for 1 or 3 years.
  • Azure Savings Plan: Flexible but only for included compute services.

Tags

  • Tags are key-value pairs used for metadata, filtering, and billing purposes.
  • Tags are not inherited but can be propagated using Azure Policy.

Governance and Compliance

Azure Policy

  • Sets guardrails for resource creation and management.
  • Policies and initiatives for standardizing resource configurations and tracking compliance.
  • Policies can have effects like deny, audit, or deployIfNotExists.
  • Initiatives are collections of policies for broader compliance management.

Role-Based Access Control (RBAC)

  • Assign roles to users/groups at different scopes (Management Group, Subscription, Resource Group, Resource).
  • Least privilege principle: minimum permissions required.
  • Custom roles can be created if built-in roles are not sufficient.
  • Audit and manage role assignments using Access Control (IAM) in the portal.
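Scope inheritance as described above, as an added Python example that is not part of the original notes: a role granted at a management group, subscription or resource group flows down to everything beneath it, while an assignment on a single resource grants nothing at the parent scope. The principals, role assignments, scope IDs and management-group chain are constructed for the demo.

```python
# Constructed role assignments: (principal, role, scope). An assignment at a scope applies to every
# child scope beneath it; nothing flows upward from a child to its parent.
ASSIGNMENTS = [
    ("alice", "Reader", "/providers/Microsoft.Management/managementGroups/corp"),
    ("alice", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-web"),
    ("bob", "Owner", "/subscriptions/sub-1"),
    ("carol", "Virtual Machine Contributor",
     "/subscriptions/sub-1/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"),
]
# Management group membership is not encoded in resource IDs, so it is supplied separately (constructed).
MG_CHAIN = {"sub-1": ["/providers/Microsoft.Management/managementGroups/corp",
                      "/providers/Microsoft.Management/managementGroups/root"]}


def ancestors(scope):
    """Return the scope itself plus every enclosing scope, nearest first (resource -> RG -> subscription -> MGs)."""
    parts = scope.split("/")
    chain = [scope]
    if "subscriptions" not in parts:  # a management-group scope: no further parents modelled here
        return chain
    sub_id = parts[parts.index("subscriptions") + 1]
    if "resourceGroups" in parts:
        rg = "/".join(parts[: parts.index("resourceGroups") + 2])
        if rg != scope:
            chain.append(rg)
    sub = "/subscriptions/" + sub_id
    if sub != scope:
        chain.append(sub)
    return chain + MG_CHAIN.get(sub_id, [])


def effective_roles(principal, scope):
    """Map each role the principal holds at `scope` to the scope where it was granted."""
    inherited = ancestors(scope)
    return {role: s for p, role, s in ASSIGNMENTS if p == principal and s in inherited}


def broad_assignments():
    """Least-privilege review: assignments granted at subscription or management-group scope."""
    return [(p, r, s) for p, r, s in ASSIGNMENTS if "resourceGroups" not in s.split("/")]
```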

Resource Locks

  • Resource locks prevent accidental deletion or modification.
  • Types: Read-only, Cannot delete.
  • Locks apply only to the control plane, not the data plane.

Networking

Virtual Networks (VNet)

  • VNet is a fundamental building block for networking in Azure, defined by IPv4 and optionally IPv6 address spaces.
  • Subnets divide the VNet, and resources are assigned private IP addresses.
  • Public IPs can be assigned but are not recommended for direct use; instead, use Load Balancer or NAT Gateway.

VNet Peering

  • VNet Peering connects VNets within the same or different regions, enabling private IP communication.
  • Hub and spoke topology can be used for centralized management of connectivity.
  • Peering is not transitive; manual configuration is required for full connectivity.

Azure Virtual Network Manager

  • Manages network configurations and security rules centrally.
  • Supports both Hub and Spoke and Mesh topologies.
  • Security Admin Rules for overriding local NSG rules.

Network Security Groups (NSG)

  • NSGs control inbound and outbound traffic at the subnet or NIC level.
  • Rules based on priority, source, destination, ports, and action (allow, deny).
  • Use Service Tags and Application Security Groups for more flexible configurations.
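The priority-ordered, first-match evaluation described above, as an added Python example that is not part of the original notes: it approximates what Network Watcher's IP Flow Verify reports for a single flow, including the default rules every NSG carries. The service-tag prefixes, Application Security Group membership and custom rules are constructed for the demo.

```python
import ipaddress
from collections import namedtuple

# Constructed lookup tables for the demo. Real service-tag prefixes are published by Azure, and the
# real "Internet" tag excludes VNet-reachable space; 0.0.0.0/0 is a simplification here.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/8", "192.168.0.0/16"],
                "Internet": ["0.0.0.0/0"],
                "AzureLoadBalancer": ["168.63.129.16/32"]}
# Constructed Application Security Group membership: ASG name -> NIC private IPs.
ASGS = {"asg-web": ["10.0.1.4", "10.0.1.5"], "asg-db": ["10.0.2.4"]}

# Address fields accept "*", a CIDR/IP, a service tag or an ASG name; port fields accept "*", "443", "80,443" or "1024-65535".
Rule = namedtuple("Rule", "name priority direction access protocol source source_port dest dest_port")

# The default inbound rules every NSG carries (priorities 65000-65500); custom rules use 100-4096.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

def _addr_match(spec, ip):
    if spec in ASGS:
        return ip in ASGS[spec]
    prefixes = SERVICE_TAGS.get(spec, [spec])  # a service tag, else a literal CIDR or IP
    return spec == "*" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False) for p in prefixes)

def _port_match(spec, port):
    if spec == "*":
        return True
    ranges = [part.partition("-") for part in spec.split(",")]  # "80,443" -> two single ports
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def evaluate(custom_rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Lowest priority number is checked first; the first matching rule decides and evaluation stops."""
    rules = sorted((r for r in custom_rules + DEFAULT_RULES if r.direction == direction), key=lambda r: r.priority)
    for r in rules:
        if r.protocol not in ("*", protocol):
            continue
        if _addr_match(r.source, src_ip) and _addr_match(r.dest, dst_ip) \
                and _port_match(r.source_port, src_port) and _port_match(r.dest_port, dst_port):
            return r.access, r.name
    return "Deny", "NoMatchingRule"  # unreachable while DenyAllInBound is present

# Constructed custom rules: HTTPS from the internet to the web tier; SQL only from the web tier to the DB tier.
CUSTOM_RULES = [
    Rule("AllowHttpsToWeb", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "asg-web", "443"),
    Rule("AllowSqlFromWeb", 200, "Inbound", "Allow", "Tcp", "asg-web", "*", "asg-db", "1433"),
]
```

Note that RDP from the web tier to the DB tier is allowed by the default AllowVnetInBound rule unless a custom deny with a lower priority number is added.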

Azure Firewall

  • Managed network security service for controlling traffic in and out of Azure.
  • Supports network and application layer rules.
  • Different SKUs: Basic, Standard, Premium.

DNS

  • Azure DNS supports both public and private DNS zones.
  • Alias records prevent dangling DNS issues.
  • Private DNS zones for internal name resolution.
  • Azure Private DNS Resolver for custom DNS resolution.

ExpressRoute and VPN

  • ExpressRoute: Private connectivity to Azure via dedicated circuits.
  • VPN Gateway: Connects on-premises networks to Azure over the internet.
  • Supports Site-to-Site, Point-to-Site, and VNet-to-VNet configurations.

Load Balancing

  • Azure Load Balancer: Layer 4 (TCP, UDP) load balancing within a region.
  • Azure Application Gateway: Layer 7 (HTTP, HTTPS) load balancing with advanced routing and WAF.
  • Azure Front Door: Global layer 7 load balancing with caching and security features.
  • Azure Traffic Manager: DNS-based global load balancing.

Storage

Storage Accounts

  • General Purpose V2 is the most common type, with support for blobs, files, queues, and tables.
  • Redundancy options: LRS, ZRS, GRS, GZRS, and read-access variants.

Blobs

  • Different tiers for optimizing cost: Hot, Cool, Cold, Archive.
  • Lifecycle management for automatic tiering and deletion.
  • Tools for interaction: Azure Portal, Storage Explorer, azcopy, Data Box.

Azure Files

  • SMB and NFS file shares with redundancy options.
  • Azure File Sync for syncing on-premises file servers with Azure.

Managed Disks

  • Types: Standard HDD, Standard SSD, Premium SSD, Premium SSD V2, Ultra Disk.
  • Encryption options: Platform-managed keys, Customer-managed keys with Disk Encryption Sets.
  • Disk encryption within the guest OS (BitLocker for Windows, dm-crypt for Linux).

Compute

Virtual Machines

  • Different SKUs and sizes for various workloads (General Purpose, Compute Optimized, Memory Optimized, etc.).
  • Availability sets and zones for high availability.
  • Managed identities, extensions, and backup integration.

Virtual Machine Scale Sets

  • Uniform and flexible modes for scaling VMs.
  • Auto-scaling based on metrics and rules.

Containers and Kubernetes

  • Azure Container Instances for running containers.
  • Azure Kubernetes Service for orchestrating containers at scale.
  • Networking models: kubenet, Azure CNI, Azure CNI Overlay.
  • Scaling: Horizontal Pod Autoscaler, Cluster Autoscaler.

Platform as a Service (PaaS)

  • Azure App Service for running web apps with deployment slots and scaling options.
  • Azure Functions for serverless computing.

Monitoring and Management

Azure Monitor

  • Subscription-level monitoring through Activity Logs.
  • Resource-level metrics and diagnostic settings.
  • Log Analytics Workspace for advanced log querying and analysis.

Alerts and Action Groups

  • Create alerts based on metrics, logs, and activity logs.
  • Alert Processing Rules for managing alert actions and suppression.
  • Action Groups for notifications and automated responses.

Network Watcher

  • Tools for monitoring and diagnosing network issues: IP Flow Verify, NSG Diagnostics, Packet Capture, etc.

Final Tips

  • Follow the study guide and get hands-on practice.
  • Don't panic during the exam; use logical thinking.
  • Review areas of weakness if you don't pass the first time.
  • Good luck!