AZ 104 Exam Study Cram Guide
Aug 6, 2024
AZ 104 V2 Study Cram Notes
Introduction
Updated version of the AZ 104 study cram, with some modifications and updates.
Links to different sections in the description.
Recommendations to follow the study guide and perform hands-on activities.
Go through learning modules and schedule the exam.
Hands-on practice is crucial.
Entra ID (formerly Azure AD)
Overview
Identity Provider from Microsoft.
Supports cloud protocols like OAuth2, OpenID Connect, SAML, WS-Fed.
Uses HTTPS and TLS encryption.
Different from on-prem Active Directory which uses Kerberos, NTLM, LDAP.
Microsoft Graph is the standard way to interact with services like Office 365.
Entra ID vs Active Directory Domain Services
Entra ID is flat: there are no organizational units, but administrative units allow delegated, granular permissions.
Active Directory Domain Services can replicate to Entra ID using Entra Connect or Entra Connect Cloud Sync.
Replication flow is always from on-prem to Entra ID.
Applications and Trust
Applications like Azure and Microsoft 365 trust Entra ID for authentication and authorization.
Third-party applications can also trust Entra ID.
Security Service Edge (SSE) extends these checks to any internet site, and to on-premises TCP/UDP apps using Entra Private Access.
Tenant and Custom Domains
Organizations have specific tenants (e.g., Savtech.net).
Primary domain can be customized after verification.
Tenants can have accounts created directly in the cloud or synchronized from on-premises.
Guests from external instances can be invited and assigned roles.
Groups and Devices
Groups can be security or Microsoft 365 types and can have assigned or dynamic membership.
Devices can be registered or joined to Entra ID.
Registered devices are typically personally owned (BYOD); joined devices are organization-owned, and users sign in to them with their Entra ID account.
Licensing
Entra ID licenses: Free, P1, P2, and Identity Governance add-on.
P1 adds features like conditional access, HR-driven provisioning; P2 adds advanced features like Privileged Identity Management.
Different licenses can be assigned to different users/groups.
Self-Service Password Reset
Allows users to reset passwords using various authentication methods.
Configurable options for reset requirements and methods.
Can write back to on-prem Active Directory if enabled.
Roles and Administrative Units
Global Administrator is the most privileged role; other roles available for specific permissions.
Administrative units help delegate permissions over specific sets of users, groups, or devices.
Azure Cloud Concepts
Regions and Availability Zones
Azure has multiple clouds: Commercial, US Gov, China, etc.
Regions are divided into data centers and availability zones for high availability.
Resources can be zonal (within a specific AZ) or zone redundant (across multiple AZs).
Paired regions for disaster recovery, usually within the same geopolitical boundary.
Subscriptions and Management Groups
Resources are deployed into subscriptions, which can be organized using Management Groups.
Management Groups allow for governance, tracking budget, role assignments, and policy application at various levels.
Free trial accounts available for initial practice.
Cost Management
Cost Analysis and Optimization
Azure is consumption-based; pay for what you use.
Cost analysis tools available for monitoring spend and forecasting costs.
Azure Advisor provides recommendations for cost optimization.
Budgets can be set to trigger alerts based on spend or forecasted spend.
Financial Options
Azure Hybrid Benefit: Use existing licenses for cost savings.
Azure Reservations: Discounts for committing to specific resources for 1 or 3 years.
Azure Savings Plan: Flexible but only for included compute services.
Tags
Tags are key-value pairs used for metadata, filtering, and billing purposes.
Tags are not inherited but can be propagated using Azure Policy.
Governance and Compliance
Azure Policy
Sets guardrails for resource creation and management.
Policies and initiatives for standardizing resource configurations and tracking compliance.
Policies can have effects like deny, audit, or deployIfNotExists.
Initiatives are collections of policies for broader compliance management.
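To make the policy and initiative bullets concrete, here is an added example (not from the video or these notes) of how Azure Policy's if/then rule language is evaluated against resources. The two policy definitions and the three resources are constructed for the example, and only the subset of the rule language they use (field, equals, notIn, exists, allOf) is implemented; deny is what blocks a request at create/update time, while audit only records non-compliance.

```python
# Constructed policy definitions in the shape of an Azure Policy policyRule.
# The names and the allowed-region list are assumptions for this example.
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "policyRule": {
        "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
        "then": {"effect": "deny"},
    },
}
REQUIRE_ENV_TAG = {
    "name": "require-env-tag",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "tags['env']", "exists": "false"},
        ]},
        "then": {"effect": "audit"},
    },
}
# An initiative is simply a collection of policy definitions.
INITIATIVE = [ALLOWED_LOCATIONS, REQUIRE_ENV_TAG]

# Constructed resources as the policy engine would see them.
RESOURCES = [
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "tags": {"env": "prod"}},
    {"name": "stscratch", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope"},                       # no env tag
    {"name": "vm-dev", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {"env": "dev"}},    # region not allowed
]

def _field(resource, path):
    """Resolve a policy field path; tags use the tags['name'] form."""
    if path.startswith("tags['") and path.endswith("']"):
        return resource.get("tags", {}).get(path[6:-2])
    return resource.get(path)

def matches(condition, resource):
    """Evaluate one condition (possibly nested allOf/anyOf/not) against a resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = _field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:   # Azure Policy writes the boolean as "true"/"false"
        return (value is not None) == (condition["exists"] == "true")
    raise ValueError(f"unsupported condition: {condition}")

def evaluate_policies(policies, resource):
    """Return {policy name: effect} for every policy whose 'if' block matches."""
    hits = {}
    for policy in policies:
        rule = policy["policyRule"]
        if matches(rule["if"], resource):
            hits[policy["name"]] = rule["then"]["effect"]
    return hits

def is_blocked(policies, resource):
    """A create/update request is refused if any matching policy has effect deny."""
    return any(effect == "deny" for effect in evaluate_policies(policies, resource).values())

def compliance_report(policies, resources):
    """What a compliance scan would show: non-compliant resources and the policy that flagged them."""
    return {r["name"]: evaluate_policies(policies, r)
            for r in resources if evaluate_policies(policies, r)}

if __name__ == "__main__":
    for name, hits in compliance_report(INITIATIVE, RESOURCES).items():
        print(name, "->", hits)
```

The same evaluator works for any resource dictionary, so it can be pointed at an exported resource list to preview what an initiative would flag before assigning it.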
Role-Based Access Control (RBAC)
Assign roles to users/groups at different scopes (Management Group, Subscription, Resource Group, Resource).
Least privilege principle: minimum permissions required.
Custom roles can be created if built-in roles are not sufficient.
Audit and manage role assignments using Access Control (IAM) in the portal.
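As an added example (not part of the original notes), the following models how RBAC scope inheritance works: an assignment at a management group, subscription or resource group applies to everything beneath it, group assignments apply to members, and the effective roles are the union of all of them. The scope hierarchy, principals, GUID and role assignments are constructed placeholders; the scope ID formats are Azure's real ones.

```python
# Constructed scope hierarchy (Azure ID formats, placeholder names/GUID).
MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
PARENT = {MG: None, SUB: MG, RG: SUB, VM: RG}

# Constructed role assignments: (principal, role definition name, scope).
ASSIGNMENTS = [
    ("group:platform-admins", "Owner", MG),
    ("user:alice", "Reader", SUB),
    ("user:alice", "Virtual Machine Contributor", RG),
    ("user:bob", "Contributor", VM),
]
# Constructed group membership: a group's assignments apply to each member.
MEMBERSHIP = {"user:carol": {"group:platform-admins"}}

# Roles that grant write or access-management rights over everything in scope.
HIGHLY_PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def scope_chain(scope):
    """The scope itself followed by each ancestor up to the root management group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain

def effective_roles(principal, scope, assignments=ASSIGNMENTS, membership=MEMBERSHIP):
    """Roles a principal holds at `scope`. Assignments inherit downward, so any
    assignment at an ancestor scope counts, and group assignments count for members.
    RBAC is additive: the result is the union of every matching assignment."""
    identities = {principal, *membership.get(principal, set())}
    visible = set(scope_chain(scope))
    return sorted({role for p, role, s in assignments if p in identities and s in visible})

def is_broad(scope):
    """Management-group or subscription scope: everything beneath inherits it."""
    return scope.startswith("/providers/Microsoft.Management/") or scope.count("/") == 2

def broad_privileged_assignments(assignments=ASSIGNMENTS):
    """Least-privilege review: highly privileged roles granted at a broad scope."""
    return [a for a in assignments if a[1] in HIGHLY_PRIVILEGED and is_broad(a[2])]

if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "user:carol"):
        print(who, "at vm-web01:", effective_roles(who, VM))
    print("review:", broad_privileged_assignments())
```

Owner at the management group is exactly the kind of assignment the least-privilege bullet warns about: it reaches every subscription and resource under that group, so the review helper surfaces it.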
Resource Locks
Resource locks prevent accidental deletion or modification.
Types: Read-only, Cannot delete.
Locks apply only to the control plane, not the data plane.
Networking
Virtual Networks (VNet)
VNet is a fundamental building block for networking in Azure, defined by IPv4 and optionally IPv6 address spaces.
Subnets divide the VNet, and resources are assigned private IP addresses.
Public IPs can be assigned but are not recommended for direct use; instead, use Load Balancer or NAT Gateway.
VNet Peering
VNet Peering connects VNets within the same or different regions, enabling private IP communication.
Hub and spoke topology can be used for centralized management of connectivity.
Peering is not transitive; manual configuration is required for full connectivity.
Azure Virtual Network Manager
Manages network configurations and security rules centrally.
Supports both Hub and Spoke and Mesh topologies.
Security admin rules are evaluated before NSG rules and can override them.
Network Security Groups (NSG)
NSGs control inbound and outbound traffic at the subnet or NIC level.
Rules based on priority, source, destination, ports, and action (allow, deny).
Use Service Tags and Application Security Groups for more flexible configurations.
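The NSG bullets describe the evaluation order in words; here is an added example (not from the video or these notes) that walks a flow through custom rules and Azure's default inbound rules in priority order, lowest number first. The custom rules and the flows are constructed, and the address ranges used for the VirtualNetwork, Internet and AzureLoadBalancer service tags are assumptions so the example runs offline (Azure resolves the real tags to the actual prefixes).

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for Azure service tags (assumption for this example).
VNET_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SERVICE_TAGS = {
    "VirtualNetwork": VNET_PREFIXES,
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

@dataclass
class Rule:
    name: str
    priority: int       # custom rules use 100-4096; the lowest number wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR, single IP, service tag or "*"
    destination: str
    dest_ports: str     # "22", "80-443", "*" or a comma-separated list

# Azure's default inbound rules; every NSG carries these at 65000-65500.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules for a web subnet: SSH only from a jump subnet,
# an explicit deny for SSH from the Internet, HTTPS from anywhere.
CUSTOM_RULES = [
    Rule("AllowSSHFromJump", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "22"),
    Rule("DenySSHFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "22"),
    Rule("AllowHTTPS", 300, "Inbound", "Allow", "Tcp", "*", "*", "443"),
]

def _addr_matches(pattern, ip):
    if pattern == "*":
        return True
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if pattern == "Internet":          # everything outside the virtual network
        return not in_vnet
    prefixes = SERVICE_TAGS.get(pattern, [pattern])   # tag, else literal CIDR/IP
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)

def _port_matches(pattern, port):
    for piece in pattern.split(","):
        piece = piece.strip()
        if piece == "*":
            return True
        if "-" in piece:
            lo, hi = piece.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(piece) == port:
            return True
    return False

def match_rule(custom_rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return the first rule, in ascending priority order, that matches the flow.
    Only inbound is modelled here because only the inbound defaults are listed."""
    candidates = [r for r in list(custom_rules) + DEFAULT_INBOUND if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not (_addr_matches(rule.source, src_ip) and _addr_matches(rule.destination, dst_ip)):
            continue
        if not _port_matches(rule.dest_ports, dst_port):
            continue
        return rule
    return None

if __name__ == "__main__":
    for flow in [("Tcp", "10.0.1.5", "10.0.2.4", 22), ("Tcp", "203.0.113.9", "10.0.2.4", 22),
                 ("Tcp", "10.0.5.5", "10.0.2.4", 22), ("Tcp", "203.0.113.9", "10.0.2.4", 3389)]:
        hit = match_rule(CUSTOM_RULES, "Inbound", *flow)
        print(flow, "->", hit.name, hit.access)
```

Two things the walk-through makes visible: SSH from a VNet address that is not the jump subnet is still allowed, because nothing before the default AllowVnetInBound rule denies it, and anything else from the Internet falls through to DenyAllInBound.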
Azure Firewall
Managed network security service for controlling traffic in and out of Azure.
Supports network and application layer rules.
Different SKUs: Basic, Standard, Premium.
DNS
Azure DNS supports both public and private DNS zones.
Alias records prevent dangling DNS issues.
Private DNS zones for internal name resolution.
Azure DNS Private Resolver for custom DNS resolution between Azure and on-premises.
ExpressRoute and VPN
ExpressRoute: Private connectivity to Azure via dedicated circuits.
VPN Gateway: Connects on-premises networks to Azure over the internet.
Supports Site-to-Site, Point-to-Site, and VNet-to-VNet configurations.
Load Balancing
Azure Load Balancer: Layer 4 (TCP, UDP) load balancing within a region.
Azure Application Gateway: Layer 7 (HTTP, HTTPS) load balancing with advanced routing and WAF.
Azure Front Door: Global layer 7 load balancing with caching and security features.
Azure Traffic Manager: DNS-based global load balancing.
Storage
Storage Accounts
General Purpose V2 is the most common type, with support for blobs, files, queues, and tables.
Redundancy options: LRS, ZRS, GRS, GZRS, and read-access variants.
Blobs
Different tiers for optimizing cost: Hot, Cool, Cold, Archive.
Lifecycle management for automatic tiering and deletion.
Tools for interaction: Azure Portal, Storage Explorer, azcopy, Data Box.
Azure Files
SMB and NFS file shares with redundancy options.
Azure File Sync for syncing on-premises file servers with Azure.
Managed Disks
Types: Standard HDD, Standard SSD, Premium SSD, Premium SSD V2, Ultra Disk.
Encryption options: Platform-managed keys, Customer-managed keys with Disk Encryption Sets.
Disk encryption within the guest OS (BitLocker for Windows, dm-crypt for Linux).
Compute
Virtual Machines
Different SKUs and sizes for various workloads (General Purpose, Compute Optimized, Memory Optimized, etc.).
Availability sets and zones for high availability.
Managed identities, extensions, and backup integration.
Virtual Machine Scale Sets
Uniform and flexible modes for scaling VMs.
Auto-scaling based on metrics and rules.
Containers and Kubernetes
Azure Container Instances for running containers.
Azure Kubernetes Service for orchestrating containers at scale.
Networking models: kubenet, Azure CNI, Overlay.
Scaling: Horizontal Pod Autoscaler, Cluster Autoscaler.
Platform as a Service (PaaS)
Azure App Service for running web apps with deployment slots and scaling options.
Azure Functions for serverless computing.
Monitoring and Management
Azure Monitor
Subscription-level monitoring through Activity Logs.
Resource-level metrics and diagnostic settings.
Log Analytics Workspace for advanced log querying and analysis.
Alerts and Action Groups
Create alerts based on metrics, logs, and activity logs.
Alert Processing Rules for managing alert actions and suppression.
Action Groups for notifications and automated responses.
Network Watcher
Tools for monitoring and diagnosing network issues: IP Flow Verify, NSG Diagnostics, Packet Capture, etc.
Final Tips
Follow the study guide and get hands-on practice.
Don't panic during the exam; use logical thinking.
Review areas of weakness if you don't pass the first time.
Good luck!