在今年微软的挑战中拿了两张免费考卷,一张是115$,怕浪费啊,就分别考了AZ-104和AZ-305,基本上你104能过,305就没有问题,az-104挺多知识点的,最讨厌的是步骤题,不知道死记那些步骤有何意思,把104的知识要点分列如下:
-
ResourceGroup的 Tag不会被resource继承,新建的policy只针对新添加和更新的resource生效,对没有修改的resource不生效,另外需要关注policy的defination是只针对resource还是包括resource groups Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.
-
Resize Availability Set下的VM, 需要停止Availability Set下所有的VM If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set.
-
The number of fault domains for managed availability sets varies by region - either two or three per region. Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. For a given availability set, five non-user-configurable update domains are assigned by default (Resource Manager deployments can then be increased to provide up to 20 update domains) to indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same time.
-
You need to make sure that the password cannot be stored in plain text.You are preparing to create the necessary components to achieve your goal. Key vault + access policy
-
The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.
-
recovery For physical servers - Storage Account - Azure Recovery Services Vault - Replication policy https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-disaster-recovery For Hyper-v server - Hyper-V site - Azure Recovery Services Vault - Replication policy https://docs.microsoft.com/en-nz/azure/site-recovery/hyper-v-prepare-on-premises-tutorial
-
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client
-
To configure an Azure internal load balancer as a listener for the availability group, you need to create a TCP health probe on port 1433, which is the default port for SQL Server.
-
Each VM will have a minimum of 1 NIC, which can have one or more IPs associated to it(include public and privite ip)
-
You can only restore a VM to the original VM or a new Azure VM. Azure Backup is a cloud-based backup solution, and it doesn’t support restoring VMs to on-premise Windows devices.
-
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
-
Each management group and subscription can only support one parent
-
Groups can contain both registered and joined devices as members. Cloud device admin cannot add/join devices,user admin can add device/user/groups, Dynamic groups dont require manual intervention, it uses criteria to add or remove devices/users/groups only assigned groups you can add
-
You can’t delete a Recovery Services vault with any of the following dependencies: You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state. You can’t delete a vault that contains backup data in the soft deleted state.
-
Before you can delete a Recovery Service vault that contains protected virtual machines, you need to stop the backup of each backup item.
-
If you want to change the recovery service vault you need to disassociate the previous RSV and delete the backup data. To delete backup data, you need to stop the backup first.
-
Recover Servies vault backup need resource in the same location with vault. to create a Vault to protect VMs, the Vault must be in the same Region as the VMs. VM,SQL,file share support be backuped by Recover Servies vault Blobs cannot be backup up to service vaults.
-
Azure RBAC is the authorization system you use to manage access to Azure resources.
-
Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to Azure AD.
-
Azure AD Roles like Global Administrator dont provided access to resources. For that RBAC Roles need to be aplied to the users.
-
Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.
-
You can adjust the guest user settings, their access, who can invite them from “External collaboration settings”
-
You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active. Usage location is an Azure property that can only be modified from Azure AD (for all users including Windows Server AD users synced via Azure AD Connect).
-
Your account must have any one of the following Azure roles at the subscription scope to enable traffic analytics: owner, contributor, reader, or network contributor. https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements
-
both Tags and Locks are available to Subscriptions, Resource Groups, and Resources.
-
Administrative units restrict permissions in a role to any portion of your organization that you define.
-
Owner = Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Contributor = Grants full access to manage all resources, but does NOT allow you to assign roles in Azure RBAC. (you cannot add users or changes their rights) User Access Administrator = Lets you manage user access to Azure resources. Reader = View all resources, but does not allow you to make any changes. Security Admin = View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. Network Contributor = Lets you manage networks, but not access to them. (so you can add VNET, subnet, etc)
-
Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites: \1. Select or create an Azure AD tenant. \2. To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant.
-
you can assign policy to Tenant Root Group,ManagementGroup1,Subscription1 and RG1 you can exclude policy from ManagementGroup1,Subscription1,RG11 and VM1
-
Built-in AD roles can’t be cloned, but built-in subscription roles can be. Custom roles of either type can be cloned.
-
Group-based licensing currently does not support groups that contain other groups (nested groups). If you apply a license to a nested group, only the immediate first-level user members of the group have the licenses applied(license不支持嵌套group)
-
Nesting is currently not supported for groups that can be assigned to a role. (role不支持group嵌套)
-
General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables. Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs. General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.
-
You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering.
-
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability. Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit. Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.
-
A sync group contains one cloud endpoint, or Azure file share, and at least one server endpoint. Azure File Sync does not support more than one server endpoint from the same register server in the same Sync Group. Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each endpoint is syncing to a unique sync group.
-
Server Point synced quick, cloud point sync in 24 hours. cloud endpoint, and it is scanned by the detection job every 24 hours the on-premises servers the file is scanned and synced automatically after it’s being added.
-
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
-
Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage. Only Shared Access Signature (SAS) token is supported for File storage.
-
The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your vaults exist. vault和log analytics workspace不按照location和subscription区分 Storage Account must be in the same Region as the Recovery Services Vault.
-
Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account. The archive tier supports only LRS, GRS, and RA-GRS.
-
Server Message Block (SMB) is used to connect to an Azure file share over the internet. The SMB protocol requires TCP port 445 to be open. Incorrect Answers: Port 80 is required for HTTP to a web server Port 443 is required for HTTPS to a web server Port 3389 is required for Remote desktop protocol (RDP) connections
-
While a blob is in archive storage, the blob data is offline and can’t be read or modified. To read or download a blob in archive, you must first rehydrate it to an online tier.
-
backup VM1 and make sure backup data are stored across three availability zones in the primary region. Create Recovery Services Vault, Set Replication Policy to ZRS (because of the requirement for having in three separate zones) For VM1, create a backup policy
-
Azure storage encryption supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096
-
Storage account policy: Maximum number of Stored access policies is 5 Maximum number of Immutable blob storage is 2
-
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts. Only storage accounts that are configured for LRS, GRS, or RA-GRS support moving blobs to the archive tier. The archive tier isn’t supported for ZRS, GZRS, or RA-GZRS accounts.(No Z)
-
According to documentation only Premium file shares (FileStorage), LRS/ZRS are supported for SMB.
-
Azure Blob Storage provides containers for storing blobs and queues for storing messages. Both containers and queues support conditions when assigning RBAC roles to specific resources within the storage account, allowing for more granular access control based on certain conditions.
-
If you want to select an existing virtual network, make sure it’s in the same location and Azure subscription as your Kubernetes cluster. VNet should be same location with AKS.
-
We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.
-
Web App can only created and identified in App Service plan in same region and resource group.
-
To install kubectl locally, use the az aks install-cli command.
-
Use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations steps Step 1: Create and upload a configuration to Azure Automation Step 2: Compile a configuration into a node configuration Step 3: Register a VM to be managed by State Configuration Step 4: Specify configuration mode settings Step 5: Assign a node configuration to a managed node Step 6: Check the compliance status of a managed node
Answer in exam 1: Upload a configuration to Azure Automation State Configuration 2: Compile a configuration into a node configuration 3: Check the compliance status of the node.
-
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your configuration options and associated resources. 当Azure 维护导致VM需要shutdown时,使用该方式切换
-
To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.
-
While resizing the VM it must be in a stopped state.
-
record all the successful and failed connection attempts to VM1. 1.Create a VM with a network security group 2.Enable Network Watcher and register the Microsoft.Insights provider 3.Enable a traffic flow log for an NSG, using Network Watcher’s NSG flow log capability 4.Download logged data 5.View logged data
-
ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set. It the current default VMSS behavior. (Scale set VMs are created in a single shot). VM (virtual machines) orchestration mode: Virtual machines created outside of the scale set can be explicitly added to the scale set. The orchestration mode VM will only create an empty VMSS without any instances, and you will have to manually add new VMs into it by specifying the VMSS ID during the creation of the VM. (Separately VMs are created and added to scale set later)
-
Recover Servies vault backup need resource in the same location with vault. to create a Vault to protect VMs, the Vault must be in the same Region as the VMs.
-
You can assign an NSG to the subnet of the virtual network in the same region
-
By default, Azure virtual machines can communicate only with other virtual machines that are connected to the same virtual network. If you want a virtual machine to communicate with other virtual machines that are connected to other virtual networks, you must configure network peering.
-
You can use a network security group (NSG) to be assigned to a network interface. NSGs can be associated with subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the access control list (ACL) rules apply to all virtual machine instances of that subnet.
-
Application gateway allows you to configure load-balanced virtual machines on a private IP address and provide a web app firewall to block any SQL injection, header, and cross-site scripting XSS attacks. An internal load balancer cannot provide load balancing on a public front. A network security group (NSG) is only used to open ports on virtual machines. A public load balancer does not provide web app firewall capabilities to block attacks.
-
Azure Application Gateway is a web traffic load balancer that operates at Layer 7 of the OSI model. Application Gateway can make routing decisions based on additional attributes of an HTTP request, such as the URI path or host headers.
-
You can detach a disk from a running virtual machine (hot removal).
-
Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual machines can be stopped by Azure when Azure needs the capacity for other pay-as-you-go workloads, or when the price of the spot instance exceeds the maximum price that you have set. These virtual machines are good for dev, testing, or for workloads that do not require any specific SLA.
-
Only zone-redundant replication (ZRS) supports StorageV2, FileStorage, and BlockBlobStorage accounts. Live migration is not supported for read-access geo-redundant storage (RA-GRS) and only standard storage accounts can be used.
-
For accessing the file share, port 445 must be open. Port 5671 is used to send health information to Azure AD.
-
By default, backups of virtual machines are kept for 30 days.
-
A maximum of one SMS message can be sent every five minutes. Therefore, a maximum of 12 messages will be sent per hour.
-
Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery
-
Basic Azure Load Balancer supports deployment in a single availability zone. Basic Azure Load Balancer supports only Basic SKU public IP. Azure Standard Load Balancer is zone-redundant, but has a higher cost.
-
You can use delete locks to block the deletion of virtual machines, subscriptions, and resource groups. You cannot use delete locks on management groups or storage account data.
-
Command in SecurityEvent table in Azure Monitor. Summarize is used to group records from one or more columns of data. Where is used to filter the rows. Project is used to rename and select columns. Extend is used to add columns.
-
You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from the Linux virtual machines.
The Azure Custom Script Extension is used for post-deployment configuration, software installation, or any other configuration or management task.
Desired State Configuration (DSC) is a management platform that you can use to manage an IT and development infrastructure with configuration as code.
The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset access to Linux or perform disk-level maintenance.
-
A lifecycle management rule can be used to move or delete blobs automatically. The rule can be based on the time the blob was last modified or the time the blob was last accessed (read or write). To perform an action based on the access time, access tracking must be enabled. This can incur additional storage costs.
-
Add-AzVhd: Uploads an on-premises VHD to Azure New-AzVM: Used to create a new virtual machine New-AzDisk: Used to create a managed disk New-AzDataShare: Used to create an Azure data share
-
Versioning must be enabled for the source and target. An object type container is needed to replicate the images. You must create a StandardV2 storage account. File shares are not needed, and queues are unsupported for replication.
-
Azure Network Watcher is a regional service that allows you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. When you create or update a virtual network in a subscription, Network Watcher will be enabled automatically in the virtual network’s region. There is no impact on resources or associated charges for automatically enabling Network Watcher.
-
You can use API server authorized IP ranges if you want to maintain a public endpoint for the API server while restricting access to a set of trusted IP ranges. You can use a private cluster if you want to limit the API server to be accessible only from within your virtual network.
-
Object replication can be used to replicate blobs between storage accounts. Before configuring object replication, you must enable blob versioning for both storage accounts, and you must enable the change feed for the source account.
-
Data pinned on a shared dashboard can only be displayed for a maximum of 14 days.
-
By default, backups of virtual machines are kept for 30 days.
-
A timed-based retention policy or legal hold policies can be applied to block deletion. Immutability policies can be scoped to a blob version or to a container.
-
SMS: No more than 1 SMS every 5 minutes. ✑ Voice: No more than 1 Voice call every 5 minutes. ✑ Email: No more than 100 emails in an hour. ✑ Other actions are not rate limited.
-
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines
-
Use the az aks command and the Azure portal to configure cluster autoscaler for AKS1.
-
The Linux Diagnostic Extension should be used which downloads the Diagnostic Extension (LAD) agent on Linux server.
-
the DNS port 53
-
o deploy a YAML file, the command is: kubectl apply -f <file_name>.yaml
-
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location,
-
You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment, you use different commands. To deploy to a resource group, use New-AzResourceGroupDeployment. To deploy to a tenant, use New-AzTenantDeployment. To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet. To deploy to a management group, use New-AzManagementGroupDeployment.
-
App Service can back up the following information to an Azure storage account and container that you have configured your app to use App configuration - File content - Database connected to your app -
-
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
-
A public and a private IP address can be assigned to a single network interface.
-
The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
-
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.
-
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space.
-
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint
-
load balancers with VMs The Basic tier load balancer is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine. The Standard tier load balancer can span any virtual machine in a single virtual network, including blends of scale sets, availability sets, and machines.
-
Azure DNS provides automatic registration of virtual machines from a single virtual network that’s linked to a private zone as a registration virtual network.
-
A Site-to-Site (S2S) VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. IKEv2 supports 10 S2S connections, while IKEv1 only supports 1.
-
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively.
-
VM apply azure firewall shoule use same location with Azure firewall A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set