- 1. Examen et ressources de préparation
- 2. Intro
- 3. Section 1: Quick start
- 4. Section 2: Overview of Azure
- 5. Section 3: Analyse Resource Utilization and Consumption
- 6. Section 4: Implement VMs for Windows and Linux
- 7. Section 5: Powershell Azure AZ module
- 8. Section 6: Automate deployment and configuration of resources
- 9. Section 7: Implement storage accounts
- 10. Section 8: Implement virtual networking
- 11. Section 9: Implement Cloud infrastructure monitoring
- 12. Section 10: Implement Azure Active Directory
- 13. Section 11: Implement and manage hybrid identities
- 14. Section 12: Manage workloads in Azure
- 15. Section 13: Implement load balancing and network security
- 16. Ressources
- 17. Mock exams
- 18. Lexique
Microsoft AZ-900 examen : https://docs.microsoft.com/fr-fr/learn/certifications/exams/az-303
|
❗
|
Exam updated on 2025/05/25 ! |
Exam plan :
-
Implement and Monitor an Azure Infrastructure (50-55%)
-
Implement Management and Security Solutions (25-30%)
-
Implement Solutions for Apps (10-15%)
-
Implement and Manage Data Platforms (10-15%)
Déroulement de la certification :
-
40 à 60 questions sur 1 heure
-
score minimum de 700 / 1000
|
📎
|
Pour plus d’informations sur la certification AZ-303, voir la description faite par testprep training : https://www.testpreptraining.com/tutorial/exam-az-303-microsoft-azure-architect-technologies/ |
|
📎
|
Pour constater plus en détails la différence entre les ressources de cours Microsoft Learn et les autres disponibles (MOOC, sites, etc.), je me suis principalement servi du cours de Scott Duffy sur Udemy (https://www.udemy.com/course/70534-azure) pour me préparer. Pour rappel, pour l’AZ-900 sur les fondamentaux d’Azure, je m’étais principalement (mais pas que 😉) servi de Microsoft Learn. Comme d’habitude, une partie des autres ressources dont je me suis servi est disponible dans la section Ressources |
|
📎
|
48 heures requises après la création d’une nouvelle subscription pour pouvoir utiliser les budgets
J’ai créé une subscription "Pay-As-You-Go" pour ma préparation, et ai tout de suite essayé de mettre en place un budget pour suivre les dépenses associées. → Confirmé : j’ai pu créé un budget 24 heures après création de la subscription |
-
Cheaper per server: It’s cheaper for Microsoft to run a server than you can ever achieve yourself
-
Hardware - large buyers can get 30% off the cost of the hardware
-
Electricity - 15% 20% of the cost of running a server
-
-
Availability:
-
90% availability: 2.4 hours per day' of downtime
-
99% availability: 14.4 minutes per day of downtime
-
99.9% (3 nines) availability: 1.45 minutes per day of downtime
-
99.99% (4 nines) availability: 8.6 secondes per day of downtime
-
100%: generally said to be NOT possible
-
|
💡
|
Aller sur https://azure.microsoft.com/ pour toutes les ressources concernant Azure (Azure services, documentation, pricing, etc.) |
-
Actuellement, de l’ordre de ~1min30 pour créer (et démarrer) une VM
-
Unmanaged disks: it just charges you for the gigabytes used.
It can give you a 5 Po bucket that you can fili, and you just pay for the Go used. -
Managed disks: you pay for whatever you choose, nevermind whether you use it or not.
-
Disks are now encrypted by default.
-
So if you want to make a copy of the VHD encrypted file, we will need the key (stored apart from the data) to be able to read the data.
-
-
Using some additional disks, that we can detach and reattach to some other VM, can be a good way to share data between VMs.
-
On ne peut pas placer une VM dans un Availability Set après sa création, il faut le faire à ce moment.
-
You need a load balancer to distribute equally the traffic between VMs running in different Availability Zones.
-
A Virtual machine scale set (or scaleset) does not cost anything on top of the cost of the virtual machines.
It’s technically free, although you do have to pay for the VMs.-
Reminder: With all VMs configured the same, virtual machine scale sets are designed to support true autoscale.
-
-
In Linux, disk are not encrypted with BitLocker, but with D Encrypt.
-
For instanciation purpose Linux uses "cloud-init" instead of Powershell scripts
-
Question 1:
You have a set of virtual machines that are hosting mission-critical applications. You have to ensure the experience of virtual machines experiences as little downtime as possible.
Which of the following can you use to maintain application performance across an identical set of Virtual Machines?-
Scale sets : GOOD ONE !
-
If you have an identical set of virtual machines, you can use Virtual Machine scale sets and scaling conditions to maintain application performance.
-
-
Availability sets
-
Availability zones
-
Azure Functions
-
-
Question 2:
You are planning the move of some app to Azure. You create a network security group (NSG). You need to recommend a solution to provide users with access to the app. What should you recommend?-
Create an outgoing security rule for port 443 from the Internet. Associate the Network Security Group to all the subnets
-
Create an incoming security rule for port 443 from the Internet. Associate the Network Security Group to all the subnets
-
Create an incoming security rule for port 443 from the Internet. Associate the Network Security Group to the subnet that contains the web servers : GOOD ONE !
-
If you have a Network Security group, change the Incoming rules to allow port 443. This is so that users from the Internet can access the web server on the secure port 443.
-
-
Create an outgoing security rule for port 443 from the Internet. Associate the Network Security Group to the subnet that contains the web servers
-
-
Question 3:
You have a set of virtual machines that are hosting mission-critical applications. You have to ensure the experience of virtual machines as little downtime as possible.
Which of the following can you use to maintain application availability when an Azure datacenter fails?-
Scale sets
-
Availability sets
-
Availability zones : GOOD ONE !
-
You can use Availability zones to help protect against datacenter level failures.
-
-
Azure Functions
-
-
Question 4: The following requirements need to be met for the Virtual Machine.
The underlying data disks for the Virtual Machine need to be encrypted.
The company does not want to store the encryption keys locally.
Which of the following would be used for the management of the encryption keys?-
Azure CosmoSDB
-
Azure Storage Account
-
Azure Key Vault : GOOD ONE !
-
You should use the Azure key vault service for managing the encryption keys.
-
-
Azure AD
-
-
End of 2018, Microsoft deprecated the old version of Azure PowerShell that was based on AzureRM module.
Now as of 2019 and beyond, the new standard is based on Az module.
|
📎
|
To know your PowerShell version, use the PowerShell command
To get all versions installed of your Az or AzureRM modules, you can use |
It’s good to know that both exist PowerShell and Azure extensions for PowerShell
-
To force an update of your Az module to the last one, you can use the command:
Install-Module -Name Az -AllowClobber -Scope CurrentUser -Force.
BUT, there is a "trick”… In fact, you can’t UPDATE an Az module, that’s mandatorily (at least now, 2021/06) a new version that is installed next to the previous one.
Meaning that, after running the previous command, if displaying all versions installed, you will get Az 2.3.2 AND AZ 2.5.0 (by example) -
It’s NOT an issue to have 2 versions of Az modules on your system, as the import module command will only use the most recent one.
-
Avant de pouvoir faire quoi que ce soit avec Azure dans PowerShell, il faut commencer par se connecter (log in), avec la commande
Connect-AzAccount
La commande retournera un code qu’il faudra rentrer sur le site https://microsoft.com/devicelogin pour pouvoir s’authentifier. -
If you have multiple Azure subscriptions and want to switch from one to another, you can use the following commands:
# Get your subscriptions PS C:\Users\toto> Get-AzSubscription <gives you your subscriptions with their Name, Id, TenantId, State, etc.> # We need a context variable PS C:\Users\toto> $context = Get-AzSubscription -SubscriptionId <Id from above command> PS C:\Users\toto> Set-AzContext $context
-
To create a VM through PowerShell (new one, based on Az module) :
# First we need to create a resource group PS C:\Users\toto> New-AzResourceGroup -Name someRgName -Location EastUS # Then we crete the VM PS C:\Users\toto> New-AZVM -ResourceGroupName "someRgName" -Name "someNewVMName" -Location "EastUS" -VirtualNetworkName "someVNetName" -SubnetName "default" -SecurityGroupName "newSG" -PublicIpAddressName "myipaddr" -OpenPorts 80,443, 3389 # Reminder: port 3389 is default RDP port # here we have to fill the user ID and password (those last will be used for RDP)
Just for information, contrary to creating a VM through the Azure Portal (with some mandatory characteristics), if, with the PowerShell command line", we do not set some VM characteristics, default ones will be used.
Example: In the former example, we didn’t set instance type for the VM, so a "DS1 v2" was used by default.
-
To stop and start the WM through PowerShell :
# To stop the VM PS C:\Users\toto> Stop-AzVM -ResourceGroupName "someRgName" -Name "someNewVMName" # To start the VM PS C:\Users\toto> Start-AzVM -ResourceGroupName "someRgName" -Name "someNewVMName"
-
ARM Template is composed of 2 files : template.json and parameters.json
-
Des exemples de templates ARM peuvent être trouvés dans ce repo GitHub : https://github.com/Azure/azure-quickstart-templates
Un template ARM est composé de plusieurs properties (6 types de properties) :
-
schema
-
contentVersion
-
parameters : what is required as inputs for the template. Every one of those parameters must have a corresponding value within the parameters.json
-
Example :
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParementers.json#", "contentVersion": "1.0.0.0", "parameters": { "location": { "type": "string" }, ... }
-
-
variables : variables are basically computed values
-
Example :
"variables": { "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]" }, ...
-
-
resources : each entry in bracket represents 1 resource being deployed in Azure.
-
create a VM implies the creation of several other objects / resources like a network interface, a network security group, etc.
-
-
outputs : you use outputs when you need to return values from the deployed resources.
-
You can redeploy the same ARM template several times without harming the existing environment.
Each time Azure sees that the resource already exists, it will just skip it.
This behavior is known as DSC, Desired State Configuration, and allows to ensure that your production environment hasn’t changed since you deployed it.-
This allows to avoid what is called configuration drift in IT: from time to time, people goes in PROD and tweak some settings, opens a port, etc.
In this way, over time, the deployment that is in production doesn’t match that script that was used to deploy.
You can use this technique to redeploy ARM template repeatedly to ensure that your environment doesn’t change from when you deployed it.
-
-
Again, some examples of PowerShell deployment scripts exist in GitHub: https://github.com/Azure/azure-docs-powershell-samples
-
As a reminder, you can manipulate the Azure APIs with PowerShell and Azure CLI
|
📎
|
For the AZ-303 exam, the "common way" to automate deployment is to use ARM templates, and not PowerShell or CLI scripts. BUT, that’s still a goode thing to know for your own needs. |
Here is an example of PowerShell script to deployment a VM in Azure:
# Variables for common values
$resourceGroup = "myResourceGroup"
$location = "westeurope"
$vmName = "myVM"
# Create user object
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."
# Create a resource group
New-AzResourceGroup -Name $resourceGroup -Location $location
# Create a virtual machine
New-AzVM `
-ResourceGroupName $resourceGroup `
-Name $vmName `
-Location $location `
-ImageName "Win2016Datacenter" `
-VirtualNetworkName "myVnet" `
-SubnetName "mySubnet" `
-SecurityGroupName "myNetworkSecurityGroup" `
-PublicIpAddressName "myPublicIp" `
-Credential $cred `
-OpenPorts 80
# Install IIS
$PublicSettings = '{"commandToExecute":"powershell Add-WindowsFeature Web-Server"}'
Set-AzVMExtension -ExtensionName "IIS" -ResourceGroupName $resourceGroup -VMName $vmName `
-Publisher "Microsoft.Compute" -ExtensionType "CustomScriptExtension" -TypeHandlerVersion 1.4 `
-SettingString $PublicSettings -Location $location-
Search for "Automation Accounts" in Azure Portal
-
Automation account is required to run jobs in Azure that are based on PowerShell and other scripting
-
With it, you can schedule a job to run every hour by example.
-
-
A Runbook is an automated script that you can run in your automation account.
To practice, you can go along those 2 labs from Microsoft Learning on GitHub :
-
-
DONE
-
When creating a new storage account :
-
Basics configuration :
-
you can choose between Standard and Premium for performances :
-
Standard is for magnetic disks.
-
Premium is for SSD, which is the Solid-State Disc, the flash disk for performance
-
-
Account kind : StorageV2 will be used in 99% of the cases
-
StorageV1 is an old version that must only be used for compatibility reasons.
-
-
Replication :
-
LRS : Locally-redundant storage. Maintain 3 copies of my files in the same datacenter
-
ZRS : Zone-redundant storage. Distributes data across multiple data centers in the same region
-
GRS : Geo-redundant storage. Distributes 6 copies of your files across 2 data centers (3 in the primary region, and 3 in the secondary one).
-
RA-GRS : Read Access geo-redundant storage. Gives you a 2nd URL that can be used to read your files, so that you can split the writing to the principal location, and the reading to the 2nd one. This is a performance hack for frequently accessed files.
-
-
Access tier :
-
Hot : default choice. It means that you are going to be charge a certain amount for the storage, and a certain amount for accessing those files.
-
Cool : half the price for storage, BUT twice the price for access.
This one is great for backup files, zip files, for historical files.
-
-
-
Advanced configuration :
-
Blob soft delete : enables you to save and recover your blob data up to X days after deletion.
BUT, you are charge for those X days during which your files are still recoverable. -
Data lake storage Gen2 - hierarchical namespace: special type of storage account, called "Hadoop DFS namespace".
Allows the collection of objects/files within an account to be organized into a hierarchy of directories and nested subdirectories in the same way that the file system on your computer is organized.
With a hierarchical namespace enabled, a storage account becomes capable of providing the scalability and cost-effectiveness of object storage, with file system semantics that are familiar to analytics engines and frameworks.
-
-
Through the Acces keys section of your storage account, you get 2 keys to access your account.
-
Key 1 is the principal, key 2 is the backup.
The recommandation is NOT to use both at the same time. If one is compromised, then you can switch to the other one, and regenerate the first.
-
-
But access keys are NOT the recommended way of sharing access to a storage account, for programs or individuals.
To do so, the best way is to use a Share Access Signature (SAS)
A SAS is a token that you can generate, signed by one of your keys, that you can hand to someone.-
Permissions can be configured on this SAS to define who can do what on what objects for how long.
-
4 types of data that the general purpose V2 storage can store :
-
Containers : blob storage
-
File Shares : file system, which is a SMB (Server Message Block) file share, meaning we can mount it on Windows servers, Windows workstations or Linux.
📎Reminder: SMB protocolThe Server Message Block protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.
-
Tables : not really a SQLServer database, but allows tabular data storage with columns and rows.
-
Queues : a messaging system that uses First In First Out (FIFO) metaphor
-
With feature "Open in explorer" of storage account "Overview", or from menu "Storage explorer" you are given a convenient way to interact with your data.
BUT the best way to do so is to use the standalone tool "Azure Storage Explorer" that you can install locally on your computer. -
When uploading blob :
-
blob type :
-
block blob : default choice, pretty good for most situations (99% of the cases)
-
page blob : optimized for when you need to update the file, but not the entire file.
-
Good for Virtual Hard Disk (VHD) or some piece of data that is just updated partially
-
-
append blob : optimized for adding to a file, like a log file
-
-
|
📎
|
IAM is Identity and Access Management |
A RBAC feature is available for Azure Storage Account through menu "Access control (IAM)".
Access tier defines how you are going to get charged for storage AND for access.
Choosing between Cool, Hot (default level of pricing for storage and access) or Archive is choosing the compromise you want between being charged for storage or access.
-
Cool tier is 50% cheaper that Hot tier for storage, but access cost is double.
-
You can’t put a file in Cool tier for less than 30 days.
-
-
Archive tier is even cheaper to store files, and way more expensive to access them.
-
Archive tier can only be set at the blob level, and not on the account
-
This tier is designed for files that you almost never need, except in an emergency, like backup files.
-
Archive tier storage is 90% cheaper than Hot tier
-
For Archive tier, there is the concept of rehydration :
See MS Archive access tier explanation : a blob in archive tier is offline data that can’t be read, overwritten, or modified.
To read or download it, you must first rehydrate it to an online tier.
This rehydration can take time, depending of its priority (under 1 hour for high priority rehydration), which has a cost.
-
-
Cool and Archive early deletion : you have to pay if you delete data too early in those tiers (30 days for Cool and 180 for Archive)
This charge is prorated. -
Premium can also be considered as a tier, and can only be chosen at creation.
-
you can’t switch from Hot to Premium after creation by example
-
You can’t change from Premium to another tier afterwards
-
Premium is the best tier in terms of performance (at least 10x better in terms of latency)
-
Premium is about 8x more expensive than Hot tier for storage, BUT for data transfer, Premium only costs 1/3 of Hot price (for Read and Write operations)
-
So, if you have really frequent reads, you could save money on the Premium tier compared to the Hot tier because access cost is much lower.
-
-
Premium gives you 99.99% SLA, even when running outside of an availability set
-
-
Through menu "Access Control (IAM)" on your Storage account, you see the interface of Azure Active Directory.
It allows us to use RBAC to give permissions to items within our storage account.-
This feature was added during 2020
-
|
💡
|
For the AZ-303 exam, most of virtual network questions are about Virtual Network to Virtual Network connections, as well as VNet Peering. |
-
The IP address ranges in Azure generally follow CIDR notation
-
Voir la page wikipedia sur les sous-réseaux pour plus de détails sur la notation CIDR (Classless Inter-Domain Routing) :
https://fr.wikipedia.org/wiki/Sous-r%C3%A9seau
-
-
Pour la création d’un VNet sur Azure, la plage d’adresse IPv4 maximale que l’on peut réserver est 10.0.0.0/8, soit ~16 000 000 d’adresses.
C’est une MAUVAISE idée que de créer un VNet de cette taille, car on ne pourra plus en créer d’autres ! (on a pris absolument tout ce qui pouvait être disponible) -
Une plage d’adresse correcte / conseillée pour un VNet est par exemple 10.0.0.0/24, soit 256 adresses.
-
A Virtual Network is just a database entry. It is created nearly instantly and doesn’t cost anything.
-
All Virtual networks require at least 1 subnet.
-
A subnet is a subdivision of that VNet IP address range
-
By default, there is no VNet to VNet communication.
-
1st way to connect 2 Virtual Networks in Azure: using a Network Gateway
A network gateway is :-
like a site to site VPN
-
a virtual device that is going to encrypt the traffic.
So any traffic traveling between the 2 VNets will be encrypted through a tunnel.
That’s the same Virtual Network Gateway that you would use if you were connecting your on premises to Azure using a VPN or a point to site VPN. -
it takes around 45 min to create a Virtual Network Gateway
-
-
A VNet Gateway is charged by hour (0.19$ / hour), with :
-
free inbound inter-virtual network data transfers (data going into Azure data centers between 2 virtual networks)
-
chargeable outbound inter-virtual network data transfers (data going out of Azure data centers between 2 virtual networks)
-
-
"Peerings" is available in the "settings" menu of VNets
-
Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.
-
Network traffic between peered virtual networks is private. Traffic between the virtual network is kept on Microsoft backbone network.
No public internet, gateways, or encryption is required in the communication between the virtual networks. -
Contrary to VNet gateway, I am charged in all the cases for data transfer:
-
for outbound data connection from one network
-
and inbound data connection to another network
-
-
It’s a kind of expensive connection if you are transferring a lot of data between your VNets.
-
So, there is no device involved, you don’t pay for the peering to be available, BUT you pay for all data transfers.
-
-
Question 1:
A company currently has an on-premise datacenter. The data center has 2 VPN devices. They have also set up a Virtual Network in Azure. The Company has the following requirements:-
They need to set up a site-to-site VPN connection.
-
Then ensure the Site-to-Site VPN connection failure will not cause an interruption of more than 2 minutes.
Based on the above requirements what is the minimum number of Virtual network gateways that would be required to be set up in Azure?-
1 : GOOD ONE !
-
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
-
-
2
-
3
-
4
-
-
-
A company has 2 virtual networks as shown below:
-
Vnet1: 10.1.0.0/16
-
Vnet2: 10.2.0.0/16
To complete the peering connection, you go ahead and add a subnet to Vnet1. Would this ensure the peering connection is successful?-
1 : GOOD ONE!
-
You don’t need to add a subnet. You just need to ensure that you add a peering connection from Vnet1.
-
-
2 :
-
3 :
-
4 :
-
-
-
You can start by enabling Azure Security Center, which can be seen as a centralized place for the security of both your Azure resources, and the non-Azure ones that you choose to include.
-
Azure Defender is included in Security Center
-
It proposes a free tiers and a paid tier (defender tiers)
-
free tiers gives you a secure score, and security recommandations
-
paid tiers (defender tiers) also gives you threat protection for Azure VMs and non-Azure servers
-
Azure Defender for App Service : 14.60$/App Service/month
-
Azure Defender for Servers : 14.60$/Server/month
-
-
-
It can manage not only your Azure workloads, but your on premise ones as well
-
-
-
Azure Advisor, between other things, also makes security recommendations
-
It alerts you about security issues with your account and your usage of Azure
-
it proposes some quick fix remediations to the issues found
-
-
The best way to monitor performance on Azure is to do it on a resource by resource basis.
-
Because Azure services have different characteristics
-
This monitoring can in the first place be done using the logs of the service
-
you can also turn on diagnostics for some components
-
turn on diagnostics requires having created a log analytics workspace
-
a log analytics workspace is a storage repository for log data.
-
That data stored at that place can then be used by Azure Monitor
-
Be careful not to collect log data too frequently, as it will impact performances
-
-
-
-
On an Azure VM, in the "monitoring" section, you find "Diagnostic settings", which regroup what is called host level metrics, like CPU, disk and network usage.
-
There, by enabling "guest-level monitoring", you will install an agent on the VM
-
-
Question 2:
A company has the following windows virtual machines deployed to their subscription in Azure:-
VM1
-
VM2
The Monitoring department needs to collect certain performance-based counters from the virtual machines. Which of the following could help accomplish this?-
enable base collection of metrics
-
enable collection of boot diagnostics
-
enable collection of performance diagnostics
-
enable collection of guest OS diagnostics data : GOOD ONE!
-
If you enable collection of guest OS diagnostics data, you will have the ability to collect data on the performance counters on Windows based virtual machines.
-
-
-
-
In computing, identity is a representation of a person, application or device.
-
It usually requires a password, a secret key or a certificate to prove
-
Azure provides an identity management system based on their popular Active Directory : Azure Active Directory (AAD)
-
Be careful, Azure Active Directory is NOT the same as Azure Directory, they do not provide the same services.
-
Traditional AD is based on LDAP protocol and Kerberos, and does not work Internet protocols.
-
Azure Active Directory uses Internet protocols (SAML, WS-Federation, OpenID)
-
-
By default, Azure AD will assign you a domain on xxx.onmicrosoft.com
|
❗
|
Switching tenant implies switching Azure subscription If you create a new AD tenant, it will have no Azure subscription to begin with, and will need one if you want to create resources against them. |
Identity Protection:
-
That’s where we can set up policies, that will basically deny access to people identified as risky by Azure
-
User risk policy: this risk is anything like:
-
user ID and password being found online
-
brute force attacks against a range of user IDs, resulting in a user having thousands of login attempts
-
there is also threat intelligence, which is a machine learning model that Azure can apply to understand ifa user’s behavior or activity is unusual (like connection at a strange time)
-
-
Sign-in risk policy: this risk is the probability that the given signing attempt is NOT the identified owner
-
like using a anonymous VPN, or using the TOR network
-
logging in from a country you’ve never used before
-
if your IP address is known to be a bad IP address (hacker’s IP address)
-
to be signed in in 2 locations at the same time, from different locations
-
So, the user risk is the probability that the account is compromised, whereas the sign-in risk is the probability that the signing attempt is not the person who he is supposed to be.
If some of those risks are detected the policy can be set up to either block access, or allow it with constraints (change password, enable MFA, etc.)
|
📎
|
Azure doesn’t give much details on the different risk levels (perhaps to avoid giving info to hackers) So we can’t easily say what’s the difference between a low risk and medium risk by example. |
Conditional Access:
-
Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Guest user: a guest user is a user external to your organization
-
This user is not part of your Active Directory, but they do need access to your applications
-
They can be invited into your Active Directory tenant, in the custom domain that you created for it.
-
But they will not be part of your organization.
-
-
Question 1:
Your company has set up an Azure AD tenant with the domain name of softwarearchitect.onmicrosoft.com. The company has purchased the domain softwarearchitect.com from a domain registrar. They want to ensure now that they can define users in Azure AD with the suffix of @softwarearchitect.com.
Which of the following steps would you need to implement for this? Choose three answers from the options given below.-
Add an Azure AD tenant and verify the domainin Azure AD
-
Verify the domain in Azure AD and add a record in the domain registrar
-
Add a custom domain name and verify the domain in Azure AD
-
Add a custom domain name, add a record in the domain registrar and verify the domain in Azure AD : GOOD ONE!
-
As a reminder, record to be added in the chosen domain registrar can be of type TXT or MX
-
-
-
Question 2:
A company has an Azure AD tenant named whizlabs.com. The company hires a consultant to perform some work. The consultant needs to authenticate to the tenant using a Microsoft account names john.doe@outlook.com Which of the following would you do to fulfill this requirement?-
Create a new user using the PowerShell cmdlet New-AzureADUser. Specify the "-userPrincipalName" parameter for the command as john.doe@outlook.com
-
Add a custom domain in Azure and the add the user
-
In the Azure portal, add a guest user and specify john.doe@outlook.com as the email ID : GOOD ONE!
-
If you have an external user who is not part of your domain, you can create a new guest user in Azure AD
-
-
Create a new user in Azure AD as john.doe@softewarearchitect.com
-
-
Question 4:
A group has been created and all users have been added as part of the group. You create a conditional access policy that enforces the use of multi-factor authentication for the group for all cloud-based applications.
Would User1 with a Multi-factor authentication status of "Enforced" be required to use multi-factor authentication when signing into Azure via the web browser?-
yes : GOOD ONE!
-
If the user state is in the Enforced state, then the user will need to use MFA for the login process
-
-
no
-
-
Azure Active Directory has the ability to synchronize with your on-premise Active Directory: this feature is called Azure AD Connect
-
Azure AD Connect needs to be downloaded and installed so as to be able to perform the synchronization
-
Azure can also allow seamless single sign-on between Azure and on-premise apps / services.
-
You can choose to synchronize only some groups of people with filters
-
You can also choose Pass-through authentication that makes Azure AD only a middleman to the on-premise AD that will always perform the real authentication.
-
-
Azure AD Connect Health allows you to be warned (alert, mail, etc.) in case of issues with the synchronization between yours Azure AD and on-premise AD (which could be a security hole)
-
Question 1: For user authentication, the company wants to enforce the use of their on-premise Active Directory security and password policies. The company decides to configure Azure AD Connect with Pass-through Authentication.
Would this fulfill the requirement?-
yes: GOOD ONE!
-
no
-
-
Question 2: Your company has an Active Directory forest named softwarearchitect.com. The forest contains two child domains: staging.softwarearchitect.com and production.softwarearchitect.com. Your company has now set up an Azure AD tenant named softwarearchitect.com. All of the on-premises user accounts are now being synced onto Azure AD with the help of Azure AD Connect. The company has also implemented a seamless single sign-on.
You now have to change the source of authority for all user accounts in the staging.softwarearchitect.com domain. You have to prevent the synchronization of the staging.softwarearchitect.com domain.
You decide to use the Azure AD Connect wizard.
Would this fulfill the requirement?-
yes: GOOD ONE!
-
For more information on Azure AD Connect filtering, please refer to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering
-
-
no
-
-
Azure Migrate is a hub for migration from on-premises datacenter to Azure
-
it does the assessments of your on-premises
-
it can also help you with the migration of physical machines, virtual machines, Virtual Desktop Instances (VDI), web apps and raw data (in the form of files)
-
-
Azure Migrate will create some assessments for your migration project. It will inform you about:
-
The Azure readiness: number of VMs ready to be imported in Azure, ready with conditions, not ready, etc.
-
the monthly compute cost estimate for those VMs
-
the monthly storage cost estimate for those VMs
-
-
Azure has backup and recovery services, called Recovery Services vaults
-
Region is important, you need to put the recovery services vault in the same region as your resources.
-
Recovery Services vault has 2 purposes : backup and recovery (sometimes called replication)
-
site recovery operation : to copy a machine from one location and put it to another location
-
-
Storage replication type (Geo-redundant (GRS), Locally-redundant (LRS)) cannot be changed once you start protecting items
-
|
|
Concept of Soft delete
Soft delete protects backup data from accidental deletes by retaining data for 14 days after delete operation. This implies that after a deletion, you will have to pay for the backup still in your storage account for those 14 days. |
-
Some Azure services (like Azure SQL Database) have their own built-in backup mechanism, so you don’t do a backup with Recovery Services vault for them.
A backup policy defines :
-
a backup frequency
-
if you want instant restore : When you backup, backed up VM disks are copied from storage, across the network to the recovery storage location. With instant restore, you can leverage locally stored snapshots taken during a backup job, without waiting for backup data to be transferred to the vault.
-
The snapshot retention value is configurable to any value between 1 to 5 days, with a default value of 2 days.
-
-
a retention range: the duration during which a backup is retained.
-
Example : Retain backup every day at 08:30 AM for 30 days.
This implies that you are keeping 30 times the storage of your virtual machine.
-
Windows OS Update management is available in the Azure Portal, in the VM section.
This feature is different from the built-in on-premise Windows update manager, that it can replace.
-
Azure Update management requires to enable Logs Analytics, which itself requires an Automation account.
-
Question 1: You need to perform an assessment of the Virtual Machines in the on-premise environment which can be migrated to Azure.
You decide to use the Azure Migrate tool.
Does this meet the requirement?-
yes: GOOD ONE
-
no
-
-
Question 2: A company is preparing its Azure environment for the backup of Azure Virtual Machines. They need to ensure the following when it comes to the backup of Virtual Machines.
-
The Virtual machines need to be backed up daily at 03:00 UTC.
-
The backups should be retained for a period of 90 days.
Which of the following should you configure in the Azure Recovery Services vault?-
Backup Policy: GOOD ONE
-
Backup Schedule
-
Backup Logs
-
Backuop Infrastructure
-
Question 3: You need to perform an assessment of the Virtual Machines in the on-premise environment which can be migrated to Azure.
You decide to create a replication policy.
Does this meet the requirement? -
yes: GOOD ONE
-
You create the replication policy when you finally want to perform the replication of the Virtual Machines. It is not used in the assessment phase.
-
-
no
-
Question 4: You need to ensure that the virtual machines VM3 and VM4 are protected by Azure Recovery services. Which of the following would you need to do to achieve this?
-
Create a new recovery services policy
-
Create a new backup policy
-
Create a new subscription
-
Create a new Recovery Services Vault: GOOD ONE
-
-
-
The load balancer is a device whose goal is to distribute traffic between 2 or more servers.
Differences between an Application Gateway and a Load Balancer :
-
Application Gateway is a running instance, like a mini Virtual Machine doing its work: take some time to be deployed
-
A Load Balancer is just some settings in one of the internal database tables at Microsoft: it is created in seconds.
There are 3 main characteristics for load balancers (and also application gateway) :
-
Frontend
-
Backend: those are the servers that are handling the traffic
-
load balancing rules: how does the traffic travel from the front end to the back end ?
There is also health probes, which allow the load balancer to know that the backend pools are operating correctly, and will remove the servers that are not.
|
📎
|
Backend pools : group of servers that are going to handle traffic as one. It is indeed a collection of ressources that can contain VMs, scale sets, IP addresses or fully qualified domain names (FQDN) |
The Application Gateway is a different "kind" of load balancer from the "classic" one :
-
"Classic" load balancers are indeed "level 4 load balancer", which means that it only understands things at a transport protocol level.
It understands TCP, UDP (the 4th level of OSI model), it understands IP addresses and ports (3rd level of OSI model), BUT it doesn’t understand URLs that represent the 7th level of OSI model. -
Application Gateway are at this 7th level and, as a consequence, are called 7th level load balancer.
image::0,58
With a 7th level load balancer, you can set up rules to handle differently URLs :
-
/images/*URLs are oriented towards ImageServerPool -
whereas
/video/*URLs are oriented towards VideoServerPool
→ This can’t be done with a classic 4th level load balancer
Moreover, Application Gateway :
-
can be placed in specific Availability Zones
-
can be clustered, can be scaled
-
it is finally more an "enterprise grade" load balancer, it is more flexible when it comes to availability
-
unlike load balancer, it IS a device, an instance, and so it needs to be placed in a Virtual Network
|
📎
|
Connection draining
When adding a rule for an Application Gateway, you will also have to add a HTTP setting. Example : when wanting to scale down from 10 to 5 servers in the pool, instead of simply cuting off 5 servers, which can have bad impacts on the user experience, you can leverage connection draining. |
Reminder : like L4 load balancer, you need to define Frontends, Backends (backend pool) and rules for Application Gateway.
-
Firewall is a network security device that can monitor both incoming and outgoing traffic that’s coming to a Virtual Network
-
It can either allow or prevent data packets based on a set of security rules
|
❗
|
a Firewall is different from a Network Security Group |
As a reminder, a Network Security Group is some kind of access control list, based on IP address, port, source, destination protocol.
It’s a very static list, it doesn’t examine the packets themselves, it only examines the source and destination.
By comparison, a Firewall is a more "intelligent" device.
Advices and steps for the creation of a firewall :
-
the firewall subnet MUST be called "AzureFirewallSubnet", and should be a small range one, like 10.2.0.0/26 by example (meaning 59 addresses)
-
take note of the firewall private and public IP address
-
we need to create a Route table, which contains the rules (here called "routes") specifying how packets should be routed in a virtual network.
Route tables are associated to subnets, and each packet leaving a subnet is handled based on the associated route table.-
This route table will have to be associated with a Virtual Network, and a subnet (the subnet dedicated to your VMs, and NOT the specific firewall subnet "AzureFirewallSubnet")
-
-
we have to create a new rule to allow the traffic to go out of the VMs, because, as traffic now has to go through the firewall, it is blocked by default.
This rule is called "application rule", because the L7 of the OSI model is the application layer, in which HTTP traffic travels-
rule has to be given a priority, between 1 and 10 000, the smaller being the one with the higher priority
-
-
you also need to create a "network rule" for the DNS lookup needed to find the target URL used in the previous application rule.
Through this network rule, we are going to allow DNS traffic.-
DNS doesn’t travel over TCP but over UDP.
-
-
we finally must allow traffic to come inbound in order for us to even access to the VM.
By default, there is no inbound traffic allowed, and not even a public IP address for the VM.-
In our case, we are not going to add a public IP address for the VM, because we are going to use the public IP address of our firewall.
-
So we are going to accept any public IP connection of RDP into the firewall, and redirect it to the VM.
-
So the rule we are going to create is a redirection of traffic, hence its name : a NAT rule
-
RDP uses the TCP protocol.
-
For our NAT rule:
-
Source : if you want to be secure, should be limited to your own IP address, but for the current example, we are going to accept any IP
-
Destination address : the firewall public IP address (the port for RDP is 3389)
-
Translated address : it’s through translated address that we direct traffic to our VM, meaning you will have to set the IP address assigned to the VM network interface card.
-
-
-
Last thing we have to do: change the DNS settings of the Virtual Machine to use the ones that we provided
-
We need to go to the network interface that was automatically created with our VM
-
and to change the DNS to use the one we created (instead of the default one)
-
for information, it exists public DNS servers that anyone can use (ex: 209.244.0.3 and 209.244.0.4)
-
-
-
Azure Firewall Manager is a centralized management dashboard for your firewalls.
Firewall manager is basically centralized management of policies across all your firewalls (definitively recommended in a large enterprise environment) -
It supports 2 types of network architectures: .Azure Firewall Manager: 2 supported network architectures
-
Secured virtual hub:
An Azure Virtual WAN Hub is a Microsoft managed ressource that lets you easily create hub and spoke architectures.
When security and routing policies are associated with such a hub, it is referred to as a "secured virtual hub". -
Hub virtual network:
This is a standard Azure virtual network that you create and manage yourself.
When security and routing policies are associated with such a hub, it is referred to as a "hub virtual network".
At this time (2021/08), only Azure Firewall Policy is supported.
You can peer spoke virtual networks that contain your workload servers and services.
You can also manage firewalls in standalone virtual networks that are not peered to any spoke.
-
-
This kind of dashboard is more and more important, because as you grow your network, you’ve got plenty of networks.
So it becomes harder to keep all of those up to date with the latest security policies.-
In fact, Azure Firewall Manager allows you to manage your security footprint
-
-
The pricing of Azure Firewall Manager policies is quite steep: 100$ per policy per region
-
this product focuses large enterprises for which some hundreds of dollars are not going to faze them too much.
-
There is a free level (but quite limited): a single rule associated with only a single firewall is free.
-
Details can be found on Microsoft docs :
-
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
-
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-global-transit-network-architecture
-
Azure Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks.
-
It is a Microsoft managed cloud networking service. All the networking components that this services is composed of are hosted and managed by Microsoft
-
It enables a global transit network architecture, which is based on a classic hub and spoke connectivity model where the cloud hosted network "hub" enables transitive connectivity between endpoints that may be distributed across different types of "spokes".
By "transitive connectivity" we mean that any spoke that wants to speak to another has to go through to the hub in order to have that connection. -
In this model, a spoke can be:
-
Virtual network (VNets)
-
Physical branch site
-
Remote user
-
Internet
-
-
Imagine you the same Web app deployed in 2 different regions. You do this in case a region suffer some outage, and so you have a backup already standing by.
But how can you provide a fallback, so that when one fails, the other takes over ?-
You could get into Application gateways, and try to set this up as a backend pool. Even if they are in different regions, it’s possible to do that.
BUT, even doing so, the application gateway has to be in some region. And in case of a regional outage, the associated application gateway would be affected. -
The solution for this is called Azure Front Door.
-
-
Azure Front Door is basically a global level of a load balancer, that also goes far beyond this lone feature.
It also provides:-
a firewall
-
a CDN
-
other services
-
-
Very much like a load balancer, it has frontends, backend pools and routing rules.
-
we have a lot more options in terms of backends to what we normally get with load balancer.
We can even direct traffic to another application gateway.-
An Azure Front Door could be the front door for an AWS machine or for hosted on-premises services.
-
-
-
You can set up cache for you Front Door service, which is hence at global level (kind of CDN type feature).
It’s basically going to cache your images, Javascript, CSS and all your static content at global level. -
There is also dynamic compression : it takes the files as they get sent from the server to the front door service, and use GZip compression to get it sent down to you (meaning less data, and so quicker)
So if you want to be highly available for a service, you have to consider using more regions and therefore you have to consider something like Front Door to be in front of this.
-
Azure Traffic Manager is older than Azure Front Door (which is a quite recent technoloy), but shares a similar purpose : to send traffic on a global scale to one region or another.
-
BUT, traffic manager works at DNS level.
-
Use case :
-
The end user ends up typing a domain name into his browser
-
The browser goes and looks up the IP address for that domain name
-
That’s where Traffic Manager responds with 1 IP address or the other, depending on the region.
-
Default behavior being to send the IP address of the application closest to him geographically
-
-
So, Traffic Manager is basically a DNS "trick" that will give 1 domain name, multiple IP addresses.
-
Traffic Manager also handles failover.
When 1 region goes down and stops responding to traffic, after some time (~10 or 15 min), the traffic will start flowing to the other region.-
It is the aspect of availability that some downtime is allowed, but excessive downtime is what you are trying to avoid.
-
|
📎
|
It is sometimes seen that Azure Front Door forwards traffic to Traffic Manager, so there is a place for this technology in your stack. |
When you have a Virtual Machine and you need to connect to it for any maintenance task, you have to open up a port such as RDP for Windows, or SSH for Linux.
→ Those port openings are known as security risks.
-
You can use the Azure Portal and Azure Bastion to connect to your VM, without RDP, without opening a port.
It is the "modern way" to get remotely into a machine without having RDP ports opened at all. -
Azure Bastion is a device installed on your Virtual Network
-
It has its own subnet that must be called "AzureBastionSubnet"
-
In fact, RDP is used, BUT only between Bastion and your server.
D’autres sites permettant de préparer la certification :
-
Le cours Udemy de Scott Duffy (payant) : https://www.udemy.com/course/70534-azure
-
Ce site d’un personne ayant réussi l’examen et donnant quelques conseils et ressources : https://www.programmingwithwolfgang.com/how-to-pass-az-303-and-az-304-certification-exams/
-
Learning paths on MS Learn : https://docs.microsoft.com/en-us/learn/certifications/exams/az-303#two-ways-to-prepare
-
MS Learn : https://docs.microsoft.com/en-us/learn/browse/?roles=administrator&products=azure
-
Azure Code Samples : https://azure.microsoft.com/en-us/resources/samples/?sort=0
-
Official Azure Documentation : https://docs.microsoft.com/en-us/azure/
-
Official Microsoft Azure YouTube Channel : https://www.youtube.com/user/windowsazure
Sites de labs et workshops pour pratiquer :
-
Azure Citadel - Labs and Workshops : https://azurecitadel.com/
-
Microsoft Cloud Workshop - More labs and workshops : https://microsoftcloudworkshop.com/
-
Labs from Microsoft Training on GitHub :
-
https://github.com/MicrosoftLearning/AZ-303-Microsoft-Azure-Architect-Technologies
-
https://github.com/MicrosoftLearning/AZ-104-MicrosoftAzureAdministrator/
-
Ces labs de Microsofts sont vraiment des guides "step by step" permettant de manipuler les technologies Azure autour d’un thème donné.
-
Sites d’examens blancs (mock exams), questions / réponses pour s’entraîner :
-
ExamTopics AZ-303 : https://www.examtopics.com/exams/microsoft/az-303/
- IAM
-
Identity and Access Management
- RBAC
-
Role-Based Access Control
- RCO
-
Recovery Time Objectives
- RPO
-
Recovery Point Objectives
- WAN
-
Wide Area Network. Désigne le réseau informatique connectant les sites d’une entreprise entre eux et à Internet.
le SD WAN est évolution du WAN lui conférant davantage d’agilité et de flexibilité.
Pour plus de détails, voir https://www.pyxya.fr/le-wan-intelligent/wan-sd-wan-et-limites-actuelles/