ThanhLD Site
ThanhLD Site

Contents

Az 104

   2688 words   13 minutes 

Entra ID

Licences

  • The feature can only be used with security groups (only), and Microsoft 365 groups that have securityEnabled=TRUE.
  • Can delete all users whether a license is assigned directly or via inheritance from a group membership
  • Groups with active license assignments cannot be deleted

Users

Azure (RBAC) and Azure AD roles are independent. AD roles do not grant access to resources and Azure roles do not grant access to Azure AD. However, a Global Administrator in AD can elevate access to all subscriptions and will be User Access Administrator in Azure root scope.

All 3 users are GA (AD) and Admin3 is owner of the subscription (RBAC). Admin1 has elevated access, so he is also User Access Admin (RBAC). To assign a user the owner role at the Subscription scope, you require permissions, such as User Access Admin or Owner.

Box 1: Yes Admin1 has elevated access, so he is User Access Admin. This is valid.

Box 2: Yes Admi3 is Owner of the Subscription. This is valid.

Box 3: No Admin2 is just a GA in Azure AD scope. He doesn’t have permission in the Subscription.

  • You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory.
  • “Bulk Create” is for new Azure AD Users.
  • Use “Bulk invite users” to prepare a comma-separated value (.csv) file with the user information and invitation preferences
  • Use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.

Managed Identity

  • System-assigned: some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Microsoft Entra ID that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. – User-assigned: you may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.

Self service reset password

  • Only global admin can add security questions for password reset.

Subscription and Management group

  • A management group can contain many subscription
  • Core components:
    • Access control:
    • Policy:
    • Budget:
  • For each resource group we can create its own iam, policy,buget
  • Maximum 50 tags and it isn’t inherited

Roles

  • Owner: perform any action, change permissions on it for whatever scope it’s set at
  • Contributor: do all things except change permissions
  • Reader: read everything
  • Operator role only lets you read, enable, and disable apps.
  • Network Contributor = “Lets you manage networks, but not access to them.”.
  • Co-administrators have full access to all resources in a subscription, including the ability to create, read, update, and delete resources.

Alert

  • The rate limit thresholds are: ✑ SMS: No more than 1 SMS every 5 minutes. ✑ Voice: No more than 1 Voice call every 5 minutes. ✑ Email: No more than 100 emails in an hour. ✑ Other actions are not rate limited.

Azure Network Watcher

  • provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.

Connection troubleshoot

  • Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time,

Azure Monitor

  • the tool used to collect and analyze performance metrics and logs in Azure. It provides insights into the performance of Azure resources, applications, and workloads, and helps identify and troubleshoot issues related to availability, performance, and security

Network security group (NSG) flow logs are:

  • a feature of Azure Network Watcher that allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice.

IP flow

  • verify checks if a packet is allowed or denied to or from a virtual machine. If the packet is denied by a security group, the name of the rule that denied the packet is returned. IP flow verify helps administrators quickly diagnose connectivity issues from or to the Internet and from or to the on-premises environment.

Next hop

  • determine if traffic is being directed to the intended destination, or whether the traffic is being sent nowhere

Azure Storage

Routing

  • You can choose between microsoft routing or internet routing
  • Configuring routing preference is not supported for Azure Queues or Azure Tables.

Policies

  • Max stored access policies: 5
  • Max immutable blob storage: 2 one Legal hold policy and one Time-based retention policy

Encryption

  • After creation, you can modify encryption type.
  • Azure storage encryption supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096
  • You can use encryption scope for container only

Performance

  • Tiering is allowed only on block blobs and not for append and page blobs.

  • Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for most scenarios. For more information, see Types of storage accounts.

  • Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The following types of premium storage accounts are available:

Block blobs File shares Page blobs

Migration

  • To make a fail over, choose geo-replication(redundancy)

  • To convert to ZRS must the Kind be: Standard general-purpose v2 (StorageV2), Premium block blobs (BlockBlobStorage) or Premium file shares (FileStorage) and the Replication is from LRS possible (…from GRS/RA-GRS convert to LRS first)

  • To request a live migration to ZRS, GZRS, or RA-GZRS, you need to migrate your storage account from LRS to ZRS in the primary region with no application downtime. To migrate from LRS to GZRS or RA-GZRS, first switch to GRS or RA-GRS and then request a live migration. Similarly, you can request a live migration from GRS or RA-GRS to GZRS or RA-GZRS. To migrate from GRS or RA-GRS to ZRS, first switch to LRS, then request a live migration.

  • Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS then you need to first change your account’s replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only endpoint provided by RA-GRS before migration.

Azure Blob

  • Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.
  • Only Shared Access Signature (SAS) token is supported for File storage.
  • Object Replication supports General Purpose V2 and Premium Blob accounts.
  • If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. For example, action delete is cheaper than action tierToArchive. Action tierToArchive is cheaper than action tierToCool.

Setup import/export

Step 1: Prepare the drives (Attach an external disk to Server1 and then run waimportexport.exe)
Step 2: Create an import job (From the Azure portal, create an import job)
Step 3: Ship the drives to the Azure datacenter (Detach the external disks from Server1 and ship the disks to an Azure data center)
Step 4: Update the job with tracking information (From the Azure portal, update the import job)

Azure File

  • The SMB (Server Message Broker) protocol does not support SAS. it still asks for username/password.
  • Step to create Azure file Sync
1. Prepare Windows Server to use with Azure File Sync

- You need to disable Internet Explorer Enhanced Security Configuration in your server. This is required only for initial server registration. You can re-enable it after the server has been registered.

2. Deploy the Storage Sync Service

- Allows you to create sync groups that contain Azure file shares across multiple storage accounts and multiple registered Windows Servers.

3. Deploy the Azure File Sync agent to TDFileServer1

- The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

4. Register TDFileServer1 with Storage Sync Service

- This establishes a trust relationship between your server (or cluster) and the Storage Sync Service. A server can only be registered to one Storage Sync Service and can sync with other servers and Azure file shares associated with the same Storage Sync Service.

- 5. Create a sync group and a cloud endpoint

- A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other.

6. Create a server endpoint

- A server endpoint represents a specific location on a registered server, such as a folder on a server volume.
  • Step to enable ad ds authentication
1. Sync on-premises AD with Azure AD connect

2. Enable AD DS authentication

3. Assign share and directory permissions

4. Mount file share with AD credentials

Backup

  • App service works directly with azure storage and a _backup.filter file can be used to exclude specific folders.

Azure Backup

  • When you back up data in Azure, you store that data in an Azure resource called a Recovery Services vault. The Recovery Services vault resource is available from the Settings menu of most Azure services. The benefit of having the Recovery Services vault integrated into the Settings menu of most Azure services is the ease of backing up data.
  • Here are the steps when you backup an Azure virtual machine:
  • Create a Recovery Services vault
  • Define a backup policy
  • Apply the backup policy to protect multiple virtual machines

Azure Recovery Service Vault

  • Multi user authorization: MUA: resource guard
  • a storage entity in Azure that houses data
  • Support:
  • Azure FIle
  • Azure VM
  • SQL in Azure VM
  • DPM
  • Azure Backup server
  • Azure Backup Agent

Azure VM

  • Perform a reverse DNS lookup for 10.0.0.4 from VM2 => vm1.internal.cloudapp.net
  • Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal.
  • To protect your AWS-based resources, you can connect an AWS account with either Native of Classic Cloud Connector.Native cloud connector is the recommended way and provides an agentless connection to your AWS account that can extend with Defender for Cloud’s Defender plans to secure the AWS resources
  • Hierarchical namespace: The hierarchical namespace is required for Azure Data Lake Storage, as it enables the storage account to support the data lake’s file system structure.

Bastion

  • When you configure Azure Bastion using the Basic SKU, two instances are created.
  • Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.
  • Subnet: recommend /26
  • Steps to establish connection
+ we need to upgrade the SKU of our Azure Bastion instance.
+ we need to enable the native client support from the configuration settings of Bastion1 in the Azure Portal.
+ Run az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"

State management

Step 1: Create and upload a configuration to Azure Automation
Step 2: Compile a configuration into a node configuration
Step 3: Register a VM to be managed by State Configuration
Step 4: Specify configuration mode settings
Step 5: Assign a node configuration to a managed node
Step 6: Check the compliance status of a managed node

Scale sets

  • If you resize the Scale Set all the VMs get resized at once, thus 4 is the correct answer.
  • Azure Virtual Machine Scale Sets: grouping of platform-managed virtual machines. The two types of orchestration modes are:
  • Uniform – uses a virtual machine profile or template to scale up to desired capacity. This orchestration mode is mainly used for large-scale stateless workloads that require identical VM instances. It also provides fault domain high availability (less than 100 VMs).
  • Flexible – offers high availability with identical or multiple VM types (up to 1000 VMs) by spreading VMs across fault domains in a region or within an Availability Zone.

Encryption

  • prepare Vault1 for Azure Disk Encryption with a key encryption key (KEK):
    • You need to have a key in the Key Vault.
    • The key vault itself should be configured for Azure Disk Encryption.

Azure Network

Network interface

  • Each NIC attached to a VM must exist in the same location and subscription as the VM.

Monitoring

  • When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network’s region. There is no impact to your resources or associated charge for automatically enabling Network Watcher.
  • Create a VM with a network security group
  • Enable Network Watcher (done by default with the vnet/subnet creation)
  • Register the Microsoft.Insights provider. Enable a traffic flow log for an NSG, using Network Watcher’s NSG flow log capability
  • NSG flow log data is written to an Azure Storage account. Complete the following steps to create a storage account for the log data.

Connect two vnet

  • There are two ways to connect two virtual networks, based on your specific scenario and needs, you might want to pick one over the other.

  • VNet Peering provides low latency, high bandwidth connection useful in scenarios such as cross-region data replication and database failover scenarios. Since traffic is completely private and remains on the Microsoft backbone, customers with strict data policies prefer to use VNet Peering as public Internet is not involved. Since there is no gateway in the path, there are no extra hops, ensuring low latency connections.

  • VPN Gateways provide a limited bandwidth connection and is useful in scenarios where encryption is needed, but bandwidth restrictions are tolerable. In these scenarios, customers are also not latency-sensitive.

VPN

Point to site VPN

  • IKEv2 IPsec: “Route-Based” coz “Policy-based” only supports IKEv1.
  • Support only RouteBased (dynamic)
  • Take note that after creating the point-to-site connection between TD1 and TDVnet1, there is already a change in network topology when you created the virtual network peering with TDVnet1 and TDVnet2. Whenever there is a change in the topology of your network, you will always need to download and re-install the VPN configuration file.

Site to site VPN

  • Create a virtual network
  • Create a gateway subnet: /27 or larger (/26, /25, etc.) for your gateway subnet.
  • Create a VPN Gateway
  • Create a local network gateway
  • Configure VPN device
  • Create VPN connection
  • Verify connection

WAN

  • Create Azure Virtual WAN
  • Create Virtual Hub
  • Create VPN sites
  • Connect VPN sites to virtual hub

Azure app service

  • Vnet isn’t available for Isolated plan apps in an App Service Environment
  • Virtual network integration is used only to make outbound calls from your app into your virtual network

Azure ACR

  • If activated, you can use the registry name as username and admin user access key as password to docker login to your container registry

Command

  • The Set-AzureStaticVNetIP PowerShell cmdlet is used to set a static internal IP address for an Azure virtual machine. This cmdlet allows you to set the IP address, subnet mask, and default gateway for the virtual machine’s network interface.

  • New-AzureRMVMConfig, is used to create a new virtual machine configuration object.

  • Set-AzureSubnet, is used to modify the properties of an existing Azure subnet, not to set static IP addresses for virtual machines.

  • modifying VM properties in the Azure Management Portal, does not provide a way to set static IP addresses for virtual machines.

  • New-MgUser: creating new users in Azure AD

  • New-AzureADMSInvitation: inviting external guest users

  • New-AzResourceGroupDeployment. This cmdlet allows you to use a custom ARM template file to deploy resources to a resource group

  • New-AzVm to create a VM, but it doesn’t use a template

  • New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment requires.

Updated on 2024-02-19
Back | Home