Entra ID
Entra ID app access (remote user → web app, no VPN):
- Entra application proxy: connects to on-premises apps
- Entra enterprise app: SSO
Entra ID app access (if MFA is also required):
- Entra app proxy
- Entra enterprise app
- Conditional access policy
Logic App connecting to an on-premises DB (hybrid AAD environment): use the on-premises data gateway plus a connection gateway resource
P2 Access Review:
- Periodically sends emails showing the application's access permissions
- Automatically revokes permissions
OAuth 2.0 Flow
| Flow | Note |
|---|---|
| Authorization code grant flow | |
| Client credential grant flow | app in VM |
| Implicit grant flow | |
Azure Instance Metadata Service (IMDS): lets an app obtain an auth token
External collaboration / Governance
B2B, guest accounts
Entra ID Governance == Access Review
entitlement management → external users
Other
T1Q55: API roles, API permissions
T1Q59: 1 AAD tenant, 2 conditional access policies
T4Q75: owner, tenant linked to specific Azure subscriptions
Azure Databricks
Azure Databricks Premium → Users access folders with permissions
| SKU | Features |
|---|---|
| Standard | |
| Premium | • cloud storage access • credential passthrough |
Network Watcher
| Tool | Purpose |
|---|---|
| IP Flow Verify | Determines which security rule blocks a network packet from reaching an Azure VM |
| Traffic Analytics | Visualization and statistics of inbound/outbound traffic |
Computing
Virtual machines
The B-series are burstable VMs: they accumulate CPU credits while idle and spend those credits during periods of high CPU usage.
Integration services
| Service | Type | Function | Open-source counterpart | Azure use |
|---|---|---|---|---|
| Event Hub | Event streams | • telemetry streams • data pipelines | Kafka | Capture Entra ID user creation and role assignments |
| Event Grid | Discrete events | Listen for events from Azure resources | CloudEvents? | vault about to expire |
| Service Bus | Messages | Business-critical enterprise messages, e.g. order processing, financial transactions | RabbitMQ, ActiveMQ | Service Bus Topic |
Azure Service Bus queues with sessions enabled → FIFO
Azure Queue Storage == Azure Service Bus
Azure Batch:
Short-running tasks for development environment → low-priority virtual machines
Long-running MPI applications for production environment → batch service and dedicated virtual machines
T4Q49, T4Q64
API Management
Supports OAuth 2.0; supports a lower rate
JWT validation policy (T1Q33)
Databases
SQL Insights (T1Q21, all are supported)
SQL
Azure SQL Managed Instance
- Only MI supports server-side transactions
- Only MI supports CLR stored procedures
- DB size limit: 2–8 TB, whereas Azure SQL Database supports up to 100 TB (requires Hyperscale)
- references database tables combination, SQL in VM + MI(T4Q50)
- User Initiated Backups: MI + Auto Failover Group(T4Q51)
T3Q17(SQL DB, active Geo)
Azure SQL Database
Encryption
| Encryption option | Applies to |
|---|---|
| Dynamic data masking | PII, e.g. phone number |
| TDE | DB files |
| Always Encrypted | social security numbers |
Resource type – elastic pool
- T2Q7(varying usage patterns)
- T4Q62(automatic scaling, vCore)
Purchasing Model
| Purchasing | Service tier | Features | Serverless compute tier |
|---|---|---|---|
| vCore | General Purpose | • Geo Redundancy | Y, automatically scales compute resources based on workload demand (T3Q19, T4Q12) |
| vCore | Business Critical | • prevent data loss • Geo Redundancy • 1 read-only replica | |
| vCore | Hyperscale | • Data warehouse • multiple read-only replicas | Y (prv) |
| DTU | Basic | | |
| DTU | Standard | • auditing (only this SKU supports it, T2Q11) | |
| DTU | Premium | • prevent data loss • Geo Redundancy • 1 read-only replica | |
This question has 3 answers, in priority order:
- Azure SQL Database Premium
- Azure SQL Database Serverless(T3Q16 controversial)
- Azure SQL Database Business Critical
Azure Database for MySQL Flexible Server
| Compute tier | Note |
|---|---|
| Burstable | |
| General Purpose | HA |
| Memory Optimized | |
Business Continuity, minimize downtime → geo-redundant backup(T3Q20)
NoSQL
Azure Cosmos DB: multi-master writes/reading and writing data from multiple Azure regions, mission critical application/Data, SLA for latency(T4Q43)
Azure SQL Database: Hyperscale, Dynamic Data Masking, Always Encrypted, Business critical tier(read-only replicas), Always On availability group(DNN)
MS SQL Server: Log: None Data: ReadOnly(T4Q48)
Migration tool comparison
| Tool | Scenario | Note |
|---|---|---|
| Azure Database Migration Service | on-prem SQL Server → Azure SQL Database or Azure SQL Managed Instance | Offline (one-time) migration |
| Data Migration Assistant | old SQL Server (2005 – 2012 and later) → Azure SQL Database or Azure SQL Managed Instance | Assesses whether compatibility issues exist |
| SQL Server Migration Assistant | Non-SQL Server → Azure SQL Database | |
| Azure Cosmos DB Data Migration Tool | SQL Server → Azure Cosmos DB | |
T4Q104 (only Azure Migrate & DMA can handle a SQL Server migration to an Azure VM), T4Q117 (the DBs inside the server are being migrated, so the answer is Azure Migrate and SQL in a VM)
Azure Data Studio(T4Q93)
Azure Synapse – two pools
- Dedicated SQL Pool → Ingest data from Data Lake Storage into hash-distributed tables
- Serverless SQL Pool
- Apache Spark Pool → Implement queries and update data in Delta Lake → NRT (T4Q115)
Azure Synapse Analytics – massive parallel processing, data warehouse(T2Q36)
Azure Synapse Link: connects Azure Synapse Analytics ↔ Azure Cosmos DB
Azure Synapse Pipelines, Azure Data Share(T2Q35)
Azure Data Lake Storage Gen2 features:
Access Control List(T2Q31), data format: Avro(T2Q28), Data Explorer + KQL(T2Q32)
Analysis Services – OLAP(T2Q36)
SSIS packages → Azure Data Factory
ADF pipeline: An integration component will process the message (T4Q29, not Service Bus here)
Storage
| SKU | Features | Questions |
|---|---|---|
| General purpose v2 | Blob • Encryption scopes (different users encrypt with different keys) • customer-managed keys • ACLs • levels of subfolders (hierarchical) | T4Q21 |
Account Type:
BlockBlobStorage: maximize data throughput
Point-in-time restore for block blobs, change feed(T2Q34)
Performance:
| Tier | Features | Redundancy |
|---|---|---|
| Standard | • tiering/lifecycle management | • LRS • ZRS • GRS • GZRS |
| Premium | • file shares • minimize latency | • LRS • ZRS |
T3Q7: app2 General v2, Standard, Cool, RA-GRS
Storage service usage
| Service | Use |
|---|---|
| Blob | unstructured data, large files |
| Files | SMB, small files |
| Table | REST API |
Access
- Blob: user delegated SAS only
- Files: AAD credentials
Writing to a storage account must happen in the same region (T2Q11)
Hot tier: higher storage costs, but lower access and transaction costs.(T2Q17)
container access policy: prevents data/file editing or deletion; this is not a resource lock (T2Q17)
Failover only supports GRS (T3Q27)
enable Azure Backup + permanent delete for soft deleted items: T3Q25
Monitoring
Log Analytics
Retention: T1Q27 (90 + a maximum of 730 days)
Commitment Pricing tier
non-compliance alerts: Azure activity logs
Azure Monitor Data collection: forward JSON log, T1Q67
Collects event logs from multiple subscriptions → enable Lighthouse first
Azure Monitor Private Link Scope (AMPLS) x 1, private endpoints x 2, T4Q124
Backup / Disaster recovery
T3Q2: 36 months, 1 day
T3Q22: Recovery Service Vault + resource guard
T3Q23: MARS + LRS (only the backup uses LRS)
Deployment
Azure Blueprint
T1Q19(2-2-2), T4Q47
• definition: Root Management Groups
• assignment: Subscriptions
T4Q33: remain connected to the deployed resources
Azure Policy
Differences between effects
- Modify: adding or updating existing tag value
- Append: adding new tag value
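As an added illustration of the Modify vs Append distinction above (these definitions are not from the original notes): two custom policy definitions that both target a tag named `environment`. The definition names, the tag name and the `tagValue` parameter are assumptions chosen for this example; the role definition ID is the built-in Contributor role, which a Modify policy must list because its remediation task runs under a managed identity.

```json
[
  {
    "name": "tag-modify-example",
    "properties": {
      "displayName": "Modify: add or replace the environment tag (example)",
      "policyType": "Custom",
      "mode": "Indexed",
      "metadata": {
        "note": "Example definition, not from the original notes. Modify can update an existing tag value, so the condition is notEquals rather than exists:false."
      },
      "parameters": {
        "tagValue": {
          "type": "String",
          "metadata": { "displayName": "Required value of the environment tag" }
        }
      },
      "policyRule": {
        "if": {
          "field": "tags['environment']",
          "notEquals": "[parameters('tagValue')]"
        },
        "then": {
          "effect": "modify",
          "details": {
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [
              {
                "operation": "addOrReplace",
                "field": "tags['environment']",
                "value": "[parameters('tagValue')]"
              }
            ]
          }
        }
      }
    }
  },
  {
    "name": "tag-append-example",
    "properties": {
      "displayName": "Append: add the environment tag only when it is missing (example)",
      "policyType": "Custom",
      "mode": "Indexed",
      "metadata": {
        "note": "Example definition, not from the original notes. Append only adds a value where the field is absent; it does not change an existing value."
      },
      "parameters": {
        "tagValue": {
          "type": "String",
          "metadata": { "displayName": "Value to add for the environment tag" }
        }
      },
      "policyRule": {
        "if": {
          "field": "tags['environment']",
          "exists": "false"
        },
        "then": {
          "effect": "append",
          "details": [
            {
              "field": "tags['environment']",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
]
```

Each element's `properties` object is what you submit when creating the definition (portal, `az policy definition create`, or a `Microsoft.Authorization/policyDefinitions` resource in ARM/Bicep); the outer array is only there to place the two side by side. The practical difference: Modify needs `roleDefinitionIds` because remediation of existing resources runs as a managed identity with that role (the RBAC remediation-task point in T1Q61), whereas Append has no remediation and only alters the request at create or update time, so existing non-compliant resources stay non-compliant until they are next updated.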
T1Q61: deploy TDE, deployIfNotExists, RBAC remediation task
T4Q11: Parent policy must be in the same region as child policy! So the minimum is 3
T4Q57, T4Q109: not enforcing resource group location!
Azure Migrate
T3Q18: secondary replica → minimize downtime on DB1
Networking
Azure Traffic Manager, Azure Front Door
Azure Front Door with WAF → rate limiting(T4Q17)
Traffic Manager: multi-region, SSL offloading ❌ (choose Azure Front Door for SSL instead)
Gateway Load Balancer → VMSS, NVA1 and NVA2(T3Q21)
VirtualWAN(T4Q72)
Only the Azure Functions Premium plan can integrate with a VNet
APIM Premium supports private endpoint integration with TLS enabled (T4Q9)
T4Q24: the overlaps are all 192
Containers
AKS: cluster autoscaler → Windows, Virtual Nodes → Linux
Azure CNI, horizontal pod autoscaler(T4Q87)
Azure Service Fabric → automatic repairs microservices(T4Q37)
Only the Premium Container Registry SKU supports geo-replication (T4Q59)
Security
Vault
For App Service, the approach is to store Key Vault references in the application settings, granting only Get on secrets (T1Q24)
During failover: paired region; delete requests will be unavailable. (T3Q11)
restore the backup: the same geography (geo) only (T4Q53)
Encryption algorithm
RSA 3072(T2Q19)
Azure Bastion
T1Q29
Other
T1Q43: authentication uses an app registration, authorization uses delegated permissions (accessing the user's calendar data, not Azure resources)
T1Q46: only user 2 cannot grant permissions, because they are a Contributor
Topic 4 Question #111, at least 2 subnets
T4Q80(DS, Premium SSD)
T4Q86(3 WAN hubs, Standard)
Case Study
Litware
- T5Q1: register the users for Azure MFA, AAD identity protection, enforce Azure MFA auth, grant control
- T5Q2: access policy for the blob
- T8Q1: host groups: 3, num of VMSS sets: 3
- T8Q2: general v2, hierarchy
- T8Q3: private endpoint
- T8Q4: two tenants two MG, so 2 Network Contributor role
- T8Q5: azure policy TDE: definition, assignment, remediation
- T12Q1: DB: Azure SQL elastic pool, Tier: Business Critical
- T15Q1: DB1 and DB2, SQL MI, elastic pool, Business Critical
Contoso
- T6Q1: maintenance task: Azure Func
- T6Q2: new version, product version: deployment slots
- T6Q3: App Service plan per region
- T6Q4: Authenticate app1: system-assigned MI, Authorize app1: role assignment
- T10Q1: AAD Identity Gov, access review
- T10Q2: monitoring app2, App Insights
- T13Q1: app2 storage, az sub: Azure File, on_prem network: Azure File Sync
- T13Q2: app1 availability zone: Cosmos DB multi-region writes
- T14Q1: 1 x traffic manager, 2 x appgw
Fabrikam
- T7Q1: storage account for SQL Server DB migr ✔, web site content ×, DB metric monitoring ×
- T7Q2: DC for corp.xxx.com to VNet in Azure
- T9Q1: 1 tenant, 1 custom domains, 2 conditional access policies
- T9Q2: notified of any issues relating to the directory synchronization services. → AAD Connect Health
- T9Q3: data retention: long-term
- T11Q1: WebApp1, vCore-based SQL DB
- T16Q1: all are supported, but no manual config is needed