Azure AZ-104 Preparation Guide

This article intends to serve as a preparation guide for the AZ-104 exam. It is a fast read that cannot replace the full preparation guide that you can find on Microsoft's Learn website https://docs.microsoft.com/en-us/learn/certifications/exams/az-104, though I hope it will serve to refresh your memory or as a quick start to your preparation for the exam.

Azure Active Directory

Azure Active Directory is Microsoft's cloud identity and SSO solution that gives you access to thousands of cloud SaaS and on-premises apps such as Salesforce, Office 365 and more. As an identity management solution it gives you several benefits:

  • Single sign-on to any cloud or on-premises web app.
  • Works with iOS, OS X, Android and Windows.
  • Protect on-premises web applications with secure remote access. It offers MFA, Conditional Access policies and group-based access management.
  • Easily extend Active Directory to the cloud.
  • Protect sensitive data and applications. It offers security reports and notifications that surface suspicious sign-in activity and potential vulnerabilities.
  • Reduce costs and enhance security with self-service capabilities, for example self-service password management with verification steps.

AD Concepts

  • Identity - User Account or Service Account.
  • Account - An identity that has associated data.
  • Azure AD Account - An identity created through Azure AD or another Microsoft cloud service.
  • Azure Subscription - Used to pay for Azure services.
  • Azure tenant - Represents a single organization.
  • Azure AD directory - Includes the tenant's users, groups, and apps.

How is Azure AD different from AD DS

  • Azure AD is an identity solution designed for apps that use HTTP/HTTPS
  • It uses a REST API and not LDAP
  • It uses SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization) and not Kerberos
  • It includes federation services and supports many third-party identity providers such as Facebook

Azure Active Directory Editions

  • Free - provides user and group management, on-premises directory synchronization, basic reports, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps
  • MS 365 Apps - in addition to the Free features, it provides identity and access management for Microsoft 365 apps, including branding, MFA, group access management, and self-service password reset for cloud users
  • Premium 1 - in addition to the Free features, it lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, self-service group management and password reset for on-premises users
  • Premium 2 - in addition to Premium 1, it offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your data, and Privileged Identity Management to discover, restrict, and monitor administrators and their access to resources

Azure AD Join

It is designed to provide access to resources and simplify Windows deployments of work-owned devices. It offers:

  • Single sign-on (SSO)
  • Enterprise-compliant roaming
  • Access to Microsoft Store for Business
  • Windows Hello
  • Restriction of access to devices that meet the compliance policy
  • Seamless access to on-premises resources

Connection Options

  • Registering - when a device is registered, Azure AD provides the device with an identity that is used to authenticate the device at sign-in
  • Joining - in addition to registering, it also changes the local state of the device, which means users can sign in with an organizational account instead of a personal one

Self-Service Password Reset

Azure AD offers three options for who can use self-service password reset: None, Selected and All. After you enable password reset, you choose the number of authentication methods required to reset a password; at least one is required.

User Accounts

  • Cloud identities - like administrator accounts or self-managed accounts. They exist only in Azure AD and when they are removed from the primary directory, they are deleted. Their source is the Azure Active Directory.
  • Directory-synchronized identities - Their source is Windows Server AD. Azure AD Connect brings these users into Azure.
  • Guest users - like Xbox accounts. Their source is Invited user.

There is an option to create user accounts in bulk from a CSV file. An admin with privileges on the directory can open a PowerShell session with Connect-AzAccount and create a password profile for the new users. The passwords for the new users need to conform to the directory's password complexity rules.

Azure Governance

Management Group

In order to manage access, policies and compliance for several subscriptions, Azure offers management groups, whose scope is above subscriptions. Each management group can contain multiple subscriptions. All subscriptions within a management group inherit the conditions applied to the management group.

Azure Policy

It is the Azure service for defining and enforcing policies. It is important when you need to govern multiple engineering teams or subscriptions. It can be used to specify the resource types your organization can deploy, restrict the locations in which your organization can deploy resources, and so on.

To implement Azure Policies:

  1. Browse Policy Definitions - a list of ready definitions to choose from. If there isn't an applicable policy you can add a new Policy Definition or import it from GitHub.
  2. Create Initiative Definitions - Once you have determined which Policy Definitions you need, you create an Initiative Definition. This definition will include one or more policies.
  3. Scope the Initiative Definitions - Once your Initiative Definition is created, you assign the definition to establish its scope. A scope determines what resources or grouping of resources the policy assignment gets enforced on.
  4. View Policy Evaluation results - Once your policy is in place you can use the Compliance blade to review non-compliant initiatives, non-compliant policies, and non-compliant resources.
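The four steps above come down to evaluating each definition's `if` condition against a resource and applying its `then` effect when the condition holds. The following added example, written for this guide and not Azure Policy's own engine, models that evaluation: two constructed definitions in real Azure Policy rule syntax (`field`/`in`/`exists`/`not`) are grouped into an initiative and checked against constructed resources. The parameter binding and the `tags['...']` field handling are simplified.

```python
"""Minimal evaluator for the if/then logic of Azure Policy definitions.

Added example written for this guide; it is not Azure Policy's own engine.
It models how a definition's `if` condition is tested against a resource and
how an initiative groups several definitions under one assignment. The two
definitions use real Azure Policy rule syntax (field / in / exists / not);
the resources below are constructed.
"""
from typing import Any

# Constructed definitions. Parameter values are already bound as they would be
# by an assignment; only the "[parameters('name')]" expression is resolved here.
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "parameters": {"allowedLocations": ["westeurope", "northeurope"]},
    "policyRule": {
        "if": {"not": {"field": "location",
                       "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"},
    },
}

REQUIRE_ENV_TAG = {
    "name": "require-tag-environment",
    "parameters": {},
    "policyRule": {
        "if": {"field": "tags['environment']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

# An initiative is a set of definitions assigned together at one scope.
BASELINE_INITIATIVE = [ALLOWED_LOCATIONS, REQUIRE_ENV_TAG]


def _resolve(value: Any, params: dict) -> Any:
    """Replace a "[parameters('x')]" template expression with its bound value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _field(resource: dict, path: str) -> Any:
    """Read a top-level field such as location/type, or a tags['key'] alias."""
    if path.startswith("tags['") and path.endswith("']"):
        return resource.get("tags", {}).get(path[len("tags['"):-2])
    return resource.get(path)


def matches(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate one policy condition (recursively for not/allOf/anyOf)."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = _field(resource, cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "exists" in cond:
        # Azure Policy writes the boolean as the string "true"/"false".
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(initiative: list, resource: dict) -> list:
    """Names of definitions whose `if` matched, i.e. whose deny effect applies.

    The `then` effect fires when the `if` condition is true, so a non-empty
    result means the resource would be rejected (or reported non-compliant).
    """
    return [
        d["name"]
        for d in initiative
        if d["policyRule"]["then"]["effect"] == "deny"
        and matches(d["policyRule"]["if"], resource, d["parameters"])
    ]


if __name__ == "__main__":
    vm = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
          "tags": {"owner": "team-a"}}
    print(evaluate(BASELINE_INITIATIVE, vm))  # both definitions fire
```

Running `evaluate` over your resource inventory is the offline equivalent of step 4: anything returned is what the Compliance blade would list as non-compliant.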

Role-Based Access Control (RBAC)

RBAC helps you manage who (user, group or application) has access to Azure resources, what they can do with those resources, and what areas they have access to.

Azure RBAC roles control permissions to manage Azure resources, while Azure AD administrator roles control permissions to manage Azure Active Directory resources.


Azure includes several built-in RBAC roles: Owner, who has full access to all resources including the right to delegate access to others; Contributor, who can create and manage all types of Azure resources but can't grant access to others; Reader, who can view existing Azure resources; User Access Administrator, who can manage user access to Azure resources; and more. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles.
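Two mechanics behind the roles above are worth seeing in code: an assignment made at a management group, subscription or resource group is inherited by every scope beneath it, and a role is a set of allowed Actions minus NotActions, which is exactly how Contributor is prevented from granting access. The following added example, written for this guide and not Azure's authorization service, models both. The role definitions are abbreviated copies of the built-in ones; the scope ids, principals and assignments are constructed.

```python
"""Azure RBAC modelled as inherited role assignments over a scope hierarchy.

Added example written for this guide, not Azure's authorization service.
Role definitions are abbreviated copies of the built-in ones; the scopes,
principals and assignments are constructed.
"""
import fnmatch

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Access management is carved out of Contributor via NotActions.
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}

# Constructed scope ids in Azure's resource-id form.
MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

# A subscription id does not embed its management group, so that link is a lookup.
SUBSCRIPTION_PARENT = {SUB: MG}

# (principal, role, scope): constructed assignments.
ASSIGNMENTS = [
    ("alice", "Owner", MG),       # inherited by the subscription, rg-web and web01
    ("bob", "Contributor", RG),   # manages rg-web, cannot grant access
    ("carol", "Reader", SUB),     # read-only everywhere in the subscription
]


def ancestors(scope: str) -> list:
    """The scope itself followed by each enclosing scope up to the management group."""
    chain = []
    while scope:
        chain.append(scope)
        if scope in SUBSCRIPTION_PARENT:
            scope = SUBSCRIPTION_PARENT[scope]
        elif scope.startswith("/subscriptions/") and "/providers/" in scope:
            scope = scope[: scope.index("/providers/")]       # resource -> resource group
        elif "/resourceGroups/" in scope:
            scope = scope[: scope.index("/resourceGroups/")]  # resource group -> subscription
        else:
            break
    return chain


def role_permits(role: str, action: str) -> bool:
    """Actions are wildcard patterns; a NotActions match removes the permission."""
    defn = ROLES[role]
    a = action.lower()  # Azure action strings are case-insensitive

    def hit(patterns):
        return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)

    return hit(defn["Actions"]) and not hit(defn["NotActions"])


def has_access(principal: str, action: str, scope: str) -> bool:
    """True if any assignment at the scope or one of its ancestors permits the action."""
    chain = set(ancestors(scope))
    return any(
        p == principal and s in chain and role_permits(r, action)
        for p, r, s in ASSIGNMENTS
    )


if __name__ == "__main__":
    print(has_access("bob", "Microsoft.Authorization/roleAssignments/write", VM))  # False
```

Note that NotActions only subtract from the same role definition; they are not a deny. If bob also held Owner anywhere above `rg-web`, the Owner assignment would grant the role-assignment write regardless of Contributor's NotActions.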

Azure Administration

Resource Manager

The infrastructure of an application is usually made of many components (virtual machines, storage accounts, virtual networks, databases, database servers, and third-party services). The resource manager is a layer between the clients (Azure PowerShell, Azure CLI, Azure portal, REST API, and client SDKs) and the resource providers. The API passes requests to the resource manager, which authenticates and authorizes each request and then routes it to the appropriate resource provider.

Some of the benefits of the resource manager are that you can manage your infrastructure as templates rather than scripts, deploy your resources as a group rather than individually, apply RBAC and tags to all services, and clarify your billing by viewing costs for a group of resources that share a tag.

Resource Groups

Resources can be deployed to a new or existing resource group, and each resource can exist in only one. Resource groups cannot be renamed, and they can contain many different services from different regions. The resources in a group should share the same lifecycle, but a resource can still interact with resources in a different group, and resources can be added, removed or moved between groups. Resource groups have a location, which is where their metadata is stored. Resource Manager also offers two types of locks: Read-only locks, which prevent any changes to the resource, and Delete locks, which prevent deletion. Deleting a resource group deletes all the resources contained within it.

ARM Templates

In addition to the Azure portal, the Cloud Shell, Azure PowerShell and the Azure CLI, ARM Templates (Azure Resource Manager Templates) precisely define all the Resource Manager resources in a deployment. Some of their benefits are:

  • Improved Consistency
  • Faster complex deployments
  • Reduce manual, error-prone tasks
  • IAC benefits - It can be shared, versioned, tested etc
  • Orchestration simplification

ARM Templates are written in JSON, although infrastructure as code on Azure is not limited to it. A template has the following skeleton:

{
    /* Required - Location of the JSON schema file that describes the version of the template language */
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    /* Required - Version of the template*/ 
    "contentVersion": "", 
    /* Values that are provided when deployment is executed to customize resource deployment */
    "parameters": {}, 
    /* Values that are used as JSON fragments in the template to simplify template language expressions */
    "variables": {}, 
    /* User-defined functions that are available within the template */
    "functions": [], 
    /* Required - Resource types that are deployed or updated in a resource group */
    "resources": [], 
    /* Values that are returned after deployment */
    "outputs": {} 
}
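Because a template is shared, versioned and committed to source control, the thing to check before it leaves your hands is how it handles secrets. The following added example, written for this guide and not part of the article or Microsoft's template toolkit, strips the `/* ... */` comments ARM permits, checks the required top-level properties from the skeleton above, and flags parameters that are declared `securestring`/`secureObject` but carry a `defaultValue`, or that look like passwords yet are plain strings. The template and the name heuristic are constructed.

```python
"""Lint an ARM template for two well-known secret-handling mistakes.

Added example written for this guide, not from the article or Microsoft's
tooling. The template below is constructed; the name-based check for
password-like parameters is a heuristic of this example.
"""
import json
import re

# Constructed template: one correct secure parameter and two mistakes.
TEMPLATE_TEXT = r'''
{
    /* Required - location of the JSON schema for this template language version */
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": { "type": "string" },
        "adminPassword": { "type": "securestring" },
        "sqlPassword":   { "type": "string", "defaultValue": "P@ssw0rd!" },
        "apiKey":        { "type": "securestring", "defaultValue": "dev-key" }
    },
    "resources": []
}
'''

REQUIRED = ("$schema", "contentVersion", "resources")
SECURE_TYPES = {"securestring", "secureobject"}
SECRET_NAME = re.compile(r"password|secret|apikey", re.I)  # heuristic


def strip_comments(text: str) -> str:
    """Remove /* ... */ blocks and whole-line // comments so json.loads accepts it."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def load_template(text: str) -> dict:
    """Parse a commented ARM template into a dict."""
    return json.loads(strip_comments(text))


def lint(template_text: str) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    tpl = load_template(template_text)
    findings = []
    for key in REQUIRED:
        if key not in tpl:
            findings.append(f"missing required property '{key}'")
    for name, spec in tpl.get("parameters", {}).items():
        ptype = spec.get("type", "").lower()
        if ptype in SECURE_TYPES and "defaultValue" in spec:
            # The default is a secret committed to the template file itself.
            findings.append(f"secure parameter '{name}' has a defaultValue")
        if ptype == "string" and SECRET_NAME.search(name):
            findings.append(f"parameter '{name}' looks like a secret but is type string; use securestring")
    return findings


if __name__ == "__main__":
    for finding in lint(TEMPLATE_TEXT):
        print(finding)
```

Secure parameters are the right place for passwords and keys because their values are not written to the deployment history, but that protection is undone the moment a default value puts the secret into the template file.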

Virtual Networking

Virtual networks can be used in many ways.

  • Create a dedicated private cloud-only VNet
  • Securely extend your data centre with VNets. You can build traditional site-to-site (S2S) VPNs to securely scale your datacenter capacity. S2S VPNs use IPsec to provide a secure connection between your corporate VPN gateway and Azure
  • Enable hybrid cloud scenarios. VNets give you the flexibility to support a range of hybrid cloud scenarios.

A virtual network can be segmented into one or more subnets (logical divisions within your network). Each subnet contains a range of IP addresses that fall within the virtual network address space. Each subnet must have a unique address range, specified in CIDR format. The address range cannot overlap with other subnets in the virtual network in the same subscription.

Each service directly deployed into a virtual network has specific requirements for routing and traffic. A service may require or create its own subnet, so there must be enough unallocated address space.

Azure routes network traffic between all subnets in a virtual network by default. If this is not the required behaviour, resources can be deployed in different subnets. Access to Azure resources can be limited to specific subnets with a virtual network service endpoint.

You can use an Azure network security group (NSG) to filter network traffic to and from Azure resources in an Azure virtual network. An NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you specify source, destination, port, and protocol. A DMZ is a subnet that has been assigned an NSG. Each subnet can have only one NSG. With the security rules in an NSG, you filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. Azure creates several default security rules within each network security group.
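What the paragraph above does not spell out is how the rules combine: an NSG walks its rules in ascending priority and the first match decides, with Azure's three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sitting behind anything you add. The following added example, written for this guide and not Azure's own data path, reproduces that evaluation for inbound flows. The custom rules, flows and the VNet address space are constructed; the `VirtualNetwork` and `Internet` service tags are resolved with a simplified lookup (the real `VirtualNetwork` tag also covers peered and on-premises ranges).

```python
"""First-match evaluation of network security group rules (inbound).

Added example written for this guide, not Azure's own implementation.
Custom rules, flows and the VNet range are constructed; service tags are
resolved with a simplified lookup.
"""
import ipaddress

VNET_RANGES = ["10.0.0.0/16"]             # constructed address space
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")

# Azure's default inbound rules: present in every NSG and not removable.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "dest": "VirtualNetwork", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "source": "AzureLoadBalancer", "dest": "*", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "dest": "*", "port": "*"},
]

# Constructed custom rules: HTTPS from anywhere, management only from a bastion subnet.
CUSTOM_INBOUND = [
    {"name": "AllowHttpsIn", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "Internet", "dest": "*", "port": "443"},
    {"name": "DenyRdpFromInternet", "priority": 110, "access": "Deny", "protocol": "Tcp",
     "source": "Internet", "dest": "*", "port": "3389"},
    {"name": "AllowSshFromBastion", "priority": 200, "access": "Allow", "protocol": "Tcp",
     "source": "10.0.250.0/26", "dest": "*", "port": "22"},
]


def _addr_matches(spec: str, addr: str) -> bool:
    """Resolve a service tag, '*' or a CIDR against one address."""
    ip = ipaddress.ip_address(addr)
    in_vnet = any(ip in ipaddress.ip_network(r) for r in VNET_RANGES)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":              # addresses outside the virtual network
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if spec == "*":
        return True
    return ip in ipaddress.ip_network(spec)


def _port_matches(spec: str, port: int) -> bool:
    """Port spec may be '*', a single port, a range 'a-b', or a comma list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(custom_rules: list, src_ip: str, dst_ip: str,
                     dst_port: int, protocol: str) -> tuple:
    """Return (access, rule_name) of the first rule, by priority, that matches."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if not (_addr_matches(rule["source"], src_ip)
                and _addr_matches(rule["dest"], dst_ip)
                and _port_matches(rule["port"], dst_port)):
            continue
        return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    print(evaluate_inbound(CUSTOM_INBOUND, "203.0.113.5", "10.0.0.4", 22, "Tcp"))
```

The last case in the test (SSH from the internet) shows why the explicit RDP deny at priority 110 is redundant for this NSG: anything not allowed earlier falls through to DenyAllInBound anyway. Explicit denies earn their place only when a lower-numbered allow would otherwise catch the traffic.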

Azure reserves five IP addresses within each subnet.

  • x.x.x.0: Network address
  • x.x.x.1: Reserved by Azure for the default gateway
  • x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
  • x.x.x.255: Network broadcast address

By default, you can create up to 50 virtual networks per subscription per region, although you can increase this limit to 500 by contacting Azure support.
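The subnet rules stated above (unique, non-overlapping CIDR ranges inside the VNet address space, and five addresses reserved per subnet) are easy to check before a deployment fails on them. The following added example, written for this guide and not from the article, validates a constructed set of subnets against a constructed VNet range and reports the reserved addresses and usable count for a subnet. It also flags prefixes longer than /29, the smallest subnet Azure supports.

```python
"""Subnet planning checks for an Azure virtual network.

Added example written for this guide, not from the article. The VNet
address space and subnets below are constructed.
"""
import ipaddress

VNET = "10.0.0.0/16"
SUBNETS = {
    "snet-web": "10.0.0.0/24",
    "snet-app": "10.0.1.0/24",
    "GatewaySubnet": "10.0.255.0/27",
}


def reserved_addresses(cidr: str) -> dict:
    """The five addresses Azure keeps in every subnet, plus the number left over."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved = {
        "network": str(net[0]),
        "default_gateway": str(net[1]),
        "azure_dns_1": str(net[2]),
        "azure_dns_2": str(net[3]),
        "broadcast": str(net[-1]),
    }
    return {"reserved": reserved, "usable": net.num_addresses - 5}


def validate_subnets(vnet_cidr: str, subnets: dict) -> list:
    """Return problems: subnet outside the VNet, prefix too long, or overlaps."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside {vnet}")
        if net.prefixlen > 29:
            problems.append(f"{name} {net} is smaller than the /29 minimum")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    print(validate_subnets(VNET, SUBNETS))          # [] for the constructed plan
    print(reserved_addresses("10.0.0.0/24"))        # 251 usable addresses
```

The arithmetic explains a common surprise: a /29 has eight addresses, of which Azure keeps five, leaving three for your resources.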

IP addresses can be assigned to resources, to an on-premises network or to the Internet, and they can be either Private (communication between Azure resources and/or an on-premises network) or Public (communication with the Internet). An IP address can also be either Static, which does not change and is best for DNS name resolution, SSL certificates and firewall rules, or Dynamic.

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics. Some of its features are:

  • Built-in high availability
  • Availability Zones
  • Unrestricted cloud scalability
  • Application FQDN filtering rules - You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN) including wild cards.
  • Network traffic filtering rules
  • Threat intelligence - threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
  • Multiple public IP addresses - You can associate multiple public IP addresses (up to 100) with your firewall.

There are three types of rules that you can configure in the Azure Firewall:

  • NAT Rules - Each rule in the NAT rule collection is used to translate your firewall public IP and port to a private IP and port
  • Network Rules - Any non-HTTP/S traffic that will be allowed to flow through the firewall must have a network rule. In order for resources in different subnets to communicate, you configure a network rule from the source to the destination.
  • Application Rules - Application rules define fully qualified domain names that can be accessed from a subnet.

Intersite Connectivity

In order to connect virtual networks, we use peering. Once peered, they appear as one network. The benefits of using local or global virtual network peering include:

  • Private - No public Internet, gateways, or encryption is required in the communication between the virtual networks
  • Performance
  • Communication between the peered networks
  • Seamless - The ability to transfer data across Azure subscriptions, deployment models, and across Azure regions
  • No disruption - no downtime during the creation of the peering

Global VNet peering works the same as regional peering, but global peerings cannot be created in Azure Government cloud regions, where you can only peer virtual networks in the same region. The load balancer and the resources that communicate with it must be in the same virtual network.

When you enable Allow Gateway Transit, the peered virtual network can communicate with resources outside the peering through the gateway.

VNet peering is nontransitive. However, you can use user-defined routes and service chaining to implement custom routing that provides transitivity.

VPN Gateways

It is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. With a VPN gateway you can connect site-to-site, VNet-to-VNet or point-to-site. A VPN gateway consists of two or more VMs that are deployed to a specific subnet. They contain routing tables and run specific gateway services. They are created automatically and you cannot configure them directly. To create a VPN gateway, first create the gateway subnet. You shouldn't deploy any other resources in this subnet.

ExpressRoute

It can be used to create private connections between Azure datacenters and infrastructure on your premises or in a co-location environment. It is the proper choice for data migration, replication for business continuity, disaster recovery, and other high-availability strategies. Global connectivity can be extended with an ExpressRoute premium add-on. ExpressRoute Global Reach enables the exchange of data across your on-premises sites by connecting your ExpressRoute circuits.

You can create a connection between your on-premises network and the Microsoft cloud in three different ways:

  • Co-located at a cloud exchange
  • Point-to-point Ethernet Connection
  • Any-to-any (IPVPN) Connection

Azure Virtual WAN

It is a networking service providing optimized and automated branch connectivity to, and through, Azure. Azure regions serve as hubs that you can choose to connect your branches to. Azure Virtual WAN brings together many Azure cloud connectivity services such as site-to-site VPN, User VPN (point-to-site), and ExpressRoute into a single operational interface.

Network Traffic Management

System Routes

Azure uses system routes to direct network traffic between virtual machines, on-premises networks, and the Internet. Information about the system routes is recorded in a routing table. A routing table contains a set of rules, called routes, that specify how packets should be routed in a virtual network.

Virtual Network Service Endpoint

A virtual network service endpoint provides the identity of your virtual network to the Azure service. Once service endpoints are enabled in your virtual network, you can secure Azure service resources to your virtual network by adding a virtual network rule to the resources. The benefits of service endpoints are:

  • Improved security for your Azure service resources
  • Optimal routing for Azure service traffic from your virtual network
  • Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network
  • Simple to set up with less management overhead

Azure Private Link

It provides private connectivity from a virtual network to Azure PaaS services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet. Its benefits include:

  • Private connectivity to services on Azure
  • Integration with on-premises and peered networks
  • Protection against data exfiltration for Azure resources
  • Services delivered directly to your customers’ virtual networks

Azure Load Balancer

A public load balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of the VM, and vice versa for the response traffic from the VM. By applying load-balancing rules, you can distribute specific types of traffic across multiple VMs or services.

An internal load balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure infrastructure. Frontend IP addresses and virtual networks are never directly exposed to an internet endpoint. An internal load balancer allows load balancing within a virtual network, for a cross-premises virtual network, for multi-tier applications and for line-of-business applications.

Application Gateway

Application Gateway manages the requests that client applications can send to a web app. Application Gateway routes traffic to a pool of web servers based on the URL of a request. The pool of web servers can be Azure virtual machines, Azure virtual machine scale sets, Azure App Service, and even on-premises servers.

Azure Storage

Azure Storage offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for messaging, and a NoSQL store. Azure Storage is durable and highly available, secure, scalable and managed; it is accessible over HTTP/S, through SDKs for many languages, and through a REST API. Azure Storage is a service that you can use to store files, messages, tables, and other types of information. You can think of Azure Storage in three categories: storage for virtual machines, unstructured data, and structured data. It comes in two tiers, Premium and Standard, and the tier can be changed.

Azure Storage includes the following data services:

  • Azure Containers (Blobs): A massively scalable object storage for text and binary data like photos.
  • Azure Files: Managed file shares for cloud or on-premises deployments through the SMB protocol. Multiple VMs can share the same files with both read and write access.
  • Azure Queues: A messaging storage for reliable messaging between application components.
  • Azure Tables: A NoSQL storage for schemaless storage of structured data.

Replication options include:

  • LRS (Locally redundant storage) - Lowest cost replication with the least durability
  • ZRS (Zone redundant storage) - Synchronously replicates your data across 3 storage clusters in a single region
  • GRS/RA-GRS (Geo-redundant storage) - Replicates your data to a secondary region
  • GZRS/RA-GZRS (Geo-zone redundant storage) - Combines the high availability of zone-redundant storage with protection from regional outages as provided by geo-redundant storage

Every object that you store in Azure Storage has a unique URL address.

Some security capabilities for Azure Storage:

  • Encryption - all data written to Azure Storage is automatically encrypted using Storage Service Encryption.
  • Authentication - Azure Active Directory and RBAC are supported for Azure Storage for both resource management operations and data operations
  • Data in transit - data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0.
  • Disk encryption - OS and data disks used by Azure VMs can be encrypted using Azure Disk Encryption
  • Shared Access Signatures - access to the data objects in Azure Storage can be delegated through Shared Access Signatures

Every request made against a secured resource in the Blob, File, Queue, or Table service must be authorized. Options for authorizing requests to Azure Storage include Azure Active Directory, Shared Key, shared access signatures, and anonymous access to containers and blobs.
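Of the four authorization options, a shared access signature is the one that most often leaks more access than intended, because everything it grants is readable in its query string: `sp` (permissions), `se` (expiry), `spr` (allowed protocols), `sip` (allowed source IPs) and `sig` (the HMAC that makes it valid). The following added example, written for this guide and not from the article, audits a token's parameters for the weak combinations a defender looks for before issuing or accepting it. The token is constructed and its `sig` is a placeholder, not a real signature; the seven-day lifetime threshold is a constructed policy value.

```python
"""Audit a shared access signature's query parameters for risky settings.

Added example written for this guide, not from the article. The token below
is constructed and its `sig` is a placeholder; MAX_LIFETIME_DAYS is a
constructed policy threshold.
"""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs

# Constructed account SAS with several weak settings for the audit to catch.
SAMPLE_SAS = (
    "sv=2021-06-08&ss=b&srt=sco&sp=rwdlacupx&se=2099-01-01T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER-NOT-A-REAL-SIGNATURE"
)

MAX_LIFETIME_DAYS = 7   # constructed policy: how long a token may stay valid
READ_ONLY_PERMS = set("rl")   # r = read, l = list; anything else modifies data


def audit_sas(query: str, now: Optional[datetime] = None) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(query).items()}
    findings = []

    perms = params.get("sp", "")
    if set(perms) - READ_ONLY_PERMS:
        findings.append(f"grants modifying permissions: sp={perms}")

    expiry = params.get("se")
    if not expiry:
        findings.append("no expiry (se) set")
    else:
        exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if exp <= now:
            findings.append(f"token expired at {expiry}")
        elif (exp - now).days > MAX_LIFETIME_DAYS:
            findings.append(f"lifetime exceeds {MAX_LIFETIME_DAYS} days (se={expiry})")

    # spr defaults to https; an explicit "https,http" permits plaintext transport.
    if "http" in params.get("spr", "https").split(","):
        findings.append("allows plain HTTP (spr includes http)")

    if "sip" not in params:
        findings.append("no source IP restriction (sip)")

    return findings


if __name__ == "__main__":
    for finding in audit_sas(SAMPLE_SAS):
        print(finding)
```

Two points follow from the parameters: a token signed with the account key cannot be revoked before `se` except by rotating that key, so short lifetimes and `sip` restrictions are the controls you actually have, and the `sig` value itself is never needed to judge a token's scope.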

Azure Storage Service Encryption (SSE) for data at rest helps you protect your data to meet your organizational security and compliance commitments.

Virtual Machines

To connect to a Windows VM in Azure you use a Remote Desktop client. For a Linux VM, you need a Secure Shell (SSH) client. The Azure Bastion service is a PaaS that you provision inside your virtual network. It provides secure RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address.

Availability Sets

It is a logical feature used to ensure that a group of related VMs are deployed so that they aren't all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the data centre. VMs placed in an availability set should perform an identical set of functionalities and have the same software installed.

Availability Zones

An Availability Zone in an Azure region is a combination of a fault domain (a group of nodes that represent a physical unit of failure) and an update domain (a group of nodes that are upgraded together during the process of a service upgrade). Build high-availability into your application architecture by co-locating your compute, storage, networking, and data resources within a zone and replicating in other zones.

There are two categories of services that support Availability Zones:

  • Zonal services - Pin the resource to a specific zone (virtual machines, managed disks)
  • Zone-redundant services - The platform replicates automatically across zones (zone-redundant storage, SQL Database)

Scale Sets

An Azure Compute resource you can use to deploy and manage a set of identical VMs. Scale Sets support load balancing for high availability. They support autoscaling, which means that capacity can be adjusted automatically or on demand, manually or on a schedule.

VM Extensions

Azure VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs, like software installation, anti-virus protection or a configuration script. Extensions are all about managing your virtual machines.

Serverless Computing

App Service

There are two workflows for Web App scaling, scale-up (more CPU, memory, disk space, and extra features) and scale-out (increase the number of VM instances that run your app - max 30 instances).

Azure App Service brings together everything you need to create websites, mobile backends, and web APIs for any platform or device. With App Services you can choose between multiple languages and frameworks and set up CI/CD with Azure DevOps, GitHub and more. App Service can be scaled up or out and can be connected with several connectors for enterprise systems like SAP, Salesforce or Facebook. App Service is ISO, SOC, and PCI compliant, it offers a collection of Application templates in Azure Marketplace and dedicated tools in Visual Studio and provides turn-key CORS support for RESTful API scenarios, and simplifies mobile app scenarios by enabling authentication, offline data sync, push notifications, and more.

Azure Kubernetes Service

You can build and run modern, portable, microservices-based applications that benefit from Kubernetes orchestrating and managing the availability of those application components. Kubernetes supports both stateless and stateful applications. It comes with features like:

  • Flexible deployments - command-line or template-driven with Resource Manager templates and Terraform
  • Identity and security management - RBAC, integration with Active Directory
  • Integrated logging and monitoring
  • Cluster node scaling
  • Cluster node upgrades
  • HTTP application routing
  • GPU enabled nodes
  • Development tooling integration - like Kubernetes extension for VS Code
  • Virtual network integration - Pods can connect also to other services in a peered VNet, and to on-premises networks
  • Private container registry

Azure Backup

It is the service you can use to back up your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive. It comes with features like:

  • Offload on-premises backup
  • VMs Backup
  • Unlimited data transfer
  • Data Security
  • App-consistent backups
  • Retain short and long-term data
  • Automatic storage management
  • Multiple storage options

The original article summarizes the use cases of the Azure Backup Agent (MARS) and the Azure Backup Server in a table that was published as an image.

Azure Monitoring

It allows you to monitor and visualize metrics, query and analyze logs, and set up alerts and actions. All data collected by Azure Monitor fits into one of two types, metrics and logs.

  • Metrics are numerical values that describe some aspect of a system at a particular point in time.
  • Logs contain different kinds of data organized into records with different sets of properties for each type. Telemetry such as events and traces are stored as logs in addition to performance data so that it can all be combined for analysis.

Log data collected by Azure Monitor is stored in Log Analytics which includes a query language to retrieve, consolidate, and analyze collected data. Azure Monitor collects data from the following tiers:

  • Application monitoring data
  • Guest OS monitoring data
  • Azure resource monitoring data
  • Azure subscription monitoring data
  • Azure tenant monitoring data

I hope you will find this article useful. Thanks for reading it, and share if you liked it!
