Azure - ashishranjandev/interview-wiki GitHub Wiki
AZ-204 Skills
- Develop Azure compute solutions (25-30%)
  - Implement IaaS solutions: provision virtual machines (VMs); configure, validate, and deploy ARM templates; configure container images for solutions; publish an image to Azure Container Registry; run containers by using Azure Container Instance
  - Create Azure App Service Web Apps: create an Azure App Service Web App; enable diagnostics logging; deploy code to a web app; configure web app settings including SSL, API settings, and connection strings; implement autoscaling rules including scheduled autoscaling and autoscaling by operational or system metrics
  - Implement Azure Functions: create and deploy Azure Functions apps; implement input and output bindings for a function; implement function triggers by using data operations, timers, and webhooks; implement Azure Durable Functions
- Develop for Azure storage (15-20%)
  - Develop solutions that use Cosmos DB storage: select the appropriate API and SDK for a solution; implement partitioning schemes and partition keys; perform operations on data and Cosmos DB containers; set the appropriate consistency level for operations; manage change feed notifications
  - Develop solutions that use blob storage: move items in Blob storage between storage accounts or containers; set and retrieve properties and metadata; perform operations on data by using the appropriate SDK; implement storage policies, data archiving, and retention
- Implement Azure security (20-25%)
  - Implement user authentication and authorization: authenticate and authorize users by using the Microsoft Identity platform; authenticate and authorize users and apps by using Azure Active Directory; create and implement shared access signatures; implement solutions that interact with Microsoft Graph
  - Implement secure cloud solutions: secure app configuration data by using App Configuration or Azure Key Vault; develop code that uses keys, secrets, and certificates stored in Azure Key Vault; implement Managed Identities for Azure resources
- Monitor, troubleshoot, and optimise Azure solutions (15-20%)
  - Implement caching for solutions: configure cache and expiration policies for Azure Cache for Redis; implement secure and optimized application cache patterns including data sizing, connections, encryption, and expiration
  - Troubleshoot solutions by using metrics and log data: configure an app or service to use Application Insights; review and analyze metrics and log data; implement Application Insights web tests and alerts
- Connect to and consume Azure services and third-party services (15-20%)
  - Implement API Management: create an APIM instance; create and document APIs; configure authentication for APIs; define policies for APIs
  - Develop event-based solutions: implement solutions that use Azure Event Grid; implement solutions that use Azure Event Hub
  - Develop message-based solutions: implement solutions that use Azure Service Bus; implement solutions that use Azure Queue Storage queues
Two ways to pay
- Pay as you go
- Passcode
Resource Group
Like a room in a hotel. How am I paying? Using a Subscription.
All services in a resource group share the same lifecycle; the group collects the services of one project.
App Services
- Shared Infra
- We can change app service plan later
How to deploy Code? Deployment -> Deployment Center -> Source
App Service Plans
- Basic
- Production
- Isolated [Will Require App Service Environment]
Adding Identity Providers
Scaling Out
- Auto Scale - We can still set a maximum instance count. Keep the minimum at 1 as well, for availability. We can add rules and scaling conditions.
- Fixed Instance Count
Networking
- Inbound = the IP address the load balancer exposes for customer traffic
- Outbound = the network IPs the app may use when connecting to other Azure services
Virtual Network - Isolated Virtual Network
Hybrid Connection - Isolated Virtual Network
The outbound IP addresses of an Azure App Service might change; check the documentation for when they change.
To reach a private endpoint reliably you have two options:
- Hybrid connection. It makes outbound calls to Azure over port 443. Hybrid Connections provides access from your app to a TCP endpoint and does not enable a new way to access your app. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination.
- VNet integration and VPN gateway. With these methods, you can access the RabbitMQ service in a private network with a point-to-site or site-to-site VPN connection. VNet Integration is used only to make outbound calls from your app into your VNet. It doesn't grant inbound private access to your app from the VNet. In this case, if you want to use Private Endpoints for Azure Web App, then you need to either integrate with Azure DNS Private Zones or manage the private endpoint in the DNS server used by your app.
Functions
- Execution should not take more than 15 minutes.
- Storage Account is needed (Backup + Logs)
Function app - Only functions that need a trigger go in a Function app.
Plans
- App Service Plan - same as App Service
- Consumption - Serverless
- Functions Premium [VNet + unlimited execution duration]
In a Function app -> When we create a function it asks for a trigger. It creates 3 files:
- run.csx - the function's code
- readme - documentation
- function.json - properties (bindings)
Durable Functions Orchestration [functions can call each other] - What about work that needs more than 15 minutes? That is what Durable Functions are for.
Types [Azure will ask for the type]:
- Orchestrator
- Activity
- Entity - e.g. retrieving a record, letting the customer change it, saving the updated record - the output will not change
- Client -
A class is created with 3 functions: HttpStart (client) -> RunOrchestrator (orchestrator) -> [activity function]
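The HttpStart -> RunOrchestrator -> activity chain described above, written out as an added in-process C# example (not code from the wiki or the portal template). It assumes the Microsoft.Azure.WebJobs.Extensions.DurableTask package; the function names and the "SayHello" activity are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.DurableTask;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class LongRunningJob
{
    // Client function: an HTTP trigger that starts the orchestration and
    // immediately returns 202 with the status-query URLs, so the HTTP call
    // itself never runs into the function timeout.
    [FunctionName("HttpStart")]
    public static async Task<IActionResult> HttpStart(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = "jobs")] HttpRequest req,
        [DurableClient] IDurableOrchestrationClient starter,
        ILogger log)
    {
        string instanceId = await starter.StartNewAsync("RunOrchestrator", null);
        log.LogInformation("Started orchestration {InstanceId}", instanceId);
        return starter.CreateCheckStatusResponse(req, instanceId);
    }

    // Orchestrator: coordinates activities. It must be deterministic (no I/O,
    // no DateTime.Now, no random) because the runtime replays it from history.
    [FunctionName("RunOrchestrator")]
    public static async Task<List<string>> RunOrchestrator(
        [OrchestrationTrigger] IDurableOrchestrationContext context)
    {
        // Retry transient activity failures instead of failing the whole orchestration.
        var retry = new RetryOptions(firstRetryInterval: TimeSpan.FromSeconds(5), maxNumberOfAttempts: 3);

        // Fan-out/fan-in: each activity is its own short execution, so the
        // orchestration as a whole can run far longer than any single function.
        var cities = new[] { "Tokyo", "Seattle", "London" };
        var tasks = new List<Task<string>>();
        foreach (var city in cities)
            tasks.Add(context.CallActivityWithRetryAsync<string>("SayHello", retry, city));

        string[] results = await Task.WhenAll(tasks);
        return new List<string>(results);
    }

    // Activity: does the actual work (I/O is fine here).
    [FunctionName("SayHello")]
    public static string SayHello([ActivityTrigger] string name, ILogger log)
    {
        log.LogInformation("Saying hello to {Name}.", name);
        return $"Hello {name}!";
    }
}
```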
Storage Account
It can have
- Table
- File Share
- Queue
- Containers
Benefits of Containers
- most flexible
- We can store whatever we want
- Massively Scalable
- Highly Secured
- Highly Available (Always backed up)
BLOB - Binary large objects stored inside a container - files, media, disks
When we say we need a blob storage account, we are going to create a Container.
Region: We don't create a standalone storage account; we connect it to some other service such as a Function app or Logic Apps. Keep them in the same region so that performance is good.
Performance [for file sharing]:
- Premium for high transactions and low storage latency. File sharing is available over 2 protocols: SMB (Server Message Block, Windows) and NFS (Network File System, Linux).
Redundancy Options (protection against hardware failure, disaster, power failure):
Questions to ask when selecting a redundancy option: Do I need a secondary region to support me? Is the region I chose not a stable one?
- No -> 2 options: LRS & ZRS
  - LRS (Locally redundant storage) -> the cheapest one
  - ZRS (Zone redundant storage) -> high availability -> more expensive than LRS -> different data centres hold copies, replicated synchronously
- Yes -> 2 options: GRS & GZRS
  - GRS (Geo redundant storage) -> copied synchronously within one DC locally -> copied asynchronously to one DC in another region
  - GZRS (Geo-zone redundant storage) -> copied across different data centres locally -> copied asynchronously to another region
- 5th option: read access on the 2nd region -> trust that another copy is present
Encryption:
Everything is encrypted by default. We can let MS manage the key or we can provide our own key.
A default container is created: $logs -> records everything happening inside the storage account.
Public access levels for a container:
- Private -> only users registered in my Active Directory
- Blob -> anyone holding the URL/connection string gets read access to the blobs
- Container -> anyone can read the container settings and the blobs
Blob types while uploading
- Block [default] -> 190.7 PB -> saved as blocks for good scalability
- Append -> to add data to a blob -> no access tier -> can't be accessed directly
- Page -> 8 TB ->
Access Tiers:
- Hot -> the blob is frequently accessed -> less money for reads -> more money for storage
- Cool -> the blob is moderately accessed -> more money for reads -> less money for storage
- Archive -> very little money for storage -> very high cost for reads
Moving from Hot to Cool is the best option. Moving from Archive (a dusty library) back to Cool or Hot is not recommended: it goes through rehydration (copy to Hot), which takes hours.
Locking a file -> Acquire Lease
No one is allowed to modify/delete the file.
SAS
Account Key is for access at Storage account level and SAS is for access at container level
To have same policy for all the SAS -> We can create Access Policy
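An added C# example (not from the wiki) of the two SAS styles just described, using the Azure.Storage.Blobs SDK: a container SAS bound to a stored access policy, so it can be revoked centrally, beside a short-lived ad-hoc blob SAS. The account and container names are placeholders.

```csharp
using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public static class SasExamples
{
    // Stored access policy on the container: every SAS that references it by
    // name inherits its permissions and expiry, and deleting or shortening the
    // policy invalidates all of those tokens at once.
    public static void EnsureReadPolicy(BlobContainerClient container, string policyName)
    {
        var policy = new BlobSignedIdentifier
        {
            Id = policyName,
            AccessPolicy = new BlobAccessPolicy
            {
                PolicyStartsOn = DateTimeOffset.UtcNow.AddMinutes(-5), // clock skew margin
                PolicyExpiresOn = DateTimeOffset.UtcNow.AddDays(7),
                Permissions = "rl"                                      // read + list only
            }
        };
        container.SetAccessPolicy(permissions: new[] { policy });
    }

    // Container-level SAS tied to the stored policy: note that no permissions or
    // expiry are set on the builder itself, they come from the policy.
    public static Uri ContainerSasFromPolicy(string accountName, string accountKey,
                                             string containerName, string policyName)
    {
        var builder = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            Resource = "c",              // "c" = container, "b" = blob
            Identifier = policyName,
            Protocol = SasProtocol.Https // never hand out a SAS usable over plain HTTP
        };
        var cred = new StorageSharedKeyCredential(accountName, accountKey);
        var uri = new BlobUriBuilder(
            new Uri($"https://{accountName}.blob.core.windows.net/{containerName}"))
        {
            Sas = builder.ToSasQueryParameters(cred)
        };
        return uri.ToUri();
    }

    // Ad-hoc blob SAS: read-only, HTTPS only, 15-minute lifetime. Cannot be
    // revoked except by rotating the account key, so keep the expiry short.
    public static Uri AdHocBlobSas(BlobClient blob)
    {
        var builder = new BlobSasBuilder(BlobSasPermissions.Read, DateTimeOffset.UtcNow.AddMinutes(15))
        {
            BlobContainerName = blob.BlobContainerName,
            BlobName = blob.Name,
            Resource = "b",
            Protocol = SasProtocol.Https
        };
        // Requires a BlobClient constructed with a StorageSharedKeyCredential.
        return blob.GenerateSasUri(builder);
    }
}
```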
Eventing
- [Event Grid] Pub/Sub -> Consumer Subscribers
- [Event Hub]Event Streaming -> Producers start publishing the events without waiting for consumers.
- Event Grid System Topic -> events from only one particular Azure service
- Event Grid Custom Topic -> has its own endpoint -> anyone who can reach the endpoint can produce events
We can create Event Grid subscriptions [unlimited number of subscriptions], e.g. add a function as the handler. We can further filter the type of updates by adding filters.
Dead Lettering -> If an event could not be delivered, it is sent to a storage account. Retry policy -> either number of attempts or time to live -> if either is exceeded -> the event goes to the dead letter location.
Enable expiry -> adds an expiration time for the subscription.
Delivery Properties -> send headers to the handler (values can be stored encrypted).
Event Grid Domain - Management Tool
Event Hub namespace tiers:
- Basic - 1 hub per namespace
- Standard - recommended
- Premium - isolation + VNet
Throughput units vs Processing Units
- 1 throughput unit - 1 MB/sec ingress and 2 MB/sec egress, i.e. 4096 events
- 1 processing unit - 5-10 MB/sec ingress and 10-20 MB/sec egress, i.e. 4096 events
Create Event Hub
Partitions [up to 32] -> number of parallel consumers to support. Retention [number of days].
Capture -> periodically take all the events of the hub and save them to a storage account or Data Lake.
How to send messages -> Shared Access Policies -> add a key with Manage/Send/Listen rights [Manage = Send + Listen]
Service Bus - different from Event Hub and Event Grid
2-way communication: the receiver can reply to messages.
It is a message broker, i.e. it mediates communication between sender and receiver.
Two ways
- Queue - FIFO - timestamped
- Topic - like a box - receivers need to subscribe to a topic - sends a message to more than 1 subscriber
Create Namespace
Name, Region
Pricing Tier
- Basic - only queues, no topics
- Standard - variable throughput. Topics are available. No isolation. Fewer messages than Premium.
- Premium - very high message volume. VNet. Isolated.
Create queue
- Name
- Max Queue Size - 2 GB - total size of messages in the queue
- Max Delivery Count - 10 messages in the queue - What if I send 15 messages? 5 will move to the Dead Letter Queue
- Message TTL - 14 days - What happens after 14 days? Moved to the Dead Letter Queue
- Lock Duration - 30 seconds - while locked, no one else is allowed to read the message from the queue
- Dead Letter Queue required?
- Auto-delete? - delete the messages instead of moving them to the dead letter queue
- Expiration on the dead letter queue - same idea as Message TTL - default is forever
- Enable partitioning?
- Forward to queue/topic
To connect -> Go to Access Policy -> Create a SAS To see messages -> Service Bus Explorer
Create Topic - +Topic
To send message I need endpoint -> To get this we can create a shared Access Signature
To get messages from Topic we need to create a new subscription
Create Subscription -> We can add Filters -> Every Subscription has its own dead-lettering. To connect -> Go to Shared Access Signature
Storage Accounts - Queues - for storing messages.
As a consumer there is an option to just peek at a message without deleting it, whereas a Service Bus message is deleted once it is read (completed).
How to connect? Same way -> Shared Access Signature
When to use:
- Service Bus -> WhatsApp, Insta DMs -> don't store the message
- Storage Account Queues -> store a large number of messages -> messages are not removed when read
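An added C# example (not from the wiki) showing how the queue settings above play out in code with the Azure.Messaging.ServiceBus SDK: PeekLock receive, complete on success, explicit dead-lettering of a poison message, abandon on transient failure, and draining the dead-letter subqueue. The queue name and the order format are illustrative.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Messaging.ServiceBus;

public static class OrderQueueConsumer
{
    // PeekLock (the default): the message stays locked for the queue's Lock Duration
    // and is only removed once we Complete it. If the lock expires, DeliveryCount
    // increments and the message becomes visible again until Max Delivery Count.
    public static async Task ProcessOnceAsync(ServiceBusClient client, string queueName)
    {
        await using ServiceBusReceiver receiver = client.CreateReceiver(queueName,
            new ServiceBusReceiverOptions { ReceiveMode = ServiceBusReceiveMode.PeekLock });

        ServiceBusReceivedMessage msg = await receiver.ReceiveMessageAsync(TimeSpan.FromSeconds(10));
        if (msg == null) return; // queue empty within the wait window

        try
        {
            HandleOrder(msg.Body.ToString());
            await receiver.CompleteMessageAsync(msg);      // delete from the queue
        }
        catch (FormatException ex)
        {
            // Poison message: retrying cannot help, so dead-letter it now with a
            // reason instead of letting it bounce Max Delivery Count times.
            await receiver.DeadLetterMessageAsync(msg, "MalformedOrder", ex.Message);
        }
        catch (Exception)
        {
            // Transient failure: release the lock so this or another receiver retries.
            await receiver.AbandonMessageAsync(msg);
            throw;
        }
    }

    // The dead-letter queue is a subqueue of the same entity; drain it for inspection.
    public static async Task InspectDeadLettersAsync(ServiceBusClient client, string queueName)
    {
        await using ServiceBusReceiver dlq = client.CreateReceiver(queueName,
            new ServiceBusReceiverOptions { SubQueue = SubQueue.DeadLetter });

        var batch = await dlq.ReceiveMessagesAsync(maxMessages: 10, maxWaitTime: TimeSpan.FromSeconds(5));
        foreach (ServiceBusReceivedMessage dead in batch)
        {
            Console.WriteLine($"{dead.MessageId}: {dead.DeadLetterReason} - " +
                              $"{dead.DeadLetterErrorDescription} (delivered {dead.DeliveryCount}x)");
            await dlq.CompleteMessageAsync(dead); // remove from the DLQ after logging
        }
    }

    // Constructed message format: "orderId,quantity". Anything else is a poison message.
    private static void HandleOrder(string body)
    {
        string[] parts = body.Split(',');
        if (parts.Length != 2 || !int.TryParse(parts[1], out int qty) || qty <= 0)
            throw new FormatException($"Bad order body: '{body}'");
        Console.WriteLine($"Order {parts[0]} for {qty} item(s) processed.");
    }
}
```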
Cosmos DB
NoSQL, multi-model DB
It supports following APIs
- Gremlin
- SQL
- Cassandra -> Supports Drivers
- Mongo -> Supports Drivers
- Azure Tables -> Moving table of Storage Account -> Advantage of OLTP Scenarios -> Can't write SQL
We don't just create a DB. We create an Account, and it can have multiple databases. All DBs share the same settings as the Account.
Instead of creating tables we create containers, each backed by physical partitions. It scales elastically; there is no limit on the number of physical partitions. No joins are possible between containers.
Inside a container all data items are called items. Items are organised in logical partitions. The logical partition an item lands in is determined by the partition key (not the primary key). There is a limit on a logical partition: 1 logical partition may hold only 20 GB of records.
Can we add a unique key within a logical partition? Yes.
Inside Cosmos Container
Items -> every item has an id, not necessarily the primary key. Cosmos adds system properties:
- _rid - the primary key Cosmos creates
- _self - full location information
- _attachments
- _etag - indexing information
- _ts
Trigger -> We can integrate Azure Functions
select * from c
Here c is an alias for the container.
How are request units calculated? By how much work the DB does to locate and return the item. To optimise, change the indexing policy settings.
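An added C# example (not from the wiki) using the Microsoft.Azure.Cosmos SDK: a point read by id + partition key, and a parameterised query scoped to one logical partition, each returning the RU charge reported by the service so the cost difference can be measured. The Order shape and customerId partition key are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;

// Assumed item shape; the container's partition key path is /customerId.
public class Order
{
    public string id { get; set; }
    public string customerId { get; set; }
    public decimal total { get; set; }
}

public static class OrderQueries
{
    // Point read: id + partition key locate the item directly, which is the
    // cheapest operation Cosmos offers (about 1 RU for a 1 KB item).
    public static async Task<(Order item, double ru)> PointReadAsync(
        Container container, string id, string customerId)
    {
        ItemResponse<Order> r = await container.ReadItemAsync<Order>(id, new PartitionKey(customerId));
        return (r.Resource, r.RequestCharge);
    }

    // In-partition query. The value is passed as a parameter (never concatenated
    // into the SQL text) and the request is pinned to one logical partition, so
    // only that partition's index is consulted instead of fanning out to all.
    public static async Task<(decimal sum, double ru)> TotalForCustomerAsync(
        Container container, string customerId)
    {
        var query = new QueryDefinition(
                "SELECT VALUE SUM(c.total) FROM c WHERE c.customerId = @cust")
            .WithParameter("@cust", customerId);

        var options = new QueryRequestOptions { PartitionKey = new PartitionKey(customerId) };

        decimal sum = 0;
        double charge = 0;
        using FeedIterator<decimal> it = container.GetItemQueryIterator<decimal>(query, requestOptions: options);
        while (it.HasMoreResults)
        {
            FeedResponse<decimal> page = await it.ReadNextAsync();
            charge += page.RequestCharge;          // RU cost is reported per page
            foreach (decimal v in page) sum += v;
        }
        Console.WriteLine($"customer={customerId} total={sum} RU={charge}");
        return (sum, charge);
    }
}
```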
Geo redundancy
Go to Backup and Restore -> select the regions for reads on the globe -> the order of recovery is decided by the order in which we selected them.
How to choose a region? Replicate Data Globally.
How does data reach the other regions? Consistency Levels:
- Strong - no delay [high latency]
- Bounded Staleness - after a fixed delay - we can bound the delay either by time or by number of operations. Default is 50 s or 100 operations.
- Session -
- Consistent Prefix - there is a delay even in the primary region, but order is preserved.
- Eventual - it doesn't care about order; okay to have a delay.
To export data from Cosmos DB ? - Data Factory.
Virtual Machine
Ready on demand, scalable - the team decides on an environment.
We use a VM when we want control of the virtual machine and a constant environment across the developers.
Name - 15 characters for Windows, 64 characters for Linux. Region. Availability Options - SLA %. Do I specify the number of VMs? Yes.
- Availability Set - 99.95%
- Availability Zone - 99.99% - additional protection from natural disasters.
Availability Sets
- Fault Domains - racks of servers hosting your VMs. Your VMs are spread over another fault domain in the same network, giving protection from accidental hardware failure.
- Update Domains - to update machines without all of them going down. When does an update happen? MS will not update automatically; this is used for OS updates.
Availability Zones
Virtual Machine Scale Set
VMs across zones with a Load Balancer in front of them.
Security Type -
Standard -
Trusted Launch -
Confidential VM -
Image (We can attach our own image)
The URN is the full name of an image. It is made of these parts:
- Publisher - name of the organisation that offers the image
- Offer - the product the publisher offers
- SKU (instance of the offer)
- Version
```shell
# List publishers in a location
az vm image list-publishers --location eastus
# To get the offers of Microsoft
az vm image list-offers --location eastus --publisher MicrosoftWindowsServer
# To get SKUs
az vm image list-skus --location eastus --publisher MicrosoftWindowsServer --offer WindowsServer
# To get the list of all versions of the image - this gives the URN
az vm image list --all --location eastus --publisher MicrosoftWindowsServer --offer WindowsServer --sku 2022-Datacenter
```
Size -
- D and B family - general purpose - good CPU performance, but not consistent CPU
- E family - memory optimised
- F family - compute optimised
- L family - high throughput, low latency - storage
Azure Spot Discount
If we want to pay for the capacity we actually use.
What happens to the unused part?
- Capacity - only pay for what you use. The unused capacity gets allocated to another VM. If our machine needs more capacity it gets evicted.
- Price/Capacity - if our machine needs more capacity or exceeds the price cap it gets evicted.
Inbound Ports
Disks
Disks are always encrypted. MS provides the key, or we can use our own key, or both. Types -
- Managed Disks - MS manages them, e.g. RBAC authorisation.
- Unmanaged
Disk Type -
- Premium SSD
- Standard SSD
- HDD
Delete the disk when VM is deleted?
- Yes
- No
Attach the disk -
- Snapshot
- Storage Blob - has to be of page type
- Create a new disk
Performance Diagnostics
We can send the logs of the VM to a storage account. Go to Performance Diagnostics -> PerfInsights - a visual view of the performance diagnostics of the VM.
To create a similar VM Machine
Go to VM -> Automation -> Export Template -> copy or download the template. We can see the summary in Resource Visualiser. Template -> Custom Deploy Templates -> run the template.
Docker Containers
A container is built from an image, kind of like a standard package. It contains the software, i.e. a bundle of libraries, dependencies, configuration, system files, etc. needed to run your application.
Why are containers better than VMs?
I don't need to create a disk. I don't need to specify a kernel. It is a lightweight package of infrastructure: it contains the software plus my code.
- Agility -> If someone uses the same container as mine then we don't need to worry. It is stable and consistent.
- Portable -> Across multiple developers everything will work the same.
Docker containers are the most widely used type of container.
Container Registries
It is used to store container images. A Container Registry is like a big box. Images are not stored directly in the box; they are added to repositories. Each repo holds the versions of the same image.
Create Registry
Name of the outer box that contains the repositories.
- Basic -> we can store only 1 image with its versions.
- Standard -> Basic + the ability to add as many repositories as we want.
- Premium -> Standard + redundancy, so we can add availability zones + isolation + virtual networks.
By default the admin user is not enabled.
After enabling admin access -> we can run an instance -> create a Container Instance (we can run a container without creating a VM; it creates a small hosting instance).
Microsoft Identity Platform
Active Directory cannot handle other identities such as Facebook or Gmail accounts.
It has 2 gates:
- Authentication/Authorisation -
- OAuth -
6 authentication flows
Can I use MIP in our code? Yes, using MSAL, i.e. the Microsoft Authentication Library. We can restrict sign-in to our company or allow other auth providers like Facebook. It has logging as well.
How can we integrate with the MS Office 365 auth API? MS Graph.
Microsoft Graph
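An added C# example (not from the wiki) of the MSAL + Graph combination above: a confidential client acquires an app-only token with the client-credentials flow, restricted to a single tenant, and calls the Graph users endpoint. The tenant, client id and secret are placeholders supplied by the caller.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphWithMsal
{
    // Confidential client (daemon or web API). The ".default" scope asks for
    // whatever application permissions an admin has consented to for this app
    // registration, e.g. User.Read.All; MSAL caches and renews the token.
    public static async Task<string> GetAppOnlyGraphTokenAsync(
        string tenantId, string clientId, string clientSecret)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            // Tenant-specific authority: only accounts from "our company" can be used,
            // unlike the "common" authority which accepts any Azure AD tenant.
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }

    // Bearer-token call to Microsoft Graph; ask only for the fields needed.
    public static async Task<string> ListUsersAsync(string accessToken)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using HttpResponseMessage resp = await http.GetAsync(
            "https://graph.microsoft.com/v1.0/users?$select=displayName,mail&$top=5");
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync(); // JSON page of users
    }
}
```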
Key Vault
- Standard
- Premium - HSM + Vnet + Isolation
Delete Policy [we can't change it later] - with or without Purge Protection
Keys are not masked, only encrypted. Secrets are masked and encrypted.
How to allow an application to access Key Vault? 2 ways -
- Service Principal for the application - it is registered in Active Directory (then we need to rotate its passwords).
- Managed Identity - creating an identity for your service.
2 types of MS identity (We can switch later)
- System assigned - the identity lives and dies with the web application. Kind of like a government assigning an id to a person.
- User assigned - create a Managed Identity and then attach it under Identity -> User assigned. It does not share its lifecycle with the service.
If the workload is spread across several services, user assigned is recommended.
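An added C# example (not from the wiki) contrasting the two ways above of letting an app into Key Vault with the Azure.Identity and Azure.Security.KeyVault.Secrets SDKs: a service principal with a client secret that must be rotated, versus a managed identity (system or user assigned) with no secret in configuration. Vault name, secret name and ids are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class VaultAccess
{
    // Way 1: service principal. Works anywhere, but the client secret itself is a
    // credential the app has to store somewhere and rotate before it expires.
    public static SecretClient WithServicePrincipal(string vaultName,
        string tenantId, string clientId, string clientSecret)
    {
        TokenCredential cred = new ClientSecretCredential(tenantId, clientId, clientSecret);
        return new SecretClient(new Uri($"https://{vaultName}.vault.azure.net/"), cred);
    }

    // Way 2: managed identity. DefaultAzureCredential tries environment variables,
    // then the managed identity endpoint, then developer logins (Visual Studio,
    // Azure CLI), so the same code runs locally and in App Service with no secret.
    public static SecretClient WithManagedIdentity(string vaultName, string userAssignedClientId = null)
    {
        var options = new DefaultAzureCredentialOptions();
        if (userAssignedClientId != null)
        {
            // A system-assigned identity needs no hint; a user-assigned one must be
            // selected explicitly when several identities are attached to the resource.
            options.ManagedIdentityClientId = userAssignedClientId;
        }
        TokenCredential cred = new DefaultAzureCredential(options);
        return new SecretClient(new Uri($"https://{vaultName}.vault.azure.net/"), cred);
    }

    // Read a secret; the identity needs the "Get" secret permission (access policy)
    // or the Key Vault Secrets User role (RBAC) on the vault.
    public static async Task<string> GetConnectionStringAsync(SecretClient client)
    {
        KeyVaultSecret secret = await client.GetSecretAsync("SqlConnectionString");
        return secret.Value;
    }
}
```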
API Management Service
To manage our APIs. Acts like a front gate: it controls what requests come in and what responses go out.
Organisation Name - add an email address - acts as the administrator contact in case something goes wrong.
Pricing Tier -
- Developer -
- Basic - 1 DB with 3 copies - only 1 API with all Verbs
- Standard - Basic + As many APIs as we want
- Premium - Vnet + Isolation - High Transactions
- Consumption - Vnet + Isolation + For Prod - Operations are easy
We can control the incoming request - use Inbound Policies.
Policies are written in XML.
We can add policies between the front end and the back end.
What about the response the API gives? Outbound Policies.
How to use API Management?
Go to App Service -> API -> select the API Management Service that was created.
To give access to the APIs -> we can add a subscription and add everyone's email so they can log in from the landing page. To give access to only one API -> in the Subscription select API instead of APIs.
To group APIs for access control -> add a Product and add the 3 APIs to the group; now we can give access to the group. In the Subscription select Product.
Cache and CDN
To improve performance.
What does MS offer for cache? Redis (an open source software) - used outside the cloud as a DB, message broker and cache.
We can create Azure Cache for Redis - an in-memory datastore + low latency + high throughput.
2 types of cache -
- Node - where we add data as key/value pairs
- Cluster - replicas
2 ways of creating a cache
Azure Cache for Redis
DNS name Region Pricing
- Basic - c0 to c6 - size of the cache and how many connections can be made. You get a node and no cluster. For dev and test. No SLA and no backup. We can change between c0 and c6 but not from Basic to Standard.
- Standard - for production environments. Normal workloads.
- Premium - 5 levels - Standard + VNet and isolation. Best performance. Enhancements in DR and security. We can take snapshots.
To enable the full Redis software -
- Enterprise - 3 levels - benefits of the cache + the full Redis software - powered by Redis Labs - full capacity of Redis. Offers the highest availability.
- Enterprise Flash - 3 levels - not a normal cache: non-volatile memory storage - cheaper than Dynamic Random Access Memory. We can use it from the VM.
Attaching a DB to Redis Database
Azure CDN
To get content as if the server were near me. Using POPs (points of presence): the location is resolved via DNS and a location near the user is chosen. All copies of static content, e.g. videos and CSS, are near the user.
What about dynamic content? We can ask the CDN to accelerate the delivery of dynamic content without caching it. MS can route it efficiently as it knows your address; it has a dedicated network (provided by the CDN provider) for CDN users. The CDN will also check for updates to the static content.
How to use a CDN?
- Create a CDN
- Choose a provider - Akamai, MS
- Move all the static content to the CDN and add the URL of the application for dynamic acceleration.
Comparing Offerings -
By default CDN providers are not added.
- Front Door
- CDN Standard
- Premium - media streaming is lower
- Akamai - network is distributed around the world (most recommended)
Exam tips
How to create service?
- How to connect? Endpoints, connection strings, key-vault - service principal and access policy.
- MSAL Library
- AAD does not have a library.
Website - examtopics