- Management – Azure Cloud Shell
Azure Cloud Shell
- Browser-accessible shell for managing Azure resources
- Can provide Bash or PowerShell
- In the background it runs in a container image that provides PowerShell / bash
- When you open it for the first time:
- It creates a resource group and a new storage account with an auto-generated name (fixed prefix followed by random digits).
- It then creates a file share that holds your persistent home directory (mounted as clouddrive) and user settings.
- ! Treat that storage account as sensitive: the share contains your shell history, SSH keys and cached CLI credentials, so restrict who can read it.
- Management – Resources & Costs
Subscriptions
Resource tagging
- ! Always tag!
- Tags are additional metadata that can be assigned to resources/resource groups.
- ! Child resources do not inherit resource group tags
- ! Max 15 tag name/value pairs per resource (limit at the time of these notes; Azure later raised it to 50)
- E.g. CostCenter = YHZ
- Why?
- Organize
- Search
- View
- Billing & cost management
- In the Portal
- You can search for Tags and see filtered lists.
- ! In the Portal, tags are applied after the resource is created, whereas PowerShell/CLI can tag a resource at creation time.
Resource Tagging and Cost Center Spending Limits
Spending Limits
- Applies to free trial, MSDN / Visual Studio and similar credit-based subscriptions.
- If the spending limit is exceeded:
- An e-mail message is sent
- Deployed resources are disabled (VMs deallocated) for the remainder of the billing period and re-enabled in the next one
- Databases and storage accounts become read-only
- Free trials can be upgraded to Pay-as-you-go (which removes the limit)
- Does not apply to support plans, pay-as-you-go, Enterprise Dev/Test
ARM Consumption API
- Returns usage details
- ! Supported only in Enterprise enrollments and Web Direct subscriptions
- Available through CLI and different SDKs.
- Consumption APIs
- Enterprise customers only: Price Sheet, Budgets, Balance
- Reserved VMs: Reservation Summaries API, Reservation Details API, Reservation Recommendations API
- Others: Marketplace charges, usage details
Azure Pricing Calculator
- Estimates monthly costs
- See online
Azure Advisor Cost Recommendations
- Identifies wastage
- E.g. idle VMs, SQL DBs.
- The usual fix for idle VMs is automatic shutdown
- Auto-shutdown option in the VM blade.
- Recommendations about:
- High availability
- Security
- Performance
- Cost recommendations, e.g.:
- Virtual machine reserved instances to reduce costs.
- VM resizing: scale up/down
- Delete ExpressRoute circuits that are still in the "Not Provisioned" state.
- Configure rule:
- E.g. flag a VM when average CPU utilization < 5%
Subscription blade
- In Cost analysis you can filter by Tags.
- Invoices
- Manage in Subscription blade
- Manage payment methods
- ! Adding a payment method lets you remove the spending limit.
- Download usage details
- Transfer/cancel subscription
- Set up billing alerts
- E.g. e-mail if the billing total reaches $150
Optimizing VM costs
- ! Use VM Reserved Instances
- You can create one in the Reservations blade
- ! Set up auto-shutdown in VMs
- Auto-shutdown blade in the VM.
Microsoft Azure Resource Providers
- Enables Azure features.
- Many are registered automatically
- E.g. Microsoft.Compute (handles VMs), Microsoft.Network, Microsoft.Sql, Microsoft.Storage
- Some are not registered automatically
- E.g. Microsoft.PolicyInsights, Microsoft.AzureActiveDirectory, Microsoft.AzureStack, Microsoft.BotService
- Custom providers can be registered with the subscription.
- Registering requires the Contributor or Owner role (the */register/action operation).
- In most cases providers are registered automatically when you deploy a resource that uses them.
- You can register, unregister and re-register through Subscription → Resource providers in the Portal
- Management – Resource Groups
Resource groups
- Logical grouping of resources that share the same lifecycle.
- Each resource belongs to exactly one resource group.
- Resource groups can contain resources that reside in different regions.
- The location of the resource group is just metadata about the resource group.
Tags
- Categorization/ organization of resource groups for e.g. billing, management
- E.g. Dept: IT
- ! Tags are not inherited by the resources in the group
- ! Max 15 tag name/value pairs (limit at the time of these notes; later raised to 50).
Locks
- Protect against accidental deletion or accidental changes to resources within a resource group (or at subscription / resource scope).
- Two lock levels:
- CanNotDelete
- Authorized users can still read and modify a resource, but they can't delete it.
- ReadOnly
- Authorized users can read a resource, but they can't delete or update it.
- Similar to restricting all authorized users to the permissions of the Reader role.
- ! ReadOnly also blocks operations that look like reads but are POST requests, e.g. listing storage account keys.
- ! Locks act on the control plane only: a CanNotDelete lock on a storage account does not stop data inside it from being deleted.
- Locks applied at a scope are inherited by all resources beneath it, including ones created later; the most restrictive lock wins.
- ! Creating or removing a lock needs Microsoft.Authorization/locks/* (Owner or User Access Administrator), so a Contributor cannot simply remove the lock and delete.
IAM
- Access control (RBAC)
- Role assignments are inherited by child scopes
- Role assignment = role definition (e.g. Reader) + security principal (user, group, service principal, managed identity) + scope
Policies
- Azure Policy: definitions assigned at a scope that evaluate resources for compliance and can deny non-compliant deployments; existing resources that violate a policy are reported as non-compliant, not removed.
- Allow you to stay compliant with corporate standards and SLAs.
- An assignment is set at a scope with a name and a definition.
- Scope: e.g. resource group, subscription (or management group).
- Definition: e.g. "Allowed resource types"; consists of name, description, policy rule (e.g. azurepolicy.rules.json) and parameters (e.g. azurepolicy.parameters.json)
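The rule/parameter structure above is easier to reason about with a small evaluator. The following is an added example written for these notes, not Azure's policy engine or any Microsoft code: it implements the `if`/`then` shape of a policy rule (field, equals, in, exists, not, allOf, anyOf and `[parameters('...')]` references) and runs three constructed definitions shaped like the built-in "Allowed locations", "Allowed resource types" and "Require a tag" policies against constructed resources. Resource names, parameter values and the tag name CostCenter are assumptions; the untagged storage account is there to show why resource-group tags not being inherited matters.

```python
"""Mini evaluator for the Azure Policy rule format (policy rule + parameters).
Added example, not Azure's engine: implements the `if`/`then` rule shape with
field / equals / in / exists, not / allOf / anyOf and "[parameters('x')]"
references, enough to see why a definition fires on a resource before assigning it."""
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_FIELD = re.compile(r"^tags(?:\['([^']+)'\]|\.([\w-]+))$")

def resolve(value, params):
    """Substitute a "[parameters('x')]" reference with the assignment's value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value

def norm(value):
    """Azure Policy compares strings case-insensitively."""
    return value.lower() if isinstance(value, str) else value

def field_value(resource, field):
    """Resolve 'type'/'location'/'name' or tags['Key'] / tags.Key (tag keys case-insensitive)."""
    m = TAG_FIELD.match(field)
    if m:
        key = (m.group(1) or m.group(2)).lower()
        tags = resource.get("tags") or {}
        return next((v for k, v in tags.items() if k.lower() == key), None)
    return resource.get(field)

def condition_holds(cond, resource, params):
    """Evaluate one condition block of a policy rule against a resource dict."""
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return norm(actual) == norm(resolve(cond["equals"], params))
    if "in" in cond:
        return norm(actual) in {norm(v) for v in resolve(cond["in"], params)}
    if "exists" in cond:
        want = str(resolve(cond["exists"], params)).lower() == "true"
        return (actual is not None) == want
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(definition, params, resource):
    """The definition's effect ('deny', 'audit', ...) if its rule matches, else None."""
    rule = definition["policyRule"]
    return rule["then"]["effect"] if condition_holds(rule["if"], resource, params) else None

def evaluate_assignments(assignments, resource):
    """Map each assigned definition name to the effect it produces for this resource."""
    effects = ((d["name"], effect_for(d, p, resource)) for d, p in assignments)
    return {name: eff for name, eff in effects if eff}

# Constructed definitions shaped like the built-in "Allowed locations",
# "Allowed resource types" and "Require a tag on resources" policies.
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('listOfAllowedLocations')]"}},
        "then": {"effect": "deny"}}}
ALLOWED_TYPES = {
    "name": "allowed-resource-types",
    "parameters": {"listOfResourceTypesAllowed": {"type": "Array"}},
    "policyRule": {
        "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
        "then": {"effect": "deny"}}}
REQUIRE_COSTCENTER_TAG = {
    "name": "require-costcenter-tag", "parameters": {},
    "policyRule": {"if": {"field": "tags['CostCenter']", "exists": "false"},
                   "then": {"effect": "deny"}}}

# Hypothetical assignment set for one resource group (parameter values assumed).
ASSIGNMENTS = [
    (ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["westeurope", "northeurope"]}),
    (ALLOWED_TYPES, {"listOfResourceTypesAllowed": [
        "Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts"]}),
    (REQUIRE_COSTCENTER_TAG, {}),
]

# Constructed resources. sa01 is untagged (tags are not inherited from the
# resource group) and sits outside the allowed regions; db01 is a disallowed type.
COMPLIANT_VM = {"name": "vm01", "type": "Microsoft.Compute/virtualMachines",
                "location": "WestEurope", "tags": {"costcenter": "YHZ"}}
DRIFTED_SA = {"name": "sa01", "type": "Microsoft.Storage/storageAccounts",
              "location": "eastus", "tags": {}}
ROGUE_DB = {"name": "db01", "type": "Microsoft.Sql/servers",
            "location": "westeurope", "tags": {"CostCenter": "YHZ"}}

if __name__ == "__main__":
    for r in (COMPLIANT_VM, DRIFTED_SA, ROGUE_DB):
        print(r["name"], evaluate_assignments(ASSIGNMENTS, r) or "compliant")
```

Real definitions also carry `mode`, `displayName`, provider-specific field aliases and effects such as `audit`, `append` or `deployIfNotExists`; this evaluator covers only top-level fields and tags, which is enough to check a rule's logic before assigning it at a scope.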
Events
- Create event subscriptions triggered by the resources group in Event Grid.
Automation Script
- Exports the resource group as an ARM template; can be added to the library to be redeployed later on.
- ! Not all resource types can be exported/redeployed.
- ! Change the names to avoid duplicates.
- ARM templates for resource groups can also be found on GitHub (azure-quickstart-templates).
- You can Add to library, or click on Deploy to deploy directly.
Moving Resources
- You can move resources to another resource group or subscription (the target subscription must be in the same tenant).
- ! Not all resource types can be moved; the source and destination resource groups are locked for the duration of the move.
- Ways of moving
- Using CLI: az resource move --destination-group new-rg --ids <resource-id>
- In portal: Overview → Move
Alerts
- Target: What resource and where
- Criteria: What specific action
- Details: Who, when, where, how
- Action Group: Who to inform and how to inform them
Metrics
- Resource group: Where to look at the metric
- Resource type: The type of resource to look at
- Available metrics: What specifics about the metrics
- Chart: Graphic display of the metric
- Governance – Roles
Roles
Role assignments
- Delegated resource administration
- Roles organize related resource permissions together
- Depends on resource type
- E.g. different for VM and storage.
- Scope
- Roles are applied to a scope.
- They’re inherited in following order:
- Management groups
- Subscription
- Resource groups
- Individual resources
- Role can be assigned to:
- Users
- Groups
- Service principal
- Application
- System Assigned Managed Identity: App Service, Function App, Virtual Machine, Virtual Machine Scale Set
- User Assigned Managed Identity
Role types
Built-in roles
- 60+
- Common roles:
- Owner: Manage resources and resource access
- Contributor: Manage resources but not resource access.
- Reader: Read-only access
- Storage Blob Data Reader: Specific to storage accounts
- SQL DB Contributor: Manage, but not access, SQL databases
- VM Contributor: Manage, but not access, virtual machines.
Custom roles
- ! Built using only PowerShell / CLI or REST API (the Portal gained custom-role support later).
- New-AzureRmRoleDefinition -Role $customRole (Az module: New-AzRoleDefinition)
- Show in the same drop-down lists as built-in roles
- ! Least privilege: keep Actions narrow and AssignableScopes tight; an Actions entry that covers Microsoft.Authorization/roleAssignments/write lets the holder grant themselves Owner.
- The JSON file looks like this:
{
  "Name": "Network Resource Viewer",
  "IsCustom": true,
  "Description": "Allows reading Azure network resources.",
  "Actions": [ "Microsoft.Network/*/read" ],
  "NotActions": [ ],
  "AssignableScopes": [ "/subscriptions/048.." ]
}
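The inheritance order, the built-in role shapes and the custom-role JSON above come together in how an access check is resolved. The following is an added example for these notes, not Azure's authorization service or Microsoft code: it models assignments as (principal, role, scope), walks the management group → subscription → resource group → resource chain, applies Actions with wildcard matching and NotActions as a subtraction within the same role only, and lints a custom role definition for operations that would let the holder widen their own access. The hierarchy, the subscription ID 0000-sub-a, the principals and the assignments are constructed; the role definitions mirror the built-in Owner, Reader and Contributor (Contributor's NotActions are the ones that block role-assignment writes) and the Network Resource Viewer role from the notes.

```python
"""Azure RBAC resolution as the notes describe it: an assignment is (principal, role,
scope); assignments inherit down management group -> subscription -> resource group ->
resource; a role's Actions grant operations, its NotActions subtract only within that
role; '*' in an action string is a wildcard. Added example with constructed data, not
Azure's authorization service."""
import re

MG = "/providers/Microsoft.Management/managementGroups/"
# Constructed hierarchy (assumption): subscription -> parent management group -> root.
SUB_PARENT = {"/subscriptions/0000-sub-a": MG + "prod"}
MG_PARENT = {MG + "prod": MG + "tenant-root", MG + "tenant-root": None}
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+)(?P<res>/providers/.+)?)?$",
    re.IGNORECASE)

def scope_chain(scope):
    """The scope and every scope above it, most specific first, lower-cased."""
    chain, mg = [], None
    if scope.startswith(MG):
        mg = scope
    else:
        m = SCOPE_RE.match(scope)
        if not m:
            raise ValueError(f"not an ARM scope: {scope}")
        sub = "/subscriptions/" + m["sub"]
        if m["res"]:
            chain.append(scope)
        if m["rg"]:
            chain.append(f"{sub}/resourceGroups/{m['rg']}")
        chain.append(sub)
        mg = next((p for s, p in SUB_PARENT.items() if s.lower() == sub.lower()), None)
    while mg:
        chain.append(mg)
        mg = MG_PARENT.get(mg)
    return [s.lower() for s in chain]

def action_matches(pattern, action):
    """Action strings match case-insensitively; '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_grants(role, action):
    """A role grants an action if an Actions entry matches and no NotActions entry does."""
    return (any(action_matches(p, action) for p in role["Actions"])
            and not any(action_matches(p, action) for p in role.get("NotActions", [])))

def is_allowed(principal, action, scope, assignments, roles):
    """True if any assignment of `principal` at `scope` or an ancestor grants `action`.
    NotActions never deny across roles: another role can still grant the action."""
    chain = scope_chain(scope)
    return any(a["principal"] == principal and a["scope"].lower() in chain
               and role_grants(roles[a["role"]], action) for a in assignments)

# Control-plane operations that let a holder widen their own access.
ESCALATION_ACTIONS = ["Microsoft.Authorization/roleAssignments/write",
                      "Microsoft.Authorization/roleDefinitions/write",
                      "Microsoft.Authorization/elevateAccess/action"]

def lint_custom_role(role):
    """Findings for a custom role whose effective actions reach role management,
    or whose AssignableScopes include the tenant root '/'."""
    findings = [f"grants {a}" for a in ESCALATION_ACTIONS if role_grants(role, a)]
    if "/" in role.get("AssignableScopes", []):
        findings.append("assignable at tenant root scope '/'")
    return findings

# Role definitions shaped like the built-in Owner/Reader/Contributor (Contributor's
# NotActions are the ones that block role-assignment writes) plus the custom
# Network Resource Viewer from the notes, with an assumed subscription ID.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Network Resource Viewer": {"IsCustom": True, "Actions": ["Microsoft.Network/*/read"],
                                "NotActions": [], "AssignableScopes": ["/subscriptions/0000-sub-a"]},
}
SUB = "/subscriptions/0000-sub-a"
RG_NET = SUB + "/resourceGroups/rg-net"
RG_OTHER = SUB + "/resourceGroups/rg-other"
VM = RG_NET + "/providers/Microsoft.Compute/virtualMachines/vm01"
ASSIGNMENTS = [  # constructed
    {"principal": "alice", "role": "Reader", "scope": MG + "prod"},
    {"principal": "alice", "role": "Network Resource Viewer", "scope": SUB},
    {"principal": "bob", "role": "Contributor", "scope": RG_NET},
]

if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/read", VM, ASSIGNMENTS, ROLES))
    print(is_allowed("bob", "Microsoft.Authorization/roleAssignments/write", RG_NET, ASSIGNMENTS, ROLES))
    print(lint_custom_role({"Actions": ["Microsoft.Authorization/*"], "AssignableScopes": ["/"]}))
```

Two properties worth remembering from this: NotActions in one role never override an action granted by another role assigned to the same principal, so an actual deny needs a deny assignment or a policy; and lint_custom_role flags a role whose effective actions reach Microsoft.Authorization writes, because its holder can assign themselves Owner at the assignable scopes.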
Classic Administrator Roles
- The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator.
- Roles are properties that can be changed in the Subscription blade
- ! Azure recommends using RBAC roles (the classic Service Administrator and Co-Administrator roles have since been retired in favour of RBAC)
- Account Administrator (1 per Azure account)
- Conceptually, the billing owner of the subscription.
- The Account Administrator has no access to the Azure portal.
- Service Administrator (1 per Azure subscription)
- By default, for a new subscription, the Account Administrator is also the Service Administrator.
- The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.
- The Service Administrator has full access to the Azure portal.
- Co-Administrator (200 per subscription)
- The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.