AZ-900 Flashcards — Free Microsoft Azure Fundamentals AZ-900 Study Cards

Elasticity

Elasticity is the ability of a cloud service to automatically scale resources up or down based on demand. This allows the startup to handle traffic spikes without manual intervention.

Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is designed for containerized microservices, allowing independent scaling and deployment of each service. Azure Functions is for serverless event-driven code, and App Service is for web apps but not optimal for microservices orchestration.

Azure Policy

Azure Policy allows you to create, assign, and manage policies that enforce rules for resources. It can be applied at the management group level to affect multiple subscriptions and provides compliance reporting.

Azure Functions in Premium plan with VNet integration

Azure Functions running on a Premium plan can be integrated with a VNet, and combined with a site-to-site VPN, they can access on-premises resources securely. The Consumption plan does not support VNet integration. Azure SQL Database is a PaaS service, and a hybrid connection is used for PaaS services to on-premises, but for a function accessing an on-prem SQL Server, VNet integration is appropriate.

Availability zone

An availability set ensures VMs are placed across multiple fault domains (separate racks with independent power and networking) and update domains. Fault domains correspond to physical hardware boundaries within a data center; spreading across multiple fault domains protects against hardware failures. However, the scenario mentions two distinct data centers within a region, which is exactly what availability zones provide. Availability sets only work within a single data center (they provide fault domains within a datacenter). Availability zones span separate physical locations (data centers) within a region. Therefore, availability zones are the correct choice. Proximity placement groups are for low latency, not fault tolerance. Load balancer distributes traffic but does not ensure physical separation of VMs.

Policy Initiative

A policy initiative (also known as a policy set) allows you to group related policies together for easier assignment and management. This helps ensure consistent application of a security baseline across subscriptions.

Configuring the network security group (NSG) rules to restrict inbound traffic to the virtual machine.

The shared responsibility model defines which security tasks are managed by Microsoft (the cloud provider) and which are managed by the customer. Microsoft is responsible for the security of the physical datacenter, the hypervisor, and the underlying host infrastructure (including the fabric controller). The customer is responsible for securing their own resources such as virtual machines, including configuring network security groups, patching the operating system, and managing application-level security.

Deployment slots

Deployment slots in Azure App Service allow you to create separate environments (slots) for your web app. You can deploy a new version to a staging slot, test it, and then swap the staging slot with the production slot to make the new version live. If issues arise, you can swap back to the previous slot, instantly rolling back. Autoscale adjusts capacity based on load, not deployment. Traffic Manager is a DNS-based traffic routing service for distributing traffic across endpoints, not an App Service feature for staging. Application Insights is a monitoring and diagnostics service, not a deployment feature.

Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that can distribute traffic based on geographic location and health probes. It performs automatic failover and can route users to the nearest region for performance.

Economies of scale

Economies of scale refers to the cost advantages that enterprises obtain due to their scale of operation. Cloud providers like Microsoft Azure operate massive data centers worldwide, giving them significant purchasing power for hardware, energy, and bandwidth. This allows them to offer infrastructure at a lower per-unit cost than most individual organizations can achieve in an on-premises data center. The reservation commitment provides a discount for long-term usage, but the fundamental ability to offer a lower price stems from economies of scale. Rapid elasticity (scaling resources up/down quickly), high availability (ensuring uptime), and measured service (metering usage) do not directly explain the lower cost structure.

Assign the 'Network Contributor' role to the security group at the 'Production' management group scope.

Role assignments can be applied at the management group scope, and they are inherited by all subscriptions within that management group. This method automatically covers current subscriptions and any new subscriptions added later, without requiring manual per-subscription assignments or complex automation. Azure Policy cannot directly assign RBAC roles to security groups; it can deploy resources but not manage role assignments in this manner. Assigning at the root management group would grant access to all subscriptions across the entire tenant, which is broader than intended and not aligned with the principle of least privilege.

Update domains

An availability set groups VMs into update domains and fault domains. Update domains define a set of VMs that are updated together during planned maintenance. By placing VMs in different update domains, Azure ensures that only one update domain is taken offline at a time, keeping at least one VM running. Fault domains protect against hardware failures but do not affect maintenance updates. Availability zones are independent datacenters, not a component of an availability set. Proximity placement groups are used to minimize network latency between VMs.

DeployIfNotExists

Azure Policy supports several effects. 'DeployIfNotExists' is used to automatically deploy a resource (like a diagnostic setting) when a condition is met and the resource does not already exist. In this scenario, the condition is the creation of a storage account, and the missing resource is the diagnostic setting. The other effects are not suitable because they either block creation (Deny), report compliance only (Audit), or cannot create entire resources (Append).

Fault tolerance

Fault tolerance is the ability of a system to continue functioning without interruption when one or more of its components fail. In this scenario, the application is designed to survive the loss of an entire Azure availability zone (a failure domain) with zero downtime that the user experiences. High availability (option C) also aims for continuous operation but typically allows for a brief period of unavailability during failover, whereas fault tolerance ensures absolutely no interruption. Elasticity (option A) refers to automatically adjusting resources to match demand. Scalability (option D) is the ability to handle increased load by adding resources. Therefore, the scenario best illustrates fault tolerance.

Modify

The Modify effect in Azure Policy is specifically designed to add, update, or remove tags (or other properties) on resources that are non-compliant. It can be configured with a managed identity to automatically remediate non-compliant resources at creation time and on a schedule. Deny would block the resource, Audit would only report, and DeployIfNotExists deploys separate resources, not modify existing ones.

Deny

The 'Deny' effect blocks any resource creation or update that does not meet the policy condition. In this case, if a resource is created without the 'CostCenter' tag, the policy denies the request. 'Audit' only logs non-compliance. 'DeployIfNotExists' creates a remediation task but does not block creation. 'Modify' can add tags, but the requirement is to prevent creation if the tag is missing, so 'Deny' is correct.

Resource pooling

This scenario describes the resource pooling characteristic of cloud computing. Resource pooling allows the provider to serve multiple customers (tenants) from the same physical infrastructure while maintaining logical isolation and security. The other options are also key cloud characteristics but do not align with the concept of shared physical resources managed for multiple tenants.

Create an Azure Policy exemption for the Development management group with the 'Mitigated' category.

Azure Policy inheritances can be overridden by exemptions. When a policy with Deny effect is assigned at a parent scope (like a management group), it applies to all child scopes (subscriptions/resource groups) unless an exemption is created. An Azure Policy exemption excludes a scope from policy evaluation and reporting. There are two categories: 'Mitigated' (for policies that are still compliant due to compensating controls) and 'Waiver' (for a limited time). Creating an exemption at the Development management group allows storage accounts in Development subscriptions to be created without encryption while the Deny policy remains enforced for Production.

Availability zones

Availability zones are physically separate locations (datacenters) within an Azure region. Each zone has independent power, cooling, and networking. Deploying VMs across zones protects against a single datacenter failure. Availability sets distribute VMs across fault domains and update domains within one datacenter, not across datacenters. Resource groups are logical containers. Azure Site Recovery replicates workloads across regions for disaster recovery.

Modify

The question tests knowledge of Azure Policy effects, specifically how to automatically enforce resource tagging. The 'Modify' effect is the correct choice because it can add, change, or remove tags on resources during creation or update, and it supports remediation tasks for existing non-compliant resources. 'Append' can also add tags to new resources, but it cannot modify existing tags and does not support remediation. 'DeployIfNotExists' is used to deploy a resource (e.g., a diagnostic setting) when a specific resource exists, not for modifying tags. 'Audit' only evaluates compliance without applying any changes.

Azure Policy

Azure Policy is the correct service for enforcing rules on resource properties during deployment. The 'Allowed Locations' built-in policy definition can be assigned at a management group scope to restrict the regions where resources can be created, and this assignment applies to all subscriptions within that management group hierarchy, including existing and future ones. Azure Blueprints orchestrates the deployment of multiple resources and policies, but the enforcement of the location restriction itself is done via Azure Policy. Management Groups organize subscriptions but do not enforce resource-level constraints. RBAC controls who can create resources but not where they can be created. Therefore, Azure Policy is the appropriate solution for this governance requirement.