AZ-104 Prerequisites

Build a cloud governance strategy on Azure – Learn | Microsoft Docs

The organizing structure for Azure resources has 4 levels

  • Management groups
  • Subscriptions
  • Resource groups
  • Resources


You can create one billing report per subscription. If you have multiple departments and need to do a “chargeback” of cloud costs, one possible solution is to organize subscriptions by department or by project. Resource tags can also help. You’ll explore tags later in this module. When you define how many subscriptions you need and what to name them, take into account your internal billing requirements.

Access Control

A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure Active Directory tenant. Each tenant provides administrators the ability to set granular access through defined roles by using Azure role-based access control.

Subscription Limits

Subscriptions also have some resource limitations. For example, the maximum number of network Azure ExpressRoute circuits per subscription is 10. Those limits should be considered during your design phase. If you’ll need to exceed those limits, you might need to add more subscriptions. If you hit a hard limit maximum, there’s no flexibility to increase it.

Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to. Scopes include:

  • A management group (a collection of multiple subscriptions).
  • A single subscription.
  • A resource group.
  • A single resource.

Observers, Users managing resources, Admins, and Automated processes illustrate the kinds of users or accounts that would typically be assigned each of the various roles. When you grant access at a parent scope, those permissions are inherited by all child scopes. For example:

  • When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.
  • When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.
  • When you assign the Contributor role to an application at the resource group scope, the application can manage resources of all types within that resource group, but not other resource groups within the subscription.

Prevent accidental changes by using resource locks

A resource lock prevents resources from being accidentally deleted or changed. Even with Azure role-based access control (Azure RBAC) policies in place, there’s still a risk that people with the right level of access could delete critical cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed.

Combine resource locks with Azure Blueprints

What if a cloud administrator accidentally deletes a resource lock? If the resource lock is removed, its associated resources can be changed or deleted. To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure Blueprints can automatically replace the resource lock if that lock is removed.


  • Resource management: Tags enable you to locate and act on resources that are associated with specific workloads, environments, business units, and owners.
  • Cost management and optimization:Tags enable you to group resources so that you can report on costs, allocate internal cost centers, track budgets, and forecast estimated cost.
  • Operations management:Tags enable you to group resources according to how critical their availability is to your business. This grouping helps you formulate service-level agreements (SLAs). An SLA is an uptime or performance guarantee between you and your users.
  • Security: Tags enable you to classify data by its security level, such as public or confidential.
  • Governance and regulatory compliance: Tags enable you to identify resources that align with governance or regulatory compliance requirements, such as ISO 27001. Tags can also be part of your standards enforcement efforts. For example, you might require that all resources be tagged with an owner or department name.
  • Workload optimization and automation: Tags can help you visualize all of the resources that participate in complex deployments. For example, you might tag a resource with its associated workload or application name and use software such as Azure DevOps to perform automated tasks on those resources.

You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.

You can also manage tags by using Azure Policy. For example, you can apply tags to a resource group, but those tags aren’t automatically applied to the resources within that resource group. You can use Azure Policy to ensure that a resource inherits the same tags as its parent resource group. You’ll learn more about Azure Policy later in this module.

You can also use Azure Policy to enforce tagging rules and conventions. For example, you can require that certain tags be added to new resources as they’re provisioned. You can also define rules that reapply tags that have been removed.

Azure Policy

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards. Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. Azure Policy can also prevent noncompliant resources from being created. Azure Policy comes with a number of built-in policy and initiative definitions that you can use, under categories such as Storage, Networking, Compute, Security Center, and Monitoring.

In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to ensure the integrity of the state of the resources. For example, if all resources in a certain resource group should be tagged with the AppName tag and a value of “SpecialOrders,” Azure Policy can automatically reapply that tag if it has been removed. Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that apply to the pre-deployment and post-deployment phases of your applications.

Manage Azure Policy

Implementing a policy in Azure Policy involves these three steps:

  1. Create a policy definition.: A policy definition expresses what to evaluate and what action to take. For example, you could prevent VMs from being deployed in certain Azure regions. You also could audit your storage accounts to verify that they only accept connections from allowed networks. Every policy definition has conditions under which it’s enforced. A policy definition also has an accompanying effect that takes place when the conditions are met. Here are some example policy definitions:
    • Allowed virtual machine SKUs: This policy enables you to specify a set of VM SKUs that your organization can deploy.
    • Allowed locations: This policy enables you to restrict the locations that your organization can specify when it deploys resources. Its effect is used to enforce your geographic compliance requirements.
    • MFA should be enabled on accounts with write permissions on your subscription: This policy requires that multifactor authentication (MFA) be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.
    • CORS should not allow every resource to access your web applications: Cross-origin resource sharing (CORS) is an HTTP feature that enables a web application running under one domain to access resources in another domain. For security reasons, modern web browsers restrict cross-site scripting by default. This policy allows only required domains to interact with your web app.
    • System updates should be installed on your machines: This policy enables Azure Security Center to recommend missing security system updates on your servers.
  2. Assign the definition to resources.: To implement your policy definitions, you assign definitions to resources. A policy assignment is a policy definition that takes place within a specific scope. This scope could be a management group (a collection of multiple subscriptions), a single subscription, or a resource group.Policy assignments are inherited by all child resources within that scope. If a policy is applied to a resource group, that policy is applied to all resources within that resource group. You can exclude a subscope from the policy assignment if there are specific child resources you need to be exempt from the policy assignment.
  3. Review the evaluation results: When a condition is evaluated against your existing resources, each resource is marked as compliant or noncompliant. You can review the noncompliant policy results and take any action that’s needed. Policy evaluation happens about once per hour. If you make changes to your policy definition and create a policy assignment, that policy is evaluated over your resources within the hour.

Azure Policy Initiatives

An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal. You define initiatives by using the Azure portal or by using command-line tools. Like a policy assignment, an initiative assignment is an initiative definition that’s assigned to a specific scope of a management group, a subscription, or a resource group. Even if you have only a single policy, an initiative enables you to increase the number of policies over time. Because the associated initiative remains assigned, it’s easier to add and remove policies without the need to change the policy assignment for your resources.

Azure Blueprints

Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed the development and deployment phases. Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups

When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure Blueprints to scale their governance practices throughout the organization. Implementing a blueprint in Azure Blueprints involves these three steps:

  • Create an Azure blueprint.
  • Assign the blueprint.
  • Track the blueprint assignments.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments.
Blueprints are also versioned. Versioning enables you to track and comment on changes to your blueprint.

Azure Blueprint Artifacts

Each component in the blueprint definition is known as an artifact. Artifacts can have no parameters. An example is the Deploy threat detection on SQL servers policy, which requires no further configuration. Artifacts can also contain one or more parameters that you can configure.

Introduction to Azure virtual machines – Learn | Microsoft Docs

Azure reserves the first four addresses and the last address in each subnet for its use.

Azure Automation Services

Azure Automation allows you to integrate services that allow you to automate frequent, time-consuming, and error-prone management tasks with ease. These services include process automation, configuration management, and update management.

Authentication protocols

An authentication protocol is a shared set of rules for how information is exchanged between electronic devices. Two of the most commonly used authentication protocols are Kerberos and Transport Layer Security/Secure Sockets Layer (TLS/SSL).


Kerberos is an authentication protocol used across different operating systems. Windows uses Kerberos as its default authentication protocol. Linux and Mac OSs can also use Kerberos.

Diagram that shows the process flow of Kerberos authentication.

Kerberos authentication protocol relies on a trusted server called a Key Distribution Center (KDC). A KDC consists of a few components: An authentication server that authenticates and issues tickets to principals, like a user or service. A database that holds information about the principals and their secret keys. Another server that grants service tickets based on the initial tickets that the principals present. In Kerberos, principals get tickets that grant them service tickets from the KDC. They use those service tickets to access resources, services, or applications. This process remains invisible to the user.


TLS and the older SSL are both protocols for encrypting information sent over the internet. Because the data is encrypted, attackers can’t view what is sent through TLS/SSL. You’ll often see a padlock on the browser when a site makes use of a secure connection. This symbol means the site is using a secure TLS/SSL session with the browser. TLS/SSL is also used for file transfers, voice-over-IP, and email. SSL is the predecessor of TLS (Transport Layer Security) and is deprecated. We’ll often find the two terms used interchangeably. The protocols work as follows:

Diagram that shows the process flow of SSL/TLS process authentication.
  1. The client sends a “ClientHello” message to the server. This message includes information like the SSL/TLS version, and the cryptographic algorithms that the client supports.
  2. The server sends a “ServerHello” message back that includes the algorithm it has chosen from the list of algorithms supported by the client. The message also includes a session ID, the server’s digital certificate, and its public key.
  3. The client uses the digital certificate to verify the server’s identity with a certificate authority, so the client can be sure it’s dealing with a trusted server.
  4. A client key exchange happens, where the client sends a shared key that’s encrypted with the server’s public key to the server.
  5. The client sends a “finished” message that’s encrypted with the shared key.
  6. The server sends its own “finished” message that is encrypted with the shared key. From this point, the client and the server can continue to exchange messages that are encrypted with the shared encrypted key.

Firewall Types

Firewalls can perform several different functions across your network:

  • Application-layer firewalls can be a physical appliance, or software-based, like a plug-in or a filter. These types of firewalls target your applications. For example, they could affect how requests for HTTP connections are inspected across each of your applications.
  • Packet filtering firewalls scrutinize each data packet as it travels through your network. Based on rules you configure, they decide whether to block the specific packet or not.
  • Circuit-level firewalls check whether TCP and UDP connections across your network are valid before data is exchanged. For example, this type of firewall might first check whether the source and destination addresses, the user, the time, and date meet certain defined rules. When these checks pass and a session starts, data is exchanged between parties without further scrutiny.
  • Proxy server firewalls control the information that goes into and out of a network. Firewall proxy servers provide safety and security by providing internet access to all devices on a network. This ability means the server can monitor, filter, and cache data requests to and from the network. alt=
  • Stateful firewalls and next-generation firewalls inspect characteristics about the connections on your network. The firewall also monitors packets over time and stores a combination of this information in a state table. When a connection and packet match aren’t recognized, based on the information held in the table, traffic is blocked. Diagram showing how a stateful firewall block requests from an address that is not allowed.
  • Next-generation firewalls perform many of the same functions as stateful firewalls, but they can encompass more functions from other types of firewalls, such as packet filtering and VPN support. This type of firewall also investigates packets more thoroughly when compared to stateful firewalls. For example, a next-generation firewall could look at the payload for each packet and inspect it for suspicious characteristics and malware.

Azure network security tools

Azure provides several tools that you can use as part of your network security. Each of these tools is designed to address a different aspect of your network’s security. You can build your networks through Azure Virtual Network. Use Network Security Groups to filter traffic from Azure and on-premises resources to, and from, resources that form part of your virtual networks. A Network Security Group filters traffic through security rules that you specify to deny or permit different types of traffic across your networks.

Diagram of an Azure Network Security Group at work with an inbound rule configured to allow TCP and UDP traffic on port 80.

You can also log all the traffic flowing through your network security groups for analysis. Use the Azure Network Watcher service and enable NSG flow logs. Your logs will then be stored for use in a JSON file in a storage account.

Azure Firewall is a fully managed firewall that you can use to protect the resources that are inside your Azure virtual networks. Because Azure Firewall is cloud-based, it comes with certain advantages. You won’t have to worry about whether Azure Firewall can scale to the number of resources on your networks. It comes preconfigured with high availability to prevent your firewall from going down.

Diagram showing how an Azure firewall blocks traffic.

You connect your on-premises network to your Azure virtual networks by configuring a site-to-site VPN connection with Azure. Use a VPN gateway (which is a VPN appliance from Azure), along with your local VPN device, to establish a VPN tunnel for communication. Your cloud and on-premises resources then communicate across the VPN tunnel.

Diagram showing an Azure site-to-site connection using an IPSec IKE S2S VPN tunnel.

You can also set up a point-to-site VPN connection between Azure and your on-premises network. Here, individual users and clients can connect to your Azure resources through a secure tunnel.

A diagram showing an Azure point-to-site connection using P2S SSTP tunnels.


To monitor your network, you’ll need to use a secure network management protocol that consumes minimum bandwidth. You want to keep your network secure and prevent unnecessary load on network performance. The following are some network management protocols that you can use:

  • Simple Network Management Protocol (SNMP): Like switches and routers, the majority of Linux servers and network devices use SNMP. An SNMP-based agent is preinstalled on the device and allows for configuration. The SNMP agent collects things like traffic on the network switch, memory usage, or even printer queues. The SNMP protocol communicates information about the device to the network monitoring and management solution (NMS).
  • Windows Management Instrumentation (WMI): Windows devices use WMI to provide information about the status of the device. You also use WMI to make changes to devices, such as scheduling processes to trigger, or updating system properties and settings. Windows Management Infrastructure is a newer version of WMI that has upgraded capabilities, such as better integration with PowerShell to run commands and scripts.
  • System Logging Protocol (Syslog): Syslog is a protocol that lets the device send event messages and is used for event logging. For example, the web server might use Syslog to log events about failed attempts to access it, or the router might log events on user activities.

Best Practices


When you manage a network, you deal with many different tasks and functions. These tasks and functions have been categorized to help us do them effectively. The categories are fault management, configuration management, accounting/administration, performance management, and security, or FCAPS:

  • Fault management. Relates to the processes and tasks used to identify and resolve faults on the network. Dealing with issues that might cause problems later is also classified as fault management.
  • Configuration management. Includes aspects like collecting information based on changes made to the configurations of devices, physical hardware, and network changes, as well as software updates.
  • Accounting/administration. Applies when you’re dealing with a network used in a service provider setting, and all the tasks and functions that apply. With service provider networks, usage needs to be monitored to track utilization and billing for users. If the network isn’t in a service provider setting, then administration is applicable, and tasks like managing permissions and user passwords are included.
  • Performance management. Covers anything that’s done to manage the performance of your network. Aspects include monitoring throughput, monitoring usage, and improving response times.
  • Security. Encompasses all the tasks you do to secure your network. These tasks include protecting devices, restricting access to network resources, or protecting user activity in the network.

Decide if Azure PowerShell is right for your tasks – Learn | Microsoft Docs

Secure your identities by using Azure Active Directory – Learn | Microsoft Docs

Identity secure score in Azure AD

If you’re an administrator, you need to know how secure your Azure AD tenant is. The identity secure score can help you understand. Azure AD gives an overall value between 1 and 223. This value represents how well you match the recommendations and best practices that Microsoft suggests for tenant security. The identity secure score reveals how effective your security is and helps you implement improvements. You can find your tenant’s identity secure score in the Azure portal. Go to your Azure AD tenant, select Security, and then select the Identity Secure Score dashboard.

Secure identity score

The dashboard shows information such as how you compare with the industry average and with tenants of the same size as yours. The dashboard also provides a graph that shows how your score has changed over time. You see what you can do to improve your score and how much impact each improvement will have.

How Azure AD compares with Active Directory

Active Directory and Azure AD share a similar name, but they’re separate services that are used for different purposes. Azure AD is a cloud-based identity solution that helps you manage users and applications. Active Directory manages objects, like devices and users, on your on-premises network. Here are some other differences:

ServiceAuthenticationStructureWhat it’s used for
Active DirectoryKerberos, NTLMForests, domains, organizational unitsAuthentication and authorization for on-premises printers, applications, file services, and more
Azure Active DirectoryIncludes SAML, OAuth, WS-FederationTenantsInternet-based services and applications like Microsoft 365, Azure services, and third-party SaaS applications
A comparison between Active Directory and Azure AD

Hybrid identity for linking on-premises Active Directory with Azure AD

Your users will want to access applications from both the cloud and on-premises. You can use Azure AD and Active Directory together to provide an identity solution that spans on-premises and the cloud. A single user identity can be used for authentication and to access applications and resources, whatever their location. This user identity is called a hybrid identity. Multiple authentication methods let you achieve hybrid identity for users:

  • Azure AD password hash synchronization. Here, the user’s password is hashed twice and synchronized between the on-premises Active Directory and Azure AD. Users have the same credentials to access resources and applications both on-premises and in the cloud.
  • Azure AD pass-through authentication. Here, an agent is installed on on-premises servers that authenticate against the on-premises Active Directory. When an Azure AD user account tries to authenticate, password authentication is handled on-premises through these servers and Active Directory.
  • Federated authentication. Here, the authentication process is performed by an on-premises Active Directory Federation Services (AD FS) server that validates users’ passwords. Use this authentication method if you want advanced measures like smart card-based authentication for users.

These authentication options allow you to give users a single sign-on experience. Using single sign-on means users are automatically signed in when they use company devices and connect to your internal corporate network.

You want to:Password hash synchronizationPass-through authenticationFederated authentication
Automatically synchronize to the cloud the users, contacts, and groups that have been set up on on-premises Active Directory.yesyesyes
Allow users to access cloud applications and resources by using their on-premises password.yesyesyes
Ensure that password hashes aren’t stored in the cloud.noyesyes
Use cloud-based multi-factor authentication.yesyesyes
Use on-premises multi-factor authentication.Nonono
Use smart card authentication for additional protection.nonoyes

European identity data storage

When you subscribe to a service like Azure or Microsoft 365, all of your identity data is stored based on the address that you provide during the subscription process. If you’re a customer who uses an address in Europe, Azure AD stores most of your data in European datacenters. However, some data is stored outside Europe by services that you use with Azure AD. Here are a few examples of some of the data that’s stored outside Europe:

Azure AD-based serviceData location
Azure Active Directory B2B (Azure AD B2B)Guest users access applications through a link in an invitation email or a link shared directly with them. These redemption links are stored in US datacenters. If a user unsubscribes from invitation messages, their email address is also stored in US datacenters.
Azure Active Directory B2C (Azure AD B2C)No personal data is stored outside of Europe, but policy configuration data is stored in US datacenters.
Azure AD Multi-Factor AuthenticationPhone calls and text messages come from US datacenters, and global providers handle the routing. OAuth code validation happens in the US. Push notifications for the Microsoft Authenticator app come from US datacenters.

Azure AD licenses

You can use different features of Azure AD, depending on the type of license you choose:


  1. Azure Active Directory Free. You can manage
    • users and groups, and you get basic reports,
    • on-premises Active Directory synchronization,
    • self-service password reset for Azure AD users.
    • You also get single sign-on for Microsoft 365, Azure services, and many third-party SaaS applications.
  2. Azure Active Directory Premium P1. You get all the features from the free tier, but you can also
    • Users can access on-premises and cloud-based services and resources.
    • You can use self-service group management or dynamic groups, where users are added and removed automatically, based on your criteria.
    • This tier supports on-premises identity management suites like Microsoft Identity Manager.
    • Self-service password reset is also supported for users who are based on-premises.
  3. Azure Active Directory Premium P2. You get all the features of the previous two tiers, along with
    • Active Directory Identity Protection. This feature helps you configure risk-based conditional access to protect applications from identity risks.
    • You can also use privileged identity management, which lets you monitor and put detailed restrictions on administrators.
  4. Pay-as-you-go licenses for specific features. You access specific Azure AD features, like Azure AD B2C, on a pay-as-you-go basis. Azure AD B2C lets you manage identity and access for consumer users and the applications they use.

Azure AD B2B

Use Azure AD to invite external users to your tenant. Your organization can then collaborate with external healthcare partner staff members through Azure AD B2B Collaboration. For example, your company works with external healthcare partners. These partners can be invited as guest users to your tenant. When their work is done, you can revoke access for those external partners until it’s needed again. Here’s the B2B collaboration process:

B2B collaboration process
  1. The external user either receives an email invitation that includes a redemption link or gets a direct link.
  2. The user selects the redemption link to access the apps they were invited to.
  3. If multi-factor authentication is set up, the user receives a verification code on their phone.
  4. The user provides the code they received.
  5. The user can access the app, whether it’s on-premises or in the cloud.

This feature is available for all licensing tiers in Azure AD.

Azure AD B2C

You can also use Azure AD B2C to manage your customers’ identities and access. Your doctors’ accounts should have protected access to resources and services. Use Azure AD B2C to securely authenticate the doctors through their preferred identity providers. AD B2C also helps you monitor for threats like brute force attacks and denial-of-service attacks on doctors’ user accounts. To use Azure AD B2C, you register your apps. You then configure user flows to set up the user’s journey to access an app.

flow for users
  1. On their browser or mobile phone, the user goes to the app they want to access.
  2. The user is required to complete the sign-in form.
  3. If the credentials are verified and multi-factor authentication is enabled, the user receives a verification code on their phone.
  4. The user provides the code they received.
  5. The user is granted access to the app.

This feature is available on a pay-as-you-go basis.

Azure AD DS

Azure AD DS lets you add virtual machines to a domain without needing domain controllers. Your internal staff users can access virtual machines by using their company Azure AD credentials. Use this service to reduce the complexity of migrating on-premises apps to Azure. An organization could also use Azure AD DS to handle its infrastructure if it runs apps both on-premises and in the cloud. The process might go like this:

Process for adding VMs to a domain in Azure AD DS
  1. The organization deploys its apps and servers in a virtual network on Azure.
  2. Azure AD Connect sync synchronizes identity information between the on-premises Active Directory instance and the organization’s tenant in Azure AD.
  3. The company enables Azure AD DS on their Azure AD tenant.
  4. The apps and servers in Azure can use features like domain joining and Kerberos authentication.

This feature is available for pay-as-you-go, based on the total number of objects in your domain that’s managed by Azure AD DS. Objects can include users, groups, and domain-joined computers.

You can add on-premises apps by configuring Azure AD Application Proxy. This process creates secure remote access for your on-premises apps. To connect them, download and install the Application Proxy connector on-premises.

Azure AD Features

  • Protect your apps through conditional-access policies: Use conditional-access policies to require users to pass additional authentication challenges before they access an app. For example, you can configure a conditional-access policy to require users to complete a multi-factor authentication challenge after their credentials are verified and before they access the app.
  • Monitor your app access: Azure AD can help monitor your app sign-ins by generating reports that cover sign-in dates, user details, apps the user has used, risk detection, location, and more. Access those reports through the Azure portal or specific APIs for programmatic usage.

Azure AD Identity Protection

Azure AD Identity Protection helps you to automatically detect, investigate, and remediate identity risks for users. Identity Protection also lets you export all the information that was collected about risks. Export the information to third-party tools and solutions so that you can further analyze it. Identity Protection uses risk policies to automatically detect and respond to threats. You configure a risk policy to set up how Identity Protection should respond to a particular type of risk. Use policies in this way to save time and give you peace of mind.

Identity Protection flow in Azure AD

By using automated risk detection and remediation through Identity Protection, the admin first configures the risk policies. These policies then monitor for identity risks. When a risk is detected, the policies enforce measures to remediate it. For example, a policy might require a user to reset their password in response to a detected risk. The user then resets their password, and the risk is remediated.

Introduction to Docker containers – Learn | Microsoft Docs

What is the Stackable Unification File System (Unionfs)?

Unionfs is used to create Docker images. Unionfs is a filesystem that allows you to stack several directories, called branches, in such a way that it appears as if the content is merged. However, the content is physically kept separate. Unionfs allows you to add and remove branches as you build out your file system.

Diagram showing the stacking of layers in a Docker image created with unionfs.

We’ll layer the Ubuntu distribution as a base image on top of the boot file system. Next we’ll install Nginx and our web app. We’re effectively layering Nginx and the web app on top of the original Ubuntu image. A final writeable layer is created once the container is run from the image. This layer however, does not persist when the container is destroyed.

Docker container storage configuration

When your app writes data to the log file, the system writes the data to the writable container layer. Even though this approach works, it, unfortunately, has several drawbacks.

  • Container storage is temporary: Your log file won’t persist between container instances. For example, let’s assume that you stop and remove the container. When you launch a new container instance, the new instance bases itself on the image specified, and all your previous data will be missing. Remember, all data in a container is destroyed with the container when you remove a container.
  • Container storage is coupled to the underlying host machine: Accessing or moving the log file from the container is difficult to do as the container is coupled to the underlying host machine. You’ll have to connect to the container instance to access the file.
  • Container storage drives are less performant: Containers implement a storage driver to allow your apps to write data. This driver introduces an extra abstraction to communicate with the host OS kernel and is less performant than writing directly to a host filesystem.

Containers can make use of two options to persist data. The first option is to make use of volumes, and the second is bind mounts.

What is a volume?

A volume is stored on the host filesystem at a specific folder location. Choose a folder where you know the data isn’t going to be modified by non-Docker processes.

Docker creates and manages the new volume by running the docker volume create command. This command can form part of our Dockerfile definition, which means that you can create volumes as part of the container creation process. Docker will create the volume if it doesn’t exist when you try to mount the volume into a container the first time. Volumes are stored within directories on the host filesystem. Docker will mount and manage the volumes in the container. After mounting, these volumes are isolated from the host machine.

Multiple containers can simultaneously use the same volumes. Volumes also don’t get removed automatically when a container stops using the volume. In this example, you can create a directory on our container host, and mount this volume into the container when you create the tracking portal container. When your tracking portal logs data, you can access this information via the container host’s filesystem. You’ll have access to this log file even if your container is removed.

What is a bind mount?

A bind mount is conceptually the same as a volume, however, instead of using a specific folder, you can mount any file or folder on the host. You’re also expecting the host can change the contents of these mounts. Just like volumes, the bind mount is created if you mount it, and it doesn’t yet exist on the host. Bind mounts have limited functionality compared to volumes, and even though they’re more performant, they depend on the host having a specific folder structure in place. Volumes are considered the preferred data storage strategy to use with containers.

Docker container network configuration

The default Docker network configuration allows for the isolation of containers on the Docker host. This feature enables you to build and configure apps that can communicate securely with each other. Docker provides three pre-configured network configurations:

  • Bridge
  • Host
  • none

What is the bridge network?

The bridge network is the default configuration applied to containers when launched without specifying any additional network configuration. This network is an internal, private network used by the container, and isolates the container network from the Docker host network.

Each container in the bridge network is assigned an IP address and subnet mask with the hostname defaulting to the container name. Containers connected to the default bridge network are allowed to access other bridge connected containers by IP address. The bridge network doesn’t allow communication between containers using hostnames.

By default, Docker doesn’t publish any container ports. To enable port mapping between the container ports and the Docker host ports, use the Docker port –publish flag. The publish flag effectively configures a firewall rule that maps the ports.

--publish 8080:80

Any client browsing to the Docker host IP and port 8080 can access it.

What is the host network?

The host network enables you to run the container on the host network directly. This configuration effectively removes the isolation between the host and the container at a network level. In this example, let’s assume you decide to change the networking configuration to the host network option. Your tracking portal is still accessible using the host IP. You can now use the well known port 80 instead of a mapped port. Keep in mind that the container can use only ports not already used by the host.

To disable networking for containers, use the none network option.

When not to use Docker containers

  • Security and virtualization: Containers provide a level of isolation. However, containers share a single host OS kernel, which can be a single point of attack. We also need to take into account configure aspects such as storage and networks to make sure that we consider all security aspects. For example, all containers will use the bridge network by default and can access each other via IP address. Not all applications will benefit from containerization. In such instances, it may make more sense to use a VM.
  • Service monitoring: Managing the applications and containers are more complicated than traditional VM deployments. Logging features exist that tell us about the state of the running containers. However, more detailed information about services inside the container is harder to monitor. For example, Docker provides us with the docker stats command. This command returns information for the container such as percentage CPU usage, percentage memory usage, I/O written to disk, network data send and received and process IDs assigned. This information is useful as an immediate data stream, however no aggregation is done as the data isn’t stored. We’ll have to install third-party software for meaningful data capture over a period of time.

Choose a data storage approach in Azure – Learn | Microsoft Docs

Knowledge Check

Scenario 1

Consider the following scenario. Then choose the best response for each question that follows, and select Check your answers. Tailwind Traders has created environments for development and testing for its e-commerce system. Here’s a diagram that shows the basic compute, database, and networking components found in each environment.

These environments provide a way for the team to build and test new application features. Although the development and test teams report to different departments, both environments exist under the same Azure subscription. The IT manager wants to implement governance controls to help ensure that only authorized users can access these systems. Having these controls in place will also help them track and manage operating costs.

  1. How can Tailwind Traders allow some users to control the virtual machines in each environment but prevent them from modifying networking and other resources in the same resource group or Azure subscription? [Scenario 1]
    1. Create a role assignment through Azure role-based access control (Azure RBAC).
    2. Create a policy in Azure Policy that audits resource usage.
    3. Split the environment into separate resource groups.
  2. Which is the best way for Tailwind Traders to ensure that the team deploys only cost-effective virtual machine SKU sizes? [Scenario 1]
    1. Create a policy in Azure Policy that specifies the allowed SKU sizes.
    2. Periodically inspect the deployment manually to see which SKU sizes are used.
    3. Create an Azure RBAC role that defines the allowed virtual machine SKU sizes.
  3. Which is likely the best way for Tailwind Traders to identify which billing department each Azure resource belongs to? [Scenario 1]
    1. Track resource usage in a spreadsheet.
    2. Split the deployment into separate Azure subscriptions, where each subscription belongs to its own billing department.
    3. Apply a tag to each resource that includes the associated billing department.
  4. Suppose you want to run a network appliance on a virtual machine. Which workload option should you choose?
    1. General purpose
    2. Compute optimized
    3. Memory optimized
    4. Storage optimized
  5. True or false: Resource Manager templates are JSON files?
    1. True
    2. False
  6. What are network standards used for?
    1. To ensure that hardware conforms to a minimum standard necessary for a good network development.
    2. To ensure that software is tightly constrained and meets the needs of the organization’s network.
    3. To ensure that hardware and software made by different vendors can work together seamlessly.
  7. What is the primary purpose of a hub?
    1. A hub allows one Ethernet network device to send data packets to a specific Ethernet device.
    2. A hub allows the connection of multiple Ethernet devices to make them act as a single network segment.
    3. A hub allows multiple Ethernet network devices access to the internet.
  8. What is the principal difference between hub routing and switch routing?
    1. Hub routing sends all packets to all connected devices. Switch routing sends packets to specific devices.
    2. Hub routing sends packets to specific locations. Switch routing is only used to route traffic between switches.
    3. Hub routing sends all packets to all connected devices. Switch routing is only used to route traffic between switches.
  9. What does a router do?
    1. A router is a network device that works out the fastest and most efficient way to send data across a network.
    2. A router is a network device that forwards data packets around faults in your network.
    3. A router is a network device that forwards data packets between computer networks.
  10. What is a thin client?
    1. A thin client can only display processed data provided by a server.
    2. A thin client can process some data locally, but needs the server to store the data.
    3. A thin client can process and store data locally, and uses the server when it needs more processing power or storage.
  11. What is the purpose of an application server?
    1. Hosts non-web apps and lets users in the network run them through.
    2. Hosts all your web and non-web apps in one place, so they can be accessed across the network.
    3. Hosts all your web apps and lets users in the network run them and use them in their browser.
  12. What role does authorization play during a sign-in event?
    1. Authorization is the process of determining whether the authenticated user or client has access to specific resources.
    2. Authorization is the process of determining whether a particular user or client is the author of specific resources.
    3. Authorization is the process of determining whether a client or user is who they claim to be.
  13. Which of following happens in the handshake process of SSL/TLS protocol?
    1. The server sends a “ServerHello” message back. This message includes a session ID, the server’s digital certificate, and its public key.
    2. The server sends a “ServerHello” message back. This message includes a session ID, the client’s digital certificate, and a public key.
    3. The server sends a “ClientHello” message back. This message includes a session ID, the server’s digital certificate, and its public key.
  14. Which of the following best practices should you implement for your network security on Azure?
    1. Disable load balancing of traffic.
    2. Disable SSH/RDP protocols.
    3. Disable network service endpoints.
  15. You need to prevent users’ devices from directly requesting web pages from the internet. Which tool would you use to do this?
    1. Packet filtering firewall.
    2. Circuit-level firewall.
    3. Proxy server firewall.
  16. You need to query log data for applications across your network in Azure. Which tool do you use?
    1. You use Syslog to query the log data that has been collected.
    2. You use Log Analytics to query the data that has been collected.
    3. You use an agent to run queries on the data that has been collected.
  17. What is Syslog used for?
    1. Syslog is used to let your device send event messages.
    2. Syslog is used to schedule processes to be triggered.
    3. Syslog is used to update system properties on your device.
  18. What do you need to install on your machine to let you execute Azure CLI commands locally?
    1. The Azure cloud shell
    2. The Azure CLI and Azure PowerShell
    3. Only the Azure CLI
  19. True or false: The Azure CLI can be installed on Linux, macOS, and Windows, and the CLI commands you use are the same in all platforms.
    1. True
    2. False
  20. Which parameter can you add to most CLI commands to get concise, formatted output?
    1. list
    2. table
    3. group
  21. True or false: The Azure portal, the Azure CLI, and Azure PowerShell offer significantly different services, so it is unlikely that all three will support the operation you need.
    1. True
    2. False
  22. Suppose you are building a video-editing application that will offer online storage for user-generated video content. You will store the videos in Azure Blobs, so you need to create an Azure storage account to contain the blobs. Once the storage account is in place, it is unlikely you would remove and recreate it because this would delete all the user videos. Which tool is likely to offer the quickest and easiest way to create the storage account?
    1. Azure portal
    2. Azure CLI
    3. Azure PowerShell
  23. What needs to be installed on your machine to let you execute Azure PowerShell cmdlets locally?
    1. The Azure cloud shell
    2. The base PowerShell product and the Az module
    3. The Azure CLI and Azure PowerShell
  24. What is a tenant in Azure AD?
    1. A tenant represents an entire organization.
    2. A tenant represents a user in an organization.
    3. A tenant represents a geographic location in an organization.
  25. What is an identity security score?
    1. It’s a number between 1 and 223 that indicates exactly how many identities are secured in your organization.
    2. It’s a number between 1 and 223 that indicates how aligned your security is with Microsoft best practices.
    3. It’s a number between 1 and 223 that indicates how well your organization’s tenants align with each other.
  26. What does the term identity mean?
    1. Something that can be authenticated. It can be a user, application, service, or anything that needs to be identified.
    2. A user that can be authenticated. It has to be a user. Applications or services can’t be considered as identities.
    3. The service that does the authentication for users. It can also be an application.
  27. Which licensing plan supports Identity Protection?
    1. Azure Active Directory Free
    2. Azure Active Directory Premium P1
    3. Azure Active Directory Premium P2
  28. What does Azure AD B2B provide?
    1. Azure AD B2B allows you to manage your customers’ identities. It provides access to applications and resources.
    2. Azure AD B2B allows you to let your users access virtual machines by using their company Azure AD credentials.
    3. Azure AD B2B allows you to invite external users to your tenant so that your staff can collaborate with them.
  29. What does Azure AD Application Proxy do?
    1. You use it to identify applications in your instance of Azure AD.
    2. You use it to add on-premises applications to your instance of Azure AD.
    3. You use it to add Azure AD Gallery applications to your instance of Azure AD.
  30. Docker Desktop is an app for building and sharing containerized apps and microservices available on which of the following operating systems?
    1. macOS only
    2. Linux only
    3. Windows, macOS, and Windows Subsystem for Linux (WSL)
  31. Which is correct Docker command to rebuild a container image?
    1. docker rebuild
    2. docker compile
    3. docker build
  32. Which of the following sentences describe a container image the best?
    1. A container image is a read-only portable package that contains software and may include an operating system.
    2. A container image is a set of commands that builds a container.
    3. A container image is a read-only portable package that contains software.
  33. A container is launched using the –publish 80:8080 flag. Which of the following options is the most likely network configured used for the container?
    1. none
    2. bridge
    3. host
  34. Which storage option is the best choice that allows the host and container to share a file to manage name server resolution, for example the resolve.conf file on Linux?
    1. A volume
    2. Bind mount
  35. A JSON file is an example of which type of data?
    1. Structured
    2. Semi-structured
    3. Unstructured
  36. A video is an example of which type of data?
    1. Structured
    2. Semi-structured
    3. Unstructured
  37. Which type of transactional database system would work best for product data?
    1. OLAP
    2. OLTP
  38. Suppose the operations to update inventory and process payments are in the same transaction. A user is attempting to apply store credit for the full amount of an order, and submitted the exact same order (for the full amount) using their phone and laptop at the same time – so two identical orders are received. The database behind the scenes is an ACID-compliant database, what would happen?
    1. Both orders would be processed and use the in-store credit.
    2. One order would be processed and use the in-store credit, and the other order would update the remaining inventory for the items in the basket, but would not complete the order.
    3. One order would be processed and use the in-store credit, and the other order would not be processed.


  1. a. Azure RBAC enables you to create roles that define access permissions. You might create one role that limits access only to virtual machines and a second role that provides administrators with access to everything. Resource groups are meant to contain related resources. Although you can likely split the environment into separate resource groups, this approach would likely be more complex than is needed.
  2. a. After you enable this policy, that policy is applied when you create new virtual machines or resize existing ones. Azure Policy also evaluates any current virtual machines in your environment.
  3. c. Tags provide extra information, or metadata, about your resources. The team might create a tag that’s named BillingDept whose value would be the name of the billing department. You can use Azure Policy to ensure that the proper tags are assigned when resources are provisioned.
  4. b. Compute optimized virtual machines are designed to have a high CPU-to-memory ratio. Suitable for medium traffic web servers, network appliances, batch processes, and application servers.
  5. a. Resource Manager templates are JSON files that define the resources you need to deploy for your solution. The template can then be used to easily re-create multiple versions of your infrastructure, such as staging and production.
  6. c. Network standards are designed to ensure that hardware and software made by different vendors work seamlessly together.
  7. b. Hubs offer the simplest form of network. They allow multiple Ethernet-based network-enabled devices to communicate with each other.
  8. a. Hub routing sends all packets to all connected devices. Switch routing sends packets to specific devices.
  9. c. A router is an essential part of your network. A router connects different networks and also connects to the internet.
  10. a. A thin client makes requests of a server, and is incapable of running apps or storing data locally.
  11. b. An application server provides application access to a client.
  12. a. After the user or client is confirmed to have the right permissions, they can access the resource.
  13. a. The server and the client exchange a number of messages like this before communication can start flowing officially between the two.
  14. b. You can enable it again once you’ve established a VPN tunnel for your connections.
  15. c. A proxy server helps you hide details about the requesting client.
  16. b. Log Analytics can help you run complex queries over your log data.
  17. a. Syslog helps you log your events.
  18. c. You only need to install the Azure CLI. You will use a shell to issue the CLI commands, but every platform has at least one built-in shell.
  19. a. The CLI is cross-platform and can be installed on Linux, macOS, and Windows. After installation, the CLI commands that you run are the same everywhere. This means you can learn the commands once and use them with any local installation or in the Azure Cloud Shell.
  20. b. The table parameter formats the output as a table. This can make things much more readable for commands that produce a large amount of output.
  21. b. The three tools offer almost the same set of services. Generally, this is not a factor in deciding which tool is best for your tasks.
  22. a. The portal is a good choice for one-off operations like creating a long-lived storage account. The portal gives you a GUI containing all the storage-account properties and provides tool tips to help you select the right options for your needs.
  23. b. You need both the base PowerShell product and the Az module. The base product gives you the shell itself, a few core commands, and programming constructs like loops, variables, etc. The Az modules adds the cmdlets you need to work with Azure resources.
  24. a. You create a tenant for your organization so that your internal users can be managed by Azure AD.
  25. b. Use an identity security score to see how secure your Azure AD instance is.
  26. a. An identity represents a user, or sometimes a service or an application, that needs access to do something.
  27. c. Identity Protection helps you configure risk-based conditional access for your applications to protect them from identity-based risks.
  28. c. If your company works with external contractors, those contractors can be invited as guest users. When the work is done, access for those contractors can be revoked.
  29. b. By using Application Proxy in this way, you create secure remote access for your on-premises applications.
  30. c. While Docker Desktop is only available for Windows and macOS. It does support using a Linux command line via Windows Subsystem for Linux (WSL). For more information and set up, see the WSL + Docker documentation.
  31. c. You use the docker build command to rebuild a container image. Once you’ve built an image, the image can’t be changed. The only way to change an image is to create a new image.
  32. a. A container image is an immutable package that contains all the application code, system packages, binaries, libraries, configuration files, and the operating system running in the container. Docker containers running on Linux share the host OS kernel and don’t require a container OS as long as the binary can access the OS kernel directly.
  33. b. The Bridge network configuration is an internal, private network used by the container and isolates the container network from the Docker host network. We use the publish flag to map ports between the container and host ports.
  34. b. A bind mount, like a volume, is stored on the host filesystem at a specific folder location. However, bind mount data is expected to be updated by the host. The resolve.conf contents is expected to change by the host and used by both the container and host.A volume is stored on the host filesystem at a specific folder location. However, volume data isn’t meant to be updated by the host.
  35. b. Semi-structured data contains tags that make the organization and hierarchy of the data apparent.
  36. c. Unstructured data is often delivered in files. A video may have an overall structure but the data that comprises the video itself is unstructured.
  37. b. OLTP systems support a large set of users, have quick response times, handle large volumes of data, are highly available, and are great for small or relatively simple transactions.
  38. c. Once the second order determined that the in-store credit has already been used, it would roll back the transaction.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by

Up ↑

%d bloggers like this: