Design Identity and Security - AZ 304 Exam notes

Design Identity and Security (25-30%)

Design authentication

•  recommend a solution for single-sign on

            See the simple yet fantastic explanation from Mr.Swaroop Krishnamurthy @ YouTube on How to setup the Single Sign-On (AD , ADFS and Passthrough Authentication)

https://www.youtube.com/watch?v=PyeAC85Gm7w and also Azure AD Passthrough Authentication

 https://www.youtube.com/watch?v=vt2R4P4xLQA

•  recommend a solution for authentication
•  recommend a solution for Conditional Access, including multi-factor authentication
•  recommend a solution for network access authentication
•  recommend a solution for a hybrid identity including Azure AD Connect and Azure AD
• Connect Health
•  recommend a solution for user self-service
•  recommend and implement a solution for B2B integration

Design authorization

•  choose an authorization approach
•  recommend a hierarchical structure that includes management groups, subscriptions and
• resource groups
• recommend an access management solution including RBAC policies, access reviews,
• role assignments, physical access, Privileged Identity Management (PIM), Azure AD
• Identity Protection, Just In Time (JIT) access

Design governance

•  recommend a strategy for tagging
•  recommend a solution for using Azure Policy
•  recommend a solution for using Azure Blueprint

Design security for applications

• recommend a solution that includes KeyVault

o What can be stored in KeyVault

o KeyVault operations

o KeyVault regions

•  recommend a solution that includes Azure AD Managed Identities
•  recommend a solution for integrating applications into Azure AD

Database Service Tier sizing - AZ 304 exam

 AZ - 304 Microsoft Azure Architect (beta)

[Its my own notes for preparing for the exam. You are advised to verify technical correctness on your own]

This is how I am trying to find the relevant Microsoft Document for self study and preparing the exam. Already I am AZ 203 Certified developer and well versed with Azure Storage , I decided to update my skills in advanced topics on "Design Data Storage" which is part of exam's skill measured topic.

Here is the sub topic "recommend database service tier sizing".

 Understanding the available database service in Azure.

1. General purpose service tier
2. Business critical
3. Hyper scale ( Only available for Azure SQL, not for Azure SQL Managed Instance)

You must understand features of the Azure SQL ,  Azure SQL Managed Instance, vCore or DTU Model (purchasing model).

General Purpose service tier is the recommended (Redundancy and High Availability) on for most of the time, as it truly allows you on controlling the Compute and Storage aspects. You can scale in and scale down the storage and compute based on your usage.

The reason behind on why we need for separate storage account for Azure SQL and Azure SQL Managed Instance is , A stateless and stateful compute layer.

Stateless layer managed by Azure Service Fabric to check the health of compute node and manage the perform the failover on the Azure.

Whenever the database engine or operating system is upgraded, some part of underlying infrastructure fails, or if some critical issue is detected in the sqlservr.exe process, Azure Service Fabric will move the stateless process to another stateless compute node.

Azure SQL Managed Instance will have the separate Compute and Storage option whereas Azure SQL will have only the Service features without any specific compute or Storage.

Hyper scale Service tier features

• Supports up to 100 TB database size (Other service tier supports 1 to 4 TB)
• Rapid scale up (read only database hot standby)  and scale out when the usage were lower as it relies on Compute and Storage.
• Fast database restores with in a minute rather than hours or even a day.
• Higher performance due to higher log throughput and faster commit irrespective of data volums.

Reference

https://docs.microsoft.com/en-in/azure/azure-sql/database/service-tier-general-purpose