305 Flashcards

Question 1

Q

Describe what an Azure Tenant is?

Answer

A

An Azure Tenant is a container for managing identity and security for an organization. It refers to the instance of Azure Active Directory (Azure AD) that is specific to an organization and allows them to manage users, groups, roles, and applications, as well as integrate with external service.

A tenant in Azure is a container for management groups, subscriptions, resource groups, and resources.

Question 2

Q

Describe what an Azure Subscription is?

Answer

A

An Azure Subscription is a container for Resource Groups and Resources and is a container for RBAC and Costs
An Azure Subscription is a container for resources, and it is linked to an Azure account for billing purposes. Subscriptions define the boundaries for billing, resource allocation, and administrative control. It is also where policies and role-based access control (RBAC) are applied to manage resource access and governance.

Question 3

Q

Is it possible to associate a subscription with two Azure Tenants?

Answer

A

No, an Azure Subscription can only be associated with a single Tenant.

Question 4

Q

Is it possible to associate three Azure Subscriptions with one Azure Tenants?

Answer

A

Yes, an Azure Tennant can have many subscriptions associated with it.

Question 5

Q

List all the Azure Identity types available in Azure Entra Id?

Answer

A

Users
Managed Identity
Service Principles
Groups
Device Identities

Question 6

Q

When would you use Managed identity?

Answer

A

When you wnat a service in Azure to access another service in Azure.

Question 7

Q

Describe a use case where you would use an Azure Entra ID Service Principle?

Answer

A

Where you have an Application that wants to access Azure Resources.

You create an Azure Service Principle by registering the application with Azure Entra ID and then making the Azure Entra ID Service principle assocated with the application. The service principle is then used by using the Service principle with RBAC to assign privileges to access Azure resources.

Question 8

Q

Describe what an Azure Entra ID User is?

Answer

A

An Azyre Entra ID User is either an internal or external user. Internal users are users thet are Members, and external users are Guests. Internal users belong to the Azure Entra Id domain or part pf the on-prem domain thet is synced with Azure Entra ID.

Question 9

Q

What is an Azure dynamic group?

Answer

A

An Azure Entra ID Group is a container for Users and Devices; this container can be assigned roles for both Azure Entra ID and Azure resources.

Question 10

Q

Describe what an Azure Entra ID Group is used for?

Answer

A

An Azure Entra ID Group is a container for both Devices and users to manage these Users and Devices as groups, where roles for both Azure Entra ID and Azure Resources can be assigned. This type of group is what we call an assigned group, meaning its manually managed by an administrator.

Question 11

Q

I require a way to manage groups of users automatically. When a user is created in Azure Entra ID, the user is automatically assigned to one of several groups. Each group represents an organization’s departments; we have accountancy, manufacturing, and HR. The user should be assigned to the relevant group based on properties like department. How can we achieve this?

Answer

A

We can set up dynamic groups for the departments in our organization and have the

Question 12

Q

Can I use dynamic groups on a standard subscription?

Answer

A

No. Azure Active Directory (Azure AD) Premium P1 or Premium P2 subscription.

Question 13

Q

What is the topmost level in Azure?

Answer

A

Azure teanant?

Question 14

Q

Can I assign a subscription to more than a single tenant?

Answer

A

No, a subscription can only be assigned to a single tenant.

Question 15

Q

How cna I have Azure SQL prefrom multi-master writes?

Answer

A

You can’t, but you could opt for CosmoDB.

Question 16

Q

Can I associate two subscriptions with a single tenant?

Answer

A

Yes, 100%

Question 17

Q

I want to create a group of users to whom I can assign permissions. How can I do this?

Answer

A

Use Azure Group under Entra ID.

Question 18

Q

I have an application, and I wnat to ab able to access Azure services; what do I require to access the Azyre service?

Answer

A

Register the application with Azure Entra ID and set up a service principle.

Question 19

Q

What is an assigned group in Azure

Answer

A

Admin or owner decides on membership; you manually control the member shop

Question 20

Q

I have added groups of users, and I want an easy way to automatically sign off on permissions for these groups; how can I do this?

Answer

A

Use dynamic groups and set up the attributes to automatically add new users to the dynamic group, then assign permission to the group.

Question 21

Q

What is a security group?

Answer

A

It depends. There are two types of security groups in Azure: an Azure network security group and an Azure ID security group.

Question 22

Q

What is a hybrid environment?

Answer

A

A hybrid environment consists of one or more Azure accounts and one or more on-prem data centers or locations.

Question 23

Q

What is a hybrid identity?

Answer

A

Is an identity that is used in both in Azure and on-prem

Question 24

Q

What is Azure AD B2B Connect (Entra ID B2B Connect)

Answer

A

It enables you toy use external identities by connecting with

Question 25

Q

What is Azure Domain Services (Entra Domain Services)

Question 26

Q

You need to establish a trust relationship with another Microsoft Entra External ID what services would you use?

Answer

A

B2B direct connect

Question 27

Q

What is Entra ID B2B direct connect?

Answer

A

Azure B2B (Business-to-Business) is a feature within Azure Active Directory (Azure AD) that allows organizations to securely share their applications and services with guest users from any other organization

Question 28

Q

Where would you use Entra ID B2B direct connect?

Question 29

Q

What are external identities in the context of Entra ID B2B direct connect?

Answer

A

An external identity in the context of Entra ID B2B direct connect is an identity thet gets invited from an external Microsoft Entra ID, and will be added to Azure Entra ID as a guest. And as they are a guest, they do not automatically have any rights to access resources, they will have to be explicitly granted access to resources.

Question 30

Q

Question 31

Q

List the types of identity groups types in Azure?

Answer

A

Internal identity, external identity, hybrid identity

Question 32

Q

What is a hybrid identity?

Answer

A

A hybrid identity services both on-prem and Azure Entra ID and enables the identity to be shared between on-prem and Azure of a seamless login experience.

Question 33

Q

What is an internal identity?

Answer

A

An internal Azure identity is an identity thet is part of Azure Entra ID and is one of three identities: a user, a service principle, and a managed identity.

Question 34

Q

What is an external identity?

Answer

A

An external identity can be a B2B identity or B2C

Question 35

Q

What is a service principle used for?

Question 36

Q

What is a managed identity?

Question 37

Q

What is a managed identity used for?

Question 38

Q

For external Azure identities, what types of external identitiesare supported?

Answer

A

Microsoft accounts, like Outlook, Hotmail or live

Question 39

Q

I have an individual contractor, and what to give them access to resources in my Azure tenant; how can I do this without setting up a new internal account?

Answer

A

You can invite them using their Microsoft account, outlook, life, or Hotmail.

Question 40

Q

How can I allow an external school to access resources in my Azure tenant?

Answer

A

If the school already has a Microsoft account for students, they can be added as an external identity.

Question 41

Q

I wnat to provide an external user with temporary access to an internal application; how can I do this?

Answer

A

You can use B2B Email one-time password OTP. This sends the user a one-time password in their email to sue, and when they log in, they get access; the password is time-limited.

Question 42

Q

How can I enable users in another organization with an Entra ID to access resources in my Azure Tennant?

Answer

A

You can use Azure B2B direct connect to allow access by creating a cross-tenant.

Question 43

Q

I wnat to use external B2B to invite users to access resources in my Azure tenant; what types of users can I ask?

Answer

A

Any email using the time-limited OTP. Entra ID, Facebook, Google, Microsoft

Question 44

Q

I wnat to ass en external orgnization team to access resources in my Azure Tennant; how can I do this?

Answer

A

You can use B2B Connect and cross-tenant access. You add an organization by using the domain name or tenant ID. Azure search will find the tenant for you to add.

Question 45

Q

I want my team in my orgnization, who has an Azure Entra ID set up and is using it already, to access resources in another organization’s Azure account; what do I need to have the other organizations do to give me?

Answer

A

You will wnat another orgnization to give your organization access to resources by inviting you to access using the B2B connect using the cross-tenant setup, using your domain name or tenant ID; they will ten have to assign permissions to access resources

Question 46

Q

When external users are added to your Azure Entra ID, what type of user are they?

Answer

A

The users are of type HUEST.

Question 47

Q

When external users are added to your Azure Entra ID, what access do they have as default?

Answer

A

They have no access to any resources. If RBAC has been used to allow guests access to a resource, then the newly added guests will have access to this resource.

Question 48

Q

Is it possible to give tenant access in both directions for Azure Entra ID in two tenants?

Question 49

Q

I am intending giving access to external identities using B2B external identities, but I wnat to ensure they have been authenticated using MFA; how can I accomplish this?

Answer

A

You can use ‘Conditional Access Policies’ to require an external user to use MFA; this can be configured

Question 50

Q

When using Azure Entra ID external cross-tenant settings, what are inbound settings?

Answer

A

They are the settings thet control how

Question 51

Q

Where in Azure are the settings for external identities located?

Answer

A

In Azure Entra ID

Question 52

Q

What are Azure Entra ID external cross-tenant settings?

Answer

A

There are several settings in the Azure Entra ID external identities under cross-tenant settings that enable you to control both incoming and outgoing access.

Question 53

Q

What are the default settings for outbound for Azure Entra ID external cross-tenant?

Answer

A

By default, there is no restriction on which users can be invited to collaborate with external tenants. However, specific configurations can be applied later.
The default setting allows all applications to be used in cross-tenant scenarios. This means your users can access apps in other tenants unless specific restrictions are configured.

Question 54

Q

I want to ensure that the orgnization users do not collaborate with other Azure tenants; how can I do this?

Question 55

Q

What are the default settings for inbound Azure Entra ID external cross-tenant?

Answer

A

B2B Collaboration - External Users and Groups: All allowed: External users from other Azure Entra tenants can collaborate with your users without any restrictions. This allows external users to be invited into your tenant as guests and access resources like SharePoint, Teams, or other applications that support B2B collaboration.
B2B Collaboration—Applications: All allowed: Explanation: External users from other tenants can use your organization’s applications if they are given appropriate permissions. This setting enables applications within your tenant to be accessed by users from external tenants.
-B2B Direct Connect - Applications: All blocked: Applications within your tenant cannot be accessed via B2B Direct Connect by users from external tenants. This blocks real-time direct connections for specific applications, enhancing security by limiting access to only internal users or specifically allowed external users.
Trust Settings: N/A (Disabled): This indicates that no special trust settings are applied to external tenants by default. For instance, your tenant does not automatically trust other tenants’ Multi-Factor Authentication (MFA) or compliant device settings. Any trust configurations must be set up explicitly in the organizational settings tab.

Question 56

Q

What is Azure Entra ID cross-tenant sync?

Answer

A

Azure Azure Entra ID cross-sync will enable you to add an external Azure Entra ID so they you can push

Question 57

Q

Your orgnization is acquiring an org called JetPack; they have an Azure tenant; how best to merge this tenant from an Azure Entra ID perspective to allow their users access resources in your organization’s current Azure tenant?

Answer

A

Use Azure Cross-Tenant Sync to enable users to be synced across tenants.

Question 58

Q

What service would you use in Azure to enable external individual users to get access to my resources

Answer

A

Azure B2B connect.

Question 59

Q

I have an organization called Koke, which purchased a company called Kepsi. I want Koke users to access Azure resources in Koke. How can I do this using Azure Entra ID, and what are the steps to set it up?

Answer

A

You can use Azure Entra ID Sync to sync the users in Kepsi into Koke. You must configure Azure Entra ID cross-tenant setting and cross-tennant sync to set this up.
Cross-tenant settings for Kepsi: set koke.com and set outbound access with Trust-suppress user consent.
Cross-tenant settings for Koke: set kepsi.com and set inbound access with Trust-suppress user consent, cross-tenant sync-> allowed
Cross-tenant sync for Kepsi: provisioned automatic, perform mapping of attributes

Question 60

Q

I have an organization called Koke, which purchased a company called Kepsi. I want Koke users to access Azure resources in Koke. How can I do this using Azure Entra ID?

Answer

A

You cna use Azure Entra ID Sync to sync the users in Kepsi into Koke.

Question 61

Q

Azure Entra ID cross-tenant sync: are syncs real-time?

Answer

A

No, it is every 40 minutes by default, but you can change this. But you can create a group and have users mapped as thet are created or altered.

Question 62

Q

Azure Entra ID cross-tenant sync, what are mappings?

Answer

A

When configuring Azure Entra ID cross-tenant sync, you map the attributes between tenants.

Question 63

Q

Azure Entra ID cross-tenant sync, can you see the sync logs?

Answer

A

Ues they are availab in the browser, API, CLI.

Question 64

Q

What is the hierarchy for RBAC in Azure?

Answer

A

Management group -> Subscriptions -> Resource groups -> Resources

Answer 57

A

To group resources with the same life cycle.

Answer 58

A

No, because resources are separate from the resource group and do not have to be in the same region as the resource group.

Answer 59

A

No, they are a single-flast structure

Answer 60

A

Azure Entra ID Conditional Access Policy

Answer 61

A

A management group, subscriptions, resource group, resource

Answer 62

A

Azure policy

Answer 63

A

Azure Identity Protection service that detects and mitigates identity-related risks using machine learning and threat intelligence. It helps protect user accounts by monitoring for suspicious activities and enforcing risk-based conditional access policies. The service provides automated responses, detailed security insights, and integrates with other Azure security tools.

Answer 64

A

No, it is a P2 feature.

Answer 65

A

Use conditional access policies thet are part of Azure Entra ID.

Answer 66

A

Use Identity protection, and sign up for a P2 subscription for Identity Protection. It has a dashboard to view risky users across the enterprise.

Answer 67

A

Use Identity Protection, and sign up for a P2 subscription for Identity Protection. It has a dashboard to view risky logins across the enterprise.

Answer 68

A

Identify risk (Reporting)
Enforcement (Enforce on risk) (conditional access)
Investigate risk (Logs and information)
Remediate risk (automatic, administrator)

Answer 69

A

In the context of risk for Azure EntraID Identity Protection, it is when sign-in occurs, credential compromise,

Answer 70

A

Azure Entra ID Identity Protection uses machine learning to understand what is typical for a user sign-in and uses it to detect what is not regular sign-in.

Answer 71

A

Azure Entra ID Identity Protection leverages Microsoft’s Threat Intelligence network, which continuously monitors and collects data from various sources, including the dark web. This data is used to identify compromised credentials and other security threats.

Answer 72

A

When Azure Entra ID Identity Protection detects compromised credentials from the dark web, it flags the affected user accounts. It can automatically trigger responses such as requiring a password change, enforcing multi-factor authentication (MFA), or blocking access until the issue is resolved.

Answer 73

A

No, Azure Entra ID Identity Protection does not proactively scan the dark web for specific user credentials.

Instead, it relies on data collected by Microsoft’s Threat Intelligence network, which includes compromised credentials found on the dark web.

Answer 74

A

Azure Entra ID Identity Protection uses information from the dark web to identify when user credentials have been compromised. It then applies risk-based policies to protect the affected accounts, such as requiring additional verification or blocking access to prevent unauthorized use.

Answer 75

A

o, this is not correct. While Azure Entra ID Identity Protection uses information from the dark web as one source of threat intelligence, it also protects users by analyzing various other risk signals, such as unusual sign-in activity, and implementing risk-based policies.

Answer 76

A

Microsoft’s Threat Intelligence network plays a crucial role in Azure Entra ID Identity Protection. It gathers and analyzes data from numerous sources, including the dark web, to detect potential security threats and help protect user identities.

Answer 77

A

Yes, Azure Entra ID Identity Protection can take automated actions, such as enforcing password resets, blocking access, or requiring MFA, based on detecting compromised credentials from the dark web or other risk indicators.

Answer 78

A

Anomily Detection (Sign in, user activities) (Sign-in)(real-time)
Known attack patterns
Leaked credentials (User)
Anonymous IP address
Atypical travel (Sign-in) (Offline)
Malware-linked IP address
Unfamiliar sign-in property (Sign-in) (Realtime))

Answer 79

A

Real-time (Signin risk)
Offline (24hrs) (User risk)

Answer 80

A

Offline (24hs): Like user risk being leaked creds

Answer 81

A

Real-time: When the user tries to sign in, the risk is evaluated, and if action is required, like denying, it will be taken.

Answer 82

A

We use conditional access

Answer 83

A

Use Azure Entyra ID and access reviews

Answer 84

A

Azure Identity Protection

Answer 85

A

-Sign-in protection
–Has creds been leaked
–Is the user using anonymous IP
–Impossible travel
–Sign-in from an infected device
–Sign-in from IP with suspicious traffic
–Sign-in from an unfamiliar location

-User action protection

Answer 86

A

You can use risk policies to block, or you can ask the user to use MFA

Answer 87

A

Sign-in risk policy
Users risk policy

Answer 88

A

No, there are 24hrs

Answer 89

A

Block sign-in
Endorce users change password
MFA

Answer 90

A

Use conditional address.

Answer 91

A

I can use Azure Entra ID Identity Protection and its reporting capabilities.

Answer 92

A

I can use Azure Entra ID Identity Protection and its reporting capabilities.

Answer 93

A

Conditional access policy

Answer 94

A

Conditional access policy

Answer 95

A

Conditional access policy

Answer 96

A

Conditional access policy

Answer 97

A

Conditional access policy

Answer 98

A

Location
Country
Device
Browser
Risk

Answer 99

A

Add the countries in Azure Entra ID Conditional access and then use them in the conditional access policy.

Answer 100

A

Add the ip range in Azure Entra ID Conditional access and then use them in the conditional access policy.

Answer 101

A

Name, All Users, Group of users (Guests (as in external), Directory roles, users and groups),

Answer 102

A

Under the Exclude Users tab, you can select users and groups to be excluded from the policy.

Answer 103

A

Setup Privilege Identity management (PIM)

Answer 104

A

Setup Privilege Identity management (PIM)

Answer 105

A

Setup Privilege Identity management (PIM)

Answer 106

A

Access reviews

Answer 107

A

Access reviews

Answer 108

A

Using the Azure Entra ID, privileged Identity management and use review.

Answer 109

A

No change
Remove access
Approve access
Take recommendations

Answer 110

A

Azure Entra ID Identity Governanence Access Reviews

Answer 111

A

Container instance
Kubernetes
Cloud apps

Answer 112

A

Usine DOCKERFILE

Answer 113

A

FROM nginx:alpine
WORKDIR /usr/share/nginx/html
COPY ./index.html ./

Answer 114

A

Using a docker file?

Answer 115

A

Azure image registry

Answer 116

A

Because it an easy way to package content for docker or kubernetes

Answer 117

A

Fast and straightforward to get running and easy to manage small, simple individual running container instances.

Answer 118

A

You would have to use Azure file share and mount a volume.

Answer 119

A

Yes, but you can use a container group thet will share resources if required.

Answer 120

A

Use a container group, and this will schedule the containers on the same host and share resources.

Answer 121

A

None (batch), private( private network), public(public network)

Answer 122

A

Quick images
Axure container registry
Docker Huv or other registry

Answer 123

A

Azure kubernetes service, it supports managed disks

Answer 124

A

Azure Batch
Azure APP service using WebJobs

Answer 125

A

App service plan

Answer 126

A

Yes, app services provide for Windsows and Linux containers.

Answer 127

A

Shared: Container runs on same compute as other customers
Dedicated: Runs on dedicated compute
Isolated: Deployted to customers’ own network

Answer 128

A

Scale-out
Scale-up
Private networking
Public networking
File storage
Database
Redis (cache)

Answer 129

A

Postgres
MySql
MsSql
CosmoDB

Answer 130

A

You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers.

Answer 131

A

You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers. Slots have their configuration for each slot.

Answer 132

A

You cna use the fully managed app services thet have deployment slots that will allow you to deploy prod, qa, and prod using containers. Slots have their configuration for each slot. App services have slots, also called staging, thet can be switched and will automatically scaled out to the required size.

Answer 133

A

App services enable splitting traffic between staging and production.

Answer 134

A

A -staging as in -<name> is used</name>

Answer 135

A

Fully managed HPC cluster and scheduling infrastructure.
There is no need to schedule an installation and manage
Devs can

Answer 136

A

Batch account

Answer 137

A

Account
Scheduler
Nodes/Node Pool

Answer 138

A

Azure Blob
Azure Files
Azure Disks
Azure Auto Storage

Answer 139

A

Azure Batch can automatically provision blob storage containers associated with your batch account. It’s often used to manage job input/output data for batch jobs automatically.

Answer 140

A

Through the API, using one of the supported application types, python, node, C#, PowerShell

Answer 141

A

An Azure batch account

Answer 142

A

Use a service endpoint, service endpoint enables a private connection from a private vNET to a service, including Azure Batch

Answer 143

A

Application
Pools
Jobs
Job schedules

Answer 144

A

Azure CycleCloud helps manage High-Performance Computing (HPC) clusters in Azure, enabling users to easily create, configure easily, and scale resources. It supports popular HPC schedulers like SLURM and PBS Pro, offering autoscaling based on workload demand. The tool simplifies cloud HPC management, integrates with Azure services like Monitor and Cost Management, and is ideal for data-heavy fields like genomics(MS Learn)(Microsoft Azure.

Answer 145

A

Entra ID -> Security -> Protect - > Conditional access

Answer 146

A

App service plan

Answer 147

A

App Service Environment is a single-tenant environment.

Answer 148

A

It is a single-tenant App Service Environment.

Answer 149

A

Use the Service endpoint to access all Azure Storage Accounts
Use a private endpoint to access only a single account

Answer 150

A

Use a private service endpoint. The private service endpoint will connect to a single Azure storage account and get an IP and NIC in the vNET to access it.

Answer 151

A

Use Azure service endpoint; Azure service endpoint gives access to all Azure storage accounts.

Answer 152

A

From a vNET to a whole service like an Azure Storage account

Answer 153

A

No, it uses the Azure public IP, but traffic is over the Azure network.

Answer 154

A

Yes, the endpoint is private, and it appears to be a NIC in your vNET

Answer 155

A

No, it is a one-to-one relationship; you can only access a single account.

Answer 156

A

No, you pay per hour and GB

Answer 157

A

Azure Entra ID App Proxy enables me to expose any application but use Azure Entra ID to secure it.

Answer 158

A

Azure App Service Hybrid Connections enables you to install the software locally and create an endpoint for your app service locally on-prem.

Answer 159

A

Several proxies for scale and availability.

Answer 160

A

You can use Azure Enbtra AD App Proxy, which is installed on-prem and connects to Azure Entra ID. It can proxy the application to remote users and ensure that the users have logged in using their Azure Entra ID credentials.

Answer 161

A

You can use Azure Enbtra AD App Proxy, installed on-prem and connects to Azure Entra ID. It can proxy the application to remote users and provide passthrough for auth.

Answer 162

A

Install the agent connector on-prem for Azure Enbtra AD App Proxy; you create a group of connectors.

Answer 163

A

Agent connectors groups enable me to separate different apps on my on-prem network.

Answer 164

A

Azure container instance, this is the least resources and lowest cost and is least management, and you can configure it for PRIVATE networking using a vNET.

Answer 165

A

Shared
dedicated
Isolated

Answer 166

A

App Container Services

Answer 167

A

Consumption (Pay-As-You-Go)
Flex Consumption
Function premium
App Service (Both Functions and Web Apps on same plan)
Container App Environment

Answer 168

A

Consumption

Answer 169

A

No, the consumption plan does not support vNETS.
But we now have a new plan called Flex Consumption thet will support events
Or you can use a premium plan

Answer 170

A

With both Functina and Web Apps on the same project, it may be best to use the app service plan thet enables the same plan to be used for both.

Answer 171

A

5min default, 10min max.

Answer 172

A

30min default, unlimited with configuration.

Answer 173

A

Yes, you will need to switch plans. The consumption plan does not support pre-warming, so you will need to use premium or flex consumption.

Answer 174

A

Yes, you will need to switch plans. The consumption plan does not support vNET, so you must use premium or flex consumption.

Answer 175

A

No, dedicated means you are on a shared host with dedicated resources not shared with any one else.

Answer 176

A

use a non-dedicated plan

Answer 177

A

Choose a Consumption Plan when you have sporadic workloads, want to pay only for actual usage, and don’t need constant running of your functions.

Answer 178

A

The main advantage is having dedicated VM instances, which provide better performance, more features, and the ability to run functions continuously.

Answer 179

A

Choose an Isolated Plan when you need the highest level of security, network isolation, and dedicated infrastructure for mission-critical applications with high compliance requirements.

Answer 180

A

The Consumption Plan is ideal for this scenario, as it automatically scales based on demand, and you only pay for the resources you use.

Answer 181

A

A Dedicated (App Service) Plan would be suitable, as it provides dedicated resources and consistent performance for high-traffic applications.

Answer 182

A

The Isolated (App Service Environment) Plan is the best choice for strict compliance and complete isolation requirements.

Answer 183

A

Dedicated (App Service) Plan with a Basic or Standard tier would be suitable for a small business website with moderate, consistent traffic.

Answer 184

A

It’s most cost-effective for applications with intermittent usage, where functions don’t need to run continuously, and when you want to pay only for actual execution time.

Answer 185

A

Choose a Dedicated (App Service) Plan, as it allows you to run continuous WebJobs and background tasks alongside your web application on the same VM instances.

Answer 186

A

Non-dedicated
Dedicated
Isolated

Answer 187

A

The plan is using shared resources, best suited

Answer 188

A

Sporadic or unpredictable workloads
Event-driven application
Small-scale or low-traffic applications
Development and testing
Cost optimization:

Answer 189

A

non -dedicated

Answer 190

A

Consumption plan

Answer 191

A

Basic
Standard
Premium
PremiumV2
PremiumV3

Answer 192

A

App Service Environment

Answer 193

A

Use Azure app service deployment slots

Answer 194

A

Create a single route table and associate it with each the of the subnets.

Answer 195

A

No, rout tables are associated with a subnet

Answer 196

A

Create a routing table and set the next hop to the internet

Answer 197

A

Create a routing table and set the next hop to the GW

Answer 198

A

Create a routing table and set the next hop to the IP of the appliance

Answer 199

A

Create a route table and associated with a subnet and set it to none.

Answer 200

A

Service (Using service tag)
Internet
IP (Appliance)
Virtual network
Virtual GW

Answer 201

A

Custom routes
BGP routes
System Routes

Answer 202

A

Routes you create in a custom route table3 and associated with a vNET subnet.

Answer 203

A

Routes from BGP

Answer 204

A

Routes generated by Azure

Answer 205

A

Custom routes
BGP Routes
System routes

Answer 206

A

Create a Network security security group, set it to block all traffic, and associate it with the single vNET Subnet.

Answer 207

A

You can not block a URL with an NSG; NSG are layer four only and block layer 4-only traffic. To

Answer 208

A

Azure network security groups are layer four-only firewalls

Answer 209

A

No, because an NSG on a subnet is the same as having it on the NIC of the VMs

Answer 210

A

Basic and Standard

Answer 211

A

Basic allows internet traffic with no NSG attached; standard blocks the IP traffic by default; you must enable it with an NSG.

Answer 212

A

Standard IP blocks all traffic; you must use an NSG to allow it.

Answer 213

A

No, NSG rules are stateful. Once a connection is made, it is tracked, and you do not have to create an outbound rule.

Answer 214

A

Yes, but this is changing.

Answer 215

A

You can use a Virtual network NAT

Answer 216

A

You cna add a pool of IP addresses.

Answer 217

A

using VPN GW with vnet perering

Answer 218

A

vNET peering is low cost and fast with low latency

Answer 219

A

vNET peering can be across subscriptions.

Answer 220

A

Global vNET peering can be across subscriptions and tenants

Answer 221

A

Global vNET peering is the ability to use vNET peering across tenants to connect vNETS, it also when you cross regions.

Answer 222

A

Global vNET peering can be across subscriptions and regions.

Answer 223

A

You can; overlapping will not work.

Answer 224

A

Use Private Link to set up conectivity to make available the app endpoint.

Answer 225

A

No, private link exposed service and proof of the exposed service.

Answer 226

A

With a private link, you can lock down to a single resource.

Answer 227

A

No, it can only be consumed using endpoints in the same region.

Answer 228

A

In a subnet of a vNET.

Answer 229

A

Use a VPN (sit-to-site)

Answer 230

A

No, vNET peering is not encrypted.

Answer 231

A

Azure VPN uses the public internet to securely connect your on-premises network to Azure through encrypted VPN tunnels. ExpressRoute, on the other hand, establishes a private connection between your on-premises infrastructure and Azure, bypassing the public internet entirely. This makes ExpressRoute more reliable, faster, and secure compared to Azure VPN.

Answer 232

A

You should choose Azure VPN. It’s ideal for small environments where cost is a concern, and the public internet is sufficient for your connectivity needs. Azure VPN allows you to quickly establish a secure connection without the complexity and cost of a dedicated line.

Answer 233

A

You should select ExpressRoute. ExpressRoute offers a private, dedicated connection with high bandwidth (up to 100 Gbps), low latency, and guaranteed uptime through a Service Level Agreement (SLA), making it ideal for mission-critical applications.

Answer 234

A

You should select ExpressRoute. ExpressRoute offers a private, dedicated connection with high bandwidth (up to 100 Gbps), low latency, and guaranteed uptime through a Service Level Agreement (SLA), making it ideal for mission-critical applications.

Answer 235

A

You should use Azure VPN. Its point-to-site functionality allows secure, encrypted access for remote users over the public internet, making it perfect for distributed workforces with moderate data traffic needs.

Answer 236

A

You should implement ExpressRoute. Since it avoids the public internet and uses a private connection, ExpressRoute ensures that sensitive data is transmitted in compliance with strict security and regulatory requirements.

Answer 237

A

You should choose ExpressRoute. The high bandwidth (up to 100 Gbps) and consistent performance of a private connection make ExpressRoute the ideal choice for large-scale data migrations.

Answer 238

A

You should go for Azure VPN. It’s a cost-effective solution for smaller, non-critical applications where high performance is not necessary, and you don’t need the guaranteed uptime or bandwidth provided by ExpressRoute.

Answer 239

A

Azure Service Endpoint. Service Endpoints secure PaaS resources by extending VNet identity to the service, allowing access over Azure’s backbone network. Public IP addresses can be blocked.

Answer 240

A

Use Azure Private Link. It provides private access to your services by mapping the service to a Private IP within the consumer’s VNet.

Answer 241

A

Answer: Use Azure Private Link. It supports cross-subscription connectivity via private IPs within the consumer’s VNet, keeping traffic within Azure’s backbone.

Answer 242

A

Answer: Use Azure Service Endpoint. Service Endpoints allow cross-region connections to Azure services, extending VNet identity without exposing the service to the internet.

Answer 243

A

Use Azure Private Link. Private Link allows private access to your services across regions and subscriptions without traversing the public internet.

Answer 244

A

How should the service provider present their service to clients?

Answer 245

A

Use paired regions to replicate your application and data. Azure automatically replicates resources between region pairs, ensuring data durability in the event of a regional failure. Always deploy to both regions in the pair for geographic redundancy.

Answer 246

A

Azure Paired Regions ensure that planned updates (e.g., maintenance) only occur in one pair region at a time. This minimizes downtime and allows services in the secondary region to continue running during the maintenance window.

Answer 247

A

Paired regions provide higher reliability because Azure guarantees data replication and failover capabilities between them, with a direct focus on minimizing latency and ensuring recovery in the event of a disaster. This is especially critical in high availability/disaster recovery setups where business continuity is essential.

Answer 248

A

Azure Paired Regions are often located in the same geopolitical zone, helping organizations comply with data sovereignty regulations. Data replication across regions within the same pair ensures that data remains within the required jurisdiction for compliance purposes.

Answer 249

A

Azure Paired Regions are designed to minimize latency between regions while supporting cross-region failover. By deploying your services to paired areas, you can achieve low-latency replication and quick recovery, ensuring your platform remains responsive during regional disruptions.

Answer 250

A

Several data centers are connected via low-latency connectivity and form several availability zones; an availability zone is not a data center but a fault domain with separate power, cooling, and network.

Answer 251

A

It is a second region in the same geopolitical space as the primary region, ensuring data sovereignty. It is used as a failover or backup region for the primary region for some Azure services.

Answer 252

A

An availability zone is a fault domain that consists of a zone with separate network, cooling, and power; services use availability zones to be fault-tolerant.

Answer 253

A

A Zonel service is a service where you get to select the zone to be used by the service.

Answer 254

A

Yes, these are the core of how an availability set works. It means they if you set the fault domain to three, you have three separate fault domains thet are independent of each other

Answer 255

A

They ensure thet only one updated domain is updated at a time, and we will see them in an availability set.

Answer 256

A

Set the aligned managed disks in the availability set to make the disk in the same fault domain as the VM

Answer 257

A

It is a layer four balancer, which means it works on the IP and transport layer layers of the TCP stack

Answer 258

A

App Gateway its a layer seven load balancer

Answer 259

A

Internal or external?

Answer 260

A

This layer four load balancer has an internal IP for external traffic.

Answer 261

A

This is a layer four load balancer with an external IP for external traffic

Answer 262

A

Backend pool

Answer 263

A

Nat
-LBRule

Answer 264

A

This is where, on Azure Loadbalancer, you will map the input IP to a backend IP

Answer 265

A

Use health probes.

Answer 266

A

One (and two, read on), it can be in one backend for external and one backend for internal, but it can be in both internal and external

Answer 267

A

No, a Azure load balancer is a regional resource.

Answer 268

A

Baseic, Standard

Answer 269

A

2, One for internal and one for external.

Answer 270

A

Not only with standard,

Answer 271

A

Azure load balancer.

Answer 272

A

The Azure load balancer can use internal IP on its front end to load balance, so Azure load balancer is an option.

Answer 273

A

No, a public load balancer enables outbound internet access.

Answer 274

A

No, its layer 7 LB

Answer 275

A

No across regions is not supported by the Azure Application Gateway. Azure Application Gateway is a regional service; there may be other options depending on requirements:
- Azure front door
- Azure traffic manager
- Azure global load balancer

Answer 276

A

It is a DNS load balancer

Answer 277

A

It’s like a back group for a load balancer

Answer 278

A

Source Port
Destination Port
Source IP
Destination IP
Protocol (TCP, UDP)

Answer 279

A

No, it is a layer four load balancer and only supports TCP and UDP.

Answer 280

A

No, you can not ping the Azure Load Balancer because it’s a layer four load balancer that only supports TCP and UDP for ping and not ICMP(Layer 3).

Answer 281

A

Azure Load Balancer Rule

Answer 282

A

To meet the requirements, use an Azure regional and layer four load balancer and add three front-end IPs. The regional load balancer is only in a single region. When creating the load balancer, you can select to use no-zone, zone-redundant, or zonal to meet requirement 4.

Answer 283

A

To meet the requirements, use an Azure regional and layer four load balancer and, at configuration time, select to use IPv6 front-end IP.

Answer 284

A

Use a load-balancing rule.

Answer 285

A

You have the options to use:
- None
- Client IP (Use just the hash of the client IP to select the backend)
- Client IP and Protocol (Use the hash of the client IP and protocol used to select the backend)

Answer 286

A

Yes, 100%. You can assign Devices to the group, which can be assigned to Roiles for both Azure Entra ID and Azure Resources.

Answer 287

A

Yes, 100%.

Answer 288

A

Yes, 100%.

Answer 289

A

To apply the same RBAC controls and Cost management to all three subscriptions, you would use Azure Management Groups, place all three Azure Subscriptions under a management group node, and apply Budget and RBAC controls to the node.

Answer 290

A

RBAC (Access control)
Cost Budgets
Cost analysis
Policies (Complience and governanence)

Answer 291

A

Azure database instance
Azure Elastic Pools
SQL running on VM

Answer 292

A

Managed database service
Dedicated environment
SQL Server, PostgreSQL, MySQL, or MariaDB.
Patching
Backups
Scaling while offering high availability
Security features
Single databases or elastic pools
Automated backups
Monitoring, and
performance tuning

Answer 293

A

Azure SQL Database with Elastic Pools: Using Azure SQL Database with Elastic Pools enables several databases to share a single pool of resources, such as CPU, Memory, and Storage.

Answer 294

A

You can not share an elastic pool with more than a single server. An elastic pool is only allocated to a single Azure SQL Database Server.

Answer 295

A

Central Management Point: Centralized management for all databases in the pool (configurations, settings).
Authentication and Security: Handles user authentication, access control, firewall settings, and security policies.
Resource Allocation: Governs the allocation of compute (vCores or DTUs), memory, and storage across databases in the pool.
Billing: Associated with the cost of the elastic pool and provides a single billing entity.
Backup and Disaster Recovery: Manages backups, point-in-time restore, and geo-replication across databases in the pool.
Endpoint Management: Provides a single connection string/endpoint for accessing all databases in the elastic pool.

Answer 296

A

Use Azure SQL Database service with elastic pools.
Use Azure Managed Identities to authenticate for the databases without using passwords and username
Use Azure Service endpoint to access the databases without using the internet

Answer 297

A

Use Azure SQL Instance, which gives you a single database instance with no shared resources.
Azure Sql Instance is a fully managed instance, so you do not have to manage the resources
All resources are dedicated and not shared.

Answer 298

A

Use Azure SQL Instance, which gives you a single database instance thet can be deployed into a vNET
Azure Sql Instance is a fully managed instance, so you do not have to manage the resources

Answer 299

A

As this is a new development, we can ensure compatibility with the SQL app code. We should select Azure SQL Database, which offers complete automated management and shared elastic pools.

Answer 300

A

SQL running on Azure VM, as it gives the best compatibility for the bespoke services and modifications to the OS and SQL layers.

Answer 301

A

You can use Azure SQL on a VM or Azure SQL Managed Instance; select Azure Managed Instance as it is managed and has less input.

Answer 302

A

SQL FILESTREAM is a feature in Microsoft SQL Server that allows you to store and manage unstructured data, such as documents, images, and videos, directly in the file system while still maintaining transactional consistency through SQL Server. It provides an efficient way to store large binary objects (BLOBs) like files that need access or manipulation in combination with relational data.

Answer 303

A

Because DCT has been used, this is a Windows component, and we will need to use SQL on a VM as DCT is not supported in Azure Managed Instance or Azure SQL Database.

Answer 304

A

DCT is the distributed transaction coordinator, which can be used with SQL to perform operations like distributed commit and rollback.

Answer 305

A

Use Azure Site Recovery because the SQL runs on a virtual machine, and ASR can move the whole VM to Azure.

Answer 306

A

Use Azure Site Recovery because the SQL runs on a virtual machine, and ASR can move the whole VM to Azure.

Answer 307

A

It’s a test VM, thet no one cares about the data, so the disk should be an LRS type managed disk.

Answer 308

A

3 copies of the data
Srtored in a single datacenter of Zone
99.9
Lowest cost of the tiers

Answer 309

A

3 copies of the data
Srtored in separate zones
99.99
Second lowest cost of the tiers

Answer 310

A

3 copies of the data + one in the secondary region
Srtored in separate zones + one in secondary region
99.99
Second lowest cost of the tiers

Answer 311

A

Snapshots
RBAC
Availability zones
Images
Availability sets (When virtual managed disks are used with availability sets, you can configure the availability set to ensure the virtual disks are aligned.

Answer 312

A

The provisioned capacity is what you pay for.

Answer 313

A

Use Premium SSD with a P30 (1024 GiB) or higher. Premium SSDs offer low latency and high IOPS for mission-critical workloads.

Answer 314

A

Ultra Disks
Premium SSD v2
Premium SSDs (solid-state drives)
Standard SSDs
Standard HDDs (hard disk drives)

Answer 315

A

Performance: Ultra Disks provide the highest performance and lowest latency among all Azure-managed disk types. You can configure performance (IOPS and throughput) independently from the disk size.

OPS: Up to 160,000 IOPS per disk.
Throughput: Up to 4,000 MBps per disk.
Latency: As low as sub-millisecond latency.
Use Case: Ideal for mission-critical workloads such as high-performance databases (e.g., SQL Server, Oracle), large-scale transaction systems, SAP HANA, and NoSQL databases.
Scaling: Ultra Disks allow dynamic scaling of performance without downtime.

Answer 316

A

Ulta Disk because of its high IOPS, Throughput, and latency

Answer 317

A

Premium SSDs (Solid-State Drives)
Performance: Premium SSDs provide high performance with consistent low latency, ideal for applications requiring fast data access.
IOPS: Up to 20,000 IOPS.
Throughput: Up to 900 MBps.
Latency: Typically 1-2 milliseconds.
Use Case: Common for production workloads such as databases, OLTP applications, and data-intensive applications needing higher IOPS and low latency.
Cost: Less expensive than Ultra Disks but still premium.

Answer 318

A

Performance: Standard SSDs are a more cost-effective alternative to Premium SSDs, with better performance and lower latency compared to Standard HDDs.
IOPS: Up to 6,000 IOPS.
Throughput: Up to 750 MBps.
Latency: Typically 4-10 milliseconds.
Use Case: Suitable for web servers, small databases, and development/test environments where cost is a concern but moderate performance is still required.

Answer 319

A

Performance: Standard HDDs provide the least performance but are the most cost-effective option. They use magnetic spinning disks.
IOPS: Up to 2,000 IOPS.
Throughput: Up to 500 MBps.
Latency: Typically 10 milliseconds or higher.
Use Case: Best for backup storage, archival, cold storage, or workloads with infrequent access to data. Also suitable for development and low-priority workloads that are not performance-sensitive.

Answer 320

A

Ultra Disks: Maximum performance for critical, low-latency apps.
Premium SSD v2: Balanced high-performance at a flexible cost.
Premium SSDs: Reliable performance for high-transaction applications.
Standard SSDs: Cost-efficient with moderate performance for typical workloads.
Standard HDDs: Low-cost storage for backups and less frequent use.

Answer 321

A

Standard HDD Disks. They are the most cost-effective option for scenarios where data is accessed infrequently, such as backup storage or disaster recovery.

Answer 322

A

Answer: Standard HDD Disks. They are the most economical option, ideal for low-performance needs such as development, testing, and prototypes where minimizing costs is more important than disk speed.

Answer 323

A

Answer: Standard HDD Disks. These are well-suited for cold storage, where data is infrequently accessed but needs to be kept for a long duration, and keeping costs low is a priority.

Answer 324

A

Answer: Ultra Disks. They provide the highest performance with ultra-low latency and are ideal for mission-critical databases that demand maximum throughput and minimal latency.

Answer 325

A

Answer: Ultra Disks. These are ideal for real-time analytics scenarios requiring high IOPS and low-latency storage to ensure fast data ingestion and processing.

Answer 326

A

Higher maximum throughput and IOPS compared to Premium SSD.
IOPS: Supports up to 80,000 IOPS.
Throughput: Can provide up to 1,200 MB/s.
Allows more granular control over performance settings, offering
greater flexibility in scaling disk performance.
Pricing is more flexible, as you can scale IOPS and throughput independently of capacity. This means you can pay only for the performance you need, potentially saving costs.
Charges are typically based on the disk capacity, IOPS, and throughput.

Answer 327

A

Answer:
Premium SSD.
Premium SSDs offer low latency and high throughput, making them ideal for mission-critical production applications with high transaction rates and low-latency requirements, such as databases.

Answer 328

A

Answer:
Premium SSD v2.
Premium SSD v2 offers flexible performance with scalable IOPS and throughput, allowing for dynamic adjustment to handle workload spikes efficiently without sacrificing performance during normal operations.

Answer 329

A

Answer:
Premium SSD.
Premium SSDs are designed for production workloads that require high IOPS and throughput, making them ideal for OLTP systems and other performance-sensitive applications.

Answer 330

A

For extreme performance
Mission-critical databases (e.g., SQL Server, Oracle, high-end NoSQL databases).
High-performance, latency-sensitive applications such as financial systems.
Workloads requiring predictable, high throughput (e.g., large-scale OLTP).

Answer 331

A

high throughput and low latency,

Answer 332

A

Answer:
Premium SSD is the best option for this scenario. Premium SSDs provide high performance with up to 20,000 IOPS and 900 MBps of throughput, making them ideal for mission-critical applications requiring high transaction throughput and low latency.

Answer 333

A

Ultra Disk (1 - 160,999 IOPS) Extreme performance.
Premium Disk v2 (1 - 80,000 IOPS) Enterprise performance.
Premium Disk (1 - 20,000 IOPS) CRM.
Standard SSD Disk (1 - 6000 IOPS) Test/Dev .
Standard HDD Disk (1 - 2000 IOPS) Archive, backup.

Answer 334

A

Disks range from P1 - P40 and range from 120 - 2,048 GB and 120 - 7500 IOPS, and so does the throughput 25 - 250Mb/sec

Answer 335

A

S1 to S40

Answer 336

A

Standard HDD

Answer 337

A

Yes, because Standard HDD is lower preformance.

Answer 338

A

Standard HDD

Answer 339

A

10ms write, 20ms Read

Answer 340

A

Single digit ms

Answer 341

A

Premium Disk.

Answer 342

A

It will inherit DDOS protection from the vNET

Answer 343

A

Option A: You cna create the VM in an availability set across three zones and have the virtual disks as zone redundant; you can restart the VM if a zone fault occurs or use an automated script.
Option B: You can use site-to-site recovery and failover between zones.

Answer 344

A

Yes, Azure Firewall allows inspection of layer seven traffic and can block it.

Answer 345

A

No, it’s currently not supported.

Answer 346

A

You can configure it on a VM and have the VM disks replicated to another zone or region.

Answer 347

A

Use Azure Site Recovery (ASR) to configure regional failover, replicating the VM from East US to another region, such as West US. This ensures business continuity during regional outages.

Answer 348

A

Use Azure Site Recovery with VMware as the source to replicate your on-premises VMs to Azure. ASR provides automated failover and failback between on-premises VMware VMs and Azure.

Answer 349

A

Use Azure Site Recovery to replicate Hyper-V VMs from your on-premises environment to Azure, enabling disaster recovery for Hyper-V workloads with seamless failover and failback.

Answer 350

A

Ensure application consistency by using Application Consistent Snapshots in Azure Site Recovery. This ensures that data is consistent across application tiers during the failover process.

Answer 351

A

Use Azure Ultra Disk or Premium SSD with ZRS (Zone-Redundant Storage) replication. This ensures that the disks are replicated across multiple zones within the same region, providing high durability and availability for critical workloads.

Answer 352

A

Use Standard HDD and configure Azure Site Recovery for less critical VMs, setting up asynchronous replication to another region with longer recovery point objectives (RPO) to reduce costs.

Answer 353

A

Use Azure Site Recovery’s Test Failover feature to simulate a failover scenario without impacting your production environment. This creates a temporary failover to a different network for testing purposes.

Answer 354

A

Use Recovery Plans in Azure Site Recovery to orchestrate the failover of multiple VMs, configure dependencies, and define the recovery sequence for services across VMs and applications.

Answer 355

A

Use Zone-Redundant Storage (ZRS) for the VM’s managed disks. This ensures that data is replicated across multiple zones within the same region, providing protection against zone-level failures.

Answer 356

A

It installs an agent and replicates data from one VM to another. This could be from one of the supported vm environments like hyper-v or VMware to Azure.

Answer 357

A

Global service

Answer 358

A

Global service

Answer 359

A

Global service

Answer 360

A

Recovery Time Objective: The amount it takes to recover the solution.

Answer 361

A

Recovery Point Objective: RPO is the amount of data one could lose in a replication situation.

Answer 362

A

Yes, you can have parent child policies, like a global policy and then children policies for each region.

Answer 363

A

Azure Firewall supports IDS

Answer 364

A

Azure Firewall supports TLS inspections

Answer 365

A

Azure Firewall supports Threat intelligence

Answer 366

A

Azure Firewall supports integration with the Azure WAN Hub.

Answer 367

A

Use the parent (Global policies)

Answer 368

A

Front door, as it uses direct access

Answer 369

A

Traffic Manager

Answer 370

A

You need to enable multi-site or path-based routing.

Answer 371

A

DNS queries redirect

Answer 372

A

It’s used in layer seven when you route based on the URL path.

Answer 373

A

It is a layer seven LB and provides path based routing

Answer 374

A

No, multiple instances

Answer 375

A

C. A zonal service is a service that can be deployed to a specific availability zone (AZ) within a given region.

Answer 376

A

A. When using Traffic Manager, client traffic is proxied through Microsoft’s edge network.

Answer 377

A

D. WAFs protect against common web application vulnerabilities and exploits, such as SQL injection, cross-site scripting, and more. WAF can be deployed with Application Gateways, Azure Front Door, or even Azure CDN.

Answer 378

A

Azure Service Bus
Azure Storage Queues
Azurre Event Hub
Azure Event Grid
Azure Relay
Azurre SignalR
Azure Notification Hub

Answer 379

A

Azure Notification Hub is a good choice; it sends messages using the broadcast feature of Android, iOS, and Desktop apps.

Answer 380

A

In this scenario, Azure Queue Storage would be the best choice for the following reasons:

Asynchronous Processing: Since the backend tasks (inventory management, payment processing, shipping preparation) don’t need to happen in real-time and can be processed asynchronously, Azure Queue Storage is ideal. It allows for tasks to be queued and processed at a later time by backend services without blocking the customer’s checkout experience.

Decoupling Services: Azure Queue Storage helps decouple your e-commerce application from backend systems. This way, the main application doesn’t wait for the backend tasks to complete, allowing it to handle customer orders more efficiently.

No Complex Workflow or Ordering Requirements: There is no specific requirement for task ordering or advanced workflow capabilities in this scenario, which makes the simplicity of Azure Queue Storage a good fit compared to more complex services like Azure Service Bus.

Scalability and Cost-Effectiveness: Azure Queue Storage is highly scalable and cost-effective, especially for simple scenarios where tasks just need to be queued and processed later. It supports large volumes of messages at a low cost, which is suitable for handling the potentially high number of orders in an e-commerce platform.

Simplicity: Since there are no complex messaging patterns like pub/sub or guaranteed message ordering, Azure Queue Storage’s simplicity makes it easier to implement and manage for this type of application.

Would you like further clarification or more detailed information on how to implement this solution?

Answer 381

A

In this scenario, Azure Event Grid is the ideal choice for the following reasons:

Event-Driven Architecture:
Azure Event Grid is designed for event-driven architectures where events need to trigger responses in multiple services. In this case, events from the IoT sensors (such as location updates, engine status, or fuel levels) need to notify multiple subscribers (real-time dashboard, notification service, analytics service).
Event Grid allows each component to subscribe to specific types of events without being tightly coupled to the event producers (the IoT devices), creating a scalable and flexible event-driven system.
Fan-out to Multiple Services:
In this scenario, multiple systems need to react to the same event (location updates, engine status). Azure Event Grid supports the fan-out pattern, which allows a single event (e.g., truck location update) to trigger actions across multiple systems, such as:
Updating the real-time dashboard.
Sending notifications through the notification service if a critical event is detected.
Storing the event in the analytics service for further processing and optimization.
This ability to broadcast an event to many services simultaneously makes Event Grid a perfect fit.
Real-Time Event Handling:
Azure Event Grid is designed to handle real-time event distribution with low latency, ensuring that the dashboard, notification service, and analytics receive and process events almost instantaneously.
This is critical for a logistics system where real-time tracking and monitoring are essential for operational efficiency and quick decision-making.
Dynamic Event Subscription:
Different components of the system may be interested in different events (e.g., the real-time dashboard may only care about location updates, while the notification service is interested in critical events like maintenance alerts). Azure Event Grid allows for dynamic filtering and routing of events based on event types, ensuring that each service only processes the events that matter to it.
This flexibility simplifies the architecture and reduces unnecessary event handling by unrelated services.
Scalability:
Azure Event Grid is highly scalable and can handle millions of events per second, making it ideal for this scenario where thousands of trucks with IoT sensors generate a high volume of events. As the number of trucks grows, the system can scale automatically without any significant changes to the architecture.
Serverless Integration:
Event Grid integrates seamlessly with other Azure services such as Azure Functions, Logic Apps, and Azure Stream Analytics, enabling the company to build serverless workflows and analytics pipelines. For example:
Azure Functions can be triggered by events from Event Grid to handle real-time notifications or data transformation.
Logic Apps can be used to automate workflows based on events.
Why Not Use Other Services?
Azure Queue Storage: This service is better suited for simple message queuing and asynchronous task processing but does not support event fan-out or real-time event handling. It also requires polling to retrieve messages, which adds unnecessary complexity to a real-time system.

Azure Service Bus: While Service Bus supports more complex messaging workflows and guarantees message delivery, it is more suited for scenarios where messages must be processed in a specific order or transactionally. It’s not ideal for high-volume, real-time event broadcasting as required in this scenario.

Azure Event Hubs: Event Hubs is primarily designed for ingesting large streams of telemetry or log data but does not provide the event routing and subscription capabilities of Event Grid. Event Hubs would be better for scenarios focused purely on high-throughput data ingestion and processing, rather than multi-subscriber event handling.

Answer 382

A

Use Azure Event Grid to subscribe to Blob Storage events and route them to the appropriate services. Event Grid enables event-driven architecture with high scalability, ensuring that multiple services can respond to events without polling.

Answer 383

A

Azure Event Grid is the ideal Azure service to help you decouple these services and provide reliable event routing.

Azure Event Grid is designed for event-based architectures and supports a highly scalable, serverless event routing mechanism. It enables you to connect and decouple your microservices by:

Allowing each function to subscribe to events (like when a new order is placed).
Routing events to all relevant services in a reliable and scalable manner.
Ensuring services can respond to the events without being tightly coupled to the event source, which enhances flexibility and maintainability.

In your use case, Azure Event Grid would publish the event (new order) and route it to all subscribed Azure Functions, ensuring that each service is notified and can process the event independently.

Answer 384

A

Use Azure Event Grid to monitor Azure Resource Manager (ARM) events, such as the creation of a new subscription. Event Grid triggers workflows in response to these events, allowing for automated provisioning and resource management.

Answer 385

A

Azure Event Hubs is a native data-streaming service
Can stream millions of events per second, with low latency
From any source to any destination
Compatible with Apache Kafka, no need to change any code.

Answer 386

A

Data producers
Azure Event Hubs EndPoint (HTTPs API, AMQP, Kafka)
Namespace
Shards
4, Consumers

Answer 387

A

Register the application with Azure Entra ID and have the application use OAUTH to have the user login

Answer 388

A

OAuth (Open Authorization) is a standard for granting access to resources without sharing credentials. In Azure Entra ID, it allows apps to access resources on behalf of users through access tokens, while protecting user credentials.

Answer 389

A

Delegated permissions allow an application to act on behalf of a signed-in user. The app uses the user’s credentials and accesses resources with the permissions granted to the user, subject to the consent of the user or an administrator.

Answer 390

A

In Azure Entra ID, when an application requests delegated permissions, the user or admin must provide consent, allowing the app to access resources on their behalf. The user is presented with a consent prompt outlining what data the app will access.

Answer 391

A

The two main OAuth token types are Access Tokens, which are used to access APIs or resources, and Refresh Tokens, which allow the app to obtain a new access token without requiring the user to log in again.

Answer 392

A

OAuth with delegated permissions is typically used when an application needs to access APIs or resources on behalf of a user, such as accessing their mail, calendar, or files in Microsoft Graph, while respecting the user’s consent and security settings.

Answer 393

A

Answer: The developer should use the Authorization Code flow with Delegated permissions. Delegated permissions allow the app to act on behalf of the user after they sign in.

Explanation: The Authorization Code flow is the standard OAuth 2.0 flow for apps that need access to resources on behalf of a user. Delegated permissions are used when the app requires access to user-specific resources while the user is actively involved.

Answer 394

A

Answer: The app should use the Client Credentials flow with Application permissions, as it doesn’t rely on user interaction and acts independently.

Explanation: The Client Credentials flow is ideal for server-to-server communication where no user is involved. Application permissions allow the app to act as itself, not on behalf of a user, making it suitable for background services.

Answer 395

A

Answer: The app should request Delegated permissions through OAuth. The user’s consent will determine the access, and the app will only have permissions as long as the user grants them.
Explanation: Delegated permissions are used when the user is actively involved in granting access, ensuring that the app only accesses resources within the user’s consent scope.

Answer 396

A

Answer: The platform should implement the Authorization Code flow with Delegated permissions. Access is granted only while the user is actively using the app.

Explanation: The Authorization Code flow is ideal when an app acts on behalf of a user. Delegated permissions ensure that access is limited to the user’s consent and is active only when the user is involved in the app.

Answer 397

A

Answer: The admin should grant Application permissions. This allows the tool to act independently of any user context and access data for all users across the organization.

Explanation: Application permissions are used when apps need wide-reaching access to data that is not user-specific. This allows the app to operate autonomously without requiring user consent for each access.

Answer 398

A

They are used when an application accesses API and form part of the permissions thet need to be granted on behalf of the user.

Answer 399

A

Delegated permissions are when a user consents to the requested permissions required by the application as part of the OAutrth process.

Application permissions are applied to the application

Answer 400

A

These are permissions given by an admin to the application to call the API

Answer 401

A

Securely store and manage sensitive information like secrets, encryption keys, and certificates.

Answer 402

A

Azure Key Vault stores API keys, passwords, connection strings, and other sensitive information.

Answer 403

A

Secrets: Store sensitive information like passwords and API keys.
Keys: Store encryption keys used for cryptographic operations like encryption and decryption.
Certificates: Manage SSL/TLS certificates used for secure communications.

Answer 404

A

Azure Key Vault supports software-protected keys and hardware security module (HSM)-protected keys.

Answer 405

A

Azure Key Vault integrates with Azure AD to authenticate users and applications using role-based access control (RBAC) to manage permissions.

Answer 406

A

Azure Key Vault encrypts stored data using keys that can be either software-protected or HSM-protected, ensuring compliance with security standards.

Answer 407

A

Azure Key Vault is used in cloud applications to securely store sensitive configuration data, such as connection strings, API keys, and credentials, keeping them out of source code.

Answer 408

A

Azure Key Vault provides activity logs for all operations, helping organizations meet compliance requirements and perform security audits.

Answer 409

A

Azure-managed identities allow applications to authenticate to Azure Key Vault without storing credentials, improving security.

Answer 410

A

A: HSM-backed keys provide a higher level of security, ensuring that encryption keys are stored in hardware, which meets strict compliance requirements for some industries.

Answer 411

A

Azure Key Vault can store and manage SSL/TLS certificates, automatically renewing them and ensuring secure communication for applications and services.

Answer 412

A

The Secrets Client Library provides a programmatic interface for accessing, storing, and managing secrets in Azure Key Vault from applications.

Answer 413

A

You would use Azure Key Vault to securely store and retrieve API keys, database connection strings, or other sensitive data needed by cloud applications.

Answer 414

A

Integrating Azure Key Vault with Azure DevOps enables secure storage and access to secrets during the CI/CD pipeline without hardcoding sensitive data into build scripts.

Answer 415

A

By centralizing secret storage and using RBAC and Azure AD for authentication, Azure Key Vault reduces the risk of application secret exposure by avoiding hardcoded secrets.

Answer 416

A

Secrets
key
Certs

Answer 417

A

It is how keys are encrypted and stored in memory and on disk rather than an HSM.

Answer 418

A

Azure Key Vault offers two tiers with different levels of FIPS (Federal Information Processing Standards) compliance:

- Standard Tier: This tier provides software-protected keys and is compliant with FIPS 140-2 Level 1.

- Premium Tier: This tier offers hardware security module (HSM)-protected keys, achieving FIPS 140-2 Level 3 compliance.

Therefore, the software-protected storage in Azure Key Vault’s Standard Tier is FIPS 140-2 Level 1 compliant.

Answer 419

A

No, only software-protected storage.

Answer 420

A

Premium plan, as it used HSM and is FIPS compliant.

Answer 421

A

Certificate Storage: Azure Key Vault can securely store SSL/TLS certificates, along with their private keys, ensuring that they are protected and easily accessible when needed.

Lifecycle Management: Azure Key Vault simplifies managing the entire lifecycle of a certificate, including creation, renewal, and expiration notifications. You can automate much of this process to reduce the manual effort required for managing certificates.

Issuance and Renewal: Key Vault integrates with trusted certificate authorities (CAs) such as DigiCert, GlobalSign, or your own custom CA, enabling the issuance and renewal of certificates directly within Key Vault.

Access Control: Role-based access control (RBAC) is applied to manage who can read, create, delete, or update certificates, ensuring only authorized users or applications can access the certificates.

Policy Enforcement: You can define policies for certificate management, such as renewal periods and notifications before expiration. Key Vault will follow these policies and can send alerts before a certificate expires.

Answer 422

A

Azure Key Vault has RBAC on the data plane.

Answer 423

A

Yes, 100% it is a regional service.

Answer 424

A

No, the critical vault has the option to retail deleted items for a period.

Answer 425

A

Vault access policy
Azure RBAC

Answer 426

A

Vault access policies enforce access at the vault level, compared to Azure RBAC, which has tighter control and can lock things to individual keys, certs or passwords

Answer 427

A

User-assigned and System-assigned

Answer 428

A

Managed identities are assigned to Azure resources, and the platform manages authentication.

Answer 429

A

This is where the SQL client encrypts the data, and it’s encrypted for transit and also at rest.

Answer 430

A

Azure SQL Database uses the latest SQL engine, and since you can tailor your code to the database’s requirements, this is your best option.

Answer 431

A

For the standard tier, the datbase is deployed in a single data center (AZ) in a given region; availability is achieved through local redundancy within the same data center. It does not span availability zones.

Answer 432

A

Select to use ge-redundancy backup storage

Answer 433

A

Azure Blob Storage
Azure File Storage
Azure Tables and Queues

Answer 434

A

Local Redundant storage (LRS)
Zone Redundant Storage (ZRS)
Global Redundant Storage (GRS)
Geo Zone Redundant Storage (GZRS)

Answer 435

A

LRS with Blob storage.

Answer 436

A

GZRS storage is Geo Zone Redundant Storage, offering both zone redundant and geo-replicated storage.

Answer 437

A

Block Blob Storage

Answer 438

A

Azure Page

Answer 439

A

Append Blob

Answer 440

A

Block Blob (Suited for large files such as media)

Answer 441

A

For uploading large files, block blob allows uploading chunks of data.

Answer 442

A

Azure Append Storage is great for logging operations, allowing data to be appended to the end of the blob.

Answer 443

A

Blob Block (Uploading large files)
Blob Append (Good for logs)
Blob Page (Good for frequent updates)

Answer 444

A

Built on top of Azure Blob Storage.
Designed for big data analytics and hierarchical data management.
Hierarchical namespace: Allows directories and file structures similar to a file system, making file organization and data analytics more efficient.
Optimized for Hadoop Distributed File System (HDFS): Seamless integration with analytics frameworks like Hadoop, Spark, and Azure Synapse Analytics.
Performance: Lower-cost operations for file-based workloads and higher throughput for batch processing or massive file ingestion.

Answer 445

A

A minimum of three copies of data is stored within a single data center (Zone)

Answer 446

A

In Azure, DNS is used as follows:

Blob service name is account name + the Microsoft domain HTTPS://myacc/blob.core.qwindows.net
Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.blob.core.qwindows.net
Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting/blob.core.qwindows.net

And you also get secondary endpoints.

And for file

Blob service name is account name + the Microsoft domain HTTPS://myacc/file.core.qwindows.net
Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.file.core.qwindows.net
Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.file.core.qwindows.net
and for table

And for table

Blob service name is account name + the Microsoft domain HTTPS://myacc/table.core.qwindows.net
Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.table.core.qwindows.net
Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.table.core.qwindows.net
, and for table

And for queue

Blob service name is account name + the Microsoft domain HTTPS://myacc/queue.core.qwindows.net
Internet service name is account name + the Microsoft domain HTTPS://myacc.internetrouting.queue.core.qwindows.net
Microsoft network service name is the account name + the Microsoft domain HTTPS://myacc/microsoftrouting.queue.core.qwindows.net
, and for table

Answer 447

A

Blob
Table
Queue
File

Answer 448

A

Synchronous (within a region) (stream layer)
Async (To another region) (partition layer)

Answer 449

A

Three copies are created in the secondary regions.

Answer 450

A

It is regional, but it will depend on the configuration if it is LRS or ZRS. You can also have GRS make an async copy of the data to another region, where three copies will be created.

Answer 451

A

Premium storage
Limited to Page Blob, File Share, Page Blob.

Answer 452

A

1, Azure Blob
2. Azure File
3. Azure Page

Answer 453

A

The durability is :
11x9 for LRS
12 x 9 for ZRS
16 x 9 for GRS

Answer 454

A

It is four nines

Answer 455

A

Three copies of the data in a single availability zone in a region

Answer 456

A

In three separate availability zones in a single region

Answer 457

A

Three copies in a single availability zone in a single region + three copies in a separate zone.

Answer 458

A

In three separate availability zones in a single region + In three in single availability zones in a secondary region

Answer 459

A

The replication is at the Storage account level. Meaning Blob, Table and Queues are all replicated. But you can also replicate Blob Block Objects individually

Answer 460

A

GRS for Azure Files replicates the entire storage account’s file shares

Answer 461

A

Using Azure Storage Block Blob Replication Policies (container and prefixes)

Answer 462

A

Data plan.
Management plane.

Answer 463

A

Two account keys
Azure Entra ID
Shared Access Signature (SAS)

Answer 464

A

Hot (Access data often) (More to store, less to access)
Cold (Store data and access infrequent) (less to store and more to access)
Archive (archive data and do not access it seldom) (a lot less to store and expensive to access)

Answer 465

A

No, it is the cost of the storage

Answer 466

A

Performance is based on storage size; more storage capacity, more performance.

Answer 467

A

Yes, you are paying intr region transfer per GB of data.

Answer 468

A

Azure Table storage is a NoSQL datastore that allows you to store large amounts of structured, non-relational data, which can be accessed quickly and affordably using key/attribute pairs.

Answer 469

A

Yes, but no-relation.

Answer 470

A

Azure Table Storage is typically used for scenarios requiring:

Highly scalable.
Structured data storage.
Such as logging dat.
User information storage.
Applications needing fast access.

Answer 471

A

Entity is made up of:

Partation Key : value (you supply the value)
Row key: value (you supply the value)
3: and any numbers of properties thet are key and value and you provide both key and value

Answer 472

A

Data is organized into tables
Each table contains entities.
Entities comprise key/value, pairs (properties) with a primary key, consisting of a PartitionKey and a RowKey to ensure uniqueness.

Answer 473

A

The two key properties are PartitionKey and RowKey. Together, these properties uniquely identify an entity within a table.

Answer 474

A

Azure Table storage uses geo-redundant storage (GRS) to replicate data to a secondary region, ensuring availability in case of a regional failure.

Answer 475

A

Data in Azure Table storage can be queried using OData (Open Data Protocol) with LINQ or REST API calls, filtering on PartitionKey and RowKey for efficient lookups.

Answer 476

A

Azure Table storage provides strong consistency within a partition but only eventual consistency across partitions. This means updates within a partition are immediately visible, but updates across partitions may take time to propagate.

Answer 477

A

The maximum size of a single entity (row) in Azure Table storage is 1 MB.

Answer 478

A

Azure Table storage supports batch transactions, but only within the same partition (same PartitionKey). This allows multiple operations to be executed atomically.

Answer 479

A

Azure Table storage offers the following replication options: Locally Redundant Storage (LRS), Zone-Redundant Storage (ZRS), Geo-Redundant Storage (GRS), and Read-Access Geo-Redundant Storage (RA-GRS).

Answer 480

A

Hierarchical Namespace

Answer 481

A

Azure Storage with SFTP enabled and alos hierarchical namespace

Answer 482

A

It is a administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources. It can contain

Answer 483

A

Users
Groups
Devices.

Answer 484

A

Azure Data Factory is a cloud-based data integration service.
It enables you to create data-driven workflows to orchestrate and automate data movement and transformation.

Answer 485

A