AZ-304 Flashcards
Your company has an Azure subscription linked to an Azure AD tenant. The subscription has resources used by several departments, and each department has its own budget for Azure spending.
You have to ensure that as soon as a department reaches its spending limit, that department's compute resources are automatically shut down. You decide to include Azure Logic Apps and Azure Monitor alerts in the solution. Does this meet the goal?
No. Azure Monitor alerts fire on metrics, logs and activity-log events, not on billing. Use an Azure Cost Management budget: a budget notification (e.g. at 100% of the amount) invokes an action group, and the action group calls a Logic App (or an Automation runbook) that deallocates the department's VMs.
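The budget-to-shutdown chain described above, as an added example written for this page (not taken from the flashcards or from Microsoft's samples). It uses Az module cmdlets (Az.Monitor 4.x names for the action group receiver); the resource group, Logic App name, tag scheme and budget amount are placeholders, and the Logic App is assumed to already exist with an HTTP ("manual") trigger.

```powershell
# Added example: Cost Management budget -> action group -> Logic App -> tag-scoped VM deallocation.
# Placeholders: resource group, Logic App, 'department' tag, amount. Requires Connect-AzAccount first.

$rg       = 'rg-finance'             # resource group holding the department's VMs (placeholder)
$dept     = 'Finance'                # value of the assumed 'department' tag
$logicApp = Get-AzLogicApp -ResourceGroupName $rg -Name 'la-shutdown-finance'
$callback = (Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $rg -Name $logicApp.Name -TriggerName 'manual').Value

# 1. Action group whose only receiver is the Logic App's HTTP trigger.
$receiver = New-AzActionGroupReceiver -Name 'shutdown-logicapp' -LogicAppReceiver `
              -ResourceId $logicApp.Id -CallbackUrl $callback
$ag = Set-AzActionGroup -ResourceGroupName $rg -Name 'ag-finance-budget' `
        -ShortName 'finbudget' -Receiver $receiver

# 2. Monthly cost budget. Budgets are evaluated by Cost Management (not Azure Monitor);
#    when actual spend crosses 100% of the amount the notification calls the action group.
$start = (Get-Date -Day 1).Date      # budgets must start on the first day of a month
New-AzConsumptionBudget -ResourceGroupName $rg -Name 'budget-finance' `
    -Amount 5000 -Category Cost -TimeGrain Monthly `
    -StartDate $start -EndDate $start.AddYears(1) `
    -ContactGroup $ag.Id -NotificationKey 'hard-limit' -NotificationThreshold 100 -NotificationEnabled

# 3. What the Logic App (or the runbook it calls) does: deallocate every running VM
#    tagged for the department. Deallocate, not just stop, so compute charges actually stop.
function Stop-DepartmentVm {
    param([string]$ResourceGroup, [string]$Department)
    Get-AzVM -ResourceGroupName $ResourceGroup -Status |
        Where-Object { $_.Tags['department'] -eq $Department -and $_.PowerState -eq 'VM running' } |
        ForEach-Object {
            Stop-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name -Force -NoWait
        }
}
Stop-DepartmentVm -ResourceGroup $rg -Department $dept
```

Budget evaluation runs on Cost Management's schedule (roughly every few hours), so "as soon as" in the requirement is bounded by that latency rather than by the alert pipeline.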
What is used to monitor connection health with ADFS?
AAD Connect Health
How can Key Vault be backed up/restored?
Keys, secrets and certificates are backed up individually as encrypted blobs (Backup-AzKeyVaultKey/Secret/Certificate or az keyvault ... backup); a backup can only be restored into a vault in the same Azure geography and the same subscription.
Hyper-V Cluster with 20 VMs (Linux and Windows). What solution is used to replicate disks of VMs to Azure while the VMs remain available when disk migration is in progress?
Azure Site Recovery (ASR) with a Recovery Services vault - replication runs while the VMs stay online, so workloads remain available during planned and unplanned changes
Site Recovery replicates workloads on physical servers and VMs from a primary site to a secondary site (Azure)
Hyper-V failover clusters; plan to assess/migrate VMs using Azure Migrate. What is the minimum # of ASR providers/agents needed with 18 Hyper-V nodes in 3 clusters hosting 60 VMs?
18 - the Azure Site Recovery Provider and Recovery Services agent are installed on every Hyper-V host, i.e. on each node of each cluster, so the count follows the nodes, not the clusters or the VMs
Availability solution for Web Tier of Apps when moved to Azure (handles region failure and can use priority routing)
Traffic Manager
Basic and Standard Load Balancer and Application Gateway are regional resources and cannot fail traffic over to another region
When configuring API Management, will it be able to access data from an Azure VM?
Yes, when the APIM instance is deployed into a VNet in External mode: the gateway gets a public endpoint reachable from the Internet and can reach resources inside the VNet (such as the VM). Internal mode exposes the gateway only inside the VNet.
App using Azure Cloud Services, recommend a solution that allows to asynchronously communicate transaction info with REST messages
Azure Queue Storage - decouples components of an app
Ensure DB columns are encrypted at rest and data values never appear in plain text in the DB, and only client apps hold the encryption key to decrypt data
SQL Always Encrypted - the column encryption keys are protected by a column master key held on the client side, so the database engine never sees plaintext
Need to run image rendering solution in Azure and use parallel compute processing
Azure Batch - run large-scale parallel and high-perf computing batch processing jobs
Container solution with 2 containers: one hosts a web API available to the Internet, the other performs health monitoring of the web API container but is private; both need to be deployed as a group
Azure Container Instances - deploys containers as a group (shared lifecycle, local network, only the web API port published) and is the cheaper, simpler option; AKS is not cost-efficient for a single small workload
Secure connection from on-prem to Azure over private network and ensure connection offers redundant pair for HA
Azure Express Route
VPN Gateway tunnels (IPsec/IKE) run over the public Internet, not a private network; an ExpressRoute circuit is provisioned as a redundant pair of connections by design
App hosted in multiple regions; need a data storage solution that can store at least 1 TB of data, supports multiple consistency levels and performs R/W operations in the Azure region local to each app instance
Cosmos DB - supports global distribution, replicates data to the regions where users are so each instance reads/writes against the closest replica, regions can be added/removed at any time. Supports 5 consistency levels: Strong, Bounded Staleness, Session, Consistent Prefix, Eventual
AKS Apps in 2 different regions hosted on clusters requires the following:
App availability if a single AKS cluster fails
Connection traffic over Internet is encrypted using SSL
Do not need SSL configured on each container instance
Azure Front Door -
App-based global traffic manager
Supports SSL termination instead of in app backends
Supports routing traffic to different clusters
Deploying apps in diff environments without a need of installing dependencies and app developers can have flexibility when architecting code
AKS -
Best accomplished by container based apps that can be deployed to AKS
App needs to listen and process events that are emitted from other Azure Services
Event Grid -
Build apps with event-based architectures
Select Azure resource to subscribe, give the event handler or WebHook endpoint to send event to
Supports events from Azure services such as storage blobs and RG
Supports Custom Topics
Import an on-prem SQL Server database to Azure SQL; what is best used, and which storage type and tier?
Export the database to a BACPAC file, upload it to Azure Blob Storage (standard storage only; premium storage accounts are not supported for import) and import it from there
Messaging requirements to send/receive messages based on FIFO message pattern
Azure Service Bus (Queues)
Messaging Requirements to receive and process millions of messages at a time
Event Hubs
Big data streaming platform and event ingestion service
Can receive and process millions of events per second
Event Hub
# of Hyper-V VMs supported by 1 Azure Migrate appliance
5000 (across up to 300 Hyper-V hosts)
Plan and assess a Hyper-V cluster migration with Azure Migrate; what is the minimum # of Azure Migrate appliances required with 3 clusters (10, 30 and 30 VMs across the 3 clusters)?
1 - a single appliance discovers and assesses VMs on multiple hosts and clusters (up to 300 hosts / 5000 VMs), so 70 VMs on 3 clusters fit in one appliance
Migration of on-prem MSSQL requires a solution to host the existing SQL Server Integration Services Package
ADF
Azure SSIS Integration Runtime is a component of ADF
SQL Server storage requirements for backups that are the lowest-cost storage option; which storage not to use and where to place it
Standard managed disk
Should NOT use geo-redundant storage; place it in the same region/DC as the SQL Server VMs to reduce transfer delays
VM that will host SQL Server has 2 data disks, one for log files and the other for data files; recommend a host caching policy for the log-file disk
None - do NOT enable host caching on disks hosting log files (the data-file disk uses ReadOnly caching)
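The disk layout from the three storage cards above (data disk with ReadOnly cache, log disk with no cache, cheapest Standard disk for backups in the same region), as an added example written for this page rather than code from the flashcards. It uses Az.Compute cmdlets; the VM, disk names and sizes are placeholders and the VM is assumed to already exist.

```powershell
# Added example: attach SQL Server data/log/backup disks with the caching and SKU each one needs.
# Placeholders: resource group, VM name, disk names and sizes. Requires Connect-AzAccount first.
$rg = 'rg-sql'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-sql01'

# Data files: premium disk with ReadOnly host cache (random reads served from the host cache).
$vm = Add-AzVMDataDisk -VM $vm -Name 'vm-sql01-data' -Lun 0 -CreateOption Empty `
        -DiskSizeInGB 1024 -StorageAccountType Premium_LRS -Caching ReadOnly

# Log files: premium disk with NO host cache; the log is sequential writes and must hit durable storage.
$vm = Add-AzVMDataDisk -VM $vm -Name 'vm-sql01-log' -Lun 1 -CreateOption Empty `
        -DiskSizeInGB 512 -StorageAccountType Premium_LRS -Caching None

# Backups: cheapest option, Standard_LRS managed disk in the same region as the VM
# (the disk inherits the VM's region; no geo-redundant SKU is involved).
$vm = Add-AzVMDataDisk -VM $vm -Name 'vm-sql01-backup' -Lun 2 -CreateOption Empty `
        -DiskSizeInGB 2048 -StorageAccountType Standard_LRS -Caching None

Update-AzVM -ResourceGroupName $rg -VM $vm

# Check: confirm the caching policy and SKU actually applied per LUN.
(Get-AzVM -ResourceGroupName $rg -Name 'vm-sql01').StorageProfile.DataDisks |
    Select-Object Lun, Name, Caching, @{n='Sku'; e={ $_.ManagedDisk.StorageAccountType }}
```

Changing the caching setting on an attached disk later (Set-AzVMDataDisk -Caching) is possible but detaches and reattaches the disk, so decide the policy before the database goes live.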
New Azure Web App using a blob storage account for static content with a large # of JS and CSS files; users of the web app are global and individual load times must be minimized. What service to use?
Azure CDN
Caches and delivers web content from edge locations close to users worldwide
# of IP addresses reserved by Azure within each subnet
5 - the network address, the first 3 usable addresses (reserved for Azure services) and the broadcast address
1 Root Mgmt Group
5 Child Mgmt Groups
5 Subscriptions within each Mgmt Group
Need to minimize the # of blueprint definitions and assignments; where is the blueprint defined and assigned?
Define the blueprint at the root management group: one definition is then assignable to every child management group and subscription, which minimizes the number of definitions and assignments
Authentication of a web app via AAD; the app is accessed by company users from the Internet on Windows 10 computers joined to AAD.
Need to ensure users reach the app without being prompted for authentication, and only from company-owned computers. What to use?
Register the app in Azure AD (App Registration) so it authenticates users against the tenant, and add a Conditional Access policy that grants the app only from Azure AD-joined/compliant devices. Users on AAD-joined Windows 10 devices already hold a Primary Refresh Token, so Azure AD issues tokens for the app without a password prompt.
What restricts access to devices that are AAD joined?
A Conditional Access policy with a device-based grant control, scoped to the app registration; the registration by itself does not restrict devices
What allows access from one Azure service to another?
Managed Identity
What is used to secure remote access to on-prem web apps?
AAD App Proxy
Azure subscription with multiple RGs; need to design a resource governance solution with the following requirements:
- ExpressRoute resources are created in a specific RG
- Creation of ExpressRoute resources is delegated to an AAD group
- Principle of least privilege
What is needed for requirement 2?
A custom RBAC role containing only the ExpressRoute actions, assigned to the AAD group at the scope of that RG - the group can create ExpressRoute resources there and nowhere else, with no broader permissions
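The least-privilege custom role from the card above, as an added example written for this page rather than code from the flashcards. It uses Az.Resources cmdlets; the resource group, group name and role name are placeholders, and the action set is limited to ExpressRoute circuits plus the deployment/read actions the portal and ARM need.

```powershell
# Added example: custom role that can create ExpressRoute circuits only in one RG, assigned to an AAD group.
# Placeholders: resource group, AAD group display name, role name. Requires Connect-AzAccount first.
$rg    = Get-AzResourceGroup -Name 'rg-connectivity'
$group = Get-AzADGroup -DisplayName 'ER-Operators'

# Discover the exact provider operations rather than guessing at wildcards.
Get-AzProviderOperation 'Microsoft.Network/expressRoute*' |
    Select-Object Operation, OperationName | Format-Table -AutoSize

# Clone a built-in definition as a template, then replace everything that matters.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id = $null                  # null Id => New-AzRoleDefinition creates a new role
$role.IsCustom = $true
$role.Name = 'ExpressRoute Circuit Creator'
$role.Description = 'Create and manage ExpressRoute circuits in rg-connectivity only'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Network/expressRouteCircuits/*')            # circuits and their sub-resources
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read') # see the RG
$role.Actions.Add('Microsoft.Resources/deployments/*')                    # portal/ARM template deployments
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rg.ResourceId)                                # cannot be assigned anywhere wider
New-AzRoleDefinition -Role $role

# Assign at RG scope, to the group, never to individual users.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name `
    -ResourceGroupName $rg.ResourceGroupName

# Check: the group holds this role at the RG scope only.
Get-AzRoleAssignment -ObjectId $group.Id | Select-Object RoleDefinitionName, Scope
```

Restricting AssignableScopes to the RG is the part that enforces requirement 1 as well as 3: even a subscription Owner cannot assign this role at subscription scope.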
On-prem network with AD domain and recently purchased AAD tenant. Want to sync users from on-prem to AAD and enable SSO for the users as well, what will fulfill this requirement?
AAD Connect
What is used to protect an Azure SQL DB connection string and allow access to it only at app runtime?
Azure Key Vault - store the connection string as a secret and let the app read it at runtime with its managed identity (or a Key Vault reference in App Service)
Azure subscription with several RGs. A resource group named group1 contains critical resources. A user named admin1 is Owner of the subscription. Need to prevent admin1 from modifying resources in group1 while still allowing admin1 to modify resources in other RGs.
Assign an Azure Blueprint with a resource lock (Read Only) covering group1. Azure RBAC has no deny role, and an Owner can undo any role assignment; the blueprint lock creates a deny assignment that blocks writes even for Owners, and leaves the other RGs untouched.
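The blueprint-lock approach from the card above, as an added example written for this page (not the flashcards' own material). It uses the Az.Blueprint module; the blueprint and assignment names, region and the group1 resource group are placeholders, and the blueprint is assumed to be published and to deploy the group1 resource group.

```powershell
# Added example: assign a published blueprint with a read-only lock, then verify the deny assignment.
# Placeholders: blueprint name, assignment name, location, RG name. Requires the Az.Blueprint module.
$subId = (Get-AzContext).Subscription.Id
$bp    = Get-AzBlueprint -SubscriptionId $subId -Name 'critical-rg-baseline' -LatestPublished

# AllResourcesReadOnly: resources deployed by the blueprint cannot be modified or deleted,
# regardless of RBAC role. The assignment's managed identity is the only principal excluded.
New-AzBlueprintAssignment -Name 'assign-critical-rg' -Blueprint $bp -SubscriptionId $subId `
    -Location 'westeurope' -Lock AllResourcesReadOnly -SystemAssignedIdentity

# Check 1: Azure created a deny assignment on group1 (you cannot create one yourself).
$rg = Get-AzResourceGroup -Name 'group1'
Get-AzDenyAssignment -Scope $rg.ResourceId |
    Select-Object DenyAssignmentName, IsSystemProtected, Actions, Principals, ExcludePrincipals |
    Format-List

# Check 2 (run as admin1, the subscription Owner): a write to group1 must fail with a
# deny-assignment error, while the same write to any other RG still succeeds.
try   { Set-AzResourceGroup -Name 'group1' -Tag @{ probe = 'deny-check' } -ErrorAction Stop }
catch { $_.Exception.Message }
```

Because the lock applies only to resources the blueprint deployed, anything created in group1 outside the blueprint stays writable; a practitioner checks Get-AzDenyAssignment output rather than assuming the whole RG is covered.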
Minimum # of custom domains required to add to Azure?
1
An AAD user assigned the User Administrator role can change the Job Info attributes of which users?
Users created in AAD and Microsoft-account guest users; NOT users synced from on-prem AD, because those attributes are mastered on-prem and read-only in the cloud
An AAD user assigned the User Administrator role can change the Authentication Contact Info attributes of which users?
Cloud-created users and synced users alike: authentication contact info (authentication phone/email used for MFA and SSPR) is stored only in Azure AD and is never written from on-prem, so it is editable for every user type
What does Azure AD P2 Privileged Identity Management (PIM) provide?
Just-in-time, time-bound role activation; approval workflows; enforced MFA on activation; justification; notifications; access reviews; audit history
Sync on-prem to AAD, enable SSO and keep all authentication on-prem
Set up AD FS (federation) and sync identities with Azure AD Connect
Federated sign-in ensures all authentication occurs on-prem against AD; Azure AD only receives the token (with PHS or PTA, Azure AD itself performs or brokers the sign-in)
What is used to restrict access to Key Vault?
Azure RBAC for the management plane, and access policies or the RBAC permission model (e.g. Key Vault Secrets User) for the data plane, combined with the vault firewall / private endpoints to limit where calls can come from
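Locking down a vault on both planes, and the backup/restore operation from the Key Vault card earlier on this page, as one added example written for this page (not code from the flashcards). It uses Az.KeyVault and Az.Resources cmdlets; the vault names, app service principal, admin IP (a TEST-NET-3 address) and secret name are placeholders, and the DR vault is assumed to be in the same geography and subscription.

```powershell
# Added example: Key Vault with RBAC data-plane permissions, default-deny network rules, and a secret backup.
# Placeholders: RG, vault names, app display name, admin IP, secret name. Requires Connect-AzAccount first.
$rg = 'rg-security'; $kv = 'kv-contoso-prod'; $adminIp = '203.0.113.10'

# Data plane: switch from legacy access policies to the Azure RBAC permission model.
Update-AzKeyVault -ResourceGroupName $rg -VaultName $kv -EnableRbacAuthorization $true
$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $kv

# The app's identity gets read access to secrets only: no keys, no certificates, no writes.
$app = Get-AzADServicePrincipal -DisplayName 'app-orders'
New-AzRoleAssignment -ObjectId $app.Id -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId

# Network: deny by default, allow one admin address plus trusted Microsoft services.
Update-AzKeyVaultNetworkRuleSet -ResourceGroupName $rg -VaultName $kv `
    -DefaultAction Deny -Bypass AzureServices -IpAddressRange "$adminIp/32"

# Backup: the secret is exported as an encrypted blob that only Key Vault can decrypt.
Backup-AzKeyVaultSecret -VaultName $kv -Name 'OrdersDbConnectionString' `
    -OutputFile './OrdersDbConnectionString.blob' -Force

# Restore into the DR vault: succeeds only if that vault is in the same geography AND subscription.
Restore-AzKeyVaultSecret -VaultName 'kv-contoso-dr' -InputFile './OrdersDbConnectionString.blob'

# Check: network rules and the single RBAC assignment on the vault.
(Get-AzKeyVault -ResourceGroupName $rg -VaultName $kv).NetworkAcls
Get-AzRoleAssignment -Scope $vault.ResourceId | Select-Object DisplayName, RoleDefinitionName
```

Management-plane roles such as Contributor on the resource group do not grant secret access once RBAC authorization is enabled, which is the separation the card's answer relies on.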
Key requirement is to authenticate identities on-prem against AD while syncing them to AAD; what is used?
Pass-through Authentication (PTA) - Azure AD forwards the password to an on-prem agent that validates it against AD
Key requirement is to authenticate identities in Azure while syncing them from on-prem; what is used?
Password Hash Synchronization (PHS) - a hash of the on-prem password hash is synced and Azure AD validates sign-ins itself
Azure SQL DB deployment: only selected workstations with static public IPs may connect and perform admin work on the DB; what is used?
Server-level IP firewall rules
These grant client access to every database on the logical Azure SQL server (database-level rules scope access to one database)
Where are server-level IP firewall rules stored for Azure SQL DB, and where are they configured?
Stored in the master database of the logical server
Configured via the Azure portal, PowerShell/CLI, or Transact-SQL (sp_set_firewall_rule / sp_delete_firewall_rule, run against master)
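The firewall configuration from the card above plus the check a practitioner would run afterwards, as an added example written for this page (not code from the flashcards). It uses Az.Sql cmdlets; the server name and the workstation addresses (TEST-NET-3) are placeholders.

```powershell
# Added example: per-workstation server-level firewall rules, then an audit for over-broad rules.
# Placeholders: resource group, server name, workstation IPs. Requires Connect-AzAccount first.
$rg = 'rg-sql'; $server = 'sql-contoso-prod'

# One rule per admin workstation; start = end makes each rule a single /32 address.
$adminIps = @{ 'admin-ws1' = '203.0.113.10'; 'admin-ws2' = '203.0.113.11' }
foreach ($name in $adminIps.Keys) {
    New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server -FirewallRuleName $name `
        -StartIpAddress $adminIps[$name] -EndIpAddress $adminIps[$name]
}

# Audit: any rule spanning more than one address violates the requirement, and the special
# 0.0.0.0-0.0.0.0 rule ("Allow Azure services and resources to access this server") admits
# traffic from ANY Azure tenant's resources, not just yours.
function Find-BroadSqlFirewallRule {
    param([string]$ResourceGroup, [string]$ServerName)
    Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName |
        Where-Object { $_.StartIpAddress -ne $_.EndIpAddress -or $_.StartIpAddress -eq '0.0.0.0' } |
        Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
}
Find-BroadSqlFirewallRule -ResourceGroup $rg -ServerName $server

# Remediate a broad rule found by the audit (name is whatever the audit returned).
# Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server -FirewallRuleName 'AllowAllWindowsAzureIps'
```

The same rules are visible from T-SQL with SELECT * FROM sys.firewall_rules in master, which is a useful cross-check when the portal and automation disagree.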
What deny mechanism is created and managed by Azure itself to protect resources?
Deny assignments, created by Azure Blueprints (resource locks) and by Azure managed applications
You cannot create your own deny assignments directly; you can only read them (Get-AzDenyAssignment, az role assignment list --include-denies)
What licensing is used for cloud-only users to change their PW?
AAD Free
What licensing is used for cloud-only users to do SSPR?
AAD P1 or P2
What licensing is used for hybrid user PW change or reset with on-prem writeback?
AAD P1 or P2
Azure AD handles sign-in completely in the cloud; no need to enforce on-prem AD user-level security policies (logon hours, account state) at sign-in; no sign-in requirement that AAD does not natively support
Password Hash Sync + Seamless SSO
Azure AD handles sign-in completely in the cloud; DO need to enforce on-prem AD user-level security policies at sign-in; no unsupported sign-in requirement; no need for sign-in disaster recovery or the leaked-credentials report
Pass-through Authentication + Seamless SSO
Azure AD handles sign-in completely in the cloud; DO need to enforce on-prem AD user-level security policies at sign-in; no unsupported sign-in requirement; DO need sign-in disaster recovery or the leaked-credentials report
Pass-through Authentication + Seamless SSO, with Password Hash Sync enabled as a fallback
Azure AD does NOT handle sign-in completely in the cloud; do NOT want to integrate an existing federation provider; no unsupported sign-in requirement; no need for sign-in DR or the leaked-credentials report
Pass-through Authentication + Seamless SSO
Azure AD does NOT handle sign-in completely in the cloud; do NOT want to integrate an existing federation provider; no unsupported sign-in requirement; DO need sign-in DR or the leaked-credentials report
Pass-through Authentication + Seamless SSO + Password Hash Sync
Azure AD does NOT handle sign-in completely in the cloud; DO want to integrate an existing federation provider; no need for sign-in DR or the leaked-credentials report
Federation
Azure AD does NOT handle sign-in completely in the cloud; DO want to integrate an existing federation provider; DO need sign-in DR or the leaked-credentials report
Federation with Password Hash Sync
What is a data engineering solution that is used for hosting data warehouse?
Azure Synapse Analytics
Migrate on-prem SQL server to Azure and make use of existing SQL Server licenses that is part of the Software Assurance contract with MSFT, decide to use Azure SQL DB service with v-core licensing model, does this work?
Yes, this will work because you can make use of Azure hybrid benefit
What data store is required for storing documents that end users access directly, with access controlled via ACLs?
A GPv2 storage account with an Azure Files share (SMB file shares support NTFS ACLs on folders and files)
Migrate on-prem apps to Azure; requires a daily RPO with granular (file/folder-level) restore and a 15-minute RTO; what service is used?
Azure Backup - supports granular restores from daily recovery points
What service is used to backup at a granular level?
Azure Backup
What service is used to backup/restore presentation on a corrupted laptop?
Azure Backup
What service is used to replicate configs and data on VMs across another DC?
Azure Site Recovery
v-core based Azure SQL DB, can you use Hybrid Benefit?
Yes
Can you use Hybrid Benefit on Azure SQL DB with elastic pool and fixed size DTU-based Azure SQL instance?
No
On-prem network with File Server that contains 500 GB of data using ADF service to copy data to Azure Storage, what is implemented on the file server?
Self-hosted integration runtime
Compute infra that ADF uses to provide data integration capabilities across different network environments
Can copy activities between cloud data store and data store in private network
Self-hosted integration runtime
On-prem network with File Server that contains 500 GB of data using ADF service to copy data to Azure Storage, what is implemented on Azure Data Factory?
Create a Pipeline
ADF is a managed cloud service for ETL, ELT and data integration operations
A logical group of activities (steps) that together perform a unit of work
Each activity performs a task, and the activities can implement the steps to transfer data from the on-prem file server to Azure Storage (via the self-hosted integration runtime)
Pipelines
Storage account types that support file shares
Standard (general-purpose v2) and Premium (FileStorage) accounts
Storage account type that can support mixed services (Files, Table, Queue, Blob)
Standard general-purpose v2
Storage account type that can store file shares only and cannot host any other storage service
Premium FileStorage account (premium block blob accounts likewise hold only blobs)