Microsoft Practice Exam Flashcards
You need to use Azure Cloud Shell to manage Linux virtual machines (VMs) that are already deployed and in use.
Which of the following tools can you use to manage Linux VMs in Cloud Shell?
A) Azure Command-line interface (CLI)
B) Azure PowerShell
C) Azure portal
A) Azure Command-line interface (CLI)
B) Azure PowerShell
The Azure Cloud Shell supports the use of Azure CLI, Azure PowerShell, and Bash to manage Linux, Windows and Mac OS VMs. Azure Cloud Shell also supports common programming languages.
Azure Cloud Shell lets you open an authenticated, browser-based management shell from virtually anywhere.
You can access Cloud Shell through Azure portal or from shell.azure.com, but you cannot use Azure portal inside Cloud Shell.
Your company has a new policy to restrict administrative access to resources at the resource group and resource scopes in a detailed, granular way. Access will be granted to various groups and individual users.
You need to implement a new policy.
What should you use?
A) Locks
B) Role-based access control (RBAC)
C) Azure Policy
D) Azure Advisor
B) Role-based access control (RBAC)
You should use RBAC. RBAC supports various scopes, including management groups, subscriptions, resource groups, and resources. Roles can be assigned to groups, users, other security principals, and managed identities. RBAC has over 70 built-in roles and supports the creation and assignment of custom roles.
You should not use Locks. Locks are used to limit access to a subscription, resource group, or resources by setting the lock level to CanNotDelete or ReadOnly. When a lock is set for a subscription or resource group, it applies to all of the resources contained in that scope. Locks apply to all users and roles and do not provide the granular control required by the scenario.
You should not use Azure Policy. Azure Policy is used to enforce rules that apply to resources to help ensure compliance and to meet Service Level Agreement (SLA) requirements. Resources are evaluated based on policies, and non-compliant resources are identified.
You should not use Azure Advisor. Azure Advisor integrates with Azure Security Center to provide a consolidated view of recommendations for all Azure resources. It can help you improve the cost effectiveness, performance, high availability, and security of Azure Resources.
A private cloud requires…
A) the use of custom developed software.
B) data to be stored in an on-premises datacenter.
C) the infrastructure to be on a private network.
D) each tenant to access applications and data through a different URL.
C) the infrastructure to be on a private network.
A private cloud’s services and infrastructure are maintained on a private network. An organization can implement its own private cloud, but it is more common to subscribe to a private cloud hosted and managed by a third-party provider.
A private cloud does not require the use of custom developed software, although it may have custom software depending on the tenant’s needs. It is common to find a mix of commercial applications with some custom applications.
A private cloud does not require data to be stored in an on-premises datacenter. It is possible to create a private cloud from an on-premises datacenter, but this is not a requirement.
A private cloud does not require each tenant to access applications and data through a different URL. A private cloud will have, by definition, a single tenant.
How can Azure lower capital expenditure (CapEx) costs?
A) Azure allows you to pay monthly based on usage rather than pay upfront for physical hardware.
B) Azure allows you to reduce the level of IT staffing that is required to maintain on-premises applications and services.
C) Azure reduces the amount of maintenance that is associated with the configuration of firewalls, which reduces costs.
D) Azure allows you to pay annually to reduce overall costs that are associated with its platform-as-a-service (PaaS) offerings.
A) Azure allows you to pay monthly based on usage rather than pay upfront for physical hardware.
Azure allows you to pay for servers monthly based on usage, rather than pay upfront for physical hardware. CapEx refers to money that is spent up front on infrastructure hardware such as routers, switches and servers. With a public cloud deployment in Azure, you only need to pay for the usage of these devices. This eliminates CapEx costs. With a hybrid cloud deployment in Azure, you can lower CapEx costs because you only need to pay for devices that are on-premises.
Azure does not necessarily allow you to reduce the level of IT staffing that is required to maintain on-premises applications and services. Although there is no need for hardware IT support in a public cloud deployment, the company still needs IT personnel to maintain its on-premises applications and services.
Azure does not allow you to pay annually to reduce the overall costs that are associated with its platform-as-a-service (PaaS) offerings. It allows you to pay annually for some infrastructure-as-a-service (IaaS) offerings, such as virtual machines (VMs), through reserved VM instances.
Azure does not reduce the amount of maintenance that is associated with configuring firewalls, which would reduce costs. Although Azure eliminates the need to perform physical cabling of networks, it still requires you to configure software.
Application Security Groups (ASGs) let you…
A) directly allow or block connections to all servers running instances of the same server.
B) define templates for the rapid deployment of application instances in an orchestrated environment.
C) organize similar servers so you can easily define and implement security policies based on those groups.
D) control user access to serverless applications.
C) organize similar servers so you can easily define and implement security policies based on those groups.
ASGs let you organize similar servers so you can easily define and implement security policies based on those groups. ASGs let you apply security to the group as a whole.
ASGs do not let you directly allow or block connections to all servers running instances of the same server. ASGs can be used as a part of the solution, but this is not configured through ASGs. You could, for example, create an ASG and then create a Network Security Group (NSG) defining connection filters, and apply it to the ASG.
ASGs do not let you control user access to serverless applications. ASGs apply to server applications only. Access to serverless applications is managed through Azure Active Directory (Azure AD) and role-based access control (RBAC).
ASGs do not let you define templates for the rapid deployment of application instances in an orchestrated environment. Azure provides tools to facilitate rapid deployment, such as Azure DevTest Labs.
Your Azure tenant includes an Azure Virtual Network (VNet) with several internet facing web servers. The web servers experience attacks that exhaust server resources and make the servers unavailable to legitimate users. You determine that the attacks are being launched from multiple locations.
You need to implement an Azure solution that:
- Detects and automatically tries to mitigate attacks.
- Generates alerts when an active attack is underway.
What is the best option to implement your solution?
A) Azure Information Protection (AIP)
B) Azure Firewall
C) Azure DDoS Protection Standard
D) Azure Application Security Groups (ASG)
C) Azure DDoS Protection Standard
You should implement Azure DDoS Protection Standard. The type of attack described is a distributed denial of service (DDoS) attack. Azure DDoS Protection is designed to detect, prevent, and automatically mitigate DDoS attacks. It uses automatic learning of per-customer traffic patterns to help prevent false positives. The protection would apply to all devices on the virtual network (VNet) on which the web servers are deployed, not just the web servers.
You should not implement AIP as a protection against DDoS attacks. AIP provides a way to classify and organize documents and files through the use of labels. Optionally, it can add a layer of protection to documents and emails. It does not support the functionality to respond to a DDoS attack.
You should not implement Azure ASGs. ASGs let you group virtual machines (VMs) and define network security policies based on those groups. Configuring the web servers as ASGs, for example, does nothing to protect the web servers but lets you implement security protections that specifically target the web servers.
You should not implement Azure Firewall. You can use Azure Firewall to filter traffic between Azure virtual subnets and between Azure and an on-premises deployment. Azure Firewall can be implemented as a part of a security solution, but it does not have the capability to respond to and mitigate DDoS attacks.
Which two infrastructures are valid hybrid cloud infrastructures? Each correct answer presents part of the solution.
A) On-premises infrastructure and public cloud
B) Multiple private clouds
C) On-premises infrastructure and private cloud
D) Multiple public clouds
E) Public and private cloud
A) On-premises infrastructure and public cloud
E) Public and private cloud
A hybrid cloud is based on an on-premises architecture and a public cloud or a private cloud and a public cloud. This cloud model is most commonly used when leveraging benefits of running applications from a public cloud while providing additional security by storing data in a private cloud or an on-premises datacenter.
Multiple public clouds and multiple private clouds do not represent hybrid clouds. In each case, it is simply multiple instances of that cloud model.
While it is possible to have a federated configuration that includes an on-premises infrastructure and private cloud, this is not considered a hybrid cloud. This configuration might be used, for example, when transitioning from an on-premises to a cloud-based datacenter.
With ______, developers deploy code and pay for its runtime only, without worrying about the provisioning, configuration, and management of the underlying infrastructure.
A) Infrastructure-as-a-Service (IaaS)
B) serverless computing
C) Software-as-a-Service (SaaS)
B) serverless computing
With serverless computing, developers deploy code and pay for its run time only, without worrying about the provisioning, configuration, and management of the underlying infrastructure. A pay-per-execution model in serverless computing allows sub-second billing only for the time and resources required for the execution of code. All tasks related to the provisioning, configuration, and management of the underlying infrastructure are carried out by the cloud provider and are not visible to the developer.
With IaaS, the cloud service provider takes care of the underlying physical infrastructure. However, as a customer, you are still responsible for the installation, configuration, and management of application components, such as the operating system, middleware, and applications. You can deploy your code, but IaaS billable charges would include the cost of all allocated compute resources.
With SaaS, the cloud service provider is responsible for the provisioning and management of both physical and software components. As a customer, you cannot change the code of a SaaS solution, because control and responsibility are limited to data and access. SaaS solutions are typically licensed and charged through a monthly or annual subscription.
You need to enable data redundancy for your organization’s cloud apps. Depending on the data, redundancy may be local only, or may require multiple copies stored in different locations.
Given the redundant storage descriptions below, which redundancy option is being described? To answer, select the appropriate redundancy option from the answer area.
1) It stores three copies in each of two regions
A) Geo-redundant storage (GRS)
B) Locally redundant storage (LRS)
C) Read-access GRS (RA-GRS)
2) It allows replicated data to be accessed in two zones
A) Geo-redundant storage (GRS)
B) Locally redundant storage (LRS)
C) Read-access GRS (RA-GRS)
3) It stores all replicas in one data center
A) Geo-redundant storage (GRS)
B) Locally redundant storage (LRS)
C) Read-access GRS (RA-GRS)
1) It stores three copies in each of two regions
A) Geo-redundant storage (GRS)
2) It allows replicated data to be accessed in two zones
C) Read-access GRS (RA-GRS)
3) It stores all replicas in one data center
B) Locally redundant storage (LRS)
Azure geo-redundant storage (GRS) is a storage replication option for geo-redundant systems. It stores three copies of your data in each of two regions. Azure GRS makes sure that your data remains available even if there is a complete failure at one location. In the event of a localized failure or network outage, your applications can still access data from the second location.
Like GRS, read-access GRS (RA-GRS) is a service that creates geo-redundant replicas of your data in two separate Azure regions, so that your data is always available, even in the event of a regional outage. Unlike GRS, however, RA-GRS is a storage redundancy type that provides read access from both locations simultaneously.
Locally redundant storage (LRS) stores all replicas in one datacenter. LRS protects data locally by writing to three disks within the datacenter.
Which example best describes authorization?
A) Students who enter their password to check their grades at university.
B) Banking customers who enter their personal identification number (PIN) number to log into an ATM.
C) Passengers who present their driver’s license to prove their identity before boarding a flight.
D) People who present their birth certificate to prove that they are eligible to receive government age-based benefits.
D) People who present their birth certificate to prove that they are eligible to receive government age-based benefits.
Authentication is the process of proving that somebody is who they say they are, whereas authorization is the act of granting an authenticated person permission to do something.
People presenting their birth certificate to prove that they are eligible to receive government age-based benefits is a good example of authorization. Authorization is the process of verifying that an authenticated user has access to certain functions. In this scenario, the person is already authenticated and now the age on the birth certificate verifies that the user has a right to receive government age-based benefits.
Passengers presenting their driver’s license to prove their identity before boarding a flight is not an example of authorization. It is an example of authentication. Authentication establishes the identity of a person. The picture on the driver’s license helps to prove that the person who holds the license is the person whose picture is on the license, but it does not necessarily authorize the person to board the plane.
Banking customers entering their PIN to withdraw money from an ATM is not an example of authorization. The PIN (and other passwords) are a form of authentication and ensure that the person who has the bank card is the person who owns the bank account, but it does not necessarily grant the user permission to do something.
Students entering their password to check their grades at university is not an example of authorization. The password helps to determine whether the person that is checking the grades is the actual student, but it does not authorize the authenticated party to do something.
You work for a cloud solution provider. One of your company’s clients considers moving its on-premises infrastructure to the cloud. However, the client wants a better understanding of the different models before it makes a decision. A third party will not be involved.
You need to describe the advantages of the different cloud models.
Which of the following statements are true?
A) The public cloud allows you to deploy resources without managing the underlying hardware.
B) The hybrid cloud allows you to deploy resources with no capital expenditure and minimal IT expertise.
C) The private cloud allows you to deploy resources by having minimal IT expertise.
A) The public cloud allows you to deploy resources without managing the underlying hardware.
The public cloud allows you to deploy resources without managing the underlying hardware. The servers, storage devices, and networking devices exist in Azure datacenters. You are only required to manage the configuration of those devices.
The hybrid cloud typically allows you to deploy resources with some capital expenditure. Capital expenditure (CapEx) involves spending money on physical resources up front. With the hybrid cloud, some resources exist in the cloud, while other resources usually exist on-premises. The CapEx costs come from the on-premises resources. Some hybrid deployments can also involve a combination of public and private clouds, which requires IT expertise.
The private cloud requires you to have IT expertise in order to deploy resources, unless you are using a third-party company as the private cloud provider. This is because on a private cloud that is not third-party hosted, you are responsible for managing the hardware, such as servers, storage devices, and networking devices, as well as for the configuration of these resources.
Match each Azure solution to a scenario.
SOLUTIONS:
A) Microsoft Sentinel
B) Azure Key Vault
C) Azure Firewall
D) Azure Monitor
SCENARIOS:
1) Build a baseline behavioral profile of organizational entities to identify anomalous activity
2) Securely store a database connection string to avoid its accidental exposure in a web site’s source code.
3) Deny traffic to your Azure Virtual Network resources from known malicious IP addresses.
1) Build a baseline behavioral profile of organizational entities to identify anomalous activity
A) Microsoft Sentinel
You should use Microsoft Sentinel to build a baseline behavioral profile of organizational entities to identify anomalous activity. Microsoft Sentinel is a security information and event management (SIEM) platform that can analyze data across the enterprise to identify potential threats, including anomalous activities of users or applications, and help with a faster and smarter response.
2) Securely store a database connection string to avoid its accidental exposure in a web site’s source code.
B) Azure Key Vault
You should use Azure Key Vault to securely store a database connection string to avoid its accidental exposure in a web site’s source code. Key Vault is an Azure service that allows you to securely store and access cryptographic keys, passwords, certificates, and other secrets. To avoid exposure of your backend database’s connection string in a web application’s source code, you can store it in Azure Key Vault and retrieve it in your application programmatically at run time.
3) Deny traffic to your Azure Virtual Network resources from known malicious IP addresses.
C) Azure Firewall
You should use Azure Firewall to deny traffic to your Azure Virtual Network resources from known malicious IP addresses. Azure Firewall is a firewall as a service in Azure that can protect your resources. Through integration with Microsoft Threat Intelligence, Azure Firewall can identify and deny traffic to or from malicious IP addresses and domains.
You should not use Azure Monitor for any of the listed scenarios. Azure Monitor is a monitoring solution that can collect telemetry from your resources to analyze their performance, create alerts, and build dashboards with a system health overview of your Azure and on-premises environments.
You have been asked to develop cloud migration plans for your organization.
As part of this assignment, you need to identify the most cost-effective cloud service type for each department in the organization. The solution should minimize management overhead.
Given each department’s requirements, which solution should you recommend?
A) IaaS
B) PaaS
C) SaaS
Finance: Use provider-managed hardware to run a customized database.
Sales: Use a provider-managed calendar to schedule appointments and meetings.
Marketing: Use provider-managed business intelligence services to analyze marketing trends.
Finance
A) IaaS
Sales
C) SaaS
Marketing
B) PaaS
The infrastructure as a service (IaaS) cloud service type will allow your organization to use provider-managed hardware to run a customized database. In IaaS, network, compute, and storage resources are offered by a cloud provider. These resources may be shared by multiple tenants, or they can be dedicated to a single tenant. Some cloud providers offer full data center IaaS solutions, including a physically secure room or building.
The software as a service (SaaS) cloud service type will allow your organization to use a provider-managed calendar to schedule appointments and meetings. SaaS is software that is hosted on the cloud and available to customers over the Internet. Microsoft Office 365 is an example of SaaS.
The platform as a service (PaaS) cloud service type will allow your organization to use provider-managed business intelligence services to analyze marketing trends. PaaS is a type of cloud computing that provides a platform for developers to build, run, and manage applications without the need for infrastructure management. Typically, PaaS providers offer a wide variety of services, including databases, analytics, workflow engines, and more.
Which two locations are valid destinations for platform logs and metrics collected by Azure Monitor? Each correct answer presents a complete solution.
A) A Resource Health dashboard
B) An Azure Advisor monitor
C) An Azure Log Analytics workspace
D) An Azure storage account
C) An Azure Log Analytics workspace
D) An Azure storage account
An Azure Log Analytics workspace is a valid destination for platform logs and metrics collected by Azure Monitor. An Azure Log Analytics workspace is a place in the cloud where you can collect and query your log data. You can use an Azure Log Analytics workspace to explore and analyze data from a variety of sources, including Azure services, on-premises systems, and other cloud providers.
An Azure storage account is a valid destination for platform logs and metrics collected by Azure Monitor. Azure Storage is a cloud-based storage service offered by Microsoft. It allows you to store data in the cloud for easy access from anywhere. You can use Azure Storage to store files, including photos, videos, and documents, to host websites and apps, and to store data for analytics purposes.
A Resource Health dashboard is not a valid destination for platform logs and metrics collected by Azure Monitor. Resource Health is a service you can use to get status information for your organization’s resources.
An Azure Advisor monitor is not a valid destination for platform logs and metrics collected by Azure Monitor. Azure Advisor is a cloud service that helps you optimize your Azure resources for cost, performance, and availability. It analyzes your resource configuration and usage telemetry to identify issues and recommend solutions that can help you improve efficiency and save money.
Which of the following statements about Azure Locks are true?
(Choose 2)
A) Locks can be applied in the context of specific users and roles.
B) When multiple locks are applied at different scopes, the most restrictive inherited lock applies.
C) A lock applies to all of the resources contained in a scope and any new resources added to the scope.
D) Role-based access control (RBAC) roles take precedence over locks.
B) When multiple locks are applied at different scopes, the most restrictive inherited lock applies.
C) A lock applies to all of the resources contained in a scope and any new resources added to the scope.
Locks cannot be applied in the context of specific users and roles. When a lock is applied to a scope or resource, it applies to all users and roles. Locks can be applied as CanNotDelete or ReadOnly. ReadOnly is more restrictive than CanNotDelete. In the Azure portal, the locks are referred to as Delete and Read-only.
When multiple locks are applied at different scopes, the most restrictive inherited lock applies. When a lock is applied at a scope, it applies to contained resources and scopes. Locks can be applied to the subscription, resource group, and resource scope.
A lock applies to all of the resources contained in a scope and any new resources added to the scope. The lock automatically applies to any resources contained in the scope and it is added to any resources added to or created in the scope.
RBAC roles do not take precedence over locks. Locks always take precedence.