Section Baseeed - Describe Azure Architecture and Services (Dojo) Flashcards
Which service analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost-effectiveness, performance, reliability, and security of your Azure resources?
A. Azure Information Protection
B. Azure Resource Manager
C. Compliance Manager
D. Azure Advisor
D. Azure Advisor
Explanation:
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost-effectiveness, performance, reliability (formerly called High availability), and security of your Azure resources.
With Advisor, you can:
– Get proactive, actionable, and personalized best practices recommendations.
– Improve the performance, security, and reliability of your resources as you identify opportunities to reduce your overall Azure spend.
– Get recommendations with proposed actions inline.
You can access Advisor through the Azure portal. Sign in to the portal, locate Advisor in the navigation menu, or search for it in the All services menu.
The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for specific subscriptions and resource types. The recommendations are divided into five categories:
– Reliability (formerly called High Availability): To ensure and improve the continuity of your business-critical applications.
– Security: To detect threats and vulnerabilities that might lead to security breaches.
– Performance: To improve the speed of your applications.
– Cost: To optimize and reduce your overall Azure spending.
– Operational Excellence: To help you achieve process and workflow efficiency, resource manageability, and deployment best practices.
Hence, the correct answer is: Azure Advisor.
Compliance Manager is incorrect because this is just a free workflow-based risk assessment tool in the Microsoft Service Trust Portal for managing regulatory compliance activities related to Microsoft cloud services.
Azure Information Protection is incorrect because this is simply a service that helps organizations in labeling their documents and emails.
Azure Resource Manager is incorrect because this is only a deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account.
You are tasked to monitor your on-premises identity infrastructure and ensure a reliable connection to Office 365 and Microsoft Online Services.
What service should you use?
A. Azure Application Gateway
B. Microsoft Entra Connect Health
C. Azure App Service
D. Azure Application Insights
B. Microsoft Entra Connect Health
Explanation:
Microsoft Entra Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.
Use the Microsoft Entra Connect Health portal to view alerts, performance monitoring, usage analytics, and other information. Microsoft Entra Connect Health enables the single lens of health for your key identity components in one place.
Hence, the correct answer is: Microsoft Entra Connect Health.
Azure Application Insights is incorrect because this is just an extensible Application Performance Management (APM) service for developers and DevOps professionals. You can use it to monitor your live applications. It will automatically detect performance anomalies and include powerful analytics tools to help you diagnose issues and understand what users actually do with your app.
Azure Application Gateway is incorrect because this service is simply a web traffic load balancer that enables you to manage traffic to your web applications.
Azure App Service is incorrect because this only enables you to build and host web apps, mobile backends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux, and enables automated deployments from GitHub, Azure DevOps, or any Git repo.
A company has multiple virtual machines in a virtual machine scale set named TDScale1 in its Azure environment. You need to recommend a solution that will evenly distribute Internet traffic to your virtual machines.
What Azure service should you use to satisfy this requirement?
A. Public Load Balancer
B. Azure Traffic Manager
C. Private Load Balancer
D. Azure Front Door
A. Public Load Balancer
Explanation:
Public Load Balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance Internet traffic to your VMs.
Public Load Balancers map the public IP and port of incoming traffic to the private IP and port of the VM. The load balancer maps traffic the other way around for the response traffic from the VM. You can distribute specific types of traffic across multiple VMs or services by applying load-balancing rules. For example, you can spread the load of web request traffic across multiple web servers.
Hence, the correct answer is: Azure Public Load Balancer.
Private Load Balancer is incorrect because this service is primarily used where private IPs are needed at the frontend only. Internal load balancers are used to load balance traffic inside a virtual network. Take note that the scenario mentioned that you have to evenly distribute Internet traffic to your virtual machines.
Azure Traffic Manager is incorrect because this is simply a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness. However, you cannot use this to distribute traffic evenly to virtual machines.
Azure Front Door is incorrect because this service just enables you to define, manage, and monitor the global routing for your web traffic by optimizing performance and ensuring quick global failover for high availability that works at Layer 7 or HTTP/HTTPS layer. You cannot use this for network layer load balancing, unlike Azure Public Load Balancer.
What are the available access tiers in Azure Blob Storage? (Select THREE.)
A. Hot
B. Archive
C. Standard
D. Magnetic
E. Cool
F. Premium
A. Hot
B. Archive
E. Cool
Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.
Azure storage offers different access tiers, which allow you to store blob object data in the most cost-effective manner. The available access tiers include:
Hot – Optimized for storing data that is accessed frequently.
Cool – Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Archive – Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of hours).
Hence, the correct answers are: Hot, Cool, and Archive.
Standard and Premium are incorrect because these are the performance tiers of Azure Blob Storage.
Magnetic is incorrect because there is no such tier or service in Azure.
A company wants to migrate to the cloud. The requirement is to have a VPN connection to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
What is the most suitable type of VPN connection that you should use?
A. Point-to-Site VPN connection
B. ExpressRoute Connection
C. VNet peering connection
D. Site-to-Site VPN Connection
D. Site-to-Site VPN Connection
Explanation:
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.
A virtual network gateway is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet. Virtual network gateway VMs contain routing tables and run specific gateway services. These VMs are created when you create a virtual network gateway.
There are various configurations available for your VPN gateway connections. You have to determine which configuration meets your requirements. You can set up a Site-to-Site, Multi-Site, Point-to-Site, VNet-to-VNet, and other VPN gateway connections.
Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
Hence, the correct answer is: Site-to-Site VPN Connection.
Point-to-Site (P2S) VPN gateway connection is incorrect because this only allows you to create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client’s computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.
VNet peering connection is incorrect because this connection type simply provides a low-latency, high-bandwidth connection between resources in different Azure virtual networks. This is not suitable for connecting your on-premises network to an Azure virtual network.
ExpressRoute connection is incorrect because it is not a VPN connection in the first place. It also doesn’t connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. Using ExpressRoute, the connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet, unlike an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
Which of the following lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider?
A. Azure Virtual WAN
B. Azure ExpressRoute
C. Azure Content Delivery Network (CDN)
D. Azure Private Link
B. Azure ExpressRoute
Explanation:
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Office 365.
Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.
Each ExpressRoute circuit consists of two connections to two Microsoft Enterprise edge routers (MSEEs) at an ExpressRoute Location from the connectivity provider/your network edge. Microsoft requires dual BGP connections from the connectivity provider/your network edge – one to each MSEE. You may choose not to deploy redundant devices/Ethernet circuits at your end. However, connectivity providers use redundant devices to ensure that your connections are handed off to Microsoft in a redundant manner. A redundant Layer 3 connectivity configuration is a requirement for the SLA to be valid.
Hence, the correct answer is: Azure ExpressRoute.
Azure Traffic Manager is incorrect because this is only a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness.
Azure Content Delivery Network (CDN) is incorrect because this is simply a global CDN solution for delivering high-bandwidth content. This service does not let you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.
Azure Private Link is incorrect because this just enables you to access Azure PaaS Services (e.g. Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network.
What service enables you to correlate trace events from multiple Azure VMs and other resources into a centralized repository?
A. Azure Resource Manager
B. Azure Repos
C. Azure Event Hubs
D. Azure Monitor
D. Azure Monitor
Explanation:
Azure Monitor maximizes the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It works for apps on a wide variety of platforms including .NET, Node.js, Java, and Python hosted on-premises, hybrid, or any public cloud.
Application Insights is aimed at the development team, to help you understand how your app is performing and how it’s being used. It monitors:
– Request rates, response times, and failure rates – Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go high when there are more requests, then perhaps you have a resourcing problem.
– Dependency rates, response times, and failure rates – Find out whether external services are slowing you down.
– Exceptions – Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported.
– Pageviews and load performance – reported by your users’ browsers.
– AJAX calls from web pages – rates, response times, and failure rates.
– User and session count.
– Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage.
– Host diagnostics from Docker or Azure.
– Diagnostic trace logs from your app – so that you can correlate trace events with requests.
– Custom events and metrics that you write yourself in the client or server code, to track business events such as items sold or games won.
You install a small instrumentation package (SDK) in your application or enable Application Insights using the Application Insights Agent when supported. The instrumentation monitors your app and directs the telemetry data to an Azure Application Insights Resource using a unique GUID that we refer to as an Instrumentation Key.
Hence, the correct answer is: Azure Monitor.
Azure Event Hubs is incorrect because this is just a big data streaming platform and event ingestion service. It’s not suitable to be used to correlate trace events from multiple Azure VMs.
Azure Repos is incorrect because this is simply a set of version control tools that you can use to manage your code.
Azure Resource Manager is incorrect because this is only a deployment and management service that enables you to create, update, and delete resources in your Azure account. This service is not suitable for monitoring and correlating trace events from various VMs and resources.
What Azure service should you use if you want your application to have a higher level of availability and to evenly distribute internal traffic across virtual machines within a VNET?
A. Private Load Balancer
B. Public Load Balancer
C. Application Gateway
D. Network Security Group
A. Private Load Balancer
Explanation:
Private (or Internal) Load Balancer provides a higher level of availability and scale by spreading incoming requests across virtual machines (VMs). A private load balancer distributes traffic to resources that are inside a virtual network.
Azure restricts access to the frontend IP addresses of a virtual network that are load balanced. Front-end IP addresses and virtual networks are never directly exposed to an Internet endpoint. Internal line-of-business applications run in Azure and are accessed from within Azure or from on-premises resources.
Internal load balancers balance traffic within a VNET while external load balancers balance traffic to and from an internet-connected endpoint.
Hence, the correct answer is: Private Load balancer.
Network security group is incorrect because this is used to filter network traffic to and from Azure resources in an Azure virtual network. It contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Application Gateway is incorrect because this service is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 – TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.
Public Load Balancer is incorrect because this service is primarily used for providing outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance Internet traffic to your VMs. Take note that the scenario mentioned that you have to evenly distribute internal traffic across virtual machines within a VNET only.
Which Azure Service enables various types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks?
A. Public IP
B. Microsoft Sentinel
C. Azure Content Delivery Network (CDN)
D. Azure Virtual Network
D. Azure Virtual Network
Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
A Virtual Network (VNet) is a logical representation of your network in the cloud. It allows you to define your own private IP address space and segment the network into subnets. VNets serve as a trust boundary to host your compute resources such as Azure Virtual Machines and Cloud Services (web/worker roles). A VNet allows direct private IP communication between the resources hosted in it. You can link a virtual network to an on-premises network through a VPN Gateway or ExpressRoute.
Hence, the correct answer is: Azure Virtual Network.
Microsoft Sentinel is incorrect because this service just provides you with a bird's-eye view across the enterprise. Sentinel provides a proactive and responsive cloud-native SIEM that will help customers simplify their security operations and scale as they grow.
Public IP is incorrect because this feature simply allows Internet traffic to communicate inbound to Azure resources. Public IP addresses enable Azure resources to communicate to the Internet and public-facing Azure services.
Azure Content Delivery Network (CDN) is incorrect because this is primarily used to accelerate the delivery of high-bandwidth content to customers worldwide—from applications and stored content to streaming video.
A company has hundreds of virtual machines that are hosted across multiple virtual networks and subscriptions. You are tasked to limit the amount of outbound HTTPS traffic to a specified list of fully qualified domain names (FQDN) as well as limit the inbound traffic to the virtual networks.
What must be done to satisfy the above requirement?
A. Launch a single network security group.
B. Launch a single Azure ExpressRoute connection.
C. Integrate Azure virtual network TAP (Terminal Access Point) to your network architecture.
D. Integrate Azure Firewall to your network architecture.
D. Integrate Azure Firewall to your network architecture.
Explanation:
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.
The Azure Firewall service complements network security group functionality. Together, they provide better “defense-in-depth” network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks.
Hence, the correct answer is: Integrate Azure Firewall to your network architecture.
The option that says: Integrate Azure virtual network TAP (Terminal Access Point) to your network architecture is incorrect because this just allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool.
The option that says: Launch a single Azure ExpressRoute connection is incorrect because this service is primarily used to create private connections between Azure and your on-premises network or in a colocation environment.
The option that says: Launch a single network security group is incorrect because a network security group simply provides distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Remember that it’s mentioned in the scenario that the virtual machines are spread across multiple virtual networks and subscriptions.
You have several hundreds of servers in a single Azure region.
You need to recommend an Azure service that will automatically deploy the same set of servers to another region.
What Azure service should you use?
A. Azure Policy
B. Azure availability set
C. Azure scale set
D. Azure Resource Manager Templates
D. Azure Resource Manager Templates
Explanation:
Azure Resource Manager is a management layer in which resource groups and all the resources within it are created, configured, managed, and deleted. It provides a consistent management layer that allows you to automate the deployment and configuration of resources using different automation and scripting tools, such as Microsoft Azure PowerShell, Azure Command-Line Interface (Azure CLI), Azure portal, REST API, and client SDKs.
Instead of creating resources manually, you can automate deployments and use the practice of infrastructure as code. In code, you define the infrastructure that needs to be deployed. The infrastructure code becomes part of your project. Just like application code, you store the infrastructure code in a source repository and version it. Anyone on your team can run the code and deploy similar environments.
To implement infrastructure as code for your Azure solutions, use Azure Resource Manager (ARM) templates. The template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.
Azure Resource Manager allows you to repeatedly deploy your infrastructure throughout the development lifecycle and have confidence your resources are deployed in a consistent manner. Templates are idempotent, which means you can deploy the same template many times and get the same resource types in the same state. You can develop one template that represents the desired state, rather than developing lots of separate templates to represent updates.
Hence, the correct answer is: Azure Resource Manager Templates.
Azure availability set is incorrect because this feature is simply a logical grouping capability that ensures the VMs you place within an Availability Set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or software failure happens, only a subset of your VMs are impacted and your overall solution stays operational.
Azure scale set is incorrect because this only lets you create and manage a group of load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule, which provides high availability to your applications. It is not capable of running a JSON file that defines the infrastructure and configuration for your project.
Azure Policy is incorrect because this service just helps enforce organizational standards and assess compliance at scale. You cannot use this to deploy resources repeatedly.
Your company is planning to migrate some of its servers to Azure. You need to recommend a solution wherein users can work remotely by having a secure connection to your Azure virtual machines.
What should you include in the recommendation?
A. Point-to-Site VPN Connection
B. ExpressRoute
C. Traffic Manager
D. Site-to-Site VPN Connection
A. Point-to-Site VPN Connection
Explanation:
Point-to-Site (P2S) VPN connection allows you to create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client’s computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.
As part of the Point-to-Site configuration, you install a certificate and a VPN client configuration package, which contains the settings that allow your computer to connect to any virtual machine or role instance within the virtual network.
Hence, the correct answer is: Point-to-Site VPN connection.
ExpressRoute is incorrect because this service simply lets you create private connections between Azure datacenters and infrastructure that’s on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet and offer better reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet. You cannot use this to provide a secure connection to your virtual machines from a user working remotely.
Site-to-Site VPN Connection is incorrect because this is simply used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
Traffic Manager is incorrect because this is primarily a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness.