test 2 Flashcards
You are securing your virtual network in Azure. Which of the following practices would be effective for establishing secure communication paths within your virtual network and controlling inbound and outbound traffic? (Choose two)
Associate an NSG with the subnet.
Implement Azure Bastion for every virtual machine in the network.
Set up security rules in NSGs to define source, destination, and allowed traffic.
Assign a public IP address to each resource for direct access.
Associate an NSG with the subnet.
Set up security rules in NSGs to define source, destination, and allowed traffic.
To analyze system updates across multiple virtual machines, which feature of Azure Monitor should you utilize?
Metrics
Insights
Log Analytics
Alerts
Log Analytics
Explanation
Log Analytics in Azure Monitor allows you to collect, analyze, and visualize log and performance data from multiple sources, including virtual machines. By utilizing Log Analytics, you can track system updates, identify trends, and troubleshoot issues across multiple virtual machines effectively.
Which of the following statements are true regarding managing licenses in Microsoft Entra ID?
Licenses can be assigned to individual users.
Licenses are automatically provisioned when a new user is created.
Licenses can be assigned to groups.
Each user can have only one license.
Licenses can be assigned to individual users.
Explanation
Licenses can indeed be assigned to individual users in Microsoft Entra ID, allowing organizations to control access to specific features and services based on user roles and responsibilities.
Licenses can be assigned to groups.
Explanation
In Microsoft Entra ID, licenses can be assigned to groups as well, enabling organizations to manage licenses more efficiently by assigning them to groups of users with similar needs or roles.
In Azure, Role-Based Access Control (RBAC) can be assigned at various levels.
Which of the following scopes are valid levels for assigning roles in Azure?
Resource Group
Management Group
Subscription
Virtual Network
Resource Group
Explanation
Assigning roles at the Resource Group level in Azure allows for granular control over permissions for a specific set of resources that are grouped together. This level of scope is beneficial for managing access to resources that are related to a particular project or team, ensuring that only authorized users have the necessary permissions.
Management Group
Explanation
Management Groups in Azure serve as containers for organizing and managing resources, subscriptions, and policies. By assigning roles at the Management Group level, you can establish consistent access controls and governance practices across multiple subscriptions within the same hierarchy, making it a valid level for role assignment in Azure.
Subscription
Explanation
At the Subscription level in Azure, Role-Based Access Control (RBAC) enables administrators to define who has access to resources and what actions they can perform within a specific subscription. Assigning roles at this level ensures that permissions are managed effectively across all resources and services within the subscription.
Virtual Network
Explanation
While Virtual Networks in Azure play a crucial role in network connectivity and isolation, they are also valid levels for assigning roles in Role-Based Access Control (RBAC). The resource level is the most granular scope, referring to an individual resource like a virtual machine, storage account, or database. Assigning a role at the resource level means the role assignment applies only to that specific resource.
Which of the following statements are true regarding Azure resource management?
Tags can be used to organize resources and manage costs.
Resource groups are logical containers for resources deployed on Azure.
Every resource can be in only one resource group.
Policies can be used to enforce tags on resources.
All of the options.
When configuring an Azure Storage account, which of the following redundancy options are available?
Local Redundancy Storage (LRS)
(Read-Access) Geo-Zone-Redundant Storage ((RA)-GZRS)
Object-Level Redundancy (OLR)
(Read-Access) Geo-Redundant Storage ((RA)-GRS)
Local Redundancy Storage (LRS)
(Read-Access) Geo-Zone-Redundant Storage ((RA)-GZRS)
(Read-Access) Geo-Redundant Storage ((RA)-GRS)
When examining an Azure Resource Manager (ARM) template, which of the following elements can be commonly found?
Resources
Outputs
Dependencies
Extensions
Variables
Resources
Outputs
Variables
You have successfully deployed resources using an ARM template. Now, you want to use the Bicep language to manage these resources in the future.
What command do you use to transition from ARM to Bicep?
bicep build
bicep compile
bicep version
bicep decompile
bicep decompile
Your organization follows strict security policies, and you are required to generate a SAS token for a container in a storage account. You also need to ensure that if the security requirements change, the SAS token permissions can be altered without regenerating the token.
What should you use?
Generate an account-level SAS without any stored access policy.
Generate a service-level SAS linked to a stored access policy.
Generate an account-level SAS and link it to a role-based access control (RBAC) policy.
Use managed identity to access the container.
Generate a service-level SAS linked to a stored access policy.
You are managing data between two storage accounts. You have just set up object replication between these accounts. Using AzCopy, you noticed that some blobs that existed before enabling replication haven’t been replicated.
What steps should you consider next? (Choose two)
Disabling and Re-enabling Replication
Use Azure Storage Explorer to manually copy the missing blobs.
Use AzCopy to copy the pre-existing blobs between the source and destination.
Changing Blob Types
Use Azure Storage Explorer to manually copy the missing blobs.
Use AzCopy to copy the pre-existing blobs between the source and destination.
A company wishes to optimize its costs related to Blob Storage. They have a mix of frequently accessed data, data that’s accessed occasionally, and archives. They also want data that hasn’t been accessed for 180 days to be deleted automatically.
Which actions should the company take? (Choose three)
Set infrequently accessed blobs to the “Cool” access tier.
Set archives to “Premium” access tier.
Configure a lifecycle management policy to delete blobs that haven’t been accessed in 180 days.
Use the “Hot” access tier for frequently accessed data.
Only use the Hot Access tier.
Set infrequently accessed blobs to the “Cool” access tier.
Configure a lifecycle management policy to delete blobs that haven’t been accessed in 180 days.
Use the “Hot” access tier for frequently accessed data.
Your organization has recently decided to adopt Bicep as the primary language for infrastructure as code on Azure.
Which of the following actions can you perform with Bicep?
Directly convert an ARM template JSON file to a Bicep file using Azure CLI.
Deploy resources to Azure using a Bicep file without any pre-compilation.
Translate a Bicep file into an equivalent ARM template JSON file.
Validate a Bicep file using Azure PowerShell without deploying it.
Directly convert an ARM template JSON file to a Bicep file using Azure CLI.
Deploy resources to Azure using a Bicep file without any pre-compilation.
Translate a Bicep file into an equivalent ARM template JSON file.
Validate a Bicep file using Azure PowerShell without deploying it.
You are tasked with ensuring the confidentiality and security of data at rest within your Azure virtual machines.
Which of the following actions will help you achieve this? (Choose two).
Encrypt VM OS and data disks using Azure Disk Encryption.
Convert unmanaged disks to managed disks.
Enable Defender for the virtual machines.
Store VM disks in Azure Blob Storage with a private access level.
Encrypt VM OS and data disks using Azure Disk Encryption.
Convert unmanaged disks to managed disks.
You are responsible for developing a containerized application workflow for your organization. You decide to use Azure to streamline deployment and scaling.
Which of the following actions are critical to successfully deploy and scale a containerized application in Azure?
Create an Azure Container Registry and store the Docker images.
Deploy the container using Azure Container Services for orchestration.
Provision the application using Azure Container Instances for rapid elasticity.
Enable auto-scaling and customize scaling rules in Azure Container Apps.
Create an Azure Container Registry and store the Docker images.
Enable auto-scaling and customize scaling rules in Azure Container Apps.
You are setting up a highly available e-commerce web application in Azure. You decide to use Azure App Service for hosting the application.
Which of the following configurations will ensure that the application remains operational during regional outages and maintenance?
Deploy the app to multiple regions and use Azure Front Door for load balancing
Deploy the App Service in a single region and enable Geo-Redundant backups.
Deploy the App Service in a single region with multiple deployment slots.
Use an Azure CDN in front of the App Service.
Deploy the app to multiple regions and use Azure Front Door for load balancing
You have been tasked to optimize a mission-critical Azure App Service for security, continuity, and agility.
Which of the following actions should you take?
Map a custom domain to the App Service and configure a managed certificate for Transport Layer Security (TLS).
Configure daily backups of the App Service with a retention period of 30 days.
Set up deployment slots for staging and testing new features before production deployment.
Disable the public endpoint and enable Azure Private Link for secure access to the App Service.
Map a custom domain to the App Service and configure a managed certificate for Transport Layer Security (TLS).
Configure daily backups of the App Service with a retention period of 30 days.
Set up deployment slots for staging and testing new features before production deployment.
Disable the public endpoint and enable Azure Private Link for secure access to the App Service.
You’ve been assigned to ensure that traffic from the Internet to your Azure virtual machine (VM) is restricted only to HTTP and HTTPS. However, internal traffic within your VNet should flow freely.
Which of the following configurations would best suit this requirement?
Implement an NSG with inbound security rules that allow HTTP and HTTPS traffic and associate it with the subnet of your VM.
Implement an NSG with inbound security rules that allow HTTP and HTTPS traffic and associate it with the VM’s network interface.
Implement an application security group and associate it with the VM. Allow only HTTP and HTTPS traffic.
Remove all security groups and use Azure Firewall for these rules.
Implement an NSG with inbound security rules that allow HTTP and HTTPS traffic and associate it with the VM’s network interface.
Explanation
Implementing an NSG with inbound security rules that allow only HTTP and HTTPS traffic and associating it with the VM’s network interface would ensure that only HTTP and HTTPS traffic from the Internet reaches the VM while allowing internal VNet traffic to flow freely. This configuration meets the requirement of restricting Internet traffic to HTTP and HTTPS.
You are architecting a secure Azure environment. You want to ensure that your VMs are accessible only from within the Azure portal and your Azure SQL Database is only accessible from a specific VNet.
Which of the following should you consider implementing?
Deploy Azure Bastion in the VNet where your VMs are located.
Implement Azure Private Link for your Azure SQL Database.
Configure a service endpoint on the VNet for Azure SQL Database.
Use Azure Front Door to secure VM access.
Deploy Azure Bastion in the VNet where your VMs are located.
Configure a service endpoint on the VNet for Azure SQL Database.
You are setting up a custom domain for your Azure Web App and plan to use Azure DNS. What type of record should you establish in Azure DNS to point to the hostname of your Azure Web App?
A Record
CNAME Record
MX Record
TXT Record
CNAME Record
Explanation
A CNAME Record, also known as Canonical Name Record, is used to alias one domain name to another. In the context of setting up a custom domain for an Azure Web App, a CNAME Record is the appropriate choice to point to the hostname of the Web App.
You have an Azure environment that uses a standard load balancer to distribute traffic across several VMs. Lately, some users report they cannot access the application. You suspect a load-balancing issue.
Which of the following steps should you take to troubleshoot the problem?
Check the backend health of the load balancer.
Verify the NSG rules associated with the subnet or NIC of the VMs to ensure traffic is allowed.
Ensure the VMs have a static public IP address.
Confirm that the health probes of the load balancer are correctly configured.
Check the backend health of the load balancer.
Verify the NSG rules associated with the subnet or NIC of the VMs to ensure traffic is allowed.
Ensure the VMs have a static public IP address.
Confirm that the health probes of the load balancer are correctly configured.