test13 Flashcards

1
Q

Which Azure service allows you to view the history of administrator-role assignments and send alerts to the Global Administrator on new assignments?

A

Azure AD Privileged Identity Management

Azure AD Privileged Identity Management (PIM) enables viewing the history of administrator-role assignments via its audit log and can be configured to send alerts to the Global Administrator when new assignments occur.

2
Q

How can you ensure outbound traffic from Azure VMs is routed to the closest on-premises network when using multiple ExpressRoute circuits?

A

Border Gateway Protocol (BGP)

BGP routes can be defined to optimize traffic flow, ensuring outbound traffic from Azure virtual machines is directed to the nearest on-premises network via ExpressRoute circuits.

3
Q

What is the minimum number of Azure Site Recovery Providers needed for 10 VMs across 3 Hyper-V nodes in a cluster?

A

3

The Azure Site Recovery Provider must be installed on each Hyper-V node in the cluster, so for 3 nodes, you need 3 providers, regardless of the number of VMs.

4
Q

Which Azure service can collect logs from Azure AD, Azure subscriptions, and third-party providers, detect threats, and automate responses?

A

Microsoft Sentinel

Microsoft Sentinel is a SIEM solution that collects log and diagnostic data from multiple sources, detects known threats, and supports automated responses.

5
Q

To notify when a VM’s CPU percentage deviates from historical norms, what should you create in Azure Monitor?

A

An alert based on metrics and a dynamic threshold

An alert with a dynamic threshold in Azure Monitor uses historical metric data to detect deviations in CPU percentage, unlike static thresholds which use fixed values.

6
Q

Which Azure service can discover application components on Windows systems and map communication between services?

A

Service Map Solution in Azure

The Service Map Solution in Azure automatically discovers application components on Windows systems and maps their communication dependencies.

7
Q

Which Azure service can analyze how many users return to an application?

A

Azure Application Insights

Azure Application Insights provides a retention feature to track user return rates, offering insights into application usage patterns.

8
Q

Can you stream SQLInsights logs from an Azure SQL database to a storage account named appstore1000?

A

Yes

Yes, diagnostic settings for an Azure SQL database can stream SQLInsights logs to a storage account like appstore1000, provided it meets configuration requirements.

9
Q

Can you stream SQLInsights logs from an Azure SQL database to a storage account named appstore2000 if it’s in a different location?

A

No

The storage account must be in the same location as the Azure SQL database to stream diagnostic logs, so appstore2000 in a different location cannot be used.

10
Q

Can you stream SQLInsights logs from an Azure SQL database to a Log Analytics workspace named appworkspace?

A

Yes

A Log Analytics workspace can receive SQLInsights logs from an Azure SQL database, regardless of its location, making appworkspace a valid target.

11
Q

What is the maximum retention duration for data in a Log Analytics workspace?

A

730 days

In a Log Analytics workspace, the maximum data retention period can be set to 730 days under the ‘Data Retention’ settings.

12
Q

Which Azure service provides Layer-7 load balancing and protection against SQL Injection attacks for VMs hosting a web application?

A

Azure Application Gateway

Azure Application Gateway offers Layer-7 load balancing and includes a Web Application Firewall (WAF) to protect against attacks like SQL Injection.

13
Q

Which hosting solution supports a .NET Core app needing to write to the Windows Event Log and local file system?

A

Azure Virtual Machine Scale Set

An Azure VM Scale Set provides control over the compute environment, allowing a .NET Core app to write to the Windows Event Log and local file system, unlike managed PaaS options.

14
Q

For an Azure API Management instance using Azure Functions for read-only APIs, which HTTP method should be defined?

A

GET only

Since only read operations are allowed, the API Management instance should define only the GET method to restrict to read-only access.

15
Q

Which Azure Policy effect ensures resources get a ‘Department’ tag with value ‘Information Technology’ if missing?

A

Modify

The ‘Modify’ effect in Azure Policy allows adding or updating tags on resources, ensuring compliance by applying the ‘Department: Information Technology’ tag.

16
Q

What object in Azure AD is needed for Azure Policy to add tags to resources automatically?

A

Managed Identity with the Contributor Role

Azure Policy uses a Managed Identity with the Contributor Role to perform remediation tasks, like adding tags to resources.

17
Q

Which Azure Blob Storage feature ensures database backup files are immutable for three years?

A

Time-based retention

Time-based retention policies in Azure Blob Storage prevent modification or deletion of files for a specified period, such as three years.

18
Q

How can applications securely retrieve database passwords from Azure Key Vault?

A

Azure AD Managed Identity

An application (e.g., on an Azure Web App) can use a Managed Identity to securely access secrets in Azure Key Vault without hardcoding credentials.

19
Q

Which service provides temporary access for users to create Azure Web Apps when needed?

A

Azure AD Privileged Identity Management

Azure AD PIM allows granting temporary, just-in-time access to users for tasks like creating Azure Web Apps, enhancing security.

20
Q

At which level should an Azure Blueprint definition be created to minimize definitions across multiple subscriptions?

A

At ManagementGroupA

Defining the Blueprint at the top-level ManagementGroupA reduces the number of definitions needed, applying consistency across all subscriptions beneath it.

21
Q

At which level should an Azure Blueprint assignment be applied to minimize assignments?

A

At each SubGroup Management Group

Assigning the Blueprint at each SubGroup Management Group level reduces the number of assignments while ensuring coverage across relevant subscriptions.

22
Q

What is the ideal way to grant users access to Azure Blob Storage files for one month?

A

Shared Access Signatures (SAS)

SAS provides time-bound access to Blob Storage objects, allowing users to access files for a specified duration like one month.

23
Q

Which service supports failover to another server for ApplicationA’s recovery needs?

A

Azure Site Recovery

Azure Site Recovery enables failover to another server, meeting ApplicationA’s requirement for disaster recovery with minimal downtime.

24
Q

Which service provides backup for ApplicationB’s data with a suitable RTO?

A

Azure Backup

Azure Backup offers a straightforward backup solution for ApplicationB, allowing data restoration within the required recovery time objective (RTO).

25
Q

Which service allows asynchronous communication via messages between Azure Web Apps and VMs?

A

Azure Service Bus

Azure Service Bus supports message queues, enabling asynchronous communication between application components like Web Apps and VMs.

26
Q

What subnet IP range can be used for Azure VMs in a virtual network with a Site-to-Site VPN to an on-premises network (192.168.0.0/16)?

A

10.0.0.0/24

The Azure virtual network must use a non-overlapping IP range like 10.0.0.0/24 to avoid conflicts with the on-premises range of 192.168.0.0/16.

27
Q

What gateway subnet IP range can be used for a Site-to-Site VPN in an Azure virtual network?

A

10.0.1.0/27

A gateway subnet like 10.0.1.0/27 can be carved out from the virtual network’s address space for the VPN gateway.

28
Q

Which service is cost-effective for hosting containers that access Azure file shares and auto-restart on failure?

A

Azure Container Instances

Azure Container Instances (ACI) is cost-effective, supports Azure file share access, and automatically restarts failed containers.

29
Q

What deployment strategy ensures a .NET app on VMs is available across regions with custom components?

A

Deploy on two Azure VMs in different regions with a Traffic Manager Profile

Traffic Manager provides global routing across regions, ensuring availability even if one region fails, while VMs support custom components.

30
Q

Which Azure SQL feature automatically monitors and improves query performance?

A

Automatic Tuning

Automatic Tuning monitors queries on an Azure SQL database and optimizes performance by applying tuning recommendations.

31
Q

Which Azure SQL feature shows the performance of top-consuming and longest-running queries?

A

Query Performance Insights

Query Performance Insights provides detailed metrics on resource-intensive and long-running queries in an Azure SQL database.

32
Q

How many public IP addresses are needed for a VM (appvm2) behind a Standard Public Load Balancer?

A

0

VMs behind a public Load Balancer use private IPs for communication; no public IPs are required for the VMs themselves.

33
Q

Which storage solution supports immutable database backups for three years?

A

Azure Blob Storage

Azure Blob Storage with immutable policies (e.g., time-based retention) is ideal for storing unmodifiable database backups.

34
Q

Which service provides global routing, WAF protection, and URL-based routing for Azure Web Apps across regions?

A

Azure Front Door

Azure Front Door offers global routing, Web Application Firewall (WAF), and URL-based routing, ensuring availability and security across regions.

35
Q

Can APIs in an API Management instance integrated with a virtual network be accessed from within that network?

A

Yes

When API Management is integrated with the same virtual network (e.g., app-network), APIs are accessible from within that network.

36
Q

Can APIs in an API Management instance set to ‘External’ mode be accessed from the Internet?

A

Yes

The ‘External’ mode in API Management allows APIs to be accessible from the Internet, in addition to internal access if configured.

37
Q

What is true about a file in the Archive access tier of Azure Blob Storage?

A

The file will be stored at the lowest storage cost

The Archive tier offers the lowest storage cost in Azure Blob Storage, though access costs are higher due to retrieval delays.

38
Q

How can a file in the Archive tier be accessed immediately?

A

Change the access tier of the object

To access an archived file immediately, you must rehydrate it by changing its access tier (e.g., to Hot or Cool).

39
Q

How does Azure Key Vault ensure redundancy for stored secrets and keys?

A

By replicating artifacts to another region

Azure Key Vault automatically replicates secrets and keys to a paired region for redundancy and disaster recovery.

40
Q

During an Azure Key Vault failover, which operation is not allowed?

A

Delete secret

In failover mode, the Key Vault becomes read-only, preventing operations like deleting secrets until failover completes.

41
Q

How can an ASP.NET Core app on an Azure VM authenticate users via Azure AD?

A

Azure AD Enterprise Application

Registering the app as an Azure AD Enterprise Application allows it to use Azure AD credentials for user authentication.

42
Q

What should be configured to collect event data from Windows Server 2019 VMs into a Log Analytics workspace?

A

Windows event logs

Windows event logs must be configured to collect security and system events from Windows Server 2019 VMs into Log Analytics.

43
Q

What should be configured to collect event data from Ubuntu Linux 20.04 VMs into a Log Analytics workspace?

A

Syslog

Syslog is used to collect event data from Linux-based VMs like Ubuntu 20.04 into a Log Analytics workspace.

44
Q

Does an Azure Blueprint with only a resource group and role assignment include a policy assignment?

A

No

The Blueprint described only includes a resource group and role assignment, with no Azure Policy assignment defined.

45
Q

Can an Azure Blueprint in ‘Draft’ status be assigned?

A

No

A Blueprint must be published (moved out of Draft status) before it can be assigned to a scope.

46
Q

Which service enforces Multi-Factor Authentication for privileged users based on login location?

A

Azure AD Conditional Access

Conditional Access Policies can enforce MFA for specific users based on conditions like login location.

47
Q

Which service integrates Azure Monitor alerts with ServiceNow to create work items?

A

IT Service Management Connector

The IT Service Management Connector links Azure Monitor alerts to external ITSM tools like ServiceNow for automated work item creation.

48
Q

Which service allows monthly reviews of role assignments with automatic removal if unapproved?

A

Azure AD Access Reviews

Azure AD Access Reviews enables periodic review of role assignments, with automation to remove unapproved roles.

49
Q

How can a Traffic Manager profile be converted from priority routing to an Active-Active setup?

A

Change the Traffic Manager routing method

Switching from Priority to a method like Weighted or Performance routing enables an Active-Active configuration across endpoints.

50
Q

How many public IP addresses are needed for a VM (appvm1) behind a Standard Public Load Balancer?

A

0

VMs behind a public Load Balancer communicate via private IPs; the Load Balancer itself handles the public IP, so none are needed for appvm1.