test8 Flashcards
Your organization plans to utilize Azure Blueprints to make sure that sets of Azure resources meet company standards, patterns, and requirements. The blueprints in development consist of: * Role Assignments * Policy Assignments * ARM Templates * Resource Groups
You need to determine the features and capabilities of Azure Blueprints.
For the statement below, choose Yes if it is correct. If not, choose No.
STATEMENT: Does deploying a resource using a blueprint create a persistent link between the blueprint and the resource?
Yes
No
Yes
Explanation
When you use a blueprint to deploy a resource, it keeps a link between the blueprint and the resource. This is different from just using an ARM template alone. The link helps with better tracking and checking of the deployments.
Your organization plans to utilize Azure Blueprints to make sure that sets of Azure resources meet company standards, patterns, and requirements. The blueprints in development consist of: * Role Assignments * Policy Assignments * ARM Templates * Resource Groups You need to determine the features and capabilities of Azure Blueprints.
For the statement below, choose Yes if it is correct. If not, choose No. STATEMENT: A subscription owner can bypass the blueprint’s Read Only and Do Not Delete resource locking settings.
Yes
No
No.
Explanation
A subscription owner cannot override the Read Only and Do Not Delete settings applied by Azure Blueprints. These locks are designed to enforce security and prevent accidental changes or deletions, ensuring adherence to organizational policies. Consequently, the correct answer is NO.
Your organization plans to utilize Azure Blueprints to make sure that sets of Azure resources meet company standards, patterns, and requirements. The blueprints in development consist of: * Role Assignments * Policy Assignments * ARM Templates * Resource Groups You need to determine the features and capabilities of Azure Blueprints.
For the statement below, choose Yes if it is correct. If not, choose No.
STATEMENT: RBAC roles can be assigned at the subscription level or for specific resource groups within a blueprint.
Yes
No
Yes
Explanation
Role-based access control (RBAC) roles can be set up for either a subscription or specific resource groups within a blueprint. These RBAC role assignments can be included as artifacts in an Azure Blueprint, with specified roles and permissions.
Company A uses an Azure Logic App called LApp1 to handle some HR workflows. LApp1 requires access to employee data stored in a SQL database named DB1, which is hosted on-premises (DC). Company policy restricts DB1 from accessing the internet. You need to create a solution that allows LApp1 to query data from DB1. Which two resources should be part of your design? Each correct answer is a component of the solution.
An on-premises data gateway
An Azure connection gateway resource
Microsoft Entra Application Proxy
Azure application registration
An on-premises data gateway
Explanation
For your design, you should include both an on-premises data gateway and an Azure connection gateway resource. The on-premises data gateway enables Azure cloud services to securely connect to on-premises data sources like SQL databases, even if those sources do not have internet access. This gateway is used by various Azure services, including Power BI, Power Apps, Power Automate, Azure Analysis Services, and Azure Logic Apps, and acts as a connection broker between cloud and on-premises resources.
An Azure connection gateway resource
Explanation
Additionally, you should add an Azure connection gateway resource and link it to your on-premises setup.
Your company operates an Active Directory Domain Services (AD DS) forest with a single domain, named company.com, and has several geographic locations. The forest functional level is Windows Server 2016. The company has legacy on-premises applications that depend on AD DS and Kerberos authentication, and there are no plans to rewrite or replace these applications. The company is exploring options to migrate its applications to the cloud and has acquired an Azure subscription, but Microsoft Entra ID has not been configured. For testing purposes, you need to move the legacy applications to Azure and set up a test environment that: - Supports Kerberos authentication from the cloud without needing access to the on-premises network. - Minimizes changes to the applications. - Reduces additional AD management tasks. - Requires minimal effort to configure. You have already set up a single virtual network (VNet) in Azure and a site-to-site (S2S) VPN Gateway connection between the VNet and the on-premises network. To complete the setup and test the applications, what steps should you take?
Create a new VNet and create a new AD DS forest root domain on the new VNet.
Configure a Microsoft Entra domain named company.com.
Deploy one or more domain controllers for company.com on the existing VNet.
Create a child domain of company.com on the existing Vnet
Deploy one or more domain controllers for company.com on the existing VNet.
Explanation
You should install one or more domain controllers for company.com within the existing VNet. By replicating your Active Directory Domain Services (AD DS) environment in the cloud, you ensure support for Kerberos authentication. This approach minimizes changes to the applications, as they will continue to operate within the familiar AD DS environment.
You manage a sophisticated inventory management application named App1, which is running on Azure. When a new client joins, you must add a new data connector to App1. However, as additional connectors are added, App1 suffers from performance slowdowns. To ensure that the addition of new data connectors does not impact App1’s performance, you need to come up with a solution. Both App1 and the data connectors for each client are implemented as microservices. STATEMENT: Use Azure Kubernetes Service (AKS) to automatically scale your App1. Select Yes if the statement is true. Otherwise, select No.
Yes
No
Yes
Explanation
You should utilize Azure Kubernetes Service (AKS) to enable automatic scaling for your App1. AKS provides strong orchestration capabilities that let you deploy additional pods based on compute metrics such as CPU or memory usage. It can automatically scale according to the demands from the data connectors.
You manage a sophisticated inventory management application named App1, which is running on Azure. When a new client joins, you must add a new data connector to App1. However, as additional connectors are added, App1 suffers from performance slowdowns. To ensure that the addition of new data connectors does not impact App1’s performance, you need to come up with a solution. Both App1 and the data connectors for each client are implemented as microservices. STATEMENT: Deploy additional Docker containers using virtual machines (VMs).
Yes
No
No
Explanation
You should avoid using VMs to deploy additional Docker containers. Simply adding more containers won’t provide auto-scaling capabilities. These containers operate independently and require significant operational expertise to enable communication between them. Instead, you should use a container orchestrator like Kubernetes to manage the interactions between applications.
You have an on-premises network and an Azure subscription. The on-premises network has several branch offices.
A branch office in Toronto contains a virtual machine named VM1 that is configured as a file server. Users access the shared files on VM1 from all the offices.
You need to recommend a solution to ensure that the users can access the shared files as quickly as possible if the Toronto branch office is inaccessible.
What should you include in the recommendation?
a Recovery Services vault and Windows Server Backup
Azure blob containers and Azure File Sync
an Azure file share and Azure File Sync
an Azure file share and Azure File Sync
Explanation
Use Azure File Sync to centralize your organization’s file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share.
You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam,
Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan.
You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:
To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
If the manager does not verify an access permission, automatically revoke that permission.
Minimize development effort.
What should you recommend?
In Microsoft Entra ID, create an access review of Application1.
In Microsoft Entra ID Privileged Identity Management, create a custom role assignment for
the Application1 resources.
Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.
In Microsoft Entra ID, create an access review of Application1.
Explanation
In Microsoft Entra ID, create an access review of Application1.
You have an Azure virtual machine named VM1 that runs Windows Server 2019 and contains 500 GB of data files. You are designing a solution that will use Azure Data Factory to transform the data files, and then load the files to Azure Data Lake Storage. What should you deploy on VM1 to support the design?
the On-premises data gateway
the Azure Pipelines agent
Self-hosted integration runtime
the Azure File Sync agent
Self-hosted integration runtime
Explanation
The integration runtime (IR) is the compute infrastructure that Azure Data Factory and Synapse pipelines use to provide data-integration capabilities across different network environments. A self-hosted integration runtime can run copy activities between a cloud data store and a data store in a private network. It also can dispatch transform activities against compute resources in an on-premises network or an Azure virtual network. The installation of a self-hosted integration runtime needs an on-premises machine or a virtual machine inside a private network.
You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure subscription.
What should you include in the recommendation?
Azure Arc
Azure Monitor metrics
Azure Advisor
Azure Log Analytics
Azure Log Analytics
Explanation
Azure Log Analytics is a service that collects and analyzes data from various sources, including Azure resources, applications, and operating systems. It provides a centralized location for storing and querying log data, making it an ideal solution for monitoring and analyzing resource deployments. By configuring Log Analytics to collect and store the deployment logs, you can easily query and filter the data to generate a report of all the new ARM resource deployments within a specific time frame, such as a month.
You need to recommend most effective method to stream monitoring data to a third-party tool.
What should you recommend ?
Azure Logic Apps
Azure Event Grid
Azure Service Bus
Azure Event Hub
Azure Event Hub
Explanation
Azure Event Hub is a big data streaming platform and event ingestion service that can handle millions of events per second. It is specifically designed for high-throughput, real-time event streaming scenarios, making it the most effective method for streaming monitoring data to a third-party tool compared to other options.
You are planning to move online shop application to Azure and deploy it in the East US and West US regions.
Your solution must meet the following requirements:
> East US is the primary region where all customer requests should go.
> If the East US region fails, the web application in the West US region must take over automatically.
You need to recommend the solution for this.
Routing Configuration: Azure Load Balancer
Routing Method: Priority routing
Routing Configuration: Azure Traffic Manager
Routing Method: Priority routing
Routing Configuration: Azure Traffic Manager
Routing Method: Weighted routing
Routing Configuration: Azure Traffic Manager
Routing Method: Priority routing
Explanation
Azure Traffic Manager is the correct choice for this scenario as it provides DNS-based traffic routing to different Azure regions or global datacenters. By using the Priority routing method, you can specify the order in which endpoints should be used, ensuring that customer requests are directed to the primary region (East US) first. In case of a failure in the primary region, traffic will automatically failover to the secondary region (West US).
https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods
Which Compute service should you recommend for the below statement:
Statement: To migrate an on-premises, cloud-optimized, HPC workload application.
Azure Batch
Azure Kubernetes Service
Azure Functions
Azure Batch
Explanation
Azure Batch is the correct choice for migrating an on-premises, cloud-optimized, HPC workload application. Azure Batch allows you to run large-scale parallel and high-performance computing (HPC) applications efficiently in the cloud. It provides job scheduling, auto-scaling of compute resources, and management of tasks, making it ideal for HPC workloads.
https://learn.microsoft.com/en-us/azure/batch/batch-technical-overview
You are designing a database solution for databases hosted in an on-premises environment. Currently, there are 15 databases hosted on individual VMs. Each database has varying usage patterns, and the resources on the VMs are underutilized. You need to recommend a database solution that minimizes costs and reduces administrative overhead. The solution should meet the following requirements:
The solution should have a 99.99% uptime SLA.
The resources in the solution can scale dynamically.
The solution should have geo-replication capabilities.
Which solution should you recommend?
15 Azure SQL databases
15 Azure SQL Managed Instances
15 databases running in SQL Server VMs
An Azure SQL Database elastic pool hosting 15 databases
An Azure SQL Database elastic pool hosting 15 databases
Explanation
An Azure SQL Database elastic pool allows you to share resources among multiple databases, providing cost savings and reducing administrative overhead. The elastic pool can automatically scale resources based on the workload of the databases, ensuring optimal performance and cost efficiency. Additionally, geo-replication capabilities can be configured for individual databases, simplifying disaster recovery and ensuring high availability.
As given in the below architecture, there is virtual network named VNET1 and subnet named subnet1.
The organization has two groups of servers: Web Servers and Management Servers.
You should be able to RDP into the Management Servers, but not the Web Servers.
The Web Servers should display the IIS web page when accessed from the internet.
Private IP Address of VMs changes frequently.
How would you group virtual machines into - Web Servers and Management Servers ?
Network Rule
Network Security group (NSGs)
Application security groups (ASGs)
Azure Firewall
Application security groups (ASGs)
Explanation
Application Security Groups (ASGs) are used to group virtual machines based on their application roles or functions. By assigning virtual machines to ASGs, you can define network security rules based on the group membership. This allows you to control access to different groups of servers, such as Web Servers and Management Servers, based on their roles.
Your company has offices in North America and Europe.
You plan to migrate to Azure.
You need to recommend a networking solution for the new Azure infrastructure. The solution must meet the following requirements:
- The Point-to-Site (P2S) VPN connections of mobile users must connect automatically to the closest Azure region.
- The offices in each region must connect to their local Azure region by using an ExpressRoute circuit.
- Transitive routing between virtual networks and on-premises networks must be supported.
- The network traffic between virtual networks must be filtered by using FQDNs.
What should you include in the recommendation?
Azure Virtual WAN with a secured virtual hub
Virtual network peering and application security groups
Azure Route Server
Azure Network Function Manager
Azure Virtual WAN with a secured virtual hub
Explanation
Azure Virtual WAN with a secured virtual hub is the correct choice as it provides a centralized and scalable solution for connecting multiple Azure regions. It allows for automatic connection of mobile users to the closest Azure region through Point-to-Site VPN connections. Additionally, it supports ExpressRoute circuits for connecting offices in each region to their local Azure region. Transitive routing between virtual networks and on-premises networks is also supported, along with the ability to filter network traffic between virtual networks using FQDNs.
You are designing a point of sale (POS) solution that will be deployed across multiple locations and will use an Azure Databricks workspace in the Standard tier. The solution will include multiple apps deployed to the on-premises network of each location.
You need to configure the authentication method that will be used by the app to access the workspace. The solution must minimize the administrative effort associated with staff turnover and credential management.
What should you configure?
a managed identity
a service principal
a personal access token
a service principal
Explanation
Configuring a service principal is the correct choice for configuring authentication for the app to access the Azure Databricks workspace. A service principal is a security identity used by applications or services to access specific Azure resources. It allows for secure authentication without the need for storing credentials in the app, minimizing administrative effort and improving security.
Managed identity can be used only between Azure resources, here we have on-prem application communicating to Azure resources, then you need a service principal
Given below is the hierarchy
You need to assign role-based access control (RBAC) permissions to the IT assistant. Your solution must require minimal maintenance.
Which scope should you apply the permissions to ?
Resource Group
Management Group
Resource
Subscription
Management Group
Explanation
Applying RBAC permissions at the Management Group level allows you to centrally manage permissions for multiple subscriptions, resource groups, and resources. This approach reduces the need for individual permission assignments and simplifies maintenance tasks, making it the ideal choice for minimal maintenance
You are developing an auditing application developed as multiple Azure functions that will:
Subscribe to events like virtual machine creation.
Receive events from resources as soon as they happen.
Deploy all infrastructure resources related to the application using Infrastructure as Code (IaC).
Which two Azure services should you recommend ?
Azure Service Bus
Azure Event Grid
Azure Bicep
Azure Batch
Azure Event Grid
Explanation
Azure Event Grid is a fully managed event routing service that allows you to react to events from various Azure services in near real-time. You can create an Azure Event Grid topic for subscribing to events like virtual machine creation and handler function will execute events as soon as they happen, making it a perfect fit for the auditing application’s requirements.
Azure Bicep
Explanation
Azure Bicep is a domain-specific language for deploying Azure resources declaratively using Infrastructure as Code (IaC). It allows you to define the infrastructure resources related to the application in a structured and repeatable manner, ensuring consistency and efficiency in deployment. Using Azure Bicep aligns with the requirement to deploy all infrastructure resources related to the application using IaC.
You need to create a Custom Azure Policy for the below requirement:
Restrict the types of VMs that can be deployed.
Deny the creation of resources without a environment tag when they are created.
What is the Minimum number of Custom Policies required ?
Correct answer
1
2
3
4
1
Explanation
Only one custom policy is required to address both requirements. By creating a single policy that combines the restrictions for VM types and the presence of an environment tag, you can enforce both conditions simultaneously.
You need to create a Custom Azure Policy for the below requirement:
Restrict the types of VMs that can be deployed.
Append an automatic tag when they are created.
What is the Minimum number of Custom Policies required ?
1
2
3
4
2
Explanation
Single Policy should produce a single effect like Deny or Append. But, in this case there are Two effect - Deny and Append. So, We need to create two policies, first one with deny effect, and second one with append effect.
Your company has an on-premises Active Directory (AD) forest and a Microsoft Entra ID P1 tenant. All Microsoft Entra users are assigned a P1 license. You plan to have users use the same usernames and passwords for on-premises and Microsoft Entra authentication. Password changes are currently managed through the helpdesk to ensure that passwords remain synchronized.
Your company is considering deploying Microsoft Entra Connect on the on-premises network. You need to identify features from this action that will help to reduce the management overhead for your network infrastructure and helpdesk personnel.
Which two features could you use?
Password writeback
Self-service password reset
Identity Protection
Privileged Identity Management (PIM)
Password writeback
Explanation
Password writeback feature in Microsoft Entra Connect allows password changes made in the cloud to be written back to the on-premises Active Directory. This helps to ensure that passwords remain synchronized between on-premises and cloud environments, reducing the need for manual password management by the helpdesk.
Self-service password reset
Explanation
Self-service password reset feature in Microsoft Entra Connect allows users to reset their own passwords without the need to contact the helpdesk. This reduces the workload on helpdesk personnel and allows users to manage their passwords more efficiently, ultimately reducing management overhead for the network infrastructure.
Your organization - ABC has a contract with other organization - XYZ. XYZ does not have accounts in ABC’s Microsoft Entra Tenant. ABC need to provide access to the images stored in ABC’s blob storage account.
You need to design a strategy to allow secure access to the images to XYZ organization.
Provide the Primary Access Keys
Provide the Secondary Access Keys
Create a Shared access signature (SAS)
Create a Shared access signature (SAS)
Explanation
Creating a Shared Access Signature (SAS) is the correct choice as it allows you to grant limited access to specific resources in the storage account for a specific period of time. This way, you can securely share access to the images stored in the blob storage account with XYZ organization without exposing the account keys.
