You have an Azure subscription.
You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
What should you modify on VM1?
- A. the memory
- B. Integration Services
- C. the hard drive
- D. the network adapters
Correct Answer: C
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed-size disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to a fixed-size disk.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=%2Fazure%2Fvirtual-machines%2Fwindows%2Ftoc.json
Your company has an office in Seattle.
You have an Azure subscription that contains a virtual network named VNET1.
You create a site-to-site VPN between the Seattle office and VNET1.
VNET1 contains the subnets shown in the following table.
You need to route all Internet-bound traffic from Subnet1 to the Seattle office.
What should you create?
- A. a route for GatewaySubnet that uses the virtual network gateway as the next hop
- B. a route for Subnet1 that uses the local network gateway as the next hop
- C. a route for Subnet1 that uses the virtual network gateway as the next hop
- D. a route for GatewaySubnet that uses the local network gateway as the next hop
Correct Answer: C
A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP address that is not within the address prefix of any other route in a subnet's route table. When a subnet is created, Azure creates a default route to the 0.0.0.0/0 address prefix, with the Internet next hop type. We need to create a custom route in Azure to use a virtual network gateway in the Seattle office as the next hop.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
HOTSPOT -
You have Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: storageaccount1 and storageaccount2 only
Box 2: All the storage accounts -
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options
You create an Azure virtual machine named VM1 in a resource group named RG1.
You discover that VM1 performs slower than expected.
You need to capture a network trace on VM1.
What should you do?
- A. From the VM1 blade, configure Connection troubleshoot.
- B. From Diagnostic settings for VM1, configure the performance counters to include network counters.
- C. From the VM1 blade, install performance diagnostics and run advanced performance analysis.
- D. From Diagnostic settings for VM1, configure the log level of the diagnostic agent.
Correct Answer: C
The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.
Advanced performance analysis, included in the performance diagnostics tool, includes all checks in the performance analysis, and collects one or more of the traces, as listed in the following sections. Use this scenario to troubleshoot complex issues that require additional traces. Running this scenario for longer periods will increase the overall size of diagnostics output, depending on the size of the VM and the trace options that are selected.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. Create a gateway subnet.
- B. Create a VPN gateway that uses the VpnGw1 SKU.
- C. Create a connection.
- D. Create a local site VPN gateway.
- E. Create a VPN gateway that uses the Basic SKU.
Correct Answer: CDE
Reference:
https://docs.microsoft.com/en-za/archive/blogs/canitpro/step-by-step-configuring-a-site-to-site-vpn-gateway-between-azure-and-on-premise
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the users shown in the following table.
You plan to install Azure AD Connect and enable SSO.
You need to specify which user to use to enable SSO. The solution must use the principle of least privilege.
Which user should you specify?
- A. User3
- B. User2
- C. User1
- D. User4
Correct Answer: C
You need to have domain administrator credentials for each Active Directory forest that:
✑ You synchronize to Azure AD through Azure AD Connect.
✑ Contains users you want to enable for Seamless SSO.
Note: The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They're used only to enable Seamless SSO through Azure AD Connect.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.
RG1 contains the virtual machines shown in the following table.
RG2 contains the virtual machines shown in the following table.
All the virtual machines are configured to use premium disks and are accessible from the Internet.
VM1 and VM2 are in an availability set named AVSET1. VM3 and VM4 are in the same availability zone. VM5 and VM6 are in different availability zones.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
VM1 and VM2 are in an availability set named AVSET1.
For all Virtual Machines that have two or more instances deployed in the same Availability Set, we [Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.
Box 2: No -
VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2.
Box 3: Yes -
VM5 and VM6 are in different availability zones.
For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in the same Azure region, we [Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.99% of the time.
Reference:
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/
A company plans to use third-party application software to perform complex data analysis processes. The software will use up to 500 identical virtual machines (VMs) based on an Azure Marketplace VM image.
You need to design the infrastructure for the third-party application server. The solution must meet the following requirements:
✑ The number of VMs that are running at any given point in time must change when the user workload changes.
✑ When a new version of the application is available in Azure Marketplace it must be deployed without causing application downtime.
✑ Use VM scale sets.
✑ Minimize the need for ongoing maintenance.
Which two technologies should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. single placement group
- B. single storage account
- C. managed disks
- D. autoscale
Correct Answer: CD
You have a resource group named RG1 that contains the following:
✑ A virtual network that contains two subnets named Subnet1 and AzureFirewallSubnet
✑ An Azure Storage account named contososa1
✑ An Azure firewall deployed to AzureFirewallSubnet
You need to ensure that contososa1 is accessible from Subnet1 over the Azure backbone network.
What should you do?
- A. Modify the Firewalls and virtual networks settings for contososa1.
- B. Create a stored access policy for contososa1.
- C. Implement a virtual network service endpoint.
- D. Remove the Azure firewall.
Correct Answer: C
Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.
Note: Storage accounts have a public endpoint that is accessible through the internet. You can also create Private Endpoints for your storage account, which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a private link. The Azure storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
You have an Azure subscription that contains 100 virtual machines.
You have a set of PowerShell scripts that validate the virtual machine environment.
You need to run the scripts whenever there is an operating system update on the virtual machines. The solution must minimize implementation time and recurring costs.
Which three resources should you use to implement the scripts? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. an alert action group
- B. an Azure Monitor query
- C. an Azure Automation runbook
- D. a virtual machine that has network access to the 100 virtual machines
- E. an alert rule
Correct Answer: ACE
E: Step 1: Create alert -
In your Automation account, select Alerts under Monitoring, and then select New alert rule.
A: Step 2: Configure action groups for your alerts
Once you have your alerts configured, you can set up an action group, which is a group of actions to use across multiple alerts. The actions can include email notifications, runbooks, webhooks, and much more.
C: Use an Azure Automation runbook to run the PowerShell scripts.
Note: The Azure Automation Process Automation feature supports several types of runbooks, such as the PowerShell runbook, which is a text runbook based on Windows PowerShell scripting.
Reference:
https://docs.microsoft.com/en-us/azure/automation/update-management/configure-alerts
https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types
You have an Active Directory forest named contoso.com.
You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?
- A. Run Azure AD Connect and disable staging mode.
- B. From Synchronization Service Manager, run a full import.
- C. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
- D. From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial.
Correct Answer: A
In staging mode, the server is active for import and synchronization, but it does not run any exports. A server in staging mode is not running password sync or password writeback, even if you selected these features during installation. When you disable staging mode, the server starts exporting, enables password sync, and enables password writeback.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-operations
Your on-premises network contains 100 virtual machines that run Windows Server 2019.
You have an Azure subscription that contains an Azure Log Analytics workspace named Workspace1.
You need to collect errors from the Windows event logs on the virtual machines.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. Create an Azure Event Grid domain.
- B. Deploy the Microsoft Monitoring Agent.
- C. Configure Windows Event Forwarding on the virtual machines.
- D. Create an Azure Sentinel workspace.
- E. Configure the Data Collection settings for Workspace1.
Correct Answer: BE
The Azure Log Analytics agent collects telemetry from Windows and Linux virtual machines in any cloud, on-premises machines, and those monitored by System Center Operations Manager, and sends the collected data to your Log Analytics workspace in Azure Monitor.
Note: You may also see the Log Analytics agent referred to as the Microsoft Monitoring Agent (MMA) or OMS Linux agent.
Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
You have an Azure subscription named Subscription1.
You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?
- A. Azure HDInsight
- B. Azure Analysis Services
- C. Linux Diagnostic Extension (LAD) 3.0
- D. the AzurePerformanceDiagnostics extension
Correct Answer: D
You can use extensions to configure diagnostics on your VMs to collect additional metric data.
The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-monitoring
HOTSPOT -
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: 5 -
We have five virtual machines. Each virtual machine will have a public IP address and a private IP address. Each will require a network interface.
Box 2: 1 -
Each virtual machine requires the same inbound and outbound security rules. We can add them to one group.
Reference:
https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
You have an Azure subscription named Subscription1 that includes an Azure File share named share1.
You create several Azure virtual machines in Subscription1. All of the virtual machines belong to the same virtual network.
You have an on-premises Hyper-V server named Server1. Server1 hosts a virtual machine named VM1.
You plan to replicate VM1 to Azure.
You need to create additional objects in Subscription1 to support the planned deployment.
Which three objects should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. Hyper-V site
- B. Azure Recovery Services Vault
- C. storage account
- D. replication policy
- E. Azure Traffic Manager instance
- F. endpoint
Correct Answer: ABD
You manage an Active Directory domain named contoso.local.
You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.
You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.
What should you do?
- A. Use the Synchronization Service Manager to modify the Metaverse Designer tab.
- B. Use Azure AD Connect to customize the synchronization options.
- C. Use the Synchronization Rules Editor to create a synchronization rule.
- D. Use Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.
Correct Answer: C
Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).
Filtering can be configured using either the GUI or PowerShell.
Through GUI:
Using The Synchronization Rules Editor
1. Open the Synchronization Rules Editor on the server where Azure AD Connect is installed.
2. Click the Add new rule button on the View and manage your synchronization rules window.
3. Fill out the appropriate fields on the Description tab and click Next >.
4. On the Scoping filter tab, click Add group, then Add clause, add a userPrincipalName attribute filter, and click Next >.
Attribute: userPrincipalName -
Operator: ENDSWITH -
Value: Your internal UPN suffix prefixed with @ (e.g., @internal.acme.com). Users with this UPN suffix will NOT be synced with Office 365.
Reference:
https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/
You have an Azure SQL database named DB1.
You plan to create the following four tables in DB1 by using the following code.
Table1.
Table2.
Table3.
Table4.
You need to identify which table must be created last.
What should you identify?
- A. Table1
- B. Table2
- C. Table3
- D. Table4
Correct Answer: B
Table1 references Table4. Therefore Table4 must be created before Table1.
Table2 references Table1 and Table3. Therefore Table1 and Table3 must be created before Table2.
Note: FOREIGN KEY REFERENCES is a constraint that provides referential integrity for the data in the column or columns. FOREIGN KEY constraints require that each value in the column exists in the corresponding referenced column or columns in the referenced table. FOREIGN KEY constraints can reference only columns that are PRIMARY KEY or UNIQUE constraints in the referenced table or columns referenced in a UNIQUE INDEX on the referenced table.
Incorrect Answers:
A: Table1 is referenced by Table2 and should be created before Table2.
C: Table3 is referenced by Table2 and should be created before Table2.
D: Table4 is referenced by Table1 and should be created before Table1.
Reference:
https://docs.microsoft.com/en-us/sql/t-sql/statements/create-table-transact-sql?view=sql-server-ver15
You have an Azure Cosmos DB account named Account1. Account1 includes a database named DB1 that contains a container named Container1. The partition key for Container1 is set to /city.
You plan to change the partition key for Container1.
What should you do first?
- A. Delete Container1.
- B. Create a new Azure Cosmos DB account.
- C. Implement the Azure Cosmos DB .NET SDK.
- D. Regenerate the keys for Account1.
Correct Answer: B
The Change Feed Processor and Bulk Executor Library in Azure Cosmos DB can be leveraged to achieve a live migration of your data from one container to another. This allows you to redistribute your data to match the desired new partition key scheme, and make the relevant application changes afterwards, thus achieving the effect of "updating your partition key".
Incorrect Answers:
A: It is not possible to "update" your partition key in an existing container.
Reference:
https://devblogs.microsoft.com/cosmosdb/how-to-change-your-partition-key/
You have an Azure subscription that contains the resource groups shown in the following table.
You have the Azure SQL servers shown in the following table.
You create an Azure SQL database named DB1 on Sql1 in an elastic pool named Pool1.
You need to create an Azure SQL database named DB2 in Pool1.
Where should you deploy DB2?
- A. Sql1
- B. Sql2
- C. Sql3
- D. Sql4
Correct Answer: A
The databases in an elastic pool are on a single Azure SQL Database server and share a set number of resources at a set price.
Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-pool
HOTSPOT -
You deploy an Azure virtual machine scale set named VSS1 that contains 30 virtual machine instances across three zones in the same Azure region. The instances host an application named App1 that must be accessible by using HTTP and HTTPS traffic. Currently, VSS1 is inaccessible from the internet.
You need to use Azure Load Balancer to provide access to App1 across all the instances from the internet by using a single IP address.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: 1 -
Box 2: 30 network interfaces -
For a standard load balancer, the VMs in the backend address pool are required to have network interfaces that belong to a network security group.
Box 3: 2 -
One for the HTTP traffic, and one for the HTTPS traffic.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-cli
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.
Solution: You deploy DB1 and DB2 as Azure SQL databases each on a different Azure SQL Database server.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.
Note: Understanding distributed transactions.
When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.
Reference:
https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.
Solution: You deploy DB1 and DB2 as Azure SQL databases on the same Azure SQL Database server.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.
Note: Understanding distributed transactions.
When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.
Reference:
https://docs.particular.net/nservicebus/azure/understanding-transactionality-in-azure
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day. Container1 contains the items shown in the following table.
You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.
Solution: You run the following query.
SELECT day -
WHERE value = "10"
You set the EnableCrossPartitionQuery property to False.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
This returns Item1 only, because the EnableCrossPartitionQuery property is set to False. If the EnableCrossPartitionQuery property is set to True, it will return Item1 and Item3.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-where
HOTSPOT -
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: 4 -
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.
The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.
Box 2: 2 -
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
Box 3: 2 -
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
You have an Azure subscription that contains an Azure Sentinel workspace. Sentinel is configured to monitor several Azure resources.
You need to send notification emails to resource owners when alerts or recommendations are generated for a resource.
What should you use?
- A. Logic Apps Designer
- B. Azure Security Center
- C. Azure Pipelines
- D. Azure Machine Learning Studio
Correct Answer: A
Currently there is no built-in functionality that notifies you via email if there is an incident that is generated in Azure Sentinel. However, you can set up an Azure Logic App playbook to send incident information to your email.
Reference:
https://azsec.azurewebsites.net/2020/01/19/notify-azure-sentinel-alert-to-your-email-automatically/
Implement and Monitor an Azure Infrastructure