AZ 305 Questions Answers File 4

The document outlines various questions and scenarios related to the AZ-305 exam for designing Microsoft Azure Infrastructure Solutions. It covers topics such as backup policies, Azure services for application performance, migration strategies, and security requirements for Azure storage. Each question includes specific requirements and recommended solutions for implementing Azure services effectively.

Microsoft

AZ-305
Designing Microsoft Azure Infrastructure Solutions

http://killexams.com/exam-detail/AZ-305
Question: 1

HOTSPOT

You plan to deploy the backup policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information
presented in the graphic. NOTE: Each correct selection is worth one point.
Answer:

Explanation:


Question: 2

HOTSPOT

You are evaluating whether to use Azure Traffic Manager and Azure Application Gateway to meet the connection
requirements for App1.

What is the minimum number of instances required for each service? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.

Answer:

Question: 3

A company is planning on deploying an application onto Azure. The application will be based on the .NET Core
programming language and will be hosted using Azure Web Apps. Below are some of the requirements for the
application:

Give the ability to correlate Azure resource usage and the performance data with the actual application configuration
and performance data

Give the ability to visualize the relationships between application components

Give the ability to track requests and exceptions to specific lines of code from within the application

Give the ability to actually analyse how users return to an application and see how often they only select a particular
drop-down value

Which of the following services would be best suited for fulfilling the requirement of “Give the ability to correlate
Azure resource usage and the performance data with the actual application configuration and performance data”?
A. Azure Application Insights
B. Azure Service Map
C. Azure Log Analytics
D. Azure Activity Log

Answer: C
Question: 4

HOTSPOT

How should the migrated databases DB1 and DB2 be implemented in Azure?

Answer:

Explanation:


Box 1: SQL Managed Instance

Scenario: Once migrated to Azure, DB1 and DB2 must meet the following requirements:

Maintain availability if two availability zones in the local Azure region fail.

Fail over automatically.

Minimize I/O latency.

The auto-failover groups feature allows you to manage the replication and failover of a group of databases on a server
or all databases in a managed instance to another region. It is a declarative abstraction on top of the existing active
geo-replication feature, designed to simplify deployment and management of geo-replicated databases at scale. You can
initiate a geo-failover manually or you can delegate it to the Azure service based on a user-defined policy. The latter
option allows you to automatically recover multiple related databases in a secondary region after a catastrophic failure
or other unplanned event that results in full or partial loss of the SQL Database or SQL Managed Instance availability
in the primary region.

Box 2: Business critical

SQL Managed Instance is available in two service tiers:

General purpose: Designed for applications with typical performance and I/O latency requirements.

Business critical: Designed for applications with low I/O latency requirements and minimal impact of underlying
maintenance operations on the workload.

Question: 5

HOTSPOT

You plan to migrate App1 to Azure.

You need to recommend a storage solution for App1 that meets the security and compliance requirements.

Which type of storage should you recommend, and how should you recommend configuring the storage? To answer,
select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:


Box 1: Standard general-purpose v2

Standard general-purpose v2 supports Blob Storage.

Azure Storage provides data protection for Blob Storage and Azure Data Lake Storage Gen2.

Scenario:

Litware identifies the following security and compliance requirements:


Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of
new and existing data is prevented for a period of three years.

On-premises users and services must be able to access the Azure Storage account that will host the data in App1.

Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.

All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.

App1 must NOT share physical hardware with other workloads.

Box 2: NFSv3

Scenario: Plan: Migrate App1 to Azure virtual machines.

Blob storage now supports the Network File System (NFS) 3.0 protocol. This support provides Linux file system
compatibility at object storage scale and prices and enables Linux clients to mount a container in Blob storage from an
Azure Virtual Machine (VM) or a computer on-premises.

Question: 6

Topic 4, HABInsurance

Case Study

An insurance company, HABInsurance, operates in three states and provides home, auto, and boat insurance. Besides
the head office, HABInsurance has three regional offices.

Current environment

General

An insurance company, HABInsurance, operates in three states and provides home, auto, and boat insurance. Besides
the head office, HABInsurance has three regional offices.

Technology assessment

The company has two Active Directory forests: main.habinsurance.com and region.habinsurance.com. HABInsurance’s
primary internal system is Insurance Processing System (IPS). It is an ASP.Net/C# application running on
IIS/Windows Servers hosted in a data center. IPS has three tiers: web, business logic API, and a datastore on a back
end. The company uses Microsoft SQL Server and MongoDB for the backend. The system has two parts: Customer
data and Insurance forms and documents. Customer data is stored in Microsoft SQL Server and Insurance forms and
documents ― in MongoDB.

The company also has 10 TB of Human Resources (HR) data stored on NAS at the head office location.

Requirements

General

HABInsurance plans to migrate its workloads to Azure. They purchased an Azure subscription.

Changes

During a transition period, HABInsurance wants to create a hybrid identity model along with a Microsoft Office 365
deployment. The company intends to sync its AD forests to Azure AD and benefit from Azure AD administrative
units functionality.

HABInsurance needs to migrate the current IPSCustomers SQL database to a new fully managed SQL database in
Azure that would be budget-oriented, balanced with scalable compute and storage options. The management team
expects the Azure database service to scale the database resources dynamically with minimal downtime. The technical
team proposes implementing a DTU-based purchasing model for the new database. HABInsurance wants to migrate
Insurance forms and documents to Azure database service. HABInsurance plans to move IPS first two tiers to Azure
without any modifications. The technology team discusses the possibility of running IPS tiers on a set of virtual
machines instances. The number of instances should be adjusted automatically based on the CPU utilization. An SLA
of 99.95% must be guaranteed for the compute infrastructure. The company needs to move HR data to Azure File
shares.

In their new Azure ecosystem, HABInsurance plans to use internal and third-party applications. The company is
considering adding user consent for data access to the registered applications.

Later, the technology team contemplates adding a customer self-service portal to IPS and deploying a new IPS to
multi-region AKS. But the management team is worried about the performance and availability of the multi-region AKS
deployments during regional outages.

Which two parameters would you recommend setting up to ensure that the new IPSCustomers database will scale to
meet the workload demands?
A. Define the maximum of CPU cores
B. Define the maximum resource limit per group of databases
C. Define the maximum of Database Transaction Units
D. Define the maximum of the allocated storage
E. Define the maximum size for a database

Answer: C,E

Question: 7

Your company develops Azure applications.

You need to recommend a solution for the deployment of Azure subscriptions.

The solution must meet the following requirements:

What should you include in the recommendation?


A. Provision resource groups.
B. Support deployments across all Azure regions.
C. Create custom role-based access control (RBAC) roles.
D. Provide consistent virtual machine and virtual network configurations.

Answer: D

Explanation:

Resource groups: You can scope your deployment to a resource group. You use an Azure Resource Manager
template (ARM template) for the deployment.

Regions: If you have a template spec in one region and want to move it to a new region, you can export the template
spec and redeploy it.

RBAC: Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to
Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a
particular scope. In addition to using Azure PowerShell or the Azure CLI, you can assign roles using Azure Resource
Manager templates. Templates can be helpful if you need to deploy resources consistently and repeatedly.

You can set up virtual machine and virtual network configurations in an Azure Resource Manager template.

Reference:

https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/microsoft-resources-move-regions

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/template-description

Question: 8

You are developing a sales application that will contain several Azure cloud services and will handle different
components of a transaction. Different cloud services will process customer orders, billing, payment, inventory, and
shipping.

You need to recommend a solution to enable the cloud services to asynchronously communicate transaction
information by using REST messages.

What should you include in the recommendation?


A. Azure Service Bus
B. Azure Blob storage
C. Azure Notification Hubs
D. Azure Application Gateway

Answer: A

Explanation:

Service Bus is a transactional message broker and ensures transactional integrity for all internal operations against its
message stores. All transfers of messages inside of Service Bus, such as moving messages to a dead-letter queue or
automatic forwarding of messages between entities, are transactional.

Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-transactions

Question: 9

DRAG DROP

You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must
be stored in Azure Cosmos DB.

Which Azure services should you include in the design? To answer, drag the appropriate services to the correct targets.
Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:



Question: 11

You architect a solution that calculates 3D geometry from height-map data.

You have the following requirements:

Perform calculations in Azure.

Each node must communicate data to every other node.

Maximize the number of nodes to calculate multiple scenes as fast as possible.

Require the least amount of effort to implement.


You need to recommend a solution.

Which two actions should you recommend? Each correct answer presents part of the solution. NOTE: Each correct
selection is worth one point.
A. Create a render farm that uses Azure Batch.
B. Enable parallel file systems on Azure.
C. Enable parallel task execution on compute nodes.
D. Create a render farm that uses virtual machine (VM) scale sets.
E. Create a render farm that uses virtual machines (VMs).

Answer: A,C

Question: 12

HOTSPOT

What should you implement to meet the identity requirements? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Requirements: Identity Requirements

Contoso identifies the following requirements for managing Fabrikam access to resources: Every month, an account
manager at Fabrikam must review which Fabrikam users have access permissions to App1. Accounts that no longer
need permissions must be removed as guests.

The solution must minimize development effort.

Box 1: Azure AD Privileged Identity Management (PIM)

When should you use access reviews?

Too many users in privileged roles: It’s a good idea to check how many users have administrative access, how many of
them are Global Administrators, and if there are any invited guests or partners that have not been removed after being
assigned to do an administrative task. You can recertify the role assignments of users in Azure AD roles such as Global
Administrator, or Azure resource roles such as User Access Administrator, in the Azure AD Privileged Identity
Management (PIM) experience.

Box 2: Access reviews

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships,
access to enterprise applications, and role assignments. Users’ access can be reviewed on a regular basis to make sure
only the right people have continued access.

Question: 13

CORRECT TEXT

You need to recommend a solution that meets the data requirements for App1.
What should you recommend deploying to each availability zone that contains an instance of App1?
A. an Azure Cosmos DB that uses multi-region writes
B. an Azure Storage account that uses geo-zone-redundant storage (GZRS)
C. an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
D. an Azure SQL database that uses active geo-replication

Answer: A

Explanation:

Scenario: App1 has the following data requirements:

Each instance will write data to a data store in the same availability zone as the instance.

Data written by any App1 instance must be visible to all App1 instances.

Azure Cosmos DB: Each partition across all the regions is replicated. Each region contains all the data partitions of an
Azure Cosmos container and can serve reads as well as serve writes when multi-region writes is enabled.

Question: 14

HOTSPOT

Your on-premises network contains a file server named Server1 that stores 500 GB of data.

You need to use Azure Data Factory to copy the data from Server1 to Azure Storage.

You add a new data factory.

What should you do next? To answer, select the appropriate options in the answer area. NOTE: Each correct selection
is worth one point.

Answer:
Explanation:


Box 1: Install a self-hosted integration runtime

The Integration Runtime is a customer-managed data integration infrastructure used by Azure Data Factory to provide
data integration capabilities across different network environments.

Box 2: Create a pipeline

With ADF, existing data processing services can be composed into data pipelines that are highly available and
managed in the cloud. These data pipelines can be scheduled to ingest, prepare, transform, analyze, and publish data,
and ADF manages and orchestrates the complex data and processing dependencies.

References:

https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-sql-azure-adf

https://docs.microsoft.com/pl-pl/azure/data-factory/tutorial-hybrid-copy-data-tool

https://docs.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory

"A self-hosted integration runtime can run copy activities between a cloud data store and a data store in a private
network"

https://docs.microsoft.com/en-us/azure/data-factory/introduction

"With Data Factory, you can use the Copy Activity in a data pipeline to move data from both on-premises and cloud
source data stores to a centralization data store in the cloud for further analysis"

Question: 15

You plan to migrate App1 to Azure.

You need to recommend a network connectivity solution for the Azure Storage account that will host the App1 data.
The solution must meet the security and compliance requirements.

What should you include in the recommendation?


A. a private endpoint
B. a service endpoint that has a service endpoint policy
C. Azure public peering for an ExpressRoute circuit
D. Microsoft peering for an ExpressRoute circuit

Answer: A

Explanation:

Private endpoints securely connect to storage accounts from on-premises networks that connect to the VNet using VPN
or ExpressRoute with private peering.

Private endpoints also secure your storage account when you configure the storage firewall to block all connections on
the public endpoint for the storage service.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs#microsoft-peering

Question: 16

HOTSPOT

You design a solution for the web tier of WebApp1 as shown in the exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:

Explanation:

Box 1: Yes

Any new deployments to Azure must be redundant in case an Azure region fails.

Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing
method and the health of the endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure.
Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different
application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an
entire Azure region.

Box 2: Yes

Recent changes in Azure brought significant changes to the autoscaling options for Azure Web Apps (Azure App
Service, to be precise, because scaling happens at the App Service plan level and affects all web apps running in that
App Service plan).

Box 3: No

Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different
application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an
entire Azure region.

Question: 17

You need to recommend a solution to meet the database retention requirement.

What should you recommend?


A. Configure a long-term retention policy for the database.
B. Configure Azure Site Recovery.
C. Configure geo replication of the database.
D. Use automatic Azure SQL Database backups.

Answer: A

Explanation:

https://docs.microsoft.com/en-us/azure/azure-sql/database/long-term-retention-overview
In Azure SQL Database, you can configure a database with a long-term backup retention policy (LTR) to
automatically retain the database backups in separate Azure Blob storage containers for up to 10 years.

Question: 18

DRAG DROP

You plan to import data from your on-premises environment to Azure.

The data is shown in the following table.

What should you recommend using to migrate the data? To answer, drag the appropriate tools to the correct data
sources. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes
or scroll to view content. NOTE: Each correct selection is worth one point.

Answer:

Explanation:

References:

https://docs.microsoft.com/en-us/azure/dms/tutorial-sql-server-to-azure-sql

https://docs.microsoft.com/en-us/azure/cosmos-db/import-data

Question: 19

You plan to provision a High Performance Computing (HPC) cluster in Azure that will use a third-party scheduler.

You need to recommend a solution to provision and manage the HPC cluster nodes.
What should you include in the recommendation?
A. Azure Lighthouse
B. Azure CycleCloud
C. Azure Purview
D. Azure Automation

Answer: B

Explanation:

You can dynamically provision Azure HPC clusters with Azure CycleCloud.

Azure CycleCloud is the simplest way to manage HPC workloads.

Note: Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High Performance Computing
(HPC) environments on Azure. With CycleCloud, users can provision infrastructure for HPC systems, deploy familiar
HPC schedulers, and automatically scale the infrastructure to run jobs efficiently at any scale. Through CycleCloud,
users can create different types of file systems and mount them to the compute cluster nodes to support HPC
workloads.

Reference: https://docs.microsoft.com/en-us/azure/cyclecloud/overview

Question: 20

You have an Azure subscription that contains a Windows Virtual Desktop tenant.

You need to recommend a solution to meet the following requirements:

Start and stop Windows Virtual Desktop session hosts based on business hours.

Scale out Windows Virtual Desktop session hosts when required.

Minimize compute costs.

What should you include in the recommendation?


A. Microsoft Intune
B. a Windows Virtual Desktop automation task
C. Azure Automation
D. Azure Service Health

Answer: C

Explanation:

Reference:

https://www.ciraltos.com/automatically-start-and-stop-wvd-vms-with-azure-automation/

https://wvdlogix.net/windows-virtual-desktop-host-pool-automation-2

https://getnerdio.com/academy/how-to-optimize-windows-virtual-desktop-wvd-azure-costs-with-event-based-autoscaling-and-azure-vm-scale-sets/

Question: 21

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

You have an Azure Storage account that contains two 1-GB data files named File1 and File2. The data files are set to
use the archive access tier.

You need to ensure that File1 is accessible immediately when a retrieval request is initiated.

Solution: For File1, you set Access tier to Cool.

Does this meet the goal?


A. Yes
B. No

Answer: A

Explanation:

The data in the cool tier is "considered / intended to be stored for 30 days". But this is not a must. You can store data
indefinitely in the cool tier. The mentioned reference (see below) even gives an example of large scientific or
otherwise large data which is stored for long duration in the cool tier.

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal

Question: 22

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been
deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Does the solution meet the goal?
A. Yes
B. No

Answer: A

Explanation:

The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps
you monitor network performance between various points in your network infrastructure. It also helps you monitor
network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.

Note:

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of
direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the
name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify
helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises
environment.

IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a
subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network
interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress
traffic to or from a virtual machine.

Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question: 23

You plan to migrate App1 to Azure. The solution must meet the authentication and authorization requirements.

Which type of endpoint should App1 use to obtain an access token?


A. Azure Instance Metadata Service (IMDS)
B. Azure AD
C. Azure Service Management
D. Microsoft identity platform

Answer: A

Explanation:

Scenario: To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host
the app.

Managed identities provide an identity for applications to use when connecting to resources that support Azure Active
Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Question: 24

You need to recommend a strategy for migrating the database content of WebApp1 to Azure.

What should you include in the recommendation?


A. Use Azure Site Recovery to replicate the SQL servers to Azure.
B. Use SQL Server transactional replication.
C. Copy the BACPAC file that contains the Azure SQL database file to Azure Blob storage.
D. Copy the VHD that contains the Azure SQL database files to Azure Blob storage

Answer: B

Explanation:

Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard
disk (VHD or VHDX).

Scenario: WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs
Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image

Question: 25

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure.

Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use the Azure Traffic Analytics solution in Azure Log Analytics to analyze the network traffic.

Does the solution meet the goal?


A. Yes
B. No

Answer: B

Explanation:
Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question: 26

You are designing a microservices architecture that will support a web application.

The solution must meet the following requirements:

Allow independent upgrades to each microservice

Deploy the solution on-premises and to Azure

Set policies for performing automatic repairs to the microservices

Support low-latency and hyper-scale operations

You need to recommend a technology.

What should you recommend?


A. Azure Service Fabric
B. Azure Container Service
C. Azure Container Instance
D. Azure Virtual Machine Scale Set

Answer: A

Explanation:

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-overview

Question: 27

HOTSPOT

You have an on-premises file server that stores 2 TB of data files.

You plan to move the data files to Azure Blob Storage in the West Europe Azure region.

You need to recommend a storage account type to store the data files and a replication solution for the storage
account.

The solution must meet the following requirements:

• Be available if a single Azure datacenter fails.

• Support storage tiers.


• Minimize cost.

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

Explanation:

Account Type: StorageV2

Replication solution: Zone-redundant storage (ZRS)

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#supported-azure-storage-services

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#types-of-storage-accounts

The data must remain available if a single Azure datacenter fails, so the storage account must support ZRS replication.
The solution must also support storage tiers. Only general-purpose v2 (StorageV2) supports both ZRS and storage tiers.
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

Question: 28

HOTSPOT

You plan to deploy an Azure web app named App1 that will use Azure Active Directory (Azure AD) authentication.
App1 will be accessed from the internet by the users at your company. All the users have computers that run Windows
10 and are joined to Azure AD.

You need to recommend a solution to ensure that the users can connect to App1 without being prompted for
authentication and can access App1 only from company-owned computers.

What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


Box 1: An Azure AD app registration

Azure Active Directory (Azure AD) provides cloud-based directory and identity management services. You can use Azure AD
to manage the users of your application and to authenticate access to your applications.
You register your application with your Azure AD tenant.

Box 2: A conditional access policy

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must
complete an action.

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization
secure and stay out of your user’s way when not needed.


Question: 29

DRAG DROP

You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must
be stored in Azure Cosmos DB.

Which Azure services should you include in the design? To answer, drag the appropriate services to the correct targets.
Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:


Question: 30

HOTSPOT

You need to design an Azure policy that will implement the following functionality:

• For new resources, assign tags and values that match the tags and values of the resource group to which the resources
are deployed.

• For existing resources, identify whether the tags and values match the tags and values of the resource group that
contains the resources.

• For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege.

What should you include in the design? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.

Answer:

Explanation:


Box 1: Modify

Modify is used to add, update, or remove properties or tags on a resource during creation or update. A common
example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a
remediation task. A single Modify rule can have any number of operations.

Box 2: A managed identity with the Contributor role

Managed identity

How remediation security works: When Azure Policy runs the template in the deployIfNotExists policy definition, it
does so using a managed identity. Azure Policy creates a managed identity for each assignment, but must have details
about what roles to grant the managed identity.

Contributor role

The Contributor role grants the required access to apply tags to any entity.
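As an added example (not from the exam material or Microsoft's built-in policy set), the definition below has the shape of an Azure Policy Modify rule that inherits a tag from the resource group, and the small evaluator implements just the pieces of the rule language it uses (allOf, exists, notEquals, `tags['name']` fields and the `[resourceGroup().tags['name']]` template function) so the compliance check and the remediation task's operations can be traced offline. The tag name, resource names and the role definition ID are constructed placeholders.

```python
"""Evaluate a tag-inheritance Modify policy against sample resources (added example)."""
import re

TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")
RG_TAG_REF = re.compile(r"^\[resourceGroup\(\)\.tags\['([^']+)'\]\]$")

POLICY_DEFINITION = {
    "mode": "Indexed",
    "policyRule": {
        # Non-compliant when the resource lacks the tag and its resource group has a value for it.
        "if": {
            "allOf": [
                {"field": "tags['costCenter']", "exists": "false"},
                {"value": "[resourceGroup().tags['costCenter']]", "notEquals": ""},
            ]
        },
        "then": {
            "effect": "modify",
            "details": {
                # Role granted to the assignment's managed identity for remediation.
                # Placeholder ID; the exam answer above uses the Contributor role.
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/<ROLE-DEFINITION-ID>"
                ],
                "operations": [
                    {
                        "operation": "addOrReplace",
                        "field": "tags['costCenter']",
                        "value": "[resourceGroup().tags['costCenter']]",
                    }
                ],
            },
        },
    },
}


def resolve(value, rg_tags):
    """Resolve [resourceGroup().tags['name']]; any other value is returned unchanged."""
    match = RG_TAG_REF.match(value) if isinstance(value, str) else None
    return rg_tags.get(match.group(1), "") if match else value


def condition_matches(cond, resource, rg_tags):
    """Evaluate one condition of the rule (allOf / exists / notEquals) against a resource."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, rg_tags) for c in cond["allOf"])
    if "field" in cond:
        tag = TAG_FIELD.match(cond["field"]).group(1)
        present = tag in resource.get("tags", {})
        if "exists" in cond:
            return present == (cond["exists"] == "true")
        actual = resource["tags"].get(tag)
    else:
        actual = resolve(cond["value"], rg_tags)
    if "notEquals" in cond:
        return actual != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, rg_tags, resources):
    """Return (non-compliant resource names, Modify operations a remediation task would run)."""
    rule = policy["policyRule"]
    non_compliant, ops = [], []
    for res in resources:
        if not condition_matches(rule["if"], res, rg_tags):
            continue
        non_compliant.append(res["name"])
        for op in rule["then"]["details"]["operations"]:
            ops.append({
                "resource": res["name"],
                "operation": op["operation"],
                "tag": TAG_FIELD.match(op["field"]).group(1),
                "value": resolve(op["value"], rg_tags),
            })
    return non_compliant, ops


def remediate(resources, ops):
    """Apply Modify operations in place (add / addOrReplace / remove) and return the resources."""
    by_name = {r["name"]: r for r in resources}
    for op in ops:
        tags = by_name[op["resource"]].setdefault("tags", {})
        if op["operation"] == "remove":
            tags.pop(op["tag"], None)
        elif op["operation"] == "addOrReplace" or op["tag"] not in tags:  # 'add' never overwrites
            tags[op["tag"]] = op["value"]
    return resources


# Constructed sample: the resource group carries costCenter; two of the three resources do not.
RG_TAGS = {"costCenter": "CC-100", "env": "prod"}
RESOURCES = [
    {"name": "vm1", "tags": {"costCenter": "CC-100"}},
    {"name": "sa1", "tags": {"env": "prod"}},
    {"name": "kv1", "tags": {}},
]

if __name__ == "__main__":
    flagged, operations = evaluate(POLICY_DEFINITION, RG_TAGS, RESOURCES)
    print("non-compliant:", flagged)
    print("after remediation:", remediate(RESOURCES, operations))
```

If the resource group itself carries no value for the tag, the second condition fails and nothing is flagged, which is the same behaviour the built-in inheritance policies show.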

Question: 31

HOTSPOT

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active
Directory (Azure AD) identity.

The solution must meet the following requirements:

Ensure that the applications can authenticate only when running on the 10 virtual machines.

Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:

Question: 32

You need to recommend a solution that meets the data requirements for App1.

What should you recommend deploying to each availability zone that contains an instance of App1?
A. an Azure Cosmos DB that uses multi-region writes
B. an Azure Storage account that uses geo-zone-redundant storage (GZRS)
C. an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
D. an Azure SQL database that uses active geo-replication

Answer: A

Question: 33

You need to design a solution that will execute custom C# code in response to an event routed to Azure Event Grid.

The solution must meet the following requirements:

The executed code must be able to access the private IP address of a Microsoft SQL Server instance that runs on an
Azure virtual machine.

Costs must be minimized.

What should you include in the solution?


A. Azure Logic Apps in the integrated service environment
B. Azure Functions in the Dedicated plan and the Basic Azure App Service plan
C. Azure Logic Apps in the Consumption plan
D. Azure Functions in the Consumption plan

Answer: B

Explanation:

When you create a function app in Azure, you must choose a hosting plan for your app.

There are three basic hosting plans available for Azure Functions: Consumption plan, Premium plan, and Dedicated
(App Service) plan.

For the Consumption plan, you don’t have to pay for idle VMs or reserve capacity in advance.

Connect to private endpoints with Azure Functions

As enterprises continue to adopt serverless (and Platform-as-a-Service, or PaaS) solutions, they often need a way to
integrate with existing resources on a virtual network. These existing resources could be databases, file storage,
message queues or event streams, or REST APIs.
Reference:

https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale

https://techcommunity.microsoft.com/t5/azure-functions/connect-to-private-endpoints-with-azure-functions/ba-
p/1426615

https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale#hosting-plans-comparison

Question: 34

You migrate App1 to Azure. You need to ensure that the data storage for App1 meets the security and compliance
requirements.

What should you do?


A. Create an access policy for the blob
B. Modify the access level of the blob service.
C. Implement Azure resource locks.
D. Create Azure RBAC assignments.

Answer: A

Explanation:

Scenario: Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the
modification of new and existing data is prevented for a period of three years.

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your
organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user
might have.

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

Question: 35

You have SQL Server on an Azure virtual machine. The databases are written to nightly as part of a batch process.

You need to recommend a disaster recovery solution for the data.

The solution must meet the following requirements:

Provide the ability to recover in the event of a regional outage.

Support a recovery time objective (RTO) of 15 minutes.

Support a recovery point objective (RPO) of 24 hours.

Support automated recovery.

Minimize costs.

What should you include in the recommendation?


A. Azure virtual machine availability sets
B. Azure Disk Backup
C. an Always On availability group
D. Azure Site Recovery

Answer: D

Explanation:

Replication with Azure Site Recovery:

RTO is typically less than 15 minutes.

RPO: One hour for application consistency and five minutes for crash consistency.

Reference: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-sql

Question: 36

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft
Office 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory
Domain Services (AD DS), and Azure AD Connect.

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an
Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription
of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The
solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?


A. Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.
B. Configure an organization relationship between the Office 365 tenants of Fabrikam and Contoso.
C. In the Azure AD tenant of Contoso, use MIM to create guest accounts for the Fabrikam developers.
D. Configure an AD FS relying party trust between the Fabrikam and Contoso AD FS infrastructures.

Answer: C

Explanation:

Trust configurations – Configure trust from managed forest(s) or domain(s) to the administrative forest

A one-way trust is required from production environment to the admin forest.

Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate
production hosts.
References:

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-
reference-material

Question: 37

HOTSPOT

Your company deploys an Azure App Service Web App.

During testing, the application fails under load. The application cannot handle more than 100 concurrent user sessions.
You enable the Always On feature. You also configure auto-scaling to increase the instance count from two to 10 based
on HTTP queue length.

You need to improve the performance of the application.

Which solution should you use for each application scenario? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:


Box 1: Content Delivery Network

A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users.
CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to
minimize latency.

Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth
content to users by caching their content at strategically placed physical nodes across the world. Azure CDN can also
accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs.
For example, route optimization to bypass Border Gateway Protocol (BGP).

Box 2: Azure Redis Cache

Azure Cache for Redis is based on the popular software Redis. It is typically used as a cache to improve the
performance and scalability of systems that rely heavily on backend data-stores. Performance is improved by
temporarily copying frequently accessed data to fast storage located close to the application. With Azure Cache for
Redis, this fast storage is located in-memory with Azure Cache for Redis instead of being loaded from disk by a
database.

References: https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview

Question: 38

You are designing an Azure solution.

The network traffic for the solution must be securely distributed by providing the following features:

HTTPS protocol
Round robin routing

SSL offloading

You need to recommend a load balancing option.

What should you recommend?


A. Azure Load Balancer
B. Azure Traffic Manager
C. Azure Internal Load Balancer (ILB)
D. Azure Application Gateway

Answer: D

Explanation:

If you are looking for Transport Layer Security (TLS) protocol termination ("SSL offload") or per-HTTP/HTTPS
request, application-layer processing, review Application Gateway.

Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS,
WebSocket, and HTTP/2). It supports capabilities such as SSL termination, cookie-based session affinity, and round
robin for load-balancing traffic. Load Balancer load-balances traffic at layer 4 (TCP or UDP).

References: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq

Question: 39

You have an Azure subscription. The subscription has a blob container that contains multiple blobs. Ten users in the
finance department of your company plan to access the blobs during the month of April. You need to recommend a
solution to enable access to the blobs during the month of April only.

Which security solution should you include in the recommendation?


A. shared access signatures (SAS)
B. access keys
C. conditional access policies
D. certificates

Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
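A time-boxed SAS is only as tight as the parameters it was minted with, so as an added example (not from the exam material) the script below audits blob SAS URLs against the grant this question describes: validity inside April, read/list permissions only, HTTPS only. It parses the standard SAS query parameters (sv, sr, sp, st, se, spr, sig); the storage account, container, URLs and signature values are constructed, and the year 2024 is an assumption.

```python
"""Audit blob SAS tokens for a time-boxed, read-only grant (added example)."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

ALLOWED_PERMISSIONS = set("rl")                            # r = read, l = list
WINDOW_START = datetime(2024, 4, 1, tzinfo=timezone.utc)  # assumed year
WINDOW_END = datetime(2024, 5, 1, tzinfo=timezone.utc)    # exclusive


def parse_sas_time(value):
    """SAS start/expiry values are UTC ISO 8601, with or without a time part."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value!r}")


def audit_sas_url(url):
    """Return a list of findings; an empty list means the token matches the intended grant."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    missing = [p for p in ("sv", "sp", "se", "sig") if p not in params]
    if missing:
        return [f"missing SAS parameter(s): {', '.join(missing)}"]
    findings = []
    if "st" not in params:
        findings.append("no start time (st): valid from the moment it is issued")
    elif parse_sas_time(params["st"]) < WINDOW_START:
        findings.append(f"starts before the window: {params['st']}")
    if parse_sas_time(params["se"]) > WINDOW_END:
        findings.append(f"expires after the window: {params['se']}")
    extra = set(params["sp"]) - ALLOWED_PERMISSIONS
    if extra:
        findings.append(f"permissions beyond read/list: {''.join(sorted(extra))}")
    if params.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr=https)")
    return findings


def audit_all(urls):
    """Audit a mapping of label -> SAS URL and return only the entries with findings."""
    return {label: f for label, url in urls.items() if (f := audit_sas_url(url))}


# Constructed sample URLs for a container named 'reports' in a made-up account.
BASE = "https://financeacct.blob.core.windows.net/reports?sv=2022-11-02&sr=c"
SAMPLE_SAS_URLS = {
    "april_read_only": BASE + "&sp=rl&st=2024-04-01T00:00:00Z&se=2024-04-30T23:59:59Z"
                              "&spr=https&sig=CONSTRUCTED",
    "expires_in_june": BASE + "&sp=rl&st=2024-04-01T00:00:00Z&se=2024-06-30T00:00:00Z"
                              "&spr=https&sig=CONSTRUCTED",
    "read_write_delete": BASE + "&sp=rwdl&st=2024-04-01T00:00:00Z&se=2024-04-30T00:00:00Z"
                                "&sig=CONSTRUCTED",
}

if __name__ == "__main__":
    for label, findings in audit_all(SAMPLE_SAS_URLS).items():
        print(label, "->", "; ".join(findings))
```

A token tied to a stored access policy (si) carries its window in the policy rather than in the URL, so that case needs the policy itself checked instead.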

Question: 40

HOTSPOT

You plan to migrate DB1 and DB2 to Azure.


You need to ensure that the Azure database and the service tier meet the resiliency and business requirements.

What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

Question: 41

Your company, named Contoso, Ltd., implements several Azure logic apps that have HTTP triggers. The logic apps
provide access to an on-premises web service.

Contoso establishes a partnership with another company named Fabrikam, Inc.

Fabrikam does not have an existing Azure Active Directory (Azure AD) tenant and uses third-party OAuth 2.0 identity
management to authenticate its users.

Developers at Fabrikam plan to use a subset of the logic apps to build applications that will integrate with the on-
premises web service of Contoso.

You need to design a solution to provide the Fabrikam developers with access to the logic apps.

The solution must meet the following requirements:

Requests to the logic apps from the developers must be limited to lower rates than the requests from the users at
Contoso.

The developers must be able to rely on their existing OAuth 2.0 provider to gain access to the logic apps.

The solution must NOT require changes to the logic apps.


The solution must NOT use Azure AD guest accounts.

What should you include in the solution?


A. Azure AD business-to-business (B2B)
B. Azure Front Door
C. Azure API Management
D. Azure AD Application Proxy

Answer: C

Explanation:

API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential
of their data and services.

You can secure API Management using the OAuth 2.0 client credentials flow.

Reference:

https://docs.microsoft.com/en-us/azure/api-management/api-management-key-concepts

https://docs.microsoft.com/en-us/azure/api-management/api-management-features

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#enable-
oauth-20-user-authorization-in-the-developer-console

Question: 42

HOTSPOT

You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual machines. The virtual
machines are connected to VNET1.

You need to design a solution to manage the virtual machines from the internet.

The solution must meet the following requirements:

• Incoming connections to the virtual machines must be authenticated by using Azure Multi-Factor Authentication
(MFA) before network connectivity is allowed.

• Incoming connections must use TLS and connect to TCP port 443.

• The solution must support RDP and SSH.

What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:

Question: 43

You have to deploy an Azure SQL database named db1 for your company. The database must meet the following
security requirements:

When IT help desk supervisors query a database table named customers, they must be able to see the full number of
each credit card.

When IT help desk operators query a database table named customers, they must only see the last four digits of each
credit card number.

A column named Credit Card rating in the customers table must never appear in plain text in the database system.
Only client applications must be able to decrypt the information that is stored in this column.

Which of the following can be implemented for the Credit Card rating column security requirement?
A. Always Encrypted
B. Azure Advanced Threat Protection
C. Transparent Data Encryption
D. Dynamic Data Masking

Answer: A

Explanation:

https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?
view=sql-server-ver15

Question: 44

You have an Azure subscription that contains a storage account.

An application sometimes writes duplicate files to the storage account.

You have a PowerShell script that identifies and deletes duplicate files in the storage account. Currently, the script is
run manually after approval from the operations manager.

You need to recommend a serverless solution that performs the following actions:

Runs the script once an hour to identify whether duplicate files exist

Sends an email notification to the operations manager requesting approval to delete the duplicate files

Processes an email response from the operations manager specifying whether the deletion was approved

Runs the script if the deletion was approved

What should you include in the recommendation?


A. Azure Logic Apps and Azure Functions
B. Azure Pipelines and Azure Service Fabric
C. Azure Logic Apps and Azure Event Grid
D. Azure Functions and Azure Batch

Answer: A

Explanation:

You can schedule a PowerShell script with Azure Logic Apps.

When you want to run code that performs a specific job in your logic apps, you can create your own function by using
Azure Functions. This service helps you create Node.js, C#, and F# functions so you don’t have to build a complete
app or infrastructure to run code. You can also call logic apps from inside Azure functions. Azure Functions provides
serverless computing in the cloud and is useful for performing tasks such as these examples:

Reference: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions

Question: 45

You need to deploy resources to host a stateless web app in an Azure subscription.

The solution must meet the following requirements:

• Provide access to the full .NET framework.

• Provide redundancy if an Azure region fails.

• Grant administrators access to the operating system to install custom application dependencies.

Solution: You deploy an Azure virtual machine to two Azure regions, and you deploy an Azure Application Gateway.

Does this meet the goal?


A. Yes
B. No

Answer: B
Explanation:

You need to deploy two Azure virtual machines to two Azure regions, but also create a Traffic Manager profile.

Question: 46

HOTSPOT

You have the Free edition of a hybrid Azure Active Directory (Azure AD) tenant. The tenant uses password hash
synchronization.

You need to recommend a solution to meet the following requirements:

Prevent Active Directory domain user accounts from being locked out as the result of brute force attacks targeting
Azure AD user accounts.

Block legacy authentication attempts to Azure AD integrated apps.

Minimize costs.

What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:
Explanation:


Box 1: Smart lockout

Smart lockout helps lock out bad actors that try to guess your users’ passwords or use brute-force methods to get in.
Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and
other unknown sources.

Attackers get locked out, while your users continue to access their accounts and be productive.

Box 2: Conditional access policies

If your environment is ready to block legacy authentication to improve your tenant’s protection, you can accomplish
this goal with Conditional Access.

How can you prevent apps using legacy authentication from accessing your tenant’s resources? The recommendation is
to just block them with a Conditional Access policy. If necessary, you allow only certain users and specific network
locations to use apps that are based on legacy authentication.
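Before a block is enforced, the sign-in logs show which users and clients still rely on legacy authentication and where failed basic-auth attempts come from (the brute-force pattern that Box 1 addresses). As an added example (not from the exam material), the script below runs that check over constructed sign-in records shaped like the Azure AD SigninLogs fields (UserPrincipalName, ClientAppUsed, ResultType, AppDisplayName, IPAddress) and carries the policy body, in the Microsoft Graph conditionalAccessPolicy shape, created in report-only state; the users, IPs and apps are made up.

```python
"""Report legacy-authentication sign-ins before Conditional Access blocks them (added example)."""
import json
from collections import Counter, defaultdict

# ClientAppUsed values that indicate legacy (basic) authentication in sign-in logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Exchange Online PowerShell", "Autodiscover",
    "Offline Address Book", "Outlook Anywhere (RPC over HTTP)", "Reporting Web Services",
}

# Policy body (Microsoft Graph conditionalAccessPolicy shape): block the legacy client types
# for all users. Created report-only so the report below can be reviewed before enforcing.
BLOCK_LEGACY_AUTH_POLICY = {
    "displayName": "Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed records, one JSON object per line. ResultType 0 = success, 50126 = invalid password.
SAMPLE_SIGNIN_LOGS = """\
{"UserPrincipalName": "alice@contoso.example", "ClientAppUsed": "Browser", "ResultType": "0", "AppDisplayName": "Office 365 SharePoint Online", "IPAddress": "203.0.113.10"}
{"UserPrincipalName": "bob@contoso.example", "ClientAppUsed": "IMAP4", "ResultType": "0", "AppDisplayName": "Office 365 Exchange Online", "IPAddress": "203.0.113.11"}
{"UserPrincipalName": "carol@contoso.example", "ClientAppUsed": "Authenticated SMTP", "ResultType": "50126", "AppDisplayName": "Office 365 Exchange Online", "IPAddress": "198.51.100.7"}
{"UserPrincipalName": "carol@contoso.example", "ClientAppUsed": "Authenticated SMTP", "ResultType": "50126", "AppDisplayName": "Office 365 Exchange Online", "IPAddress": "198.51.100.7"}
{"UserPrincipalName": "carol@contoso.example", "ClientAppUsed": "Authenticated SMTP", "ResultType": "50126", "AppDisplayName": "Office 365 Exchange Online", "IPAddress": "198.51.100.7"}
{"UserPrincipalName": "dave@contoso.example", "ClientAppUsed": "Mobile Apps and Desktop clients", "ResultType": "0", "AppDisplayName": "Microsoft Teams", "IPAddress": "203.0.113.12"}
"""


def parse_signin_logs(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(record):
    """True when the record's client app used a legacy authentication protocol."""
    return record.get("ClientAppUsed") in LEGACY_CLIENT_APPS


def legacy_auth_report(records):
    """Summarise legacy sign-ins: client apps per user and failed attempts per source IP."""
    apps_by_user = defaultdict(Counter)
    failed_by_ip = Counter()
    for rec in records:
        if not is_legacy(rec):
            continue
        apps_by_user[rec["UserPrincipalName"]][rec["ClientAppUsed"]] += 1
        if rec["ResultType"] != "0":
            failed_by_ip[rec["IPAddress"]] += 1
    return {
        "affected_users": {user: dict(apps) for user, apps in apps_by_user.items()},
        "failed_legacy_by_ip": dict(failed_by_ip),
    }


if __name__ == "__main__":
    print(json.dumps(legacy_auth_report(parse_signin_logs(SAMPLE_SIGNIN_LOGS)), indent=2))
```

Users in affected_users are the ones to move to modern clients before the policy state changes to enabled; repeated failures from one source IP against legacy protocols are the traffic smart lockout absorbs in Azure AD.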

Question: 47

Topic 2, Fabrikam, Inc. Case Study A

Overview:

Existing Environment

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in
London and three branch offices in Amsterdam, Berlin, and Rome.

Active Directory Environment:


The network contains two Active Directory forests named corp.fabrikam.com and rd.fabrikam.com. There are no trust
relationships between the forests. Corp.fabrikam.com is a production forest that contains identities used for internal
user and computer authentication. Rd.fabrikam.com is used by the research and development (R&D) department only.
The R&D department is restricted to using on-premises resources only.

Network Infrastructure:

Each office contains at least one domain controller from the corp.fabrikam.com domain.

The main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the Internet.

An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by
customers to place and track orders. WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS)
and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual
machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software
Assurance.

Problem Statement:

The use of WebApp1 is unpredictable. At peak times, users often report delays. At other times, many resources for
WebApp1 are underutilized.

Requirements:

Planned Changes:

Fabrikam plans to move most of its production workloads to Azure during the next few years.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft
Office 365 deployment. All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements:

Fabrikam identifies the following technical requirements:

• Web site content must be easily updated from a single point.

• User input must be minimized when provisioning new app instances.

• Whenever possible, existing on-premises licenses must be used to reduce cost.

• Users must always authenticate by using their corp.fabrikam.com UPN identity.

• Any new deployments to Azure must be redundant in case an Azure region fails.

• Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).
• An email distribution group named IT Support must be notified of any issues relating to the directory
synchronization services.

• Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected
by a link failure between Azure and the on-premises network.

Database Requirements:

Fabrikam identifies the following database requirements:

• Database metrics for the production instance of WebApp1 must be available for analysis so that database
administrators can optimize the performance settings.

• To avoid disrupting customer access, database downtime must be minimized when databases are migrated.

• Database backups must be retained for a minimum of seven years to meet compliance requirements.

Security Requirements:

Fabrikam identifies the following security requirements:

* Company information including policies, templates, and data must be inaccessible to anyone outside the company

* Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.

* Administrators must be able to authenticate to the Azure portal by using their corp.fabrikam.com credentials.

* All administrative access to the Azure portal must be secured by using multi-factor authentication.

* The testing of WebApp1 updates must not be visible to anyone outside the company.

You need to recommend a strategy for the web tier of WebApp1. The solution must minimize

What should you recommend?
A. Create a runbook that resizes virtual machines automatically to a smaller size outside of business hours.
B. Configure the Scale Up settings for a web app.
C. Deploy a virtual machine scale set that scales out on a 75 percent CPU threshold.
D. Configure the Scale Out settings for a web app.

Answer: A

Question: 48

HOTSPOT

You are planning an Azure Storage solution for sensitive data. The data will be accessed daily. The data set is less than
10 GB.

You need to recommend a storage solution that meets the following requirements:

• All the data written to storage must be retained for five years.
• Once the data is written, the data can only be read. Modifications and deletion must be prevented.

• After five years, the data can be deleted, but never modified.

• Data access charges must be minimized

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

Explanation:


Box 1: General-purpose v2 with Archive access tier for blobs

Archive – Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency
requirements, on the order of hours.
Cool – Optimized for storing data that is infrequently accessed and stored for at least 30 days.

Hot – Optimized for storing data that is accessed frequently.

Box 2: Storage account resource lock

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your
organization from accidentally deleting or modifying critical resources.

The lock overrides any permissions the user might have.

Note: You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-
only respectively.

CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.

ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this
lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Question: 49

A company has an on-premises file server cbflserver that runs Windows Server 2019.

Windows Admin Center manages this server. The company owns an Azure subscription.

You need to provide an Azure solution to prevent data loss if the file server fails.

Solution: You decide to create an Azure Recovery Services vault. You then decide to install the Azure Backup agent
and then schedule the backup.

Would this meet the requirement?


A. Yes
B. No

Answer: B

Question: 50

Your company currently has an application that is hosted on their on-premises environment. The application currently
connects to two databases in the on-premises environment. The databases are named whizlabdb1 and whizlabdb2.

You have to move the databases onto Azure. The databases have to support server-side transactions across both of the
databases.

Solution: You decide to deploy the databases to an Azure SQL database-managed instance.

Would this fulfill the requirement?


A. Yes
B. No
Answer: A

Question: 51

You are designing a SQL database solution. The solution will include 20 databases that will be 20 GB each and have
varying usage patterns. You need to recommend a database platform to host the databases.

The solution must meet the following requirements:

• The compute resources allocated to the databases must scale dynamically.

• The solution must meet an SLA of 99.99% uptime.

• The solution must have reserved capacity.

• Compute charges must be minimized.

What should you include in the recommendation?


A. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine
B. 20 instances of Azure SQL Database serverless
C. 20 databases on a Microsoft SQL server that runs on an Azure virtual machine in an availability set
D. an elastic pool that contains 20 Azure SQL databases

Answer: D

Explanation:

Azure SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases
that have varying and unpredictable usage demands. The databases in an elastic pool are on a single server and share a
set number of resources at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the
price performance for a group of databases within a prescribed budget while delivering performance elasticity for each
database.

Guaranteed 99.995 percent uptime for SQL Database

Reference:

https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-pool-overview

https://azure.microsoft.com/en-us/pricing/details/sql-database/elastic/

https://www.azure.cn/en-us/support/sla/virtual-machines/

https://techcommunity.microsoft.com/t5/azure-sql/optimize-price-performance-with-compute-auto-scaling-in-azure/ba-p/966149

Question: 52

You use Azure virtual machines to run a custom application that uses an Azure SQL database on the back end.

The IT department at your company recently enabled forced tunneling.

Since the configuration change, developers have noticed degraded performance when they access the database.

You need to recommend a solution to minimize latency when accessing the database. The solution must minimize
costs.

What should you include in the recommendation?


A. Azure SQL Database Managed instance
B. Azure virtual machines that run Microsoft SQL Server servers
C. Always On availability groups
D. virtual network (VNET) service endpoint

Answer: D

Explanation:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

Question: 53

Your company plans to publish APIs for its services by using Azure API Management.

You discover that service responses include the AspNet-Version header.

You need to recommend a solution to remove AspNet-Version from the response of the published APIs.

What should you include in the recommendation?


A. a new product
B. a modification to the URL scheme
C. a new policy
D. a new revision

Answer: C

Explanation:

References: https://docs.microsoft.com/en-us/azure/api-management/transform-api

Question: 54

HOTSPOT

You have an on-premises file server that stores 2 TB of data files.

You plan to move the data files to Azure Blob storage in the Central Europe region.

You need to recommend a storage account type to store the data files and a replication solution for the storage
account.

The solution must meet the following requirements:


Be available if a single Azure datacenter fails.

Support storage tiers.

Minimize cost.

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

Explanation:


Account Type: StorageV2


Replication solution: Zone-redundant storage (ZRS)

Question: 55

Topic 5, Misc. Questions

You plan to deploy 10 applications to Azure. The applications will be deployed to two Azure Kubernetes Service
(AKS) clusters. Each cluster will be deployed to a separate Azure region.

The application deployment must meet the following requirements:

• Ensure that the applications remain available if a single AKS cluster fails.

• Ensure that the connection traffic over the internet is encrypted by using SSL without having to configure SSL on
each container.

Which service should you include in the recommendation?


A. AKS ingress controller
B. Azure Traffic Manager
C. Azure Front Door
D. Azure Load Balancer

Answer: C

Explanation:

"Azure Front Door, which focuses on global load-balancing and site acceleration, and Azure CDN Standard, which
offers static content caching and acceleration. The new Azure Front Door brings together security with CDN
technology for a cloud-based CDN with threat protection and additional capabilities. "

Question: 56

HOTSPOT

You have an Azure subscription that is linked to an Azure Active Directory Premium Plan 2 tenant. The tenant has
multi-factor authentication (MFA) enabled for all users.

You have the named locations shown in the following table.

You have the users shown in the following table.


You plan to deploy the Conditional Access policies shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct
selection is worth one point.

Answer:

Explanation:


Question: 57

HOTSPOT

You need to recommend a solution to ensure that App1 can access the third-party credentials and access strings. The
solution must meet the security requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.
Answer:

Explanation:


Scenario: Security Requirement

All secrets used by Azure services must be stored in Azure Key Vault.

Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be
shared between services.

Box 1: A service principal


A service principal is a type of security principal that identifies an application or service, which is to say, a piece of
code rather than a user or group. A service principal’s object ID is known as its client ID and acts like its username.
The service principal’s client secret acts like its password.

Note: Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is
responsible for authenticating the identity of any given security principal.

A security principal is an object that represents a user, group, service, or application that’s requesting access to Azure
resources. Azure assigns a unique object ID to every security principal.

Box 2: A role assignment

You can provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.

Question: 58

You have an Azure subscription.

You need to deploy an Azure Kubernetes Service (AKS) solution that will use Linux nodes.

The solution must meet the following requirements:

Minimize the time it takes to provision compute resources during scale-out operations.

Support autoscaling of Linux containers.

Minimize administrative effort.

Which scaling option should you recommend?


A. Virtual Kubelet
B. cluster autoscaler
C. horizontal pod autoscaler
D. AKS virtual nodes

Answer: D

Explanation:

https://docs.microsoft.com/en-us/azure/aks/virtual-nodes

Question: 59

Your company has an Azure Web App that runs on the Premium App Service plan. A development team will be using
the Azure Web App. You have to configure the Azure Web App so that it fulfils the following requirements.

Provide the ability to switch the web app from the current version to a newer version

Provide developers with the ability to test newer versions of the application before the switch to the newer version
occurs

Ensure that the application version can be rolled back


Minimize downtime

Which of the following can be used for this requirement?


A. Create a new App Service Plan
B. Make use of deployment slots
C. Map a custom domain
D. Backup the Azure Web App

Answer: B

Question: 60

What should you include in the identity management strategy to support the planned changes?
A. Move all the domain controllers from corp.fabrikam.com to virtual networks in Azure.
B. Deploy domain controllers for corp.fabrikam.com to virtual networks in Azure.
C. Deploy a new Azure AD tenant for the authentication of new R&D projects.
D. Deploy domain controllers for the rd.fabrikam.com forest to virtual networks in Azure.

Answer: B

Explanation:

Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected
by a link failure between Azure and the on-premises network. (This requires domain controllers in Azure)

Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails. (This
requires domain controllers on-premises)

Question: 61

You need to recommend a data storage strategy for WebApp1.

What should you include in the recommendation?


A. an Azure SQL Database elastic pool
B. a vCore-based Azure SQL database
C. an Azure virtual machine that runs SQL Server
D. a fixed-size DTU AzureSQL database.

Answer: B

Question: 62

You are planning an Azure IoT Hub solution that will include 50,000 IoT devices.

Each device will stream data, including temperature, device ID, and time data. Approximately 50,000 records will be
written every second. The data will be visualized in near real time.
You need to recommend a service to store and query the data.

Which two services can you recommend? Each correct answer presents a complete solution. NOTE: Each correct
selection is worth one point.
A. Azure Table Storage
B. Azure Event Grid
C. Azure Cosmos DB SQL API
D. Azure Time Series Insights

Answer: C,D

Explanation:

D: Time Series Insights is a fully managed service for time series data. In this architecture, Time Series Insights
performs the roles of stream processing, data store, and analytics and reporting. It accepts streaming data from either
IoT Hub or Event Hubs and stores, processes, analyzes, and displays the data in near real time.

C: The processed data is stored in an analytical data store, such as Azure Data Explorer, HBase, Azure Cosmos DB,
Azure Data Lake, or Blob Storage.

Reference: https://docs.microsoft.com/en-us/azure/architecture/data-guide/scenarios/time-series

Question: 63

HOTSPOT

You have an Azure Load Balancer named LB1 that balances requests to five Azure virtual machines.

You need to develop a monitoring solution for LB1.

The solution must generate an alert when any of the following conditions are met:

A virtual machine is unavailable.

Connection attempts exceed 50,000 per minute.

Which signal should you include in the solution for each condition? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:


Box 1: Data path availability

Standard Load Balancer continuously exercises the data path from within a region to the load balancer front end, all
the way to the SDN stack that supports your VM. As long as healthy instances remain, the measurement follows the
same path as your application’s load-balanced traffic. The data path that your customers use is also validated. The
measurement is invisible to your application and does not interfere with other operations.

Note: Load balancer distributes inbound flows that arrive at the load balancer’s front end to backend pool instances.
These flows are according to configured load-balancing rules and health probes. The backend pool instances can be
Azure Virtual Machines or instances in a virtual machine scale set.

Box 2: SYN count

SYN (synchronize) count: Standard Load Balancer does not terminate Transmission Control Protocol (TCP)
connections or interact with TCP or UDP packet flows. Flows and their handshakes are always between the source and
the VM instance. To better troubleshoot your TCP protocol scenarios, you can make use of SYN packets counters to
understand how many TCP connection attempts are made. The metric reports the number of TCP SYN packets that
were received.

Question: 64

DRAG DROP

You need to configure an Azure policy to ensure that the Azure SQL databases have TDE enabled. The solution must
meet the security and compliance requirements.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions
to the answer area and arrange them in the correct order.

Answer:
Explanation:


Scenario: All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE)
enabled.

Step 1: Create an Azure policy definition that uses the deployIfNotExists identity.

The first step is to define the roles that deployIfNotExists and modify needs in the policy definition to successfully
deploy the content of your included template.

Step 2: Create an Azure policy assignment

When creating an assignment using the portal, Azure Policy both generates the managed identity and grants it the roles
defined in roleDefinitionIds.

Step 3: Invoke a remediation task

Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through
Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the
modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a
management group, a subscription, a resource group, or an individual resource.

During evaluation, the policy assignment with deployIfNotExists or modify effects determines if there are non-
compliant resources or subscriptions. When non-compliant resources or subscriptions are found, the details are
provided on the Remediation page.

Question: 65

HOTSPOT
You are evaluating the components of the migration to Azure that require you to provision an Azure Storage account.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct
selection is worth one point.

Answer:

Question: 66

You have an Azure subscription that contains a storage account.

An application sometimes writes duplicate files to the storage account.

You have a PowerShell script that identifies and deletes duplicate files in the storage account. Currently, the script is
run manually after approval from the operations manager.

You need to recommend a serverless solution that performs the following actions:

Runs the script once an hour to identify whether duplicate files exist

Sends an email notification to the operations manager requesting approval to delete the duplicate files

Processes an email response from the operations manager specifying whether the deletion was approved

Runs the script if the deletion was approved

What should you include in the recommendation?


A. Azure Logic Apps and Azure Functions
B. Azure Pipelines and Azure Service Fabric
C. Azure Logic Apps and Azure Event Grid
D. Azure Functions and Azure Batch
Answer: A

Explanation:

You can schedule a PowerShell script with Azure Logic Apps.

When you want to run code that performs a specific job in your logic apps, you can create your own function by using
Azure Functions. This service helps you create Node.js, C#, and F# functions so you don’t have to build a complete
app or infrastructure to run code. You can also call logic apps from inside Azure functions. Azure Functions provides
serverless computing in the cloud and is useful for performing tasks such as these examples:

Reference: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions

Question: 67

HOTSPOT

You plan to migrate App1 to Azure.

You need to recommend a high-availability solution for App1. The solution must meet the resiliency requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Answer:
Explanation:


Box 1: 3

Scenario: App1 must meet the following requirements:

Be hosted in an Azure region that supports availability zones.

Maintain availability if two availability zones in the local Azure region fail.

A host group is a resource that represents a collection of dedicated hosts. You create a host group in a region and an
availability zone, and add hosts to it.

Use Availability Zones for fault isolation

Availability zones are unique physical locations within an Azure region. Each zone is made up of one or more
datacenters equipped with independent power, cooling, and networking. A host group is created in a single availability
zone. Once created, all hosts will be placed within that zone. To achieve high availability across zones, you need to
create multiple host groups (one per zone) and spread your hosts accordingly.

Box 2: 1

Scenario: App1 must meet the following requirements:

Be hosted on Azure virtual machines that support automatic scaling.

An Azure virtual machine scale set can automatically increase or decrease the number of VM instances that run your
application. This automated and elastic behavior reduces the management overhead to monitor and optimize the
performance of your application.

Question: 68

HOTSPOT

You have an Azure subscription named Subscription1 that is linked to a hybrid Azure Active Directory (Azure AD)
tenant.

You have an on-premises datacenter that does NOT have a VPN connection to Subscription1. The datacenter contains
a computer named Server1 that has Microsoft SQL Server 2016 installed. Server1 is prevented from accessing the
internet.

An Azure logic app named LogicApp1 requires write access to a database on Server1.

You need to recommend a solution to provide LogicApp1 with the ability to access Server1.

What should you recommend deploying on-premises and in Azure? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:


Box 1: An on-premises data gateway


For logic apps in global, multi-tenant Azure that connect to on-premises SQL Server, you need to have the on-
premises data gateway installed on a local computer and a data gateway resource that’s already created in Azure.

Box 2: A connection gateway resource

Question: 69

HOTSPOT

You have an Azure subscription that contains 300 Azure virtual machines that run Windows Server 2016.

You need to centrally monitor all warning events in the System logs of the virtual machines.

What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.

Answer:

Explanation:


References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

Question: 70

HOTSPOT

You plan to migrate on-premises Microsoft SQL Server databases to Azure.

You need to recommend a deployment and resiliency solution that meets the following requirements:

Supports user-initiated backups

Supports multiple automatically replicated instances across Azure regions

Minimizes administrative effort to implement and maintain business continuity

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

Explanation:



Box 1: An Azure SQL Database single database.

SQL Server Managed instance versus SQL Server Virtual Machines

Active geo-replication is not supported by Azure SQL Managed Instance.

Box 2: Active geo-replication

Active geo-replication is a feature that lets you create a continuously synchronized readable secondary database for
a primary database. The readable secondary database may be in the same Azure region as the primary or, more
commonly, in a different region. These readable secondary databases are also known as geo-secondaries or
geo-replicas.

Question: 71

You need to recommend an App Service architecture that meets the requirements for App1.

The solution must minimize costs.

What should you recommend?


A. one App Service Environment (ASE) per availability zone
B. one App Service plan per availability zone
C. one App Service plan per region
D. one App Service Environment (ASE) per region

Answer: A

Question: 72

HOTSPOT

You have an Azure subscription that contains the resources shown in the following table.

You create an Azure SQL database named DB1 that is hosted in the East US region.

To DB1, you add a diagnostic setting named Settings1. Settings1 archives SQLInsights to storage1 and sends
SQLInsights to Workspace1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct
selection is worth one point.
Answer:

Explanation:

Box 1: Yes

Box 2: Yes

Box 3: Yes

For more information on Azure SQL diagnostics, see https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure

Question: 73

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

Your company plans to deploy various Azure App Service instances that will use Azure SQL databases. The App
Service instances will be deployed at the same time as the Azure SQL databases.

The company has a regulatory requirement to deploy the App Service instances only to specific Azure regions. The
resources for the App Service instances must reside in the same region.

You need to recommend a solution to meet the regulatory requirement.

Solution: You recommend creating resource groups based on locations and implementing resource locks on the
resource groups.

Does this meet the goal?


A. Yes
B. No

Answer: B

Explanation:

Resource locks are not used for compliance purposes. Resource locks prevent changes from being made to resources.

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

Question: 74

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1.
Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.

You need to recommend a solution for evaluating the membership of Group1.

The solution must meet the following requirements:

• The evaluation must be repeated automatically every three months.

• Every member must be able to report whether they need to be in Group1.

• Users who report that they do not need to be in Group1 must be removed from Group1 automatically.

• Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.

What should you include in the recommendation?


A. Implement Azure AD Identity Protection.
B. Change the Membership type of Group1 to Dynamic User.
C. Implement Azure AD Privileged Identity Management.
D. Create an access review.

Answer: D

Explanation:

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#learn-about-access-reviews

Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly,
monthly, quarterly or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or
deny access with a friendly interface and with the help of smart recommendations.

Licensing example from the documentation: an administrator creates an access review of Group C with 50 member users and 25 guest users and makes it a self-review; this requires 50 licenses for the users acting as self-reviewers.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#example-license-scenarios

There are 4 requirements and every single one is only met by access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#when-should-you-use-access-reviews

Dynamic User is needed if a user must be automatically granted membership based on their attributes (department, job title,
location, etc.).

https://techcommunity.microsoft.com/t5/itops-talk-blog/dynamic-groups-in-azure-ad-and-microsoft-365/ba-p/2267494

Implementing Azure AD PIM is not a solution here and is not necessary for access reviews.

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#where-do-you-create-reviews

Question: 75

Your company has 300 virtual machines hosted in a VMware environment. The virtual machines vary in size and have
various utilization levels.

You plan to move all the virtual machines to Azure.

You need to recommend how many and what size Azure virtual machines will be required to move the current
workloads to Azure. The solution must minimize administrative effort.

What should you use to make the recommendation?


A. Azure Cost Management
B. Azure Pricing calculator
C. Azure Migrate
D. Azure Advisor

Answer: C

Explanation:

https://docs.microsoft.com/en-us/azure/migrate/migrate-appliance#collected-data—vmware

"Metadata discovered by the Azure Migrate appliance helps you to figure out whether servers are ready for migration
to Azure, right-size servers, plan costs, and analyze application dependencies."

https://docs.microsoft.com/en-us/learn/modules/design-your-migration-to-azure/2-plan-your-azure-migration

Question: 76

HOTSPOT

You have an Azure Active Directory (Azure AD) tenant.

You plan to use Azure Monitor to monitor user sign-ins and generate alerts based on specific user sign-in events.

You need to recommend a solution to trigger the alerts based on the events.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:


Box 1: An Azure Log Analytics workspace

To be able to create an alert, send the Azure AD logs to an Azure Log Analytics workspace.

Note: You can forward your AAD logs and events to either an Azure Storage Account, an Azure Event Hub, Log
Analytics, or a combination of all of these.

Box 2: Log

Ensure Resource Type is an analytics source like Log Analytics or Application Insights and signal type as Log.

Question: 77

Your company has an app named App1 that uses data from the on-premises Microsoft SQL Server databases shown in
the following table.
App1 and the data are used on the first day of the month only. The data is not expected to grow more than 3% each
year.

The company is rewriting App1 as an Azure web app and plans to migrate all the data to Azure.

You need to migrate the data to Azure SQL Database. The solution must minimize costs.

Which service tier should you use?


A. vCore-based Business Critical
B. vCore-based General Purpose
C. DTU-based Standard
D. DTU-based Basic

Answer: B

Explanation:

DTU-based Standard supports databases up to 1 TB in size.

Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tiers-dtu

Question: 78

DRAG DROP

You are designing a virtual machine that will run Microsoft SQL Server and will contain two data disks. The first data
disk will store log files, and the second data disk will store data. Both disks are P40 managed disks.

You need to recommend a caching policy for each disk. The policy must provide the best overall performance for the
virtual machine.

Which caching policy should you recommend for each disk? To answer, drag the appropriate policies to the correct
disks. Each policy may be used once, more than once, or not at all. You may need to drag the split bar between panes
or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:

Explanation:


References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-performance

Question: 79

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been
deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use the Azure Traffic Analytics solution in Azure Log Analytics to analyze the network traffic.

Does the solution meet the goal?


A. Yes
B. No

Answer: B

Explanation:

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Question: 80

Topic 3, Contoso

Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to
complete each case. However, there may be additional case studies and sections on this exam. You must manage your
time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case
study. Case studies might contain exhibits and other resources that provide more information about the scenario that is
described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make
changes before you move to the next section of the exam. After you begin a new section, you cannot return to this
section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the
content of the case study before you answer the questions. Clicking these buttons displays information such as
business requirements, existing environment, and problem statements. If the case study has an All Information tab,
note that the information displayed is identical to the information displayed on the subsequent tabs. When you are
ready to answer a question, click the Question button to return to the question.

Existing Environment: Technical Environment

The on-premises network contains a single Active Directory domain named contoso.com.

Contoso has a single Azure subscription.

Existing Environment: Business Partnerships

Contoso has a business partnership with Fabrikam, Inc. Fabrikam users access some Contoso applications over the
internet by using Azure Active Directory (Azure AD) guest accounts.

Requirements: Planned Changes


Contoso plans to deploy two applications named App1 and App2 to Azure.

Requirements: App1

App1 will be a Python web app hosted in Azure App Service that requires a Linux runtime.

Users from Contoso and Fabrikam will access App1.

App1 will access several services that require third-party credentials and access strings.

The credentials and access strings are stored in Azure Key Vault.

App1 will have six instances: three in the East US Azure region and three in the West Europe Azure region.

App1 has the following data requirements:

Each instance will write data to a data store in the same availability zone as the instance.

Data written by any App1 instance must be visible to all App1 instances.

App1 will only be accessible from the internet.

App1 has the following connection requirements:

Connections to App1 must pass through a web application firewall (WAF).

Connections to App1 must be active-active load balanced between instances.

All connections to App1 from North America must be directed to the East US region. All other connections must be
directed to the West Europe region.

Every hour, you will run a maintenance task by invoking a PowerShell script that copies files from all the App1
instances. The PowerShell script will run from a central location.

Requirements: App2

App2 will be a .NET app hosted in App Service that requires a Windows runtime.

App2 has the following file storage requirements:

Save files to an Azure Storage account.

Replicate files to an on-premises location.

Ensure that on-premises clients can read the files over the LAN by using the SMB protocol.

You need to monitor App2 to analyze how long it takes to perform different transactions within the application. The
solution must not require changes to the application code.

Application Development Requirements

Application developers will constantly develop new versions of App1 and App2.

The development process must meet the following requirements:

A staging instance of a new application version must be deployed to the application host before the new version is
used in production.

After testing the new version, the staging version of the application will replace the production version.

The switch to the new application version from staging to production must occur without any downtime of the
application.

Identity Requirements

Contoso identifies the following requirements for managing Fabrikam access to resources:

The solution must minimize development effort.

Security Requirement

All secrets used by Azure services must be stored in Azure Key Vault.

Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be
shared between services.

DRAG DROP

You need to recommend a solution that meets the file storage requirements for App2.

What should you deploy to the Azure subscription and the on-premises network? To answer, drag the appropriate
services to the correct locations. Each service may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:

Explanation:

Box 1: Azure Files

Scenario: App2 has the following file storage requirements:

Save files to an Azure Storage account.

Replicate files to an on-premises location.

Ensure that on-premises clients can read the files over the LAN by using the SMB protocol.

Box 2: Azure File Sync

Use Azure File Sync to centralize your organization’s file shares in Azure Files, while keeping the flexibility,
performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick
cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data
locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.

Question: 81

HOTSPOT

You have an Azure App Service web app that uses a system-assigned managed identity.
You need to recommend a solution to store the settings of the web app as secrets in an Azure key vault.

The solution must meet the following requirements:

• Minimize changes to the app code.

• Use the principle of least privilege.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Answer:

Question: 82

HOTSPOT

To meet the authentication requirements of Fabrikam, what should you include in the solution? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Question: 83

Topic 1, Litware, Inc

Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to
complete each case. However, there may be additional case studies and sections on this exam. You must manage your
time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case
study. Case studies might contain exhibits and other resources that provide more information about the scenario that is
described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make
changes before you move to the next section of the exam. After you begin a new section, you cannot return to this
section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the
content of the case study before you answer the questions. Clicking these buttons displays information such as
business requirements, existing environment, and problem statements. If the case study has an All Information tab,
note that the information displayed is identical to the information displayed on the subsequent tabs. When you are
ready to answer a question, click the Question button to return to the question.

Overview. General Overview

Litware, Inc. is a medium-sized finance company.

Overview. Physical Locations

Litware has a main office in Boston.

Existing Environment. Identity Environment

The network contains an Active Directory forest named Litware.com that is linked to an Azure Active Directory
(Azure AD) tenant named Litware.com. All users have Azure Active Directory Premium P2 licenses.

Litware has a second Azure AD tenant named dev.Litware.com that is used as a development environment.

The Litware.com tenant has a conditional access policy named capolicy1. Capolicy1 requires that when users manage
the Azure subscription for a production environment by using the Azure portal, they must connect from a hybrid
Azure AD-joined device.

Existing Environment. Azure Environment

Litware has 10 Azure subscriptions that are linked to the Litware.com tenant and five Azure subscriptions that are
linked to the dev.Litware.com tenant. All the subscriptions are in an Enterprise Agreement (EA).

The Litware.com tenant contains a custom Azure role-based access control (Azure RBAC) role named Role1 that
grants the DataActions read permission to the blobs and files in Azure Storage.
Existing Environment. On-premises Environment

The on-premises network of Litware contains the resources shown in the following table.

Existing Environment. Network Environment

Litware has ExpressRoute connectivity to Azure.

Planned Changes and Requirements. Planned Changes

Litware plans to implement the following changes:

Migrate DB1 and DB2 to Azure.

Migrate App1 to Azure virtual machines.

Deploy the Azure virtual machines that will host App1 to Azure dedicated hosts.

Planned Changes and Requirements. Authentication and Authorization Requirements

Litware identifies the following authentication and authorization requirements:

Users that manage the production environment by using the Azure portal must connect from a hybrid Azure AD-
joined device and authenticate by using Azure Multi-Factor Authentication (MFA).

The Network Contributor built-in RBAC role must be used to grant permission to all the virtual networks in all the
Azure subscriptions.

To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app.

Role1 must be used to assign permissions to the storage accounts of all the Azure subscriptions.

RBAC roles must be applied at the highest level possible.

Planned Changes and Requirements. Resiliency Requirements

Litware identifies the following resiliency requirements:

Once migrated to Azure, DB1 and DB2 must meet the following requirements:

– Maintain availability if two availability zones in the local Azure region fail.

– Fail over automatically.


– Minimize I/O latency.

App1 must meet the following requirements:

– Be hosted in an Azure region that supports availability zones.

– Be hosted on Azure virtual machines that support automatic scaling.

– Maintain availability if two availability zones in the local Azure region fail.

Planned Changes and Requirements. Security and Compliance Requirements

Litware identifies the following security and compliance requirements:

Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of
new and existing data is prevented for a period of three years.

On-premises users and services must be able to access the Azure Storage account that will host the data in App1.

Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.

All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.

App1 must not share physical hardware with other workloads.

Planned Changes and Requirements. Business Requirements

Litware identifies the following business requirements:

Minimize administrative effort.

Minimize costs.

HOTSPOT

You need to ensure that users managing the production environment are registered for Azure MFA and must
authenticate by using Azure MFA when they sign in to the Azure portal. The solution must meet the authentication
and authorization requirements.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is
worth one point.
Answer:

Explanation:

Box 1: Azure AD Identity Protection

Azure AD Identity Protection helps you manage the roll-out of Azure AD Multi-Factor Authentication (MFA)
registration by configuring a Conditional Access policy to require MFA registration no matter what modern
authentication app you are signing in to.

Scenario: Users that manage the production environment by using the Azure portal must connect from a hybrid Azure
AD-joined device and authenticate by using Azure Multi-Factor Authentication (MFA).

Box 2: Sign-in risk policy…

Scenario: The Litware.com tenant has a conditional access policy named capolicy1. Capolicy1 requires that when users
manage the Azure subscription for a production environment by using the Azure portal, they must connect from a
hybrid Azure AD-joined device.

Identity Protection provides two risk policies that you can enable in your directory:

Sign-in risk policy

User risk policy

Question: 84

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is being deployed and
configured for on-premises to Azure connectivity.

Several virtual machines exhibit network connectivity issues.


You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual
machines.

Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.

Does this meet the goal?


A. Yes
B. No

Answer: B

Explanation:

Instead, use Azure Network Watcher IP Flow Verify, which allows you to detect traffic filtering issues at the VM level.

Note: IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of
direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the
name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify
helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises
environment.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

Question: 85

You need to recommend a notification solution for the IT Support distribution group.

What should you include in the recommendation?


A. Azure Network Watcher
B. an action group
C. a SendGrid account with advanced reporting
D. Azure AD Connect Health

Answer: D

Explanation:

References:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-operations

Question: 86
HOTSPOT

You plan to create an Azure Storage account that will host file shares. The shares will be accessed from on-premises
applications that are transaction-intensive.

You need to recommend a solution to minimize latency when accessing the file shares.

The solution must provide the highest-level of resiliency for the selected storage tier.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Premium

Premium: Premium file shares are backed by solid-state drives (SSDs) and provide consistent high performance and
low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads.

Box 2: Zone-redundant storage (ZRS):

Premium Azure file shares only support LRS and ZRS. Zone-redundant storage (ZRS): With ZRS, three copies of each
file are stored; however, these copies are physically isolated in three distinct storage clusters in different Azure
availability zones.

Question: 87

A company has an on-premises file server cbflserver that runs Windows Server 2019.

Windows Admin Center manages this server. The company owns an Azure subscription.
You need to provide an Azure solution to prevent data loss if the file server fails.

Solution: You decide to register Windows Admin Center in Azure and then configure Azure Backup.

Would this meet the requirement?


A. Yes
B. No

Answer: A

Question: 88

You need to implement the Azure RBAC role assignments for the Network Contributor role.

The solution must meet the authentication and authorization requirements.

What is the minimum number of assignments that you must use?


A. 1
B. 2
C. 5
D. 10
E. 15

Answer: B

Explanation:

Scenario: The Network Contributor built-in RBAC role must be used to grant permissions to the network
administrators for all the virtual networks in all the Azure subscriptions. RBAC roles must be applied at the highest
level possible.

Question: 89

HOTSPOT

Your company has the divisions shown in the following table.

You plan to deploy a custom application to each subscription.

The application will contain the following:

A resource group

An Azure web app


Custom role assignments

An Azure Cosmos DB account

You need to use Azure Blueprints to deploy the application to each subscription.

What is the minimum number of objects required to deploy the application? To answer, select the appropriate options
in the answer area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Box 1: 2

One management group for East, and one for West.

When creating a blueprint definition, you’ll define where the blueprint is saved. Blueprints can be saved to a
management group or subscription that you have Contributor access to. If the location is a management group, the
blueprint is available to assign to any child subscription of that management group.

Box 2: 2

Box 3: 4

One assignment for each subscription.

"Assigning a blueprint definition to a management group means the assignment object exists at the management group.
The deployment of artifacts still targets a subscription. To perform a management group assignment, the Create Or
Update REST API must be used and the request body must include a value for properties.scope to define the target
subscription." https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#blueprint-assignment

Question: 90

DRAG DROP

A company has an existing web application that runs on virtual machines (VMs) in Azure.

You need to ensure that the application is protected from SQL injection attempts and uses a layer-7 load balancer. The
solution must minimize disruption to the code for the existing web application.
What should you recommend? To answer, drag the appropriate values to the correct items. Each value may be used
once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Azure Application Gateway

Azure Application Gateway provides an application delivery controller (ADC) as a service. It offers various layer 7
load-balancing capabilities for your applications.

Box 2: Web Application Firewall (WAF)

Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and
exploits.

This is done through rules that are defined based on the OWASP core rule sets 3.0 or 2.2.9.

There are rules that detect SQL injection attacks.

References:

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq

https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview

Question: 91

HOTSPOT

You plan to migrate App1 to Azure.

You need to estimate the compute costs for App1 in Azure. The solution must meet the security and compliance
requirements.

What should you use to estimate the costs, and what should you implement to minimize the costs? To answer, select
the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:

Box 1: The Azure Total Cost of Ownership (TCO) Calculator

The Total Cost of Ownership (TCO) Calculator estimates the cost savings you can realize by migrating your workloads
to Azure.

Note: The TCO Calculator recommends a set of equivalent services in Azure that will support your applications. Our
analysis will show each cost area with an estimate of your on-premises spend versus your spend in Azure. There are
several cost categories that either decrease or go away completely when you move workloads to the cloud.

Box 2: Azure Hybrid Benefit

Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads
in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL
Server licenses on Azure. This benefit now applies to Red Hat and SUSE Linux subscriptions, too.

Scenario:

Litware identifies the following security and compliance requirements:

Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of
new and existing data is prevented for a period of three years.

On-premises users and services must be able to access the Azure Storage account that will host the data in App1.

Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.

All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.

App1 must not share physical hardware with other workloads.

Question: 92

You plan to deploy an application named App1 that will run on five Azure virtual machines.

Additional virtual machines will be deployed later to run App1.


You need to recommend a solution to meet the following requirements for the virtual machines that will run App1:

Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain access to an Azure
key vault, Azure Logic Apps instances, and an Azure SQL database.

Avoid assigning new roles and permissions for Azure services when you deploy additional virtual machines.

Avoid storing secrets and certificates on the virtual machines.

Which type of identity should you include in the recommendation?


A. a service principal that is configured to use a certificate
B. a system-assigned managed identity
C. a service principal that is configured to use a client secret
D. a user-assigned managed identity

Answer: D

Explanation:

Managed identities for Azure resources are a feature of Azure Active Directory. A user-assigned managed identity can
be shared: the same user-assigned managed identity can be associated with more than one Azure resource.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview