AZ 305 Questions Answers File 4
AZ-305
Designing Microsoft Azure Infrastructure Solutions
http://killexams.com/exam-detail/AZ-305
Question: 1
HOTSPOT
You plan to deploy the backup policy shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information
presented in the graphic. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Question: 2
HOTSPOT
You are evaluating whether to use Azure Traffic Manager and Azure Application Gateway to meet the connection
requirements for App1.
What is the minimum number of instances required for each service? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:
Question: 3
A company is planning to deploy an application to Azure. The application will be based on the .NET Core
programming language and will be hosted using Azure Web Apps. Below are some of the
requirements for the application:
• Give the ability to correlate Azure resource usage and the performance data with the actual application configuration
and performance data
• Give the ability to track requests and exceptions to specific lines of code from within the application
• Give the ability to actually analyse how users return to an application and see how often they only select a particular
drop-down value
Which of the following services would be best suited for fulfilling the requirement of “Give the ability to correlate
Azure resource usage and the performance data with the actual application configuration and performance data”?
A. Azure Application Insights
B. Azure Service Map
C. Azure Log Analytics
D. Azure Activity Log
Answer: C
Question: 4
HOTSPOT
How should the migrated databases DB1 and DB2 be implemented in Azure?
Answer:
Explanation:
Scenario: Once migrated to Azure, DB1 and DB2 must meet the following requirements:
Maintain availability if two availability zones in the local Azure region fail.
The auto-failover groups feature allows you to manage the replication and failover of a group of databases on a server
or all databases in a managed instance to another region. It is a declarative abstraction on top of the existing active
geo-replication feature, designed to simplify deployment and management of geo-replicated databases at scale. You can
initiate a geo-failover manually
or you can delegate it to the Azure service based on a user-defined policy. The latter option allows you to
automatically recover multiple related databases in a secondary region after a catastrophic failure or other unplanned
event that results in full or partial loss of the SQL Database or SQL Managed Instance availability in the primary
region.
General purpose: Designed for applications with typical performance and I/O latency requirements.
Business critical: Designed for applications with low I/O latency requirements and minimal impact of underlying
maintenance operations on the workload.
Question: 5
HOTSPOT
You need to recommend a storage solution for App1 that meets the security and compliance requirements.
Which type of storage should you recommend, and how should you recommend configuring the storage? To answer,
select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Azure Storage provides data protection for Blob Storage and Azure Data Lake Storage Gen2.
Scenario:
On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
Box 2: NFSv3
Blob storage now supports the Network File System (NFS) 3.0 protocol. This support provides Linux file system
compatibility at object storage scale and prices and enables Linux clients to mount a container in Blob storage from an
Azure Virtual Machine (VM) or a computer on-premises.
Question: 6
Topic 4, HABInsurance
Case Study
An insurance company, HABInsurance, operates in three states and provides home, auto, and boat insurance. Besides
the head office, HABInsurance has three regional offices.
Current environment
General
An insurance company, HABInsurance, operates in three states and provides home, auto, and boat insurance. Besides
the head office, HABInsurance has three regional offices.
Technology assessment
The company has two Active Directory forests: main.habinsurance.com and region.habinsurance.com. HABInsurance’s
primary internal system is Insurance Processing System (IPS). It is an ASP.Net/C# application running on
IIS/Windows Servers hosted in a data center. IPS has three tiers: web, business logic API, and a datastore on a back
end. The company uses Microsoft SQL Server and MongoDB for the backend. The system has two parts: Customer
data and Insurance forms and documents. Customer data is stored in Microsoft SQL Server, and Insurance forms and
documents are stored in MongoDB.
The company also has 10 TB of Human Resources (HR) data stored on NAS at the head office location.
Requirements
General
HABInsurance plans to migrate its workloads to Azure. They purchased an Azure subscription.
Changes
During a transition period, HABInsurance wants to create a hybrid identity model along with a Microsoft Office 365
deployment. The company intends to sync its AD forests to Azure AD and benefit from Azure AD administrative
units functionality.
HABInsurance needs to migrate the current IPSCustomers SQL database to a new fully managed SQL database in
Azure that would be budget-oriented, balanced with scalable compute and storage options. The management team
expects the Azure database service to scale the database resources dynamically with minimal downtime. The technical
team proposes implementing a DTU-based purchasing model for the new database. HABInsurance wants to migrate
Insurance forms and documents to an Azure database service. HABInsurance plans to move the first two IPS tiers to Azure
without any modifications. The technology team discusses the possibility of running IPS tiers on a set of virtual
machines instances. The number of instances should be adjusted automatically based on the CPU utilization. An SLA
of 99.95% must be guaranteed for the compute infrastructure. The company needs to move HR data to Azure File
shares.
In their new Azure ecosystem, HABInsurance plans to use internal and third-party applications. The company
considers adding user consent for data access to the registered applications.
Later, the technology team contemplates adding a customer self-service portal to IPS and deploying a new IPS to
multi-region AKS. But the management team is worried about performance and availability of the multi-region AKS
deployments during regional outages.
What two parameters would you recommend setting up to ensure that the new IPSCustomers database will scale to meet
the workload demands?
A. Define the maximum of CPU cores
B. Define the maximum resource limit per group of databases
C. Define the maximum of Database Transaction Units
D. Define the maximum of the allocated storage
E. Define the maximum size for a database
Answer: C,E
Question: 7
Answer: D
Explanation:
Resource groups: You can scope your deployment to a resource group. You use an Azure Resource Manager
template (ARM template) for the deployment.
Regions: If you have a template spec in one region and want to move it to new region, you can export the template
spec and redeploy it.
RBAC: Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to
Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a
particular scope. In addition to using Azure PowerShell or the Azure CLI, you can assign roles using Azure Resource
Manager templates. Templates can be helpful if you need to deploy resources consistently and repeatedly.
You can set up virtual machines and virtual network configurations in an Azure Resource Manager template.
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/microsoft-resources-move-regions
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/template-description
Question: 8
You are developing a sales application that will contain several Azure cloud services and will handle different
components of a transaction. Different cloud services will process customer orders, billing, payment, inventory, and
shipping.
You need to recommend a solution to enable the cloud services to asynchronously communicate transaction
information by using REST messages.
Answer: A
Explanation:
Service Bus is a transactional message broker and ensures transactional integrity for all internal operations against its
message stores. All transfers of messages inside of Service Bus, such as moving messages to a dead-letter queue or
automatic forwarding of messages between entities, are transactional.
Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-transactions
Question: 9
DRAG DROP
You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must
be stored in Azure Cosmos DB.
Which Azure services should you include in the design? To answer, drag the appropriate services to the correct targets.
Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Question: 10
DRAG DROP
You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must
be stored in Azure Cosmos DB.
Which Azure services should you include in the design? To answer, drag the appropriate services to the correct targets.
Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Question: 11
Which two actions should you recommend? Each correct answer presents part of the solution. NOTE: Each correct
selection is worth one point.
A. Create a render farm that uses Azure Batch.
B. Enable parallel file systems on Azure.
C. Enable parallel task execution on compute nodes.
D. Create a render farm that uses virtual machine (VM) scale sets.
E. Create a render farm that uses virtual machines (VMs).
Answer: A,C
Question: 12
HOTSPOT
What should you implement to meet the identity requirements? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Contoso identifies the following requirements for managing Fabrikam access to resources: Every month, an account
manager at Fabrikam must review which Fabrikam users have access permissions to App1. Accounts that no longer
need permissions must be removed as guests.
Too many users in privileged roles: It’s a good idea to check how many users have administrative access, how many of
them are Global Administrators, and if there are any invited guests or partners that have not been removed after being
assigned to do an administrative task. You can recertify the role assignment users in Azure AD roles such as Global
Administrators, or Azure resources roles such as User Access Administrator in the Azure AD Privileged Identity
Management (PIM) experience.
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships,
access to enterprise applications, and role assignments. User’s access can be reviewed on a regular basis to make sure
only the right people have continued access.
Question: 13
CORRECT TEXT
You need to recommend a solution that meets the data requirements for App1.
What should you recommend deploying to each availability zone that contains an instance of App1?
A. an Azure Cosmos DB that uses multi-region writes
B. an Azure Storage account that uses geo-zone-redundant storage (GZRS)
C. an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
D. an Azure SQL database that uses active geo-replication
Answer: A
Explanation:
Each instance will write data to a data store in the same availability zone as the instance.
Data written by any App1 instance must be visible to all App1 instances.
Azure Cosmos DB: Each partition across all the regions is replicated. Each region contains all the data partitions of an
Azure Cosmos container and can serve reads as well as serve writes when multi-region writes is enabled.
Question: 14
HOTSPOT
Your on-premises network contains a file server named Server1 that stores 500 GB of data.
You need to use Azure Data Factory to copy the data from Server1 to Azure Storage.
What should you do next? To answer, select the appropriate options in the answer area. NOTE: Each correct selection
is worth one point.
Answer:
Explanation:
The Integration Runtime is a customer-managed data integration infrastructure used by Azure Data Factory to provide
data integration capabilities across different network environments.
With ADF, existing data processing services can be composed into data pipelines that are highly available and
managed in the cloud. These data pipelines can be scheduled to ingest, prepare, transform, analyze, and publish data,
and ADF manages and orchestrates the complex data and processing dependencies.
References:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-sql-azure-adf
https://docs.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory
"A self-hosted integration runtime can run copy activities between a cloud data store and a data store in a private
network"
https://docs.microsoft.com/en-us/azure/data-factory/introduction
"With Data Factory, you can use the Copy Activity in a data pipeline to move data from both on-premises and cloud
source data stores to a centralization data store in the cloud for further analysis"
Question: 15
You need to recommend a network connectivity solution for the Azure Storage account that will host the App1 data.
The solution must meet the security and compliance requirements.
Answer: A
Explanation:
Private endpoints let you securely connect to storage accounts from on-premises networks that connect to the VNet using
VPN or ExpressRoute with private peering.
Private endpoints also let you secure your storage account by configuring the storage firewall to block all connections
on the public endpoint for the storage service.
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs#microsoft-peering
Question: 16
HOTSPOT
You design a solution for the web tier of WebApp1 as shown in the exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
Box 1: Yes
Any new deployments to Azure must be redundant in case an Azure region fails.
Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing
method and the health of the endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure.
Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different
application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an
entire Azure region.
Box 2: Yes
Recent changes in Azure brought some significant changes in autoscaling options for Azure Web Apps (i.e. Azure App
Service to be precise as scaling happens on App Service plan level and has effect on all Web Apps running in that App
Service plan).
Box 3: No
Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different
application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an
entire Azure region.
Question: 17
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/azure-sql/database/long-term-retention-overview
In Azure SQL Database, you can configure a database with a long-term backup retention policy (LTR) to
automatically retain the database backups in separate Azure Blob storage containers for up to 10 years.
Question: 18
DRAG DROP
What should you recommend using to migrate the data? To answer, drag the appropriate tools to the correct data
sources. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes
or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
References:
https://docs.microsoft.com/en-us/azure/dms/tutorial-sql-server-to-azure-sql
https://docs.microsoft.com/en-us/azure/cosmos-db/import-data
Question: 19
You plan to provision a High Performance Computing (HPC) cluster in Azure that will use a third-party scheduler.
You need to recommend a solution to provision and manage the HPC cluster node.
What should you include in the recommendation?
A. Azure Lighthouse
B. Azure CycleCloud
C. Azure Purview
D. Azure Automation
Answer: B
Explanation:
You can dynamically provision Azure HPC clusters with Azure CycleCloud.
Note: Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High Performance Computing
(HPC) environments on Azure. With CycleCloud, users can provision infrastructure for HPC systems, deploy familiar
HPC schedulers, and automatically scale the infrastructure to run jobs efficiently at any scale. Through CycleCloud,
users can create different types of file systems and mount them to the compute cluster nodes to support HPC
workloads.
Reference: https://docs.microsoft.com/en-us/azure/cyclecloud/overview
Question: 20
You have an Azure subscription that contains a Windows Virtual Desktop tenant.
Start and stop Windows Virtual Desktop session hosts based on business hours.
Answer: C
Explanation:
Reference:
https://www.ciraltos.com/automatically-start-and-stop-wvd-vms-with-azure-automation/
https://wvdlogix.net/windows-virtual-desktop-host-pool-automation-2
https://getnerdio.com/academy/how-to-optimize-windows-virtual-desktop-wvd-azure-costs-with-event-based-autoscaling-and-azure-vm-scale-sets/
Question: 21
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have an Azure Storage account that contains two 1-GB data files named File1 and File2. The data files are set to
use the archive access tier.
You need to ensure that File1 is accessible immediately when a retrieval request is initiated.
Answer: A
Explanation:
The data in the cool tier is "considered / intended to be stored for 30 days". But this is not a must. You can store data
indefinitely in the cool tier. The mentioned reference (see below) even gives an example of large scientific or
otherwise large data which is stored for long duration in the cool tier.
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal
Question: 22
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been
deployed and configured for on-premises to Azure connectivity.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.
Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
Explanation:
The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps
you monitor network performance between various points in your network infrastructure. It also helps you monitor
network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
Note:
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of
direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the
name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify
helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises
environment.
IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a
subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network
interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress
traffic to or from a virtual machine.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Question: 23
You plan to migrate App1 to Azure. The solution must meet the authentication and authorization requirements.
Answer: A
Explanation:
Scenario: To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host
the app.
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active
Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Question: 24
You need to recommend a strategy for migrating the database content of WebApp1 to Azure.
Answer: B
Explanation:
Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard
disk (VHD or VHDX).
Scenario: WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs
Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
Question: 25
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure.
Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.
Solution: Use the Azure Traffic Analytics solution in Azure Log Analytics to analyze the network traffic.
Answer: B
Explanation:
Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Question: 26
You are designing a microservices architecture that will support a web application.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-overview
Question: 27
HOTSPOT
You plan to move the data files to Azure Blob Storage in the West Europe Azure region.
You need to recommend a storage account type to store the data files and a replication solution for the storage
account.
What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#supported-azure-storage-services
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#types-of-storage-accounts
Data must be available if a single Azure datacenter fails. It means the storage account must support ZRS replication.
Also, the solution should support storage tiers. Only General-purpose V2 supports ZRS and storage tiers.
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
Question: 28
HOTSPOT
You plan to deploy an Azure web app named App1 that will use Azure Active Directory (Azure AD) authentication.
App1 will be accessed from the internet by the users at your company. All the users have computers that run Windows
10 and are joined to Azure AD.
You need to recommend a solution to ensure that the users can connect to App1 without being prompted for
authentication and can access App1 only from company-owned computers.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Azure Active Directory (Azure AD) provides cloud-based directory and identity management services. You can use Azure AD
to manage users of your application and to authenticate access to your applications.
You register your application with an Azure Active Directory tenant.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must
complete an action.
By using Conditional Access policies, you can apply the right access controls when needed to keep your organization
secure and stay out of your user’s way when not needed.
Question: 29
DRAG DROP
You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must
be stored in Azure Cosmos DB.
Which Azure services should you include in the design? To answer, drag the appropriate services to the correct targets.
Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Question: 30
HOTSPOT
You need to design an Azure policy that will implement the following functionality:
• For new resources, assign tags and values that match the tags and values of the resource group to which the resources
are deployed.
• For existing resources, identify whether the tags and values match the tags and values of the resource group that
contains the resources.
• For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.
The solution must use the principle of least privilege.
What should you include in the design? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:
Explanation:
Box 1: Modify
Modify is used to add, update, or remove properties or tags on a resource during creation or update. A common
example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a
remediation task. A single Modify rule can have any number of operations.
Managed identity
How remediation security works: When Azure Policy runs the template in the deployIfNotExists policy definition, it
does so using a managed identity. Azure Policy creates a managed identity for each assignment, but must have details
about what roles to grant the managed identity.
Contributor role
The Contributor role grants the required access to apply tags to any entity.
Question: 31
HOTSPOT
You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.
You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active
Directory (Azure AD) identity.
Ensure that the applications can authenticate only when running on the 10 virtual machines.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.
Answer:
Explanation:
Question: 32
You need to recommend a solution that meets the data requirements for App1.
What should you recommend deploying to each availability zone that contains an instance of App1?
A. an Azure Cosmos DB that uses multi-region writes
B. an Azure Storage account that uses geo-zone-redundant storage (GZRS)
C. an Azure Data Lake store that uses geo-zone-redundant storage (GZRS)
D. an Azure SQL database that uses active geo-replication
Answer: A
Question: 33
You need to design a solution that will execute custom C# code in response to an event routed to Azure Event Grid.
The executed code must be able to access the private IP address of a Microsoft SQL Server instance that runs on an
Azure virtual machine.
Answer: B
Explanation:
When you create a function app in Azure, you must choose a hosting plan for your app.
There are three basic hosting plans available for Azure Functions: Consumption plan, Premium plan, and Dedicated
(App Service) plan.
For the Consumption plan, you don’t have to pay for idle VMs or reserve capacity in advance.
As enterprises continue to adopt serverless (and Platform-as-a-Service, or PaaS) solutions, they often need a way to
integrate with existing resources on a virtual network. These existing resources could be databases, file storage,
message queues or event streams, or REST APIs.
Reference:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale
https://techcommunity.microsoft.com/t5/azure-functions/connect-to-private-endpoints-with-azure-functions/ba-p/1426615
https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale#hosting-plans-comparison
Question: 34
You migrate App1 to Azure. You need to ensure that the data storage for App1 meets the security and compliance
requirements.
Answer: A
Explanation:
Scenario: Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the
modification of new and existing data is prevented for a period of three years.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your
organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user
might have.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Question: 35
You have SQL Server on an Azure virtual machine. The databases are written to nightly as part of a batch process.
Minimize costs.
Answer: D
Explanation:
RPO: One hour for application consistency and five minutes for crash consistency.
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-sql
Question: 36
A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft
Office 365 and an Azure subscription.
Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory
Domain Services (AD DS), and Azure AD Connect.
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an
Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.
A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription
of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.
You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The
solution must ensure that the Fabrikam developers use their existing credentials to access resources.
Answer: C
Explanation:
Trust configurations – Configure trust from managed forest(s) or domain(s) to the administrative forest.
Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate
production hosts.
References:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Question: 37
HOTSPOT
During testing the application fails under load. The application cannot handle more than 100 concurrent user sessions.
You enable the Always On feature. You also configure auto-scaling to increase counts from two to 10 based on HTTP
queue length.
Which solution should you use for each application scenario? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users.
CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to
minimize latency.
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth
content to users by caching their content at strategically placed physical nodes across the world. Azure CDN can also
accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs.
For example, route optimization to bypass Border Gateway Protocol (BGP).
Azure Cache for Redis is based on the popular software Redis. It is typically used as a cache to improve the
performance and scalability of systems that rely heavily on backend data-stores. Performance is improved by
temporarily copying frequently accessed data to fast storage located close to the application. With Azure Cache for
Redis, this fast storage is located in-memory with Azure Cache for Redis instead of being loaded from disk by a
database.
References: https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview
Question: 38
The network traffic for the solution must be securely distributed by providing the following features:
HTTPS protocol
Round robin routing
SSL offloading
Answer: D
Explanation:
If you are looking for Transport Layer Security (TLS) protocol termination ("SSL offload") or per-HTTP/HTTPS
Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS,
WebSocket, and HTTP/2). It supports capabilities such as SSL termination, cookie-based session affinity, and round
robin for load-balancing traffic. Load Balancer load-balances traffic at layer 4 (TCP or UDP).
References: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq
Question: 39
You have an Azure subscription. The subscription has a blob container that contains multiple blobs. Ten users in the
finance department of your company plan to access the blobs during the month of April. You need to recommend a
solution to enable access to the blobs during the month of April only.
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Question: 40
HOTSPOT
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.
Answer:
Question: 41
Your company, named Contoso, Ltd, implements several Azure logic apps that have HTTP triggers. The logic apps
provide access to an on-premises web service.
Fabrikam does not have an existing Azure Active Directory (Azure AD) tenant and uses third-party OAuth 2.0 identity
management to authenticate its users.
Developers at Fabrikam plan to use a subset of the logic apps to build applications that will integrate with the
on-premises web service of Contoso.
You need to design a solution to provide the Fabrikam developers with access to the logic apps.
Requests to the logic apps from the developers must be limited to lower rates than the requests from the users at
Contoso.
The developers must be able to rely on their existing OAuth 2.0 provider to gain access to the logic apps.
Answer: C
Explanation:
API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential
of their data and services.
You can secure API Management using the OAuth 2.0 client credentials flow.
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-key-concepts
https://docs.microsoft.com/en-us/azure/api-management/api-management-features
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#enable-oauth-20-user-authorization-in-the-developer-console
Question: 42
HOTSPOT
You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual machines. The virtual
machines are connected to VNET1.
You need to design a solution to manage the virtual machines from the internet.
• Incoming connections to the virtual machines must be authenticated by using Azure Multi-Factor Authentication
(MFA) before network connectivity is allowed.
• Incoming connections must use TLS and connect to TCP port 443.
What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:
Question: 43
You have to deploy an Azure SQL database named db1 for your company. The database must meet the following
security requirements:
• When IT help desk supervisors query a database table named customers, they must be able to see the full number of
each credit card.
• When IT help desk operators query a database table named customers, they must only see the last four digits of each
credit card number.
• A column named Credit Card rating in the customers table must never appear in plain text in the database system.
Only client applications must be able to decrypt the information that is stored in this column.
Which of the following can be implemented for the Credit Card rating column security requirement?
A. Always Encrypted
B. Azure Advanced Threat Protection
C. Transparent Data Encryption
D. Dynamic Data Masking
Answer: A
Explanation:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
Question: 44
You have a PowerShell script that identifies and deletes duplicate files in the storage account. Currently, the script is
run manually after approval from the operations manager.
You need to recommend a serverless solution that performs the following actions:
Runs the script once an hour to identify whether duplicate files exist
Sends an email notification to the operations manager requesting approval to delete the duplicate files
Processes an email response from the operations manager specifying whether the deletion was approved
Answer: A
Explanation:
When you want to run code that performs a specific job in your logic apps, you can create your own function by using
Azure Functions. This service helps you create Node.js, C#, and F# functions so you don’t have to build a complete
app or infrastructure to run code. You can also call logic apps from inside Azure functions. Azure Functions provides
serverless computing in the cloud and is useful for performing tasks such as these examples:
Reference: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions
Question: 45
You need to deploy resources to host a stateless web app in an Azure subscription.
• Grant administrators access to the operating system to install custom application dependencies.
Solution: You deploy an Azure virtual machine to two Azure regions, and you deploy an Azure Application Gateway.
Answer: B
Explanation:
You need to deploy two Azure virtual machines to two Azure regions, but also create a Traffic Manager profile.
Question: 46
HOTSPOT
You have the Free edition of a hybrid Azure Active Directory (Azure AD) tenant. The tenant uses password hash
synchronization.
Prevent Active Directory domain user accounts from being locked out as the result of brute force attacks targeting
Azure AD user accounts.
Minimize costs.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Smart lockout helps lock out bad actors that try to guess your users’ passwords or use brute-force methods to get in.
Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and
other unknown sources.
Attackers get locked out, while your users continue to access their accounts and be productive.
If your environment is ready to block legacy authentication to improve your tenant’s protection, you can accomplish
this goal with Conditional Access.
How can you prevent apps using legacy authentication from accessing your tenant’s resources? The recommendation is
to just block them with a Conditional Access policy. If necessary, you allow only certain users and specific network
locations to use apps that are based on legacy authentication.
Question: 47
Overview:
Existing Environment
Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in
London and three branch offices in Amsterdam, Berlin, and Rome.
Network Infrastructure:
Each office contains at least one domain controller from the corp.fabrikam.com domain.
The main office contains all the domain controllers for the rd.fabrikam.com forest.
An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by
customers to place and track orders. WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS)
and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual
machines that run on Hyper-V.
The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.
Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software
Assurance.
Problem Statement:
The use of WebApp1 is unpredictable. At peak times, users often report delays. At other times, many resources for
WebApp1 are underutilized.
Requirements:
Planned Changes:
Fabrikam plans to move most of its production workloads to Azure during the next few years.
As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft
Office 365 deployment. All R&D operations will remain on-premises.
Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.
Technical Requirements:
• Any new deployments to Azure must be redundant in case an Azure region fails.
• Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).
• An email distribution group named IT Support must be notified of any issues relating to the directory
synchronization services.
• Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected
by a link failure between Azure and the on-premises network.
Database Requirements:
• Database metrics for the production instance of WebApp1 must be available for analysis so that database
administrators can optimize the performance settings.
• To avoid disrupting customer access, database downtime must be minimized when databases are migrated.
• Database backups must be retained for a minimum of seven years to meet compliance requirements.
Security Requirements:
* Company information including policies, templates, and data must be inaccessible to anyone outside the company.
* Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.
* Administrators must be able to authenticate to the Azure portal by using their corp.fabrikam.com credentials.
* All administrative access to the Azure portal must be secured by using multi-factor authentication.
* The testing of WebApp1 updates must not be visible to anyone outside the company.
You need to recommend a strategy for the web tier of WebApp1. The solution must minimize What should you
recommend?
A. Create a runbook that resizes virtual machines automatically to a smaller size outside of business hours.
B. Configure the Scale Up settings for a web app.
C. Deploy a virtual machine scale set that scales out on a 75 percent CPU threshold.
D. Configure the Scale Out settings for a web app.
Answer: A
Question: 48
HOTSPOT
You are planning an Azure Storage solution for sensitive data. The data will be accessed daily. The data set is less than
10 GB.
You need to recommend a storage solution that meets the following requirements:
• All the data written to storage must be retained for five years.
• Once the data is written, the data can only be read. Modifications and deletion must be prevented.
• After five years, the data can be deleted, but never modified.
What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
Archive – Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency
requirements, on the order of hours.
Cool – Optimized for storing data that is infrequently accessed and stored for at least 30 days.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your
organization from accidentally deleting or modifying critical resources.
Note: You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-
only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this
lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Question: 49
A company has an on-premises file server cbflserver that runs Windows Server 2019.
Windows Admin Center manages this server. The company owns an Azure subscription.
You need to provide an Azure solution to prevent data loss if the file server fails.
Solution: You decide to create an Azure Recovery Services vault. You then decide to install the Azure Backup agent
and then schedule the backup.
Answer: B
Question: 50
Your company currently has an application that is hosted on their on-premises environment. The application currently
connects to two databases in the on-premises environment. The databases are named whizlabdb1 and whizlabdb2.
You have to move the databases onto Azure. The databases have to support server-side transactions across both of the
databases.
Solution: You decide to deploy the databases to an Azure SQL database-managed instance.
Question: 51
You are designing a SQL database solution. The solution will include 20 databases that will be 20 GB each and have
varying usage patterns. You need to recommend a database platform to host the databases.
Answer: D
Explanation:
Azure SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases
that have varying and unpredictable usage demands. The databases in an elastic pool are on a single server and share a
set number of resources at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the
price performance for a group of databases within a prescribed budget while delivering performance elasticity for each
database.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-pool-overview
https://azure.microsoft.com/en-us/pricing/details/sql-database/elastic/
https://www.azure.cn/en-us/support/sla/virtual-machines/
https://techcommunity.microsoft.com/t5/azure-sql/optimize-price-performance-with-compute-auto-scaling-in-azure/ba-p/966149
Question: 52
You use Azure virtual machines to run a custom application that uses an Azure SQL database on the back end.
You need to recommend a solution to minimize latency when accessing the database. The solution must minimize
costs.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Question: 53
Your company plans to publish APIs for its services by using Azure API Management.
You need to recommend a solution to remove AspNet-Version from the response of the published APIs.
Answer: C
Explanation:
References: https://docs.microsoft.com/en-us/azure/api-management/transform-api
Question: 54
HOTSPOT
You plan to move the data files to Azure Blob storage in the Central Europe region.
You need to recommend a storage account type to store the data files and a replication solution for the storage
account.
Minimize cost.
What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
Question: 55
You plan to deploy 10 applications to Azure. The applications will be deployed to two Azure Kubernetes Service
(AKS) clusters. Each cluster will be deployed to a separate Azure region.
• Ensure that the applications remain available if a single AKS cluster fails.
• Ensure that the connection traffic over the internet is encrypted by using SSL without having to configure SSL on
each container.
Answer: C
Explanation:
"Azure Front Door, which focuses on global load-balancing and site acceleration, and Azure CDN Standard, which
offers static content caching and acceleration. The new Azure Front Door brings together security with CDN
technology for a cloud-based CDN with threat protection and additional capabilities. "
Question: 56
HOTSPOT
You have an Azure subscription that is linked to an Azure Active Directory Premium Plan 2 tenant. The tenant has
multi-factor authentication (MFA) enabled for all users.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
Question: 57
HOTSPOT
You need to recommend a solution to ensure that App1 can access the third-party credentials and access strings. The
solution must meet the security requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.
Answer:
Explanation:
All secrets used by Azure services must be stored in Azure Key Vault.
Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be
shared between services.
Note: Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is
responsible for authenticating the identity of any given security principal.
A security principal is an object that represents a user, group, service, or application that’s requesting access to Azure
resources. Azure assigns a unique object ID to every security principal.
You can provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.
Question: 58
You need to deploy an Azure Kubernetes Service (AKS) solution that will use Linux nodes.
Minimize the time it takes to provision compute resources during scale-out operations.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/aks/virtual-nodes
Question: 59
Your company has an Azure Web App that runs via the Premium App Service Plan. A development team will be using
the Azure Web App. You have to configure the Azure Web app so that it can fulfil the below requirements.
Provide the ability to switch the web app from the current version to a newer version
Provide developers with the ability to test newer versions of the application before the switch to the newer version
occurs
Answer: B
Question: 60
What should you include in the identity management strategy to support the planned changes?
A. Move all the domain controllers from corp.fabrikam.com to virtual networks in Azure.
B. Deploy domain controllers for corp.fabrikam.com to virtual networks in Azure.
C. Deploy a new Azure AD tenant for the authentication of new R&D projects.
D. Deploy domain controllers for the rd.fabrikam.com forest to virtual networks in Azure.
Answer: B
Explanation:
Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected
by a link failure between Azure and the on-premises network. (This requires domain controllers in Azure)
Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails. (This
requires domain controllers on-premises)
Question: 61
Answer: B
Question: 62
You are planning an Azure IoT Hub solution that will include 50,000 IoT devices.
Each device will stream data, including temperature, device ID, and time data. Approximately 50,000 records will be
written every second. The data will be visualized in near real time.
You need to recommend a service to store and query the data.
Which two services can you recommend? Each correct answer presents a complete solution. NOTE: Each correct
selection is worth one point.
A. Azure Table Storage
B. Azure Event Grid
C. Azure Cosmos DB SQL API
D. Azure Time Series Insights
Answer: C,D
Explanation:
D: Time Series Insights is a fully managed service for time series data. In this architecture, Time Series Insights
performs the roles of stream processing, data store, and analytics and reporting. It accepts streaming data from either
IoT Hub or Event Hubs and stores, processes, analyzes, and displays the data in near real time.
C: The processed data is stored in an analytical data store, such as Azure Data Explorer, HBase, Azure Cosmos DB,
Azure Data Lake, or Blob Storage.
Reference: https://docs.microsoft.com/en-us/azure/architecture/data-guide/scenarios/time-series
Question: 63
HOTSPOT
You have an Azure Load Balancer named LB1 that balances requests to five Azure virtual machines.
The solution must generate an alert when any of the following conditions are met:
Which signal should you include in the solution for each condition? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Standard Load Balancer continuously exercises the data path from within a region to the load balancer front end, all
the way to the SDN stack that supports your VM. As long as healthy instances remain, the measurement follows the
same path as your application’s load-balanced traffic. The data path that your customers use is also validated. The
measurement is invisible to your application and does not interfere with other operations.
Note: Load balancer distributes inbound flows that arrive at the load balancer’s front end to backend pool instances.
These flows are according to configured load-balancing rules and health probes. The backend pool instances can be
Azure Virtual Machines or instances in a virtual machine scale set.
SYN (synchronize) count: Standard Load Balancer does not terminate Transmission Control Protocol (TCP)
connections or interact with TCP or UDP packet flows. Flows and their handshakes are always between the source and
the VM instance. To better troubleshoot your TCP protocol scenarios, you can make use of SYN packets counters to
understand how many TCP connection attempts are made. The metric reports the number of TCP SYN packets that
were received.
Question: 64
DRAG DROP
You need to configure an Azure policy to ensure that the Azure SQL databases have TDE enabled. The solution must
meet the security and compliance requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions
to the answer area and arrange them in the correct order.
Answer:
Explanation:
Scenario: All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE)
enabled.
Step 1: Create an Azure policy definition that uses the deployIfNotExists identity.
The first step is to define the roles that deployIfNotExists and modify need in the policy definition to successfully
deploy the content of your included template.
When creating an assignment using the portal, Azure Policy both generates the managed identity and grants it the roles
defined in roleDefinitionIds.
Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through
Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the
modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a
management group, a subscription, a resource group, or an individual resource.
During evaluation, the policy assignment with deployIfNotExists or modify effects determines if there are non-
compliant resources or subscriptions. When non-compliant resources or subscriptions are found, the details are
provided on the Remediation page.
Question: 65
HOTSPOT
You are evaluating the components of the migration to Azure that require you to provision an Azure Storage account.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct
selection is worth one point.
Answer:
Question: 66
You have a PowerShell script that identifies and deletes duplicate files in the storage account. Currently, the script is
run manually after approval from the operations manager.
You need to recommend a serverless solution that performs the following actions:
Runs the script once an hour to identify whether duplicate files exist
Sends an email notification to the operations manager requesting approval to delete the duplicate files
Processes an email response from the operations manager specifying whether the deletion was approved
Explanation:
When you want to run code that performs a specific job in your logic apps, you can create your own function by using
Azure Functions. This service helps you create Node.js, C#, and F# functions so you don’t have to build a complete
app or infrastructure to run code. You can also call logic apps from inside Azure functions. Azure Functions provides
serverless computing in the cloud and is useful for performing tasks such as these examples:
Reference: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions
Question: 67
HOTSPOT
You need to recommend a high-availability solution for App1. The solution must meet the resiliency requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.
Answer:
Explanation:
Box 1: 3
Maintain availability if two availability zones in the local Azure region fail.
A host group is a resource that represents a collection of dedicated hosts. You create a host group in a region and an
availability zone, and add hosts to it.
Availability zones are unique physical locations within an Azure region. Each zone is made up of one or more
datacenters equipped with independent power, cooling, and networking. A host group is created in a single availability
zone. Once created, all hosts will be placed within that zone. To achieve high availability across zones, you need to
create multiple host groups (one per zone) and spread your hosts accordingly.
Box 2: 1
An Azure virtual machine scale set can automatically increase or decrease the number of VM instances that run your
application. This automated and elastic behavior reduces the management overhead to monitor and optimize the
performance of your application.
Question: 68
HOTSPOT
You have an Azure subscription named Subscription1 that is linked to a hybrid Azure Active Directory (Azure AD)
tenant.
You have an on-premises datacenter that does NOT have a VPN connection to Subscription1. The datacenter contains
a computer named Server1 that has Microsoft SQL Server 2016 installed. Server1 is prevented from accessing the
internet.
An Azure logic app named LogicApp1 requires write access to a database on Server1.
You need to recommend a solution to provide LogicApp1 with the ability to access Server1.
What should you recommend deploying on-premises and in Azure? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Question: 69
HOTSPOT
You have an Azure subscription that contains 300 Azure virtual machines that run Windows Server 2016.
You need to centrally monitor all warning events in the System logs of the virtual machines.
What should you include in the solutions? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:
Explanation:
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows
Question: 70
HOTSPOT
You need to recommend a deployment and resiliency solution that meets the following requirements:
What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
Active geo-replication is a feature that lets you create a continuously synchronized readable secondary database for
a primary database. The readable secondary database may be in the same Azure region as the primary, or, more
commonly, in a different region. Readable secondary databases of this kind are also known as geo-secondaries, or
geo-replicas.
Question: 71
You need to recommend an App Service architecture that meets the requirements for App1.
Answer: A
Question: 72
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
You create an Azure SQL database named DB1 that is hosted in the East US region.
To DB1, you add a diagnostic setting named Settings1. Settings1 archives SQLInsights to storage1 and sends
SQLInsights to Workspace1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct
selection is worth one point.
Answer:
Explanation:
Box 1: Yes
Box 2: Yes
Box 3: Yes
For more information on Azure SQL diagnostics, visit the link below:
https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure
Question: 73
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your company plans to deploy various Azure App Service instances that will use Azure SQL databases. The App
Service instances will be deployed at the same time as the Azure SQL databases.
The company has a regulatory requirement to deploy the App Service instances only to specific Azure regions. The
resources for the App Service instances must reside in the same region.
Solution: You recommend creating resource groups based on locations and implementing resource locks on the
resource groups.
Answer: B
Explanation:
Resource locks are not used for compliance purposes. Resource locks prevent changes from being made to resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Question: 74
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1.
Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1.
• Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
• Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#learn-about-access-reviews
Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly,
monthly, quarterly or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or
deny access with a friendly interface and with the help of smart recommendations.
An administrator creates an access review of Group C with 50 member users and 25 guest users. Makes it a self-review.
50 licenses for each user as self-reviewers.*
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#example-license-scenarios
There are 4 requirements and every single one is only met by access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#when-should-you-use-access-reviews
Dynamic User is needed if a user must be automatically granted access on the basis of their attributes (department,
jobtitle, location, etc.).
https://techcommunity.microsoft.com/t5/itops-talk-blog/dynamic-groups-in-azure-ad-and-microsoft-365/ba-p/2267494
Implementing Azure AD PIM is no solution and absolutely not necessary for access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#where-do-you-create-reviews
Question: 75
Your company has 300 virtual machines hosted in a VMware environment. The virtual machines vary in size and have
various utilization levels.
You need to recommend how many and what size Azure virtual machines will be required to move the current
workloads to Azure. The solution must minimize administrative effort.
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/migrate/migrate-appliance#collected-data—vmware
"Metadata discovered by the Azure Migrate appliance helps you to figure out whether servers are ready for migration
to Azure, right-size servers, plan costs, and analyze application dependencies."
https://docs.microsoft.com/en-us/learn/modules/design-your-migration-to-azure/2-plan-your-azure-migration
Question: 76
HOTSPOT
You plan to use Azure Monitor to monitor user sign-ins and generate alerts based on specific user sign-in events.
You need to recommend a solution to trigger the alerts based on the events.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.
Answer:
Explanation:
To be able to create an alert, we send the Azure AD logs to an Azure Log Analytics workspace.
Note: You can forward your AAD logs and events to either an Azure Storage Account, an Azure Event Hub, Log
Analytics, or a combination of all of these.
Box 2: Log
Ensure that the resource type is an analytics source such as Log Analytics or Application Insights and that the signal
type is Log.
Question: 77
Your company has an app named App1 that uses data from the on-premises Microsoft SQL Server databases shown in
the following table.
App1 and the data are used on the first day of the month only. The data is not expected to grow more than 3% each
year.
The company is rewriting App1 as an Azure web app and plans to migrate all the data to Azure.
You need to migrate the data to Azure SQL Database. The solution must minimize costs.
Answer: B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tiers-dtu
Question: 78
DRAG DROP
You are designing a virtual machine that will run Microsoft SQL Server and will contain two data disks. The first data
disk will store log files, and the second data disk will store data. Both disks are P40 managed disks.
You need to recommend a caching policy for each disk. The policy must provide the best overall performance for the
virtual machine.
Which caching policy should you recommend for each disk? To answer, drag the appropriate policies to the correct
disks. Each policy may be used once, more than once, or not at all. You may need to drag the split bar between panes
or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-performance
Question: 79
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been
deployed and configured for on-premises to Azure connectivity.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.
Solution: Use the Azure Traffic Analytics solution in Azure Log Analytics to analyze the network traffic.
Answer: B
Explanation:
Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Question: 80
Topic 3, Contoso
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to
complete each case. However, there may be additional case studies and sections on this exam. You must manage your
time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case
study. Case studies might contain exhibits and other resources that provide more information about the scenario that is
described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make
changes before you move to the next section of the exam. After you begin a new section, you cannot return to this
section.
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the
content of the case study before you answer the questions. Clicking these buttons displays information such as
business requirements, existing environment, and problem statements. If the case study has an All Information tab,
note that the information displayed is identical to the information displayed on the subsequent tabs. When you are
ready to answer a question, click the Question button to return to the question.
The on-premises network contains a single Active Directory domain named contoso.com.
Contoso has a business partnership with Fabrikam, Inc. Fabrikam users access some Contoso applications over the
internet by using Azure Active Directory (Azure AD) guest accounts.
Requirements: App1
App1 will be a Python web app hosted in Azure App Service that requires a Linux runtime.
App1 will access several services that require third-party credentials and access strings.
The credentials and access strings are stored in Azure Key Vault.
App1 will have six instances: three in the East US Azure region and three in the West Europe Azure region.
Each instance will write data to a data store in the same availability zone as the instance.
Data written by any App1 instance must be visible to all App1 instances.
App1 will only be accessible from the internet. App1 has the following connection requirements:
All connections to App1 from North America must be directed to the East US region. All other connections must be
directed to the West Europe region.
Every hour, you will run a maintenance task by invoking a PowerShell script that copies files from all the App1
instances. The PowerShell script will run from a central location.
Requirements: App2
App2 will be a .NET app hosted in App Service that requires a Windows runtime.
Ensure that on-premises clients can read the files over the LAN by using the SMB protocol.
You need to monitor App2 to analyze how long it takes to perform different transactions within the application. The
solution must not require changes to the application code.
Application developers will constantly develop new versions of App1 and App2.
A staging instance of a new application version must be deployed to the application host before the new version is
used in production.
After testing the new version, the staging version of the application will replace the production version.
The switch to the new application version from staging to production must occur without any downtime of the
application.
Identity Requirements
Contoso identifies the following requirements for managing Fabrikam access to resources:
Security Requirement
All secrets used by Azure services must be stored in Azure Key Vault.
Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be
shared between services.
DRAG DROP
You need to recommend a solution that meets the file storage requirements for App2.
What should you deploy to the Azure subscription and the on-premises network? To answer, drag the appropriate
services to the correct locations. Each service may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Ensure that on-premises clients can read the files over the LAN by using the SMB protocol.
Use Azure File Sync to centralize your organization’s file shares in Azure Files, while keeping the flexibility,
performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick
cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data
locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.
Question: 81
HOTSPOT
You have an Azure App Service web app that uses a system-assigned managed identity.
You need to recommend a solution to store the settings of the web app as secrets in an Azure key vault.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
Answer:
Question: 82
HOTSPOT
To meet the authentication requirements of Fabrikam, what should you include in the solution? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Question: 83
Case Study
The network contains an Active Directory forest named Litware.com that is linked to an Azure Active Directory
(Azure AD) tenant named Litware.com. All users have Azure Active Directory Premium P2 licenses.
Litware has a second Azure AD tenant named dev.Litware.com that is used as a development environment.
The Litware.com tenant has a conditional access policy named capolicy1. Capolicy1 requires that when users manage
the Azure subscription for a production environment by using the Azure portal, they must connect from a hybrid
Azure AD-joined device.
Litware has 10 Azure subscriptions that are linked to the Litware.com tenant and five Azure subscriptions that are
linked to the dev.Litware.com tenant. All the subscriptions are in an Enterprise Agreement (EA).
The Litware.com tenant contains a custom Azure role-based access control (Azure RBAC) role named Role1 that
grants the DataActions read permission to the blobs and files in Azure Storage.
Existing Environment. On-premises Environment
The on-premises network of Litware contains the resources shown in the following table.
Deploy the Azure virtual machines that will host App1 to Azure dedicated hosts.
Users that manage the production environment by using the Azure portal must connect from a hybrid
Azure AD-joined device and authenticate by using Azure Multi-Factor Authentication (MFA).
The Network Contributor built-in RBAC role must be used to grant permission to all the virtual networks in all the
Azure subscriptions.
To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app.
Role1 must be used to assign permissions to the storage accounts of all the Azure subscriptions.
Once migrated to Azure, DB1 and DB2 must meet the following requirements:
– Maintain availability if two availability zones in the local Azure region fail.
Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of
new and existing data is prevented for a period of three years.
On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
Minimize costs.
HOTSPOT
You need to ensure that users managing the production environment are registered for Azure MFA and must
authenticate by using Azure MFA when they sign in to the Azure portal. The solution must meet the authentication
and authorization requirements.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is
worth one point.
Answer:
Explanation:
Azure AD Identity Protection helps you manage the roll-out of Azure AD Multi-Factor Authentication (MFA)
registration by configuring a Conditional Access policy to require MFA registration no matter what modern
authentication app you are signing in to.
Scenario: Users that manage the production environment by using the Azure portal must connect from a hybrid Azure
AD-joined device and authenticate by using Azure Multi-Factor Authentication (MFA).
Scenario: The Litware.com tenant has a conditional access policy named capolicy1. Capolicy1 requires that when users
manage the Azure subscription for a production environment by using the Azure portal, they must connect from a
hybrid Azure AD-joined device.
Identity Protection policies: we have two risk policies that we can enable in our directory.
Question: 84
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains
a unique solution that might meet the stated goals. Some question sets might have more than one correct solution,
while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is being deployed and
configured for on-premises to Azure connectivity.
Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.
Answer: B
Explanation:
Instead use Azure Network Watcher IP Flow Verify, which allows you to detect traffic filtering issues at a VM level.
Note: IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of
direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the
name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify
helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises
environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
Question: 85
You need to recommend a notification solution for the IT Support distribution group.
Answer: D
Explanation:
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-operations
Question: 86
HOTSPOT
You plan to create an Azure Storage account that will host file shares. The shares will be accessed from on-premises
applications that are transaction-intensive.
You need to recommend a solution to minimize latency when accessing the file shares.
The solution must provide the highest-level of resiliency for the selected storage tier.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Premium
Premium: Premium file shares are backed by solid-state drives (SSDs) and provide consistent high performance and
low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads.
Premium Azure file shares only support LRS and ZRS. Zone-redundant storage (ZRS): With ZRS, three copies of each
file are stored; however, these copies are physically isolated in three distinct storage clusters in different Azure
availability zones.
Question: 87
A company has an on-premises file server cbflserver that runs Windows Server 2019.
Windows Admin Center manages this server. The company owns an Azure subscription.
You need to provide an Azure solution to prevent data loss if the file server fails.
Solution: You decide to register Windows Admin Center in Azure and then configure Azure Backup.
Answer: A
Question: 88
You need to implement the Azure RBAC role assignments for the Network Contributor role.
Answer: B
Explanation:
Scenario: The Network Contributor built-in RBAC role must be used to grant permissions to the network
administrators for all the virtual networks in all the Azure subscriptions. RBAC roles must be applied at the highest
level possible.
Question: 89
HOTSPOT
A resource group
You need to use Azure Blueprints to deploy the application to each subscription.
What is the minimum number of objects required to deploy the application? To answer, select the appropriate options
in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: 2
When creating a blueprint definition, you’ll define where the blueprint is saved. Blueprints can be saved to a
management group or subscription that you have Contributor access to. If the location is a management group, the
blueprint is available to assign to any child subscription of that management group.
Box 2: 2
Box 3: 4
"Assigning a blueprint definition to a management group means the assignment object exists at the management group.
The deployment of artifacts still targets a subscription. To perform a management group assignment, the Create Or
Update REST API must be used and the request body must include a value for properties.scope to define the target
subscription." https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#blueprint-assignment
Question: 90
DRAG DROP
A company has an existing web application that runs on virtual machines (VMs) in Azure.
You need to ensure that the application is protected from SQL injection attempts and uses a layer-7 load balancer. The
solution must minimize disruption to the code for the existing web application.
What should you recommend? To answer, drag the appropriate values to the correct items. Each value may be used
once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Azure Application Gateway provides an application delivery controller (ADC) as a service. It offers various layer 7
load-balancing capabilities for your applications.
Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and
exploits.
This is done through rules that are defined based on the OWASP core rule sets 3.0 or 2.2.9.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
Question: 91
HOTSPOT
You need to estimate the compute costs for App1 in Azure. The solution must meet the security and compliance
requirements.
What should you use to estimate the costs, and what should you implement to minimize the costs? To answer, select
the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
The Total Cost of Ownership (TCO) Calculator estimates the cost savings you can realize by migrating your workloads
to Azure.
Note: The TCO Calculator recommends a set of equivalent services in Azure that will support your applications. Our
analysis will show each cost area with an estimate of your on-premises spend versus your spend in Azure. There are
several cost categories that either decrease or go away completely when you move workloads to the cloud.
Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads
in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL
Server licenses on Azure. And now, this benefit applies to RedHat and SUSE Linux subscriptions, too.
Scenario:
Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of
new and existing data is prevented for a period of three years.
On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
Question: 92
You plan to deploy an application named App1 that will run on five Azure virtual machines.
Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain access to
an Azure key vault, Azure Logic Apps instances, and an Azure SQL database.
Avoid assigning new roles and permissions for Azure services when you deploy additional virtual machines.
Answer: D
Explanation:
Managed identities for Azure resources is a feature of Azure Active Directory. User-assigned managed identity can be
shared. The same user-assigned managed identity can be associated with more than one Azure resource.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview