Topic 5: Misc. Questions
You have two app registrations named App1 and App2 in Azure AD. App1 supports role-based access control (RBAC) and includes a role named Writer.
You need to ensure that when App2 authenticates to access App1, the tokens issued by Azure AD include the Writer role claim.
Which blade should you use to modify each app registration? To answer, drag the appropriate blades to the correct app registrations. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
You are developing an app that will use Azure Functions to process Azure Event Hubs events. Request processing is estimated to take between five and 20 minutes. You need to recommend a hosting solution that meets the following requirements:
• Supports estimates of request processing runtimes
• Supports event-driven autoscaling for the app
Which hosting plan should you recommend?
A. Consumption
B. App Service
C. Dedicated
D. Premium
App Service
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company plans to deploy various Azure App Service instances that will use Azure SQL databases. The App Service instances will be deployed at the same time as the Azure SQL databases.
The company has a regulatory requirement to deploy the App Service instances only to specific Azure regions. The resources for the App Service instances must reside in the same region.
You need to recommend a solution to meet the regulatory requirement.
Solution: You recommend using the Regulatory compliance dashboard in Azure Security Center.
Does this meet the goal?
A. Yes
B. No
No
Explanation:
The Regulatory compliance dashboard in Azure Security Center is not used for regional compliance.
Note 1: Instead, Azure Resource Policy definitions can be used; these can be applied to a specific resource group that contains the App Service instances.
Note 2: In the Azure Security Center regulatory compliance blade, you can get an overview of key portions of your compliance posture with respect to a set of supported standards. Currently supported standards are Azure CIS, PCI DSS 3.2, ISO 27001, and SOC TSP.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
https://azure.microsoft.com/en-us/blog/regulatory-compliance-dashboard-in-azure-security-center-now-available/
You plan to move a web application named App1 from an on-premises data center to Azure.
App1 depends on a custom COM component that is installed on the host server.
You need to recommend a solution to host App1 in Azure. The solution must meet the following requirements:
• App1 must be available to users if an Azure data center becomes unavailable.
• Costs must be minimized.
What should you include in the recommendation?
A. In two Azure regions, deploy a load balancer and a virtual machine scale set.
B. In two Azure regions, deploy a Traffic Manager profile and a web app.
C. In two Azure regions, deploy a load balancer and a web app.
Explanation: (https://docs.microsoft.com/en-us/dotnet/azure/migration/app-service#com-and-com-components)
Azure App Service does not allow the registration of COM components on the platform. If your app makes use of any COM components, these need to be rewritten in managed code and deployed with the site or application.
https://docs.microsoft.com/en-us/dotnet/azure/migration/app-service
Azure App Service with Windows Containers: If your app cannot be migrated directly to App Service, consider App Service using Windows Containers, which enables usage of the GAC, COM components, MSIs, full access to .NET FX APIs, DirectX, and more.
You have an Azure subscription.
You plan to deploy five storage accounts that will store block blobs and five storage accounts that will host file shares. The file shares will be accessed by using the SMB protocol.
You need to recommend an access authorization solution for the storage accounts. The solution must meet the following requirements:
• Maximize security.
• Prevent the use of shared keys.
• Whenever possible, support time-limited access.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must be stored in Azure Cosmos DB.
Which Azure services should you include in the design? To answer, drag the appropriate services to the correct targets. Each service may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Your on-premises network contains a server named Server1 that runs an ASP.NET application named App1.
You have a hybrid deployment of Azure Active Directory (Azure AD).
You need to recommend a solution to ensure that users sign in by using their Azure AD account and Azure Multi-Factor Authentication (MFA) when they connect to App1 from the internet.
Which three Azure services should you recommend be deployed and configured in sequence? To answer, move the appropriate services from the list of services to the answer area and arrange them in the correct order.
Your company develops a web service that is deployed to an Azure virtual machine named VM1. The web service allows an API to access real-time data from VM1.
The current virtual machine deployment is shown in the Deployment exhibit. (Click the Deployment tab).
You have an on-premises network and an Azure subscription. The on-premises network has several branch offices.
A branch office in Toronto contains a virtual machine named VM1 that is configured as a file server. Users access the shared files on VM1 from all the offices.
You need to recommend a solution to ensure that the users can access the shared files as quickly as possible if the Toronto branch office is inaccessible.
What should you include in the recommendation?
A. a Recovery Services vault and Azure Backup
B. an Azure file share and Azure File Sync
C. Azure blob containers and Azure File Sync
D. a Recovery Services vault and Windows Server Backup
an Azure file share and Azure File Sync
Explanation:
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You need an Azure file share in the same region that you want to deploy Azure File Sync.
You have an Azure subscription that contains a Basic Azure virtual WAN named VirtualWAN1 and the virtual hubs shown in the following table.
You have an ExpressRoute circuit in the US East region.
You need to create an ExpressRoute association to VirtualWAN1.
What should you do first?
A. Upgrade VirtualWAN1 to Standard.
B. Create a gateway on Hub1.
C. Create a hub virtual network in US East.
D. Enable the ExpressRoute premium add-on.
Upgrade VirtualWAN1 to Standard.
Explanation: US East and US West are in the same geopolitical region, so there is no need to enable the ExpressRoute premium add-on.
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#basicstandard
The virtual WAN is currently configured as Basic, so it can connect only to site-to-site VPN; to connect to ExpressRoute, it must be upgraded from Basic to Standard.
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
You are designing a microservices architecture that will be hosted in an Azure Kubernetes Service (AKS) cluster. Apps that will consume the microservices will be hosted on Azure virtual machines. The virtual machines and the AKS cluster will reside on the same virtual network.
You need to design a solution to expose the microservices to the consumer apps. The solution must meet the following requirements:
• Ingress access to the microservices must be restricted to a single private IP address and protected by using mutual TLS authentication.
• The number of incoming microservice calls must be rate-limited.
• Costs must be minimized.
What should you include in the solution?
A. Azure API Management Premium tier with virtual network connection
B. Azure Front Door with Azure Web Application Firewall (WAF)
C. Azure API Management Standard tier with a service endpoint
D. Azure App Gateway with Azure Web Application Firewall (WAF)
Azure API Management Premium tier with virtual network connection
Explanation:
One option is to deploy APIM (API Management) inside the cluster VNet. The AKS cluster and the applications that consume the microservices might reside within the same VNet, hence there is no reason to expose the cluster publicly as all API traffic will remain within the VNet. For these scenarios, you can deploy API Management into the cluster VNet. API Management Premium tier supports VNet deployment.
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-kubernetes
Your company has an app named App1 that uses data from the on-premises Microsoft SQL Server databases shown in the following table.
App1 and the data are used on the first day of the month only. The data is not expected to grow more than 3% each year.
The company is rewriting App1 as an Azure web app and plans to migrate all the data to Azure.
You need to migrate the data to Azure SQL Database. The solution must minimize costs.
Which service tier should you use?
A. vCore-based Business Critical
B. vCore-based General Purpose
C. DTU-based Standard
D. DTU-based Basic
DTU-based Standard
Explanation: DTU-based Standard supports databases up to 1 TB in size.