AZ-120 : Planning and Administering Microsoft Azure for SAP Workloads : Part 03
-
You have an Azure subscription.
You deploy Active Directory domain controllers to Azure virtual machines.
You plan to deploy Azure for SAP workloads.
You plan to segregate the domain controllers from the SAP systems by using different virtual networks.
You need to recommend a solution to connect the virtual networks. The solution must minimize costs.
What should you recommend?
- a site-to-site VPN
- virtual network peering
- user-defined routing
- ExpressRoute
Explanation:
You can create custom, or user-defined, routes in Azure to override Azure’s default system routes, or to add additional routes to a subnet’s route table. In Azure, you create a route table, then associate the route table to zero or more virtual network subnets.
Incorrect Answers:
D: ExpressRoute is a costly solution.
-
You deploy an SAP environment on Azure.
Your company has a Service Level Agreement (SLA) of 99.99% for SAP.
You implement Azure Availability Zones that have the following components:
– Redundant SAP application servers
– ASCS/ERS instances that use a failover cluster
– Database high availability that has a primary instance and a secondary instance
You need to validate the high availability configuration of the ASCS/ERS cluster.
What should you use?
- SAP Web Dispatcher
- Azure Traffic Manager
- SAPControl
- SAP Solution Manager
Explanation:
Incorrect Answers:
C: You can use SAPControl to start or stop an SAP system from the command line.
-
DRAG DROP
You are validating an SAP HANA on Azure (Large Instances) deployment.
You need to ensure that sapconf is installed and the kernel parameters are set appropriately for the active profile.
How should you complete the commands? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: sapconf
The configuration is split into two parts:
/etc/sysconfig/sapconf
/usr/lib/tuned//tuned.conf
Box 2: tuned
-
You are deploying an SAP environment on Azure that will use an SAP HANA database server.
You provision an Azure virtual machine for SAP HANA by using the M64s virtual machine SKU.
You need to set the swap space by using the Microsoft Azure Linux Agent (waagent) configuration file.
Which two settings should you configure? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- ResourceDisk.EnableSwapEncryption=n
- AutoUpdate.Enabled=n
- ResourceDisk.SwapSizeMB=229376
- ResourceDisk.EnableSwap=y
Explanation:
To create a swap file in the directory that’s defined by the ResourceDisk.MountPoint parameter, you can update the /etc/waagent.conf file by setting the following three parameters:
ResourceDisk.Format=y
ResourceDisk.EnableSwap=y
ResourceDisk.SwapSizeMB=xx
-
HOTSPOT
You have the following Azure Resource Manager template.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
Count is 6.
Box 2: No
Mode is serial.
Box 3: Yes
-
You plan to deploy an SAP environment on Azure.
You plan to store all SAP connection strings securely in Azure Key Vault without storing credentials on the Azure virtual machines that host SAP.
What should you configure to allow the virtual machines to access the key vault?
- Azure Active Directory (Azure AD) Privilege Identity Manager (PIM)
- role-based access control (RBAC)
- a Managed Service Identity (MSI)
- the Custom Script Extension
Explanation:
To reference a credential stored in Azure Key Vault, you need to:
1. Retrieve data factory managed identity
2. Grant the managed identity access to your Azure Key Vault
3. Create a linked service pointing to your Azure Key Vault.
4. Create data store linked service, inside which reference the corresponding secret stored in key vault.
-
HOTSPOT
You deploy SAP HANA by using SAP HANA on Azure (Large Instances).
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Box 2: Yes
The SAP Azure Enhanced Monitoring Extension allows for collecting diagnostic data including OS and Application performance counters from Azure VMs running SAP workloads.
Box 3: No
-
You plan to deploy SAP application servers that run Windows Server 2016.
You need to use PowerShell Desired State Configuration (DSC) to configure the SAP application server once the servers are deployed.
Which Azure virtual machine extension should you install on the servers?
- the Azure DSC VM Extension
- the Azure virtual machine extension
- the Azure Chef extension
- the Azure Enhanced Monitoring Extension for SAP
Explanation:
The Azure Desired State Configuration (DSC) VM Extension is updated as-needed to support enhancements and new capabilities delivered by Azure, Windows Server, and the Windows Management Framework (WMF) that includes Windows PowerShell.
-
You deploy an SAP environment on Azure by following the SAP workload on Azure planning and deployment checklist.
You need to verify whether Azure Diagnostics is enabled.
Which cmdlet should you run?
- Get-AzureVMAvailableExtension
- Get-AzVmDiagnosticsExtension
- Test-AzDeployment
- Test-VMConfigForSAP
Explanation:
The Get-AzVMDiagnosticsExtension cmdlet gets the settings of the Azure Diagnostics extension on a virtual machine.
Incorrect Answers:
D: You can check the configuration of a virtual machine by calling the Test-VMConfigForSAP_GUI cmdlet.
-
DRAG DROP
You need to connect SAP HANA on Azure (Large Instances) to an Azure Log Analytics workspace.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Install the Azure Enhanced Monitoring.
The SAP Azure Enhanced Monitoring Extension allows for collecting diagnostic data including OS and Application performance counters from Azure VMs running SAP workloads.
Step 2: Install the Log Analytics client on the SAP HANA on Azure (Large Instances) instance.
Step 3: Configure a Log Analytics gateway on the virtual network.
Step 4: On the gateway, run.
-
HOTSPOT
You are planning the Azure network infrastructure for an SAP environment.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
Box 2: No
A design that’s not supported is the segregation of the SAP application layer and the DBMS layer into different Azure virtual networks that aren’t peered with each other. We recommend that you segregate the SAP application layer and DBMS layer by using subnets within an Azure virtual network instead of by using different Azure virtual networks.
Box 3: Yes
Be aware that network traffic between two peered Azure virtual networks is subject to transfer costs. Huge data volume that consists of many terabytes is exchanged between the SAP application layer and the DBMS layer. You can accumulate substantial costs if the SAP application layer and DBMS layer are segregated between two peered Azure virtual networks.
-
DRAG DROP
You plan to deploy multiple SAP HANA virtual machines to Azure by using an Azure Resource Manager template.
How should you configure Accelerated Networking and Write Accelerator in the template? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: true
enable Accelerated Networking: If the network interface is accelerated networking enabled.
To further reduce network latency between Azure VMs, we [Microsoft] recommend that you choose Azure Accelerated Networking. Use it when you deploy Azure VMs for an SAP workload, especially for the SAP application layer and the SAP DBMS layer.
Box 2: true
Write Accelerator should be used for the volumes that contain the transaction log or redo logs of a DBMS. It is not recommended to use Write Accelerator for the data volumes of a DBMS as the feature has been optimized to be used against log disks.
-
This question requires that you evaluate the underlined text to determine if it is correct.
You have an Azure resource group that contains the virtual machines for an SAP environment.
You must be assigned the Contributor role to grant permissions to the resource group.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.
- No change is needed
- User Access Administrator
- Managed Identity Contributor
- Security Admin
Explanation:
Contributor – Can create and manage all types of Azure resources but can’t grant access to others.
User Access Administrator – Lets you manage user access to Azure resources.
-
HOTSPOT
Your on-premises network contains SAP and non-SAP applications.
You have Java-based SAP systems that use SPNEGO for single sign-on (SSO) authentication.
Your external portal uses multi-factor authentication (MFA) to authenticate users.
You plan to extend the on-premises authentication features to Azure and to migrate the SAP applications to Azure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Need AD FS for MFA. See box 3.
Note: Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature is an alternative to Azure AD Password Hash Synchronization (see Box 2).
Box 2: Yes
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of the hash of a user’s password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
Password hash synchronization is an extension to the directory synchronization feature implemented by Azure AD Connect sync. You can use this feature to sign in to Azure AD services like Office 365. You sign in to the service by using the same password you use to sign in to your on-premises Active Directory instance.
Box 3: Yes
If your organization is federated with Azure AD, you can use Azure Multi-Factor Authentication to secure AD FS resources, both on-premises and in the cloud. Azure MFA enables you to eliminate passwords and provide a more secure way to authenticate.
-
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
To log in to a Linux VM with Azure AD credentials, install the Azure Active Directory login VM extension.
Note: Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.
Box 2: Yes
If you deploy SAP VMs in a cross-premises scenario, where on-premises Active Directory and DNS are extended in Azure, it is expected that the VMs are joining an on-premises domain.
Box 3: No
-
HOTSPOT
You are integrating SAP HANA and Azure Active Directory (Azure AD).
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
To configure Azure AD single sign-on with SAP HANA, perform the following steps:
1. In the Azure portal, on the SAP HANA application integration page, select Single sign-on.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
Box 2: No
Box 3: No
Key security considerations for deploying SAP on Azure
-
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
The SAP Azure Enhanced Monitoring Extension builds on top of the Azure Diagnostic extension, which stores its data in an Azure Storage account that you specify.
Box 2: Yes
The Set-AzVMAEMExtension cmdlet updates the configuration of a virtual machine to enable or update the support for monitoring for SAP systems that are installed on the virtual machine. The cmdlet installs the Azure Enhanced Monitoring (AEM) extension that collects the performance data and makes it discoverable for the SAP system.
The -OSType parameter specifies the OS: either Windows or Linux.
Box 3: Yes
-
DRAG DROP
You deploy an SAP environment on Azure.
You need to grant an SAP administrator read-only access to the Azure subscription. The SAP administrator must be prevented from viewing network information.
How should you configure the role-based access control (RBAC) role definition? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: “*/read”
“*/read” allows you to view everything in the subscription.
You need to grant an SAP administrator read-only access to the Azure subscription.
Box 2: “Microsoft.Network/*/read”
The SAP administrator must be prevented from viewing network information.
-
You plan to migrate an SAP environment to Azure.
You need to design an Azure network infrastructure to meet the following requirements:
– Prevent end users from accessing the database servers.
– Isolate the application servers from the database servers.
– Ensure that end users can access the SAP systems over the Internet.
– Minimize the costs associated with the communications between the application servers and database servers.
Which two actions should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- In the same Azure virtual network, segregate the SAP application servers and database servers by using different subnets and network security groups.
- Segregate the SAP application servers and database servers by using different Azure virtual networks.
- Create a site-to-site VPN between the on-premises network and Azure.
- Configure an internal Azure Standard Load Balancer for incoming connections.
- Configure Azure Traffic Manager to route incoming connections.
-
You are deploying SAP Fiori to an SAP environment on Azure.
You are configuring SAML 2.0 for an SAP Fiori instance named FPP that uses client 100 to authenticate to an Azure Active Directory (Azure AD) tenant.
Which provider name should you use to ensure that the Azure AD tenant recognizes the SAP Fiori instance?
- https://FPP
- ldap://FPP
- https://FPP100
- ldap://FPP-100
Explanation:
By default, the provider name is in the format <sid><client>. Azure AD expects the name in the format <protocol>://<name>. We recommend that you maintain the provider name as https://<sid><client> so you can configure multiple SAP Fiori ABAP engines in Azure AD.
Example: