AZ-303 : Microsoft Azure Architect Technologies : Part 02
-
DRAG DROP
You are designing a solution to secure a company’s Azure resources. The environment hosts 10 teams. Each team manages a project and has a project manager, a virtual machine (VM) operator, developers, and contractors.
Project managers must be able to manage everything except access and authentication for users. VM operators must be able to manage VMs, but not the virtual network or storage account to which they are connected. Developers and contractors must be able to manage storage accounts.
You need to recommend roles for each member.
What should you recommend? To answer, drag the appropriate roles to the correct employee types. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
-
You have an Azure virtual machine named VM1 and an Azure Active Directory (Azure AD) tenant named adatum.com.
VM1 has the following settings:
– IP address: 10.10.0.10
– System-assigned managed identity: On
You need to create a script that will run from within VM1 to retrieve the authentication token of VM1.
Which address should you use in the script?
- vm1.adatum.com.onmicrosoft.com
- 169.254.169.254
- 10.10.0.10
- vm1.adatum.com
Explanation:
Code running on the VM can request a token from the Azure Instance Metadata Service identity endpoint, which is accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token
-
HOTSPOT
Your company has a virtualization environment that contains the virtualization hosts shown in the following table.
The virtual machines are configured as shown in the following table.
All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).
You plan to migrate the virtual machines to Azure by using Azure Site Recovery.
You need to identify which virtual machines can be migrated.
Which virtual machines should you identify for each server? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Incorrect Answers:
VM1 cannot be migrated as it has BitLocker enabled.
VM2 cannot be migrated as the OS disk on VM2 is larger than 2 TB.
VMC cannot be migrated as the data disk on VMC is larger than 4 TB.
-
You are designing an Azure solution.
The solution must meet the following requirements:
– Distribute traffic to different pools of dedicated virtual machines (VMs) based on rules.
– Provide SSL offloading capabilities.
You need to recommend a solution to distribute network traffic.
Which technology should you recommend?
- Azure Application Gateway
- Azure Load Balancer
- Azure Traffic Manager
- server-level firewall rules
Explanation:
If you require SSL offloading, application-layer treatment, or wish to delegate certificate management to Azure, you should use Azure’s layer 7 load balancer, Application Gateway, instead of the Load Balancer.
Incorrect Answers:
D: Load Balancer is agnostic to the TCP payload, and TLS offload (“SSL”) is not provided.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage an Active Directory domain named contoso.local.
You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.
You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.
Solution: You use Azure AD Connect to customize the synchronization options.
Does this meet the goal?
- Yes
- No
Explanation:
Instead, use the Synchronization Rules Editor to create a synchronization rule.
Note: Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., [email protected] would be synced while [email protected] would not).
Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage an Active Directory domain named contoso.local.
You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.
You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.
Solution: You use Synchronization Rules Editor to create a synchronization rule.
Does this meet the goal?
- Yes
- No
Explanation:
Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., [email protected] would be synced while [email protected] would not).
Filtering can be configured using either the GUI or PowerShell.
Through the GUI, using the Synchronization Rules Editor:
1. Open the Synchronization Rules Editor on the server where Azure AD Connect is installed.
2. Click the Add new rule button on the View and manage your synchronization rules window.
3. Fill out the appropriate fields on the Description tab and click Next >.
4. On the Scoping filter tab, click Add group, then Add clause, add a userPrincipalName attribute filter, and click Next >.
Attribute: userPrincipalName
Operator: ENDSWITH
Value: Your internal UPN suffix prefixed with @ (e.g., @internal.acme.com). Users with this UPN suffix will NOT be synced with Office 365.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage an Active Directory domain named contoso.local.
You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.
You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.
Solution: You use the Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.
Does this meet the goal?
- Yes
- No
Explanation:
Instead, use the Synchronization Rules Editor to create a synchronization rule.
Note: Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., [email protected] would be synced while [email protected] would not).
Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.
You plan to move DB1 and DB2 to Azure.
You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.
Solution: You deploy DB1 and DB2 to SQL Server on an Azure virtual machine.
Does this meet the goal?
- Yes
- No
Explanation:
Understanding distributed transactions.
When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day. Container1 contains the items shown in the following table.
You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.
Solution: You run the following query.
SELECT id FROM c WHERE c.day = "Mon" OR c.day = "Tue"
You set the EnableCrossPartitionQuery property to False.
Does this meet the goal?
- Yes
- No
Explanation:
Returns Item1 only, because the EnableCrossPartitionQuery property is set to False. If the EnableCrossPartitionQuery property is set to True, it will return Item1, Item2, and Item3.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day. Container1 contains the items shown in the following table.
You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.
Solution: You run the following query.
SELECT day FROM c WHERE c.value = "10" OR c.value = "15"
You set the EnableCrossPartitionQuery property to True.
Does this meet the goal?
- Yes
- No
Explanation:
Returns Item1, Item2, Item3, and Item4.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day. Container1 contains the items shown in the following table.
You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.
Solution: You run the following query.
You set the EnableCrossPartitionQuery property to True.
Does this meet the goal?
- Yes
- No
Explanation:
Returns Item1 and Item2 only.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage an Active Directory domain named contoso.local.
You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.
You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.
Solution: You use the Synchronization Service Manager to modify the Metaverse Designer tab.
Does this meet the goal?
- Yes
- No
Explanation:
Instead, use the Synchronization Rules Editor to create a synchronization rule.
Note: Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., [email protected] would be synced while [email protected] would not).
Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.
-
HOTSPOT
You have an Azure subscription that contains a resource group named RG1.
You have a group named Group1 that is assigned the Contributor role for RG1.
You need to enhance security for the virtual machines in RG1 to meet the following requirements:
– Prevent Group1 from assigning external IP addresses to the virtual machines.
– Ensure that Group1 can establish a Remote Desktop connection to the virtual machines through a shared external IP address.
What should you use to meet each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Azure Policy
There is a built-in policy in the Azure Policy service that allows you to block public IPs on all NICs of a VM.
Note: Azure Policy is a powerful tool in your Azure toolbox. It allows you to enforce specific governance principles you want to see implemented in your environment. Some key examples of what Azure Policy allows you to do are:
– Automatically tag resources
– Block VMs from having a public IP
– Enforce specific regions
– Enforce VM size
Box 2: Azure Bastion
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal.
Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your VNet using SSL without any exposure through public IP addresses.
Incorrect Answers:
A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
-
You create a container image named Image1 on a developer workstation.
You plan to create an Azure Web App for Containers named WebAppContainer that will use Image1.
You need to upload Image1 to Azure. The solution must ensure that WebAppContainer can use Image1.
To which storage type should you upload Image1?
- an Azure Storage account that contains a blob container
- Azure Container Instances
- Azure Container Registry
- an Azure Storage account that contains a file share
Explanation:
Configure registry credentials in web app.
App Service needs information about your registry and image to pull the private image. In the Azure portal, go to Container settings from the web app, update the Image source and Registry, and save.
-
You have an Azure Service Bus and two clients named Client1 and Client2.
You create a Service Bus queue named Queue1 as shown in the exhibit. (Click the Exhibit tab.)
Client1 sends messages to Queue1 as shown in the following table.
Client2 reads the messages from Queue1 at 12:01:05.
How will the messages be presented to Client2?
- Client2 will read three messages in the following order: M1, M2, and then M3.
- Client2 will read three messages in the following order: M3, M1, and then M2.
- Client2 will read four messages in the following order: M3, M1, M2 and then M3.
- Client2 will read four messages in the following order: M3, M2, M1 and then M3.
Explanation:
It should be M3, M2, M1, as duplicate detection is enabled and the duplicate detection window is set to 10 minutes. The second M3 message in the queue would be discarded.
Note 1: Duplicate detection enables the sender to resend the same message, and the queue or topic discards any duplicate copies.
Note 2: Queues offer First In, First Out (FIFO) message delivery to one or more competing consumers. That is, receivers typically receive and process messages in the order in which they were added to the queue, and only one message consumer receives and processes each message.
-
You have an Azure Cosmos DB account named Account1. Account1 includes a database named DB1 that contains a container named Container1. The partition key for Container1 is set to /city.
You plan to change the partition key for Container1.
What should you do first?
- Delete Container1.
- Create a new container in DB1.
- Implement the Azure Cosmos DB.NET.SDK.
- Regenerate the keys for Account1.
Explanation:
The Change Feed Processor and Bulk Executor Library in Azure Cosmos DB can be leveraged to achieve a live migration of your data from one container to another. This allows you to re-distribute your data to match the desired new partition key scheme, and make the relevant application changes afterwards, thus achieving the effect of “updating your partition key”.
Incorrect Answers:
A: It is not possible to “update” your partition key in an existing container.
-
HOTSPOT
You have an Azure subscription that contains the Azure SQL servers shown in the following table.
The subscription contains the elastic pools shown in the following table.
The subscription contains the Azure SQL databases shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Note: You cannot add databases from different servers into the same pool.
Box 1: Yes
Pool2 contains DB2, and DB1 and DB2 are both on Sql1. DB1 can thus be added to Pool2.
Box 2: Yes
Pool3 is empty.
Box 3: Yes
Pool1 contains DB1, and DB3 and DB1 are both on Sql1. DB3 can thus be added to Pool1.
-
HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
General purpose version 2 (GPv2) storage accounts: GPv2 storage accounts allow you to deploy Azure file shares on standard/hard disk-based (HDD-based) hardware.
Box 2: No
Four copies, not six.
Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region.
Box 3: Yes
You can switch a storage account from one type of replication to any other type.
To switch from LRS to GRS, use the Azure portal, PowerShell, or CLI to change the replication setting.
-
You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table.
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From the Azure Portal, for which blade can you view the template that was used for the deployment?
- container1
- VM1
- RG1
- storage2
Explanation:
You can verify the deployment by exploring the resource group from the Azure portal.
-
You have an Azure subscription that contains a resource group named RG1. RG1 contains multiple resources.
You need to trigger an alert when the resources in RG1 consume $1,000 USD.
What should you do?
- From Cost Management + Billing, add a cloud connector.
- From the subscription, create an event subscription.
- From Cost Management + Billing, create a budget.
- From RG1, create an event subscription.
Explanation:
Create budgets to manage costs and create alerts that automatically notify you or your stakeholders of spending anomalies and overspending.
To set it up, go to the Azure Portal, select ‘Cost Management + Billing’ -> ‘Cost Management’ -> ‘Go to Cost Management’.
Note: Cost alerts are automatically generated when Azure resources are consumed. Alerts show all active cost management and billing alerts together in one place. When your consumption reaches a given threshold, alerts are generated by Cost Management. There are three types of cost alerts: budget alerts, credit alerts, and department spending quota alerts.