AZ-303 : Microsoft Azure Architect Technologies : Part 04

  1. You manage an Active Directory domain named contoso.local.

    You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

    You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

    What should you do?

    • Use the Synchronization Service Manager to modify the Metaverse Designer tab.
    • Use Azure AD Connect to customize the synchronization options.
    • Use the Synchronization Rules Editor to create a synchronization rule.
    • Use Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.

    Explanation:
    Filtering which objects are synced to Azure AD is a common request, and there are many instances where filtering by OU just doesn’t cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., a user whose UPN ends in the public suffix would be synced, while a user whose UPN ends in the internal suffix would not).

    Filtering can be configured using either the GUI or PowerShell.
    Through the GUI, using the Synchronization Rules Editor:

    1. Open the Synchronization Rules Editor on the server where Azure AD Connect is installed.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q01 073

    2. Click the Add new rule button on the View and manage your synchronization rules window.
    3. Fill out the appropriate fields on the Description tab and click Next >.
    4. On the Scoping filter tab, click Add group, then Add clause, add a userPrincipalName attribute filter, and click Next >.

    Attribute: userPrincipalName
    Operator: ENDSWITH
    Value: Your internal UPN suffix prefixed with @ (e.g., @internal.acme.com). Users with this UPN suffix will NOT be synced with Office 365.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q01 074
  2. You have an Azure SQL database named DB1.

    You plan to create the following four tables in DB1 by using the following code.

    Table1.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q02 075

    Table2.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q02 076

    Table3.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q02 077

    Table4.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q02 078

    You need to identify which table must be created last.

    What should you identify?

    • Table1
    • Table2
    • Table3
    • Table4
    Explanation:

    Table1 references Table4. Therefore Table4 must be created before Table1.

    Table2 references Table1 and Table3. Therefore Table1 and Table3 must be created before Table2.

    Note: FOREIGN KEY REFERENCES is a constraint that provides referential integrity for the data in the column or columns. FOREIGN KEY constraints require that each value in the column exists in the corresponding referenced column or columns in the referenced table. FOREIGN KEY constraints can reference only columns that are PRIMARY KEY or UNIQUE constraints in the referenced table or columns referenced in a UNIQUE INDEX on the referenced table.

    Incorrect Answers:
    A: Table1 is referenced by Table2 and should be created before Table2.
    C: Table3 is referenced by Table2 and should be created before Table2.
    D: Table4 is referenced by Table1 and should be created before Table1.

  3. You have an Azure Cosmos DB account named Account1. Account1 includes a database named DB1 that contains a container named Container1. The partition key for Container1 is set to /city.

    You plan to change the partition key for Container1.

    What should you do first?

    • Delete Container1.
    • Create a new Azure Cosmos DB account.
    • Implement the Azure Cosmos DB .NET SDK.
    • Regenerate the keys for Account1.
    Explanation:

    The Change Feed Processor and Bulk Executor Library in Azure Cosmos DB can be leveraged to achieve a live migration of your data from one container to another. This allows you to redistribute your data to match the desired new partition key scheme and make the relevant application changes afterwards, thus achieving the effect of “updating your partition key”.

    Incorrect Answers:
    A: It is not possible to “update” your partition key in an existing container.

  4. You have an Azure subscription that contains the resource groups shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q04 079

    You have the Azure SQL servers shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q04 080

    You create an Azure SQL database named DB1 on Sql1 in an elastic pool named Pool1.

    You need to create an Azure SQL database named DB2 in Pool1.

    Where should you deploy DB2?

    • Sql1
    • Sql2
    • Sql3
    • Sql4
    Explanation:
    The databases in an elastic pool are on a single Azure SQL Database server and share a set number of resources at a set price.
  5. HOTSPOT

    You deploy an Azure virtual machine scale set named VSS1 that contains 30 virtual machine instances across three zones in the same Azure region. The instances host an application named App1 that must be accessible by using HTTP and HTTPS traffic. Currently, VSS1 is inaccessible from the internet.

    You need to use Azure Load Balancer to provide access to App1 across all the instances from the internet by using a single IP address.

    What should you configure? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q05 081 Question
    AZ-303 Microsoft Azure Architect Technologies Part 04 Q05 081 Answer
    Explanation:

    Box 1: 1

    Box 2: 30 network interfaces
    For a standard load balancer, the VMs in the backend address pool are required to have network interfaces that belong to a network security group.

    Box 3: 2
    One for the HTTP traffic, and one for the HTTPS traffic.

  6. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.

    You plan to move DB1 and DB2 to Azure.

    You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.

    Solution: You deploy DB1 and DB2 as Azure SQL databases each on a different Azure SQL Database server.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

    Note: Understanding distributed transactions.
    When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.

  7. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.

    You plan to move DB1 and DB2 to Azure.

    You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.

    Solution: You deploy DB1 and DB2 as Azure SQL databases on the same Azure SQL Database server.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

    Note: Understanding distributed transactions.
    When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.

  8. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have an Azure Cosmos DB database that contains a container named Container1. The partition key for Container1 is set to /day. Container1 contains the items shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q08 082

    You need to programmatically query Azure Cosmos DB and retrieve Item1 and Item2 only.

    Solution: You run the following query.

    SELECT day
    WHERE value = "10"

    You set the Enable Cross Partition Query property to False.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    Returns Item1 only, as the Enable Cross Partition Query property is set to False. If the Enable Cross Partition Query property is set to True, it will return Item1 and Item3.
  9. HOTSPOT

    You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.

    You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.

    What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q09 083 Question
    AZ-303 Microsoft Azure Architect Technologies Part 04 Q09 083 Answer
    Explanation:

    Box 1: 4
    Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.
    The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q09 084

    Box 2: 2
    Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.

    Box 3: 2
    Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

  10. You have an Azure subscription that contains an Azure Sentinel workspace. Sentinel is configured to monitor several Azure resources.

    You need to send notification emails to resource owners when alerts or recommendations are generated for a resource.

    What should you use?

    • Logic Apps Designer
    • Azure Security Center
    • Automation Runbook
    • Azure Machine Learning Studio
    Explanation:
    Currently there is no built-in functionality that notifies you via email if there is an incident that is generated in Azure Sentinel. However, you can set up an Azure Logic App playbook to send incident information to your email.
  11. HOTSPOT

    You have an Azure subscription that contains the virtual networks shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q11 085

    You create an Azure Cosmos DB account as shown in the exhibit. (Click the Exhibit tab.)

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q11 086

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q11 087 Question
    AZ-303 Microsoft Azure Architect Technologies Part 04 Q11 087 Answer
    Explanation:

    Box 1: No
    Connectivity Method: Private Network

    Box 2: Yes
    Private endpoint: Endpoint1 (Core (SQL)) (Vnet1)
    VM1 is in Vnet1.

    Box 3: No
    VM2 is not in Vnet1.

  12. HOTSPOT

    You have an Azure subscription named Subscription1.

    Subscription1 contains the virtual machines in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q12 088

    Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q12 089

    VM3 has a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.

    You create a route table named RT1 that contains the routes in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q12 090

    You apply RT1 to Subnet1 and Subnet2.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q12 091 Question
    AZ-303 Microsoft Azure Architect Technologies Part 04 Q12 091 Answer
    Explanation:

    IP forwarding enables the virtual machine a network interface is attached to:

    Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
    Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.

    The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.

    Box 1: Yes
    The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

    Box 2: No
    VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

    Box 3: Yes
    The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.

  13. DRAG DROP

    You have an Azure virtual machine named VM1 that runs Windows Server 2016.

    You install a line-of-business application on VM1.

    You need to create a scale set by using VM1 as a custom image.

    Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q13 092 Question
    AZ-303 Microsoft Azure Architect Technologies Part 04 Q13 092 Answer
    Explanation:

    Step 1: Run sysprep.exe on VM1.
    The final step to prepare your VM for use as a custom image is to generalize the VM. Sysprep removes all your personal account information and configurations, and resets the VM to a clean state for future deployments.

    Step 2: From Azure CLI, deallocate VM1 and mark VM1 as generalized.
    To create an image, the VM needs to be deallocated. Deallocate the VM with Stop-AzVm. Then, set the state of the VM as generalized with Set-AzVm so that the Azure platform knows the VM is ready for use as a custom image. You can only create an image from a generalized VM.
    It may take a few minutes to deallocate and generalize the VM.
    Then create an image of the VM with New-AzImageConfig and New-AzImage.

    Step 3: Create a virtual machine scale set.
    Create a scale set with New-AzVmss that uses the -ImageName parameter to define the custom VM image created in the previous step.

  14. You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 contains 50 virtual machines. Twenty-five of the virtual machines are web servers and the other 25 are application servers.

    You need to filter traffic between the web servers and the application servers by using application security groups.

    Which additional resource should you provision?

    • Azure Firewall
    • a user-defined route
    • Azure Private Link
    • a network security group (NSG)
    Explanation:

    Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.

    You can filter network traffic inbound to and outbound from a virtual network subnet with a network security group.

  15. Your on-premises network contains several Hyper-V hosts.

    You have a hybrid deployment of Azure Active Directory (Azure AD).

    You create an Azure Migrate project.

    You need to ensure that you can evaluate virtual machines by using Azure Migrate.

    Which two actions should you perform? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • Deploy the Azure Migrate appliance to an on-premises Hyper-V host.
    • Assign the migration account to the Administrators group on each Hyper-V virtual machine.
    • Deploy the Microsoft Monitoring Agent to each Hyper-V host.
    • Assign the migration account to the Administrators group on each Hyper-V host.
    • Deploy the Microsoft Monitoring Agent to each Hyper-V virtual machine.
    • Deploy the Azure Migrate appliance as an Azure virtual machine.
    Explanation:

    E: On each machine you want to analyze, install the following agents:
    – The Microsoft Monitoring agent (MMA).
    – The Dependency agent.

    A: You create the appliance VM.
    Azure Migrate: Server Assessment uses a lightweight Azure Migrate appliance. The appliance performs VM discovery and sends VM configuration and performance metadata to Azure Migrate. The appliance can be set up by deploying a VHD file that can be downloaded from the Azure Migrate project.

    You set up the appliance on a Hyper-V VM, as follows:
    1. Provide an appliance name and generate an Azure Migrate project key in the portal.
    2. Download a compressed Hyper-V VHD from the Azure portal.
    3. Create the appliance, and check that it can connect to Azure Migrate Server Assessment.
    4. Configure the appliance for the first time, and register it with the Azure Migrate project using the Azure Migrate project key.

    Note: Details
    1. Extract the zipped VHD file to a folder on the Hyper-V host that will host the appliance VM. Three folders are extracted.
    2. Open Hyper-V Manager. In Actions, click Import Virtual Machine.
    3. In the Import Virtual Machine Wizard > Before you begin, click Next.
    4. In Locate Folder, specify the folder containing the extracted VHD. Then click Next.
    5. In Select Virtual Machine, click Next.
    6. In Choose Import Type, click Copy the virtual machine (create a new unique ID). Then click Next.
    7. In Choose Destination, leave the default setting. Click Next.
    8. In Storage Folders, leave the default setting. Click Next.
    9. In Choose Network, specify the virtual switch that the VM will use. The switch needs internet connectivity to send data to Azure.
    10. In Summary, review the settings. Then click Finish.
    11. In Hyper-V Manager > Virtual Machines, start the VM.

  16. HOTSPOT

    Your network contains an on-premises Active Directory domain. The domain contains the Hyper-V failover clusters shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q16 094

    You plan to assess and migrate the virtual machines by using Azure Migrate.

    What is the minimum number of Azure Migrate appliances and Microsoft Azure Recovery Services (MARS) agents required?

    NOTE: Each correct selection is worth one point.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q16 095 Question
    AZ-303 Microsoft Azure Architect Technologies Part 04 Q16 095 Answer
    Explanation:

    Box 1: 3
    One appliance for each cluster.

    Box 2: 12
    One MARS agent for each node.

  17. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have an Azure Active Directory (Azure AD) tenant named contoso.com.

    A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.

    Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

    You need to ensure that Admin1 can create access reviews in contoso.com.

    Solution: You assign the Service administrator role to Admin1.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    Instead use Azure AD Privileged Identity Management.

    Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
    Conduct access reviews to ensure users still need roles

  18. You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.

    You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.

    Which two actions should you perform? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • Reset GW1.
    • Delete GW1.
    • Create a route-based virtual network gateway.
    • Add a public IP address space to VNet1.
    • Add a connection to GW1.
    • Add a service endpoint to VNet1.
    Explanation:

    A route-based VPN gateway is needed.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q18 096
  19. You have an Azure subscription that contains the virtual networks shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 04 Q19 097

    You need to recommend a connectivity solution that will enable the virtual machines on VNET1 and VNET2 to communicate through the Microsoft backbone infrastructure.

    What should you include in the recommendation?

    • Azure ExpressRoute
    • peering
    • a point-to-site VPN
    • a site-to-site VPN
    Explanation:
    Virtual network peering enables you to seamlessly connect Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP addresses only. Azure supports:
    – VNet peering – connecting VNets within the same Azure region
    – Global VNet peering – connecting VNets across Azure regions
  20. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have an app named App1 that uses data from two on-premises Microsoft SQL Server databases named DB1 and DB2.

    You plan to move DB1 and DB2 to Azure.

    You need to implement Azure services to host DB1 and DB2. The solution must support server-side transactions across DB1 and DB2.

    Solution: You deploy DB1 and DB2 to an Azure SQL Database managed instance.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    Instead deploy DB1 and DB2 to SQL Server on an Azure virtual machine.

    Note: Understanding distributed transactions.
    When both the database management system and client are under the same ownership (e.g. when SQL Server is deployed to a virtual machine), transactions are available and the lock duration can be controlled.
