AZ-303 : Microsoft Azure Architect Technologies : Part 09

  1. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company is deploying an on-premises application named App1. Users will access App1 by using a URL of https://app1.contoso.com.

    You register App1 in Azure Active Directory (Azure AD) and publish App1 by using the Azure AD Application Proxy.

    You need to ensure that App1 appears in the My Apps portal for all the users.

    Solution: You create a conditional access policy for App1.

    Does this meet the goal?

    • Yes
    • No

    Explanation:
    Instead, you modify User and Groups for App1.

  2. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company is deploying an on-premises application named App1. Users will access App1 by using a URL of https://app1.contoso.com.

    You register App1 in Azure Active Directory (Azure AD) and publish App1 by using the Azure AD Application Proxy.

    You need to ensure that App1 appears in the My Apps portal for all the users.

    Solution: You modify User and Groups for App1.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    Assigning users and groups to individual applications in Azure AD controls the visibility of the link.
    If you want only a subset of your users to see the link in the Azure AD My Apps portal, configure user assignment as follows:
    1. In the menu on the left, select Properties.
    2. Set User assignment required to Yes.
    3. Click Save.
    4. In the menu on the left, click Manage > Users and groups.
    5. Click Add user.
    6. Select Users.
    7. Select the users or groups that you want to provision. If you select a group, all members of the group are provisioned.
    8. Click Select.
    9. Click Assign.
    10. It might take several minutes for a link to show up in the My Apps portal.
  3. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company is deploying an on-premises application named App1. Users will access App1 by using a URL of https://app1.contoso.com.

    You register App1 in Azure Active Directory (Azure AD) and publish App1 by using the Azure AD Application Proxy.

    You need to ensure that App1 appears in the My Apps portal for all the users.

    Solution: You create an offer for App1 and publish the offer to Azure Marketplace.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    Instead, you modify User and Groups for App1.

    Note: The Microsoft commercial marketplace is a catalog of solutions from our independent software vendor (ISV) partners. As an ISV member of the Microsoft Partner Network, you can create, publish, and manage your commercial marketplace offers in Partner Center. Your solutions are listed in our online stores, alongside our own Microsoft solutions, connecting you with businesses, organizations, and government agencies around the world.

  4. Your network contains an on-premises Active Directory domain named contoso.com that contains a member server named Server1.

    You have the accounts shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q04 162

    You are installing Azure AD Connect on Server1.

    You need to specify the account for Azure AD Connect synchronization. The solution must use the principle of least privilege.

    Which account should you specify?

    • CONTOSO\User2
    • SERVER1\User4
    • CONTOSO\User1
    • CONTOSO\User3
    Explanation:
    The default Domain User permissions are sufficient.
  5. HOTSPOT

    A company runs multiple Windows virtual machines (VMs) in Azure.

    The IT operations department wants to apply the same policies as they have for on-premises VMs to the VMs running in Azure, including domain administrator permissions and schema extensions.

    You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required.

    What should you recommend? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q05 163 Question
    AZ-303 Microsoft Azure Architect Technologies Part 09 Q05 163 Answer
    Explanation:

    Box 1: Join the VMs to a new domain controller VM in Azure
    Azure provides two solutions for implementing directory and identity services in Azure:
    – (Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
    – Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.

    Box 2: Set up VPN connectivity.
    This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.

  6. You have an Azure subscription that contains the web apps shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q06 164

    For which web app can you configure a WebJob?

    • WebApp1
    • WebApp4
    • WebApp2
    • WebApp3
    Explanation:
    Publishing a .NET Core WebJob to App Service from Visual Studio uses the same tooling as publishing an ASP.NET Core app.
  7. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.

    You are creating a Dockerfile to build a container image.

    You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container image.

    Solution: You add the following line to the Dockerfile.

    COPY File1.txt /Folder1/

    You then build the container image.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    COPY is the correct instruction to copy a file to the container image.
  8. You have an Azure Kubernetes Service (AKS) cluster named aks1.

    You need to enable the cluster autoscaler on aks1.

    Which command should you run in Azure CLI?

    • kubectl autoscale
    • az aks scale
    • kubectl apply
    • az aks update
  9. DRAG DROP

    You have an Azure subscription that contains a Basic App Service plan named webapp1plan. Webapp1plan contains a web app named webapp1.

    You need to deploy a new version of webapp1. The solution must meet the following requirements:

    – Enable testing of new versions before their production release.
    – Minimize downtime of webapp1 during the deployment.
    – Minimize costs.

    Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q09 165 Question
    AZ-303 Microsoft Azure Architect Technologies Part 09 Q09 165 Answer
    Explanation:

    When you deploy your web app to Azure App Service, you can use a separate deployment slot instead of the default production slot when you’re running in the Standard, Premium, or Isolated App Service plan tier. Deployment slots are live apps with their own host names. App content and configuration elements can be swapped between two deployment slots, including the production slot.

    Box 1: Upgrade webapp1plan to Standard.
    The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.

    Box 2: Add a deployment slot to webapp1.

    Box 3: Deploy the new version of webapp1.
    The new deployment slot has no content, even if you clone the settings from a different slot. You can deploy to the slot from a different repository branch or a different repository.

    Box 4: Perform a slot swap.

  10. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company is deploying an on-premises application named App1. Users will access App1 by using a URL of https://app1.contoso.com.

    You register App1 in Azure Active Directory (Azure AD) and publish App1 by using the Azure AD Application Proxy.

    You need to ensure that App1 appears in the My Apps portal for all the users.

    Solution: You configure the delegated permission for App1 in Azure AD.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    Instead, you modify User and Groups for App1.
  11. Case study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study

    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

    Contoso products are manufactured by using blueprint files that the company authors and maintains.

    Existing Environment

    Currently, Contoso uses multiple types of servers for business operations, including the following:

    – File servers
    – Domain controllers
    – Microsoft SQL Server servers

    Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

    You have a public-facing application named App1. App1 is comprised of the following three tiers:

    – A SQL database
    – A web front end
    – A processing middle tier

    Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

    Requirements

    Planned Changes

    Contoso plans to implement the following changes to the infrastructure:

    – Move all the tiers of App1 to Azure.
    – Move the existing product blueprint files to Azure Blob storage.
    – Create a hybrid directory to support an upcoming Microsoft 365 migration project.

    Technical Requirements

    Contoso must meet the following technical requirements:

    – Move all the virtual machines for App1 to Azure.
    – Minimize the number of open ports between the App1 tiers.
    – Ensure that all the virtual machines for App1 are protected by backups.
    – Copy the blueprint files to Azure over the Internet.
    – Ensure that the blueprint files are stored in the archive storage tier.
    – Ensure that partner access to the blueprint files is secured and temporary.
    – Prevent user passwords or hashes of passwords from being stored in Azure.
    – Use unmanaged standard storage for the hard disks of the virtual machines.
    – Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
    – Minimize administrative effort whenever possible.

    User Requirements

    Contoso identifies the following requirements for users:

    – Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
    – Designate a new user named Admin1 as the service admin for the Azure subscription.
    – Admin1 must receive email alerts regarding service outages.
    – Ensure that a new user named User3 can create network objects for the Azure subscription.

    1. HOTSPOT

      You need to recommend a solution for App1. The solution must meet the technical requirements.

      What should you include in the recommendation? To answer, select the appropriate options in the answer area.

      NOTE: Each correct selection is worth one point.

      AZ-303 Microsoft Azure Architect Technologies Part 09 Q11 166 Question

      AZ-303 Microsoft Azure Architect Technologies Part 09 Q11 166 Answer
  12. Case Study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

    Overview. General Overview

    Litware, Inc. is a medium-sized finance company. Litware recently acquired a financial services company named Fabrikam, Ltd.

    Overview. Physical Locations

    Litware has a datacenter in Boston. Fabrikam has a datacenter in San Francisco.

    Existing Environment. Identity Environment

    The network of Litware contains an Active Directory forest named Litware.com that syncs to an Azure Active Directory (Azure AD) tenant named Litware.com by using Azure AD Connect.

    Azure AD Seamless Single Sign-on (Azure AD Seamless SSO) is enabled for the Litware.com tenant.

    Users at Litware have a UPN suffix of Litware.com.

    Litware has an internal certification authority (CA) that is trusted by all devices.

    The network of Fabrikam contains an Active Directory forest named fabrikam.com. Users at Fabrikam have a UPN suffix of fabrikam.com.

    Existing Environment. Azure Environment

    Litware has an Azure subscription named Sub1 that is linked to the Litware.com tenant. Sub1 contains the resources shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q12 167

    Litware has Azure Resource Manager (ARM) templates that deploy Azure Policy definitions and assignments to a management group.

    Fabrikam does NOT have an Azure environment.

    Existing Environment. On-Premises Environment

    The on-premises network of Litware contains the resources shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q12 168

    The on-premises network of Fabrikam contains a domain member server named SERVER1 that runs Windows Server 2019.

    Existing Environment. Network Environment

    Litware has a site-to-site VPN connection to VNet1.

    The Litware and Fabrikam datacenters are not connected.

    Requirements. Planned Changes

    Litware plans to implement the following changes:

    – Establish a trust relationship between the Litware and Fabrikam forests.
    – Migrate data from the on-premises NoSQL datastores to Azure Table storage.
    – Containerize WebApp1 and deploy the app to an Azure Kubernetes Service (AKS) cluster on VNet1.
    – Create an Azure blueprint named BP1 and use the blueprint to provision a resource group named RG1.

    Requirements. Deployment Requirements

    Litware identifies the following deployment requirements:

    – The existing ARM templates must be used for deployments to Sub1.
    – WebApp1 must be deployed to the AKS cluster without having to change the source code.

    Requirements. Authentication and Authorization Requirements

    Litware identifies the following authentication and authorization requirements:

    – The Fabrikam users must be able to authenticate to the Litware.com tenant by using Azure AD Seamless SSO.
    – The Fabrikam users and the Litware users must be able to manage the Azure resources in Sub1.
    – Company policy must prohibit the creation of guest user accounts in the Litware.com tenant.
    – You must be able to configure deny permissions for RG1 and for the resources in RG1.
    – WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1.

    Requirements. Security Requirements

    Litware identifies the following security requirements:

    – On-premises Litware users must access KV1 by using the private IP address of the key vault.
    – Azure virtual machines must have all their disks encrypted, including the temporary disks.
    – Azure Storage must encrypt all data by using keys issued by the internal CA of Litware.
    – Inbound HTTPS traffic to WebApp1 must be inspected for SQL injection attacks.
    – The principle of least privilege must be used.

    1. HOTSPOT

      You plan to migrate WebApp1 to Azure.

      You need to implement the AKS cluster that will host WebApp1. The solution must meet the deployment requirements.

      What should you do? To answer, select the appropriate options in the answer area.

      NOTE: Each correct selection is worth one point.

      AZ-303 Microsoft Azure Architect Technologies Part 09 Q12 169 Question

      AZ-303 Microsoft Azure Architect Technologies Part 09 Q12 169 Answer
  13. HOTSPOT

    You have the Azure SQL Database servers shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q13 170

    You have the Azure SQL databases shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q13 171

    You create a failover group named failover1 that has the following settings:

    – Primary server: sqlserver1
    – Secondary server: sqlserver2
    – Read/Write failover policy: Automatic
    – Read/Write grace period (hours): 1 hour

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q13 172 Question
    AZ-303 Microsoft Azure Architect Technologies Part 09 Q13 172 Answer
    Explanation:

    Box 1: Yes
    DB1 is on the primary server.

    Box 2: No
    DB3 is on the secondary server.

    You can put all or several databases within an elastic pool into the same failover group.

    Box 3: No
    A failover group is a named group of databases managed by a single server or within a managed instance that can fail over as a unit to another region in case all or some primary databases become unavailable due to an outage in the primary region.

    The secondary cannot be in the same region as the primary.

  14. Your company plans to develop an application that will use a NoSQL database. The database will be used to store transactions and customer information by using JSON documents.

    Which two Azure Cosmos DB APIs can developers use for the application? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • Gremlin (graph)
    • MongoDB
    • Cassandra
    • Core (SQL)
    • Azure Table
    Explanation:

    D: The SQL API supports cross-document transactions expressed as JavaScript stored procedures and triggers. Transactions are scoped to a single partition within each container and executed with ACID semantics as “all or nothing,” isolated from other concurrently executing code and user requests. If exceptions are thrown through the server-side execution of JavaScript application code, the entire transaction is rolled back.

    A: Azure Cosmos DB is Microsoft’s globally distributed, multi-model database service. Multi-model means that Azure Cosmos DB supports multiple APIs and multiple data models; different APIs use different data formats for storage and wire protocol. For example, SQL uses JSON, MongoDB uses BSON, Table uses EDM, Cassandra uses CQL, and Gremlin uses JSON format. As a result, we recommend using the same API for all access to the data in a given account.

    Each API operates independently, except the Gremlin and SQL API, which are interoperable.

  15. The developers at your company request that you create databases in Azure Cosmos DB as shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q15 173

    You need to create the Azure Cosmos DB databases to meet the developer request. The solution must minimize costs.

    What are two possible ways to achieve the goal? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • Create three Azure Cosmos DB accounts, one for the databases that use the Core (SQL) API, one for CosmosDB2, and one for CosmosDB4.
    • Create two Azure Cosmos DB accounts, one for CosmosDB2 and CosmosDB4 and one for CosmosDB1 and CosmosDB3.
    • Create one Azure Cosmos DB account for each database.
    • Create three Azure Cosmos DB accounts, one for the databases that use the MongoDB API, one for CosmosDB1, and one for CosmosDB3.
    Explanation:

    Note:
    Microsoft recommends using the same API for all access to the data in a given account.

    One throughput provisioned container per subscription for SQL, Gremlin API, and Table accounts.
    Up to three throughput provisioned collections per subscription for MongoDB accounts.
    The throughput provisioned on an Azure Cosmos container is exclusively reserved for that container. The container receives the provisioned throughput all the time.

    Incorrect Answers:
    A: DB2 and DB4 can use the same account.
    C: The most costly alternative.

  16. You have the Azure SQL Database servers shown in the following table.

    AZ-303 Microsoft Azure Architect Technologies Part 09 Q16 174

    You plan to specify sqlserver1 as the primary server in a failover group.

    Which servers can be used as a secondary server?

    • sqlserver4 and sqlserver5 only
    • sqlserver2 and sqlserver3 only
    • sqlserver2, sqlserver3, sqlserver4, and sqlserver5
    • sqlserver2 and sqlserver4 only
    Explanation:
    The Resource Group must be the same.
    The secondary server can have another location.
    The secondary server cannot be the same as the primary server.
  17. You have two Azure SQL Database managed instances in different Azure regions.

    You plan to configure the managed instances in an instance failover group.

    What should you configure before you can add the managed instances to the instance failover group?

    • an internal Azure Load Balancer instance that has managed instance endpoints in a backend pool
    • Azure Private Link that has endpoints on two virtual networks
    • an Azure Application Gateway that has managed instance endpoints in a backend pool
    • a Site-to-Site VPN between the virtual networks that contain the instances
    Explanation:
    For two managed instances to participate in a failover group, there must be either ExpressRoute or a gateway configured between the virtual networks of the two managed instances to allow network communication.
    You create the two VPN gateways and connect them.
    1. Create the gateway for the virtual network of your primary managed instance using the Azure portal.
    2. Create the gateway for the virtual network of your secondary managed instance using the Azure portal.
    3. Create a bidirectional connection between the two gateways of the two virtual networks.