AZ-304 : Microsoft Azure Architect Design : Part 09
-
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview. General Overview
Litware, Inc. is a medium-sized finance company.
Overview. Physical Locations
Litware has a main office in Boston.
Existing Environment. Identity Environment
The network contains an Active Directory forest named Litware.com that is linked to an Azure Active Directory (Azure AD) tenant named Litware.com. All users have Azure Active Directory Premium P2 licenses.
Litware has a second Azure AD tenant named dev.Litware.com that is used as a development environment.
The Litware.com tenant has a conditional access policy named capolicy1. Capolicy1 requires that when users manage the Azure subscription for a production environment by using the Azure portal, they must connect from a hybrid Azure AD-joined device.
Existing Environment. Azure Environment
Litware has 10 Azure subscriptions that are linked to the Litware.com tenant and five Azure subscriptions that are linked to the dev.Litware.com tenant. All the subscriptions are in an Enterprise Agreement (EA).
The Litware.com tenant contains a custom Azure role-based access control (Azure RBAC) role named Role1 that grants the DataActions read permission to the blobs and files in Azure Storage.
Existing Environment. On-premises Environment
The on-premises network of Litware contains the resources shown in the following table.
Existing Environment. Network Environment
Litware has ExpressRoute connectivity to Azure.
Planned Changes and Requirements. Planned Changes
Litware plans to implement the following changes:
– Migrate DB1 and DB2 to Azure.
– Migrate App1 to Azure virtual machines.
– Deploy the Azure virtual machines that will host App1 to Azure dedicated hosts.
Planned Changes and Requirements. Authentication and Authorization Requirements
Litware identifies the following authentication and authorization requirements:
– Users that manage the production environment by using the Azure portal must connect from a hybrid Azure AD-joined device and authenticate by using Azure Multi-Factor Authentication (MFA).
– The Network Contributor built-in RBAC role must be used to grant permission to all the virtual networks in all the Azure subscriptions.
– To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app.
– Role1 must be used to assign permissions to the storage accounts of all the Azure subscriptions.
– RBAC roles must be applied at the highest level possible.
Planned Changes and Requirements. Resiliency Requirements
Litware identifies the following resiliency requirements:
– Once migrated to Azure, DB1 and DB2 must meet the following requirements:
– Maintain availability if two availability zones in the local Azure region fail.
– Fail over automatically.
– Minimize I/O latency.
– App1 must meet the following requirements:
– Be hosted in an Azure region that supports availability zones.
– Be hosted on Azure virtual machines that support automatic scaling.
– Maintain availability if two availability zones in the local Azure region fail.
Planned Changes and Requirements. Security and Compliance Requirements
Litware identifies the following security and compliance requirements:
– Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years.
– On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
– Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
– All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
– App1 must not share physical hardware with other workloads.
Planned Changes and Requirements. Business Requirements
Litware identifies the following business requirements:
– Minimize administrative effort.
– Minimize costs.
-
HOTSPOT
You plan to migrate App1 to Azure.
You need to recommend a high-availability solution for App1. The solution must meet the resiliency requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: 3
Scenario: App1 must meet the following requirements:
Be hosted in an Azure region that supports availability zones.
Maintain availability if two availability zones in the local Azure region fail.
A host group is a resource that represents a collection of dedicated hosts. You create a host group in a region and an availability zone, and add hosts to it.
Use Availability Zones for fault isolation
Availability zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. A host group is created in a single availability zone. Once created, all hosts will be placed within that zone. To achieve high availability across zones, you need to create multiple host groups (one per zone) and spread your hosts accordingly. Surviving the loss of two zones means App1 must still be running in a third zone, so hosts are needed in all three zones of the region, which requires three host groups.
Box 2: 1
Scenario: App1 must meet the following requirements:
Be hosted on Azure virtual machines that support automatic scaling.
An Azure virtual machine scale set can automatically increase or decrease the number of VM instances that run your application. This automated and elastic behavior reduces the management overhead to monitor and optimize the performance of your application. A scale set can be deployed onto a dedicated host group, so one scale set satisfies both the autoscaling requirement and the requirement that App1 share no physical hardware with other workloads.
-
You need to design a solution that will execute custom C# code in response to an event routed to Azure Event Grid. The solution must meet the following requirements:
– The executed code must be able to access the private IP address of a Microsoft SQL Server instance that runs on an Azure virtual machine.
– Costs must be minimized.
What should you include in the solution?
- Azure Logic Apps in the integrated service environment
- Azure Functions in the Dedicated plan and the Basic Azure App Service plan
- Azure Logic Apps in the Consumption plan
- Azure Functions in the Consumption plan
Explanation:
When you create a function app in Azure, you must choose a hosting plan for your app. There are three basic hosting plans available for Azure Functions: Consumption plan, Premium plan, and Dedicated (App Service) plan.
For the Consumption plan, you don't have to pay for idle VMs or reserve capacity in advance, but the Consumption plan has no virtual network integration, so code running on it cannot reach a private IP address inside a virtual network. Reaching the SQL Server VM's private address needs regional virtual network integration, which the Premium plan and the Dedicated (App Service) plan provide; of the listed options, Azure Functions in the Dedicated plan on a Basic App Service plan is the lowest-cost one that can do this. Logic Apps in an integrated service environment also get virtual network access, but an ISE costs far more than a Basic App Service plan, and the Logic Apps Consumption plan, like the Functions Consumption plan, cannot reach private addresses.
Connect to private endpoints with Azure Functions
As enterprises continue to adopt serverless (and Platform-as-a-Service, or PaaS) solutions, they often need a way to integrate with existing resources on a virtual network. These existing resources could be databases, file storage, message queues or event streams, or REST APIs.
-
The developers at your company are building a containerized Python Django app.
You need to recommend platform to host the app. The solution must meet the following requirements:
– Support autoscaling.
– Support continuous deployment from an Azure Container Registry.
– Provide built-in functionality to authenticate app users by using Azure Active Directory (Azure AD).
Which platform should you include in the recommendation?
- Azure Container instances
- an Azure App Service instance that uses containers
- Azure Kubernetes Service (AKS)
Explanation:
All three platforms can run the container image from Azure Container Registry, so the deciding requirement is built-in user authentication with Azure AD. App Service provides this out of the box: its built-in authentication and authorization feature (often called Easy Auth) performs the Azure AD sign-in flow in front of the app, with no authentication code in the Django container. App Service also supports autoscaling by instance count and continuous deployment from Azure Container Registry through registry webhooks that trigger a pull of the new image.
Azure Kubernetes Service can scale (the cluster autoscaler adds nodes when pods cannot be scheduled because of resource constraints, and the horizontal pod autoscaler adds pods), and Azure Container Registry integrates with it, but AKS has no built-in user authentication; you would have to deploy and maintain your own identity middleware or an OAuth proxy at the ingress. Azure Container Instances offers neither autoscaling nor built-in authentication.
-
You have an on-premises network to which you deploy a virtual appliance.
You plan to deploy several Azure virtual machines and connect the on-premises network to Azure by using a Site-to-Site connection.
All network traffic that will be directed from the Azure virtual machines to a specific subnet must flow through the virtual appliance.
You need to recommend solutions to manage network traffic.
Which two options should you recommend? Each correct answer presents a complete solution.
- Configure Azure Traffic Manager.
- Implement Azure ExpressRoute.
- Configure a routing table.
- Implement an Azure virtual network.
Explanation:
B: With ExpressRoute, routes are exchanged with the on-premises network over BGP, so the on-premises router can advertise the specific subnet's prefix (or a default route, for full forced tunneling) and the Azure virtual machines then send that traffic across the private connection, through the virtual appliance. ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.
Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.
C: A routing table holds user-defined routes. Associate a route table with the subnet of the Azure virtual machines and add a route for the specific subnet's prefix whose next hop type is VirtualNetworkGateway; that traffic then goes through the Site-to-Site tunnel to the on-premises appliance instead of following Azure's system routes. The same mechanism gives forced tunneling: a user-defined route for 0.0.0.0/0 redirects or "forces" all Internet-bound traffic back to your on-premises location via the Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies. Without forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Incorrect Answers:
A: Traffic Manager is DNS-based load balancing; it does not affect how packets leave a virtual machine.
D: A virtual network is a prerequisite for the virtual machines and the Site-to-Site connection, but on its own it only provides the default system routes.
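The following Python script is an added example, not part of the exam material and not Microsoft code. It models how Azure picks the effective route for a packet leaving a VM (longest prefix match first, then user-defined route over BGP route over system route, which is Azure's documented order) and shows what a route table entry for the "specific subnet" does compared with a forced-tunneling default route. The prefixes, next-hop addresses and route names are constructed for the illustration; the next hop types are Azure's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                        # address prefix, e.g. "10.0.0.0/16"
    next_hop_type: str                 # VirtualNetwork | Internet | VirtualNetworkGateway | VirtualAppliance | None
    source: str                        # "User" (UDR), "BGP" (learned from on-premises) or "System" (Azure default)
    next_hop_ip: Optional[str] = None  # only meaningful for next_hop_type == "VirtualAppliance"


# Documented Azure precedence when several routes carry the same prefix.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


def effective_route(routes, destination):
    """Return the route Azure would use for a packet to `destination`:
    longest prefix match first, then UDR > BGP > System."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]),
    )


def next_hop(routes, destination):
    r = effective_route(routes, destination)
    return (r.next_hop_type, r.next_hop_ip, r.source) if r else ("None", None, None)


# Constructed: system routes for VNet 10.0.0.0/16 plus one prefix learned over
# BGP from on-premises through the Site-to-Site or ExpressRoute gateway.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", "BGP"),
]

# Option C: a route table with one UDR so traffic for the specific subnet
# (172.16.50.0/24 here) leaves through the gateway and the on-premises
# appliance instead of through Azure's default Internet route.
SUBNET_UDR = [Route("172.16.50.0/24", "VirtualNetworkGateway", "User")]

# Forced tunnelling: a UDR for 0.0.0.0/0 beats the system Internet route on
# source precedence, while intra-VNet traffic still matches the longer 10.0.0.0/16.
FORCED_TUNNEL_UDR = [Route("0.0.0.0/0", "VirtualNetworkGateway", "User")]

# Variant with the appliance inside Azure: the next hop is its private IP.
NVA_UDR = [Route("172.16.50.0/24", "VirtualAppliance", "User", next_hop_ip="10.0.100.4")]

# A UDR on exactly the prefix a BGP route carries wins on source precedence alone.
OVERRIDE_BGP_UDR = [Route("192.168.0.0/16", "VirtualAppliance", "User", next_hop_ip="10.0.100.4")]


if __name__ == "__main__":
    for label, table in [("subnet udr", SUBNET_UDR), ("forced tunnel", FORCED_TUNNEL_UDR), ("nva", NVA_UDR)]:
        for dst in ("172.16.50.10", "10.0.2.5", "8.8.8.8", "192.168.1.1"):
            print(f"{label:14} {dst:14} -> {next_hop(SYSTEM_ROUTES + table, dst)}")
```

The point to take from the model is that a route table is evaluated per subnet and only the single best route applies to each destination, so a UDR for the specific subnet's prefix is enough on its own, and a forced-tunneling default route does not break traffic inside the VNet because the system route for the VNet address space is a longer match.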
-
You are developing a sales application that will contain several Azure cloud services and will handle different components of a transaction. Different cloud services will process customer orders, billing, payment, inventory, and shipping.
You need to recommend a solution to enable the cloud services to asynchronously communicate transaction information by using REST messages.
What should you include in the recommendation?
- Azure Service Bus
- Azure Data Lake
- Azure Traffic Manager
- Azure Application Gateway
Explanation:Asynchronous messaging can be implemented in a variety of different ways: with queues, topics, and subscriptions. Azure Service Bus supports asynchronism via a store and forward mechanism.
Service Bus is a transactional message broker and ensures transactional integrity for all internal operations against its message stores. All transfers of messages inside of Service Bus, such as moving messages to a dead-letter queue or automatic forwarding of messages between entities, are transactional.
-
You are designing a message application that will run on an on-premises Ubuntu virtual machine. The application will use Azure Storage queues.
You need to recommend a processing solution for the application to interact with the storage queues. The solution must meet the following requirements:
– Create and delete queues daily.
– Be scheduled by using a CRON job.
– Upload messages every five minutes.
What should developers use to interact with the queues?
- Azure CLI
- AzCopy
- Azure Data Factory
- .NET Core
Explanation:
The Azure CLI runs natively on Ubuntu and is scriptable from a CRON job, and it covers every operation listed: az storage queue create and az storage queue delete for the daily queue lifecycle, and az storage message put to enqueue a message every five minutes. Authenticate the job with a service principal or a SAS token scoped to the queue rather than embedding the storage account key in the crontab.
Incorrect Answers:
B: AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account; it does not operate on queues.
C: Azure Data Factory orchestrates data pipelines in Azure; it is not a tool for a locally scheduled script.
D: .NET Core can call the queue SDK, but that means writing and maintaining an application where a scripted CLI call is enough.
-
You have a .NET web service named Service1 that has the following requirements:
Must read and write temporary files to the local file system.
Must write to the Application event log.
You need to recommend a solution to host Service1 in Azure. The solution must meet the following requirements:
– Minimize maintenance overhead.
– Minimize costs.
What should you include in the recommendation?
- an App Service Environment
- an Azure web app
- an Azure virtual machine scale set
- an Azure function
-
You are designing a microservices architecture that will support a web application.
The solution must meet the following requirements:
– Allow independent upgrades to each microservice.
– Deploy the solution on-premises and to Azure.
– Set policies for performing automatic repairs to the microservices.
– Support low-latency and hyper-scale operations.
You need to recommend a technology.
- Azure Container Instance
- Azure Virtual Machine Scale Set
- Azure Service Fabric
- Azure Logic App
Explanation:
Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers. Each service is versioned and upgraded independently with rolling upgrades, health policies decide when an upgrade is rolled back or a failed replica is recreated, and the runtime is built for low latency at large scale.
You can use Service Fabric to create standalone clusters on any virtual machines or computers running Windows Server, on-premises or in any cloud, as well as managed clusters in Azure, which is what lets the same solution be deployed both on-premises and to Azure.
-
Your company has the infrastructure shown in the following table.
The on-premises Active Directory domain syncs to Azure Active Directory (Azure AD).
Server1 runs an application named App1 that uses LDAP queries to verify user identities in the on-premises Active Directory domain.
You plan to migrate Server1 to a virtual machine in Subscription1.
A company security policy states that the virtual machines and services deployed to Subscription1 must be prevented from accessing the on-premises network.
You need to recommend a solution to ensure that App1 continues to function after the migration. The solution must meet the security policy.
What should you include in the recommendation?
- Azure AD Application Proxy
- an Azure VPN gateway
- Azure AD Domain Services (Azure AD DS)
- the Active Directory Domain Services role on a virtual machine
Explanation:
Azure AD Domain Services provides a managed domain (domain controllers run by Microsoft inside a virtual network in Subscription1) that supports LDAP, Kerberos and NTLM and is populated from the Azure AD tenant the on-premises domain already syncs to. You can join a Windows Server virtual machine to the managed domain, and App1 can keep issuing its LDAP queries against it, so no connectivity to the on-premises network is needed and the security policy holds. Prefer secure LDAP (LDAPS), which Azure AD DS supports, so that the credentials in App1's LDAP binds do not cross the network in clear text.
The other options either require a path to the on-premises network (a VPN gateway, or a domain controller VM that must replicate with the on-premises domain) or do not serve LDAP at all (Azure AD Application Proxy publishes web applications).
-
HOTSPOT
Your company deploys an Azure App Service Web App.
During testing the application fails under load. The application cannot handle more than 100 concurrent user sessions. You enable the Always On feature. You also configure auto-scaling to increase instance counts from two to 10 based on HTTP queue length.
You need to improve the performance of the application.
Which solution should you use for each application scenario? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:Box 1: Content Delivery Network
A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world. Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).
Box 2: Azure Redis Cache
Azure Cache for Redis is based on the popular software Redis. It is typically used as a cache to improve the performance and scalability of systems that rely heavily on backend data-stores. Performance is improved by temporarily copying frequently accessed data to fast storage located close to the application. With Azure Cache for Redis, this fast storage is located in-memory with Azure Cache for Redis instead of being loaded from disk by a database.
-
You use Azure virtual machines to run a custom application that uses an Azure SQL Database instance on the back end.
The IT department at your company recently enabled forced tunneling.
Since the configuration change, developers have noticed degraded performance when they access the database from the Azure virtual machine.
You need to recommend a solution to minimize latency when accessing the database. The solution must minimize costs.
What should you include in the recommendation?
- Virtual Network (VNET) service endpoints
- Azure virtual machines that run Microsoft SQL Server servers
- Azure SQL Database Managed Instance
- Always On availability groups
-
DRAG DROP
You are planning an Azure solution that will host production databases for a high-performance application. The solution will include the following components:
– Two virtual machines that will run Microsoft SQL Server 2016, will be deployed to different data centers in the same Azure region, and will be part of an Always On availability group
– SQL Server data that will be backed up by using the Automated Backup feature of the SQL Server IaaS Agent Extension (SQLIaaSExtension)
You identify the storage priorities for various data types as shown in the following table.
Which storage type should you recommend for each data type? To answer, drag the appropriate storage types to the correct data types. Each storage type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company plans to deploy various Azure App Service instances that will use Azure SQL databases. The App Service instances will be deployed at the same time as the Azure SQL databases.
The company has a regulatory requirement to deploy the App Service instances only to specific Azure regions. The resources for the App Service instances must reside in the same region.
You need to recommend a solution to meet the regulatory requirement.
Solution: You recommend using the Regulatory compliance dashboard in Azure Security Center.
Does this meet the goal?
- Yes
- No
Explanation:
The Regulatory compliance dashboard in Azure Security Center is not used for regional compliance; it reports on how resources measure up against compliance standards and cannot prevent a deployment.
Note: Instead, an Azure Policy definition such as the built-in Allowed locations policy can be assigned at the resource group or subscription that holds the App Service instances and their databases, so any resource created outside the permitted regions is denied at deployment time.
Note 2: In the Azure Security Center regulatory compliance blade, you can get an overview of key portions of your compliance posture with respect to a set of supported standards. Currently supported standards are Azure CIS, PCI DSS 3.2, ISO 27001, and SOC TSP.
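Added example, not part of the exam material and not Microsoft's code: a small Python evaluator for the Allowed locations policy rule, to show what a policy assignment actually checks when a deployment lands in a resource group. The policy JSON follows the structure of the built-in Allowed locations definition (allOf, field, notIn, notEquals, a deny effect and a parameters() reference); the assignment parameters, the resource documents, the helper names and the location normalization are constructed for this example, and the evaluator implements only the conditions that policy needs plus anyOf, not, in and equals.

```python
import re

# Policy rule with the structure of the built-in "Allowed locations" definition.
ALLOWED_LOCATIONS_POLICY = {
    "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},
                {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Constructed assignment parameters: the regions the regulator permits.
ASSIGNMENT_PARAMETERS = {"listOfAllowedLocations": ["westeurope", "northeurope"]}

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _resolve(value, params):
    """Expand a "[parameters('name')]" reference; other values pass through."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def _norm(value):
    # Locations and types compare case-insensitively in Azure; "West Europe" and
    # "westeurope" name the same region, so spaces are dropped too (simplification).
    return value.replace(" ", "").lower() if isinstance(value, str) else value


def _matches(condition, resource, params):
    """Evaluate one policy condition against a resource document."""
    if "allOf" in condition:
        return all(_matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource, params)
    actual = _norm(resource.get(condition["field"]))
    if "equals" in condition:
        return actual == _norm(_resolve(condition["equals"], params))
    if "notEquals" in condition:
        return actual != _norm(_resolve(condition["notEquals"], params))
    if "in" in condition:
        return actual in [_norm(v) for v in _resolve(condition["in"], params)]
    if "notIn" in condition:
        return actual not in [_norm(v) for v in _resolve(condition["notIn"], params)]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, params, resource):
    """Return the policy effect ("deny") when the if-block matches, else "allow"."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource, params) else "allow"


def check_deployment(policy, params, resources):
    """Evaluate every resource in a deployment; returns {name: effect}."""
    return {r["name"]: evaluate(policy, params, r) for r in resources}


# Constructed deployment: an App Service plan, a web app and a SQL server, plus a
# global Traffic Manager profile that the policy must not block.
DEPLOYMENT = [
    {"name": "plan-eu", "type": "Microsoft.Web/serverfarms", "location": "West Europe"},
    {"name": "app-eu", "type": "Microsoft.Web/sites", "location": "westeurope"},
    {"name": "sql-us", "type": "Microsoft.Sql/servers", "location": "eastus"},
    {"name": "tm-global", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
]


if __name__ == "__main__":
    for name, effect in check_deployment(ALLOWED_LOCATIONS_POLICY, ASSIGNMENT_PARAMETERS, DEPLOYMENT).items():
        print(f"{name:10} {effect}")
```

The two exclusions in the rule matter in practice: without the "global" and B2C carve-outs, an allowed-locations assignment at subscription scope would also deny region-less resources such as Traffic Manager profiles that the application legitimately needs.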
-
You have an application that sends events to an Azure event hub by using HTTP requests over the internet.
You plan to increase the number of application instances.
You need to recommend a solution to reduce the overhead associated with sending events to the hub.
What should you recommend?
- Configure the application to send events by using the AMQP protocol
- Reduce the retention period of the event hub.
- Replace the event hub with an Azure Service Bus instance.
- Configure the application to send events by using the HTTPS protocol.
Explanation:
Event Hubs accepts events over AMQP 1.0 and over HTTPS. Each HTTPS send is a separate request that carries a SAS token header and, unless the client reuses connections, a new TLS handshake. AMQP opens one long-lived, bidirectional, TLS-protected connection per client and multiplexes sends over it, so the per-event cost is much lower once the connection is established, and that difference grows with the number of application instances. The Event Hubs client SDKs use AMQP by default.
Incorrect Answers:
B: The retention period only affects how long events are kept in the hub; it does not change the cost of sending them.
C: Service Bus is a transactional message broker, not a higher-throughput ingestion path; Event Hubs is the service designed for high-volume, low-latency event ingestion.
D: The Event Hubs REST endpoint only accepts HTTPS, so the application is already paying the per-request overhead; naming the protocol HTTPS does not remove it.
-
HOTSPOT
Your company develops a web service that is deployed to an Azure virtual machine named VM1. The web service allows an API to access real-time data from VM1.
The current virtual machine deployment is shown in the Deployment exhibit. (Click the Deployment tab).
The chief technology officer (CTO) sends you the following email message: “Our developers have deployed the web service to a virtual machine named VM1. Testing has shown that the API is accessible from VM1 and VM2. Our partners must be able to connect to the API over the Internet. Partners will use this data in applications that they develop.”
You deploy an Azure API Management (APIM) service. The relevant API Management configuration is shown in the API exhibit. (Click the API tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
DRAG DROP
You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016 and Linux.
You need to use Azure Monitor to design an alerting strategy for security-related events.
Which Azure Monitor Logs tables should you query? To answer, drag the appropriate tables to the correct log types. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
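Added example (not from the exam page): detection logic in Python over rows shaped like the two Azure Monitor Logs tables that hold guest-OS security events, SecurityEvent for Windows (event ID 4625, an account failed to log on) and Syslog for Linux (sshd "Failed password" lines in the auth or authpriv facility). The column names (TimeGenerated, Computer, EventID, Account, IpAddress, Facility, ProcessName, SyslogMessage) are the tables' own; the computer names, accounts, addresses and timestamps are constructed. The KQL in the comments is the equivalent scheduled-alert query, using fixed bins where the Python uses a sliding window.

```python
import re
from datetime import datetime, timedelta

# Constructed rows shaped like the SecurityEvent table (Windows VMs).
SECURITY_EVENT_ROWS = [
    {"TimeGenerated": "2021-03-01T10:00:05Z", "Computer": "vm-win-01", "EventID": 4625,
     "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2021-03-01T10:00:40Z", "Computer": "vm-win-01", "EventID": 4625,
     "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2021-03-01T10:01:12Z", "Computer": "vm-win-01", "EventID": 4625,
     "Account": "CONTOSO\\administrator", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2021-03-01T10:02:30Z", "Computer": "vm-win-01", "EventID": 4624,
     "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},   # successful logon, not counted
    {"TimeGenerated": "2021-03-01T10:30:00Z", "Computer": "vm-win-02", "EventID": 4625,
     "Account": "CONTOSO\\alice", "IpAddress": "10.0.0.12"},           # a single typo, no alert
]

# Constructed rows shaped like the Syslog table (Linux VMs).
SYSLOG_ROWS = [
    {"TimeGenerated": "2021-03-01T11:00:01Z", "Computer": "vm-lnx-01", "Facility": "authpriv",
     "ProcessName": "sshd", "SyslogMessage": "Failed password for root from 198.51.100.9 port 51122 ssh2"},
    {"TimeGenerated": "2021-03-01T11:00:03Z", "Computer": "vm-lnx-01", "Facility": "authpriv",
     "ProcessName": "sshd", "SyslogMessage": "Failed password for invalid user admin from 198.51.100.9 port 51130 ssh2"},
    {"TimeGenerated": "2021-03-01T11:00:09Z", "Computer": "vm-lnx-01", "Facility": "authpriv",
     "ProcessName": "sshd", "SyslogMessage": "Failed password for root from 198.51.100.9 port 51141 ssh2"},
    {"TimeGenerated": "2021-03-01T11:05:00Z", "Computer": "vm-lnx-01", "Facility": "cron",
     "ProcessName": "CRON", "SyslogMessage": "(root) CMD (run-parts /etc/cron.hourly)"},  # noise
]

SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def windows_failed_logons(rows):
    """SecurityEvent: EventID 4625 is 'an account failed to log on'."""
    return [{"table": "SecurityEvent", "time": _ts(r["TimeGenerated"]), "computer": r["Computer"],
             "account": r["Account"], "source_ip": r["IpAddress"]}
            for r in rows if r["EventID"] == 4625]


def linux_failed_logons(rows):
    """Syslog: sshd authentication failures arrive in the auth/authpriv facility."""
    events = []
    for r in rows:
        if r["Facility"] not in ("auth", "authpriv") or r["ProcessName"] != "sshd":
            continue
        m = SSH_FAIL_RE.search(r["SyslogMessage"])
        if m:
            events.append({"table": "Syslog", "time": _ts(r["TimeGenerated"]), "computer": r["Computer"],
                           "account": m.group(1), "source_ip": m.group(2)})
    return events


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source IP causes `threshold` failures against one host within
    any span of length `window` (sliding window, so bursts across a bin edge count)."""
    by_key = {}
    for e in events:
        by_key.setdefault((e["table"], e["computer"], e["source_ip"]), []).append(e)
    alerts = []
    for (table, computer, source_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"table": table, "computer": computer, "source_ip": source_ip,
                               "count": end - start + 1,
                               "accounts": sorted({e["account"] for e in evs[start:end + 1]})})
                break
    return alerts


# KQL equivalents for a scheduled alert rule (fixed 5-minute bins):
#   SecurityEvent | where EventID == 4625
#   | summarize Failures = count(), Accounts = make_set(Account) by Computer, IpAddress, bin(TimeGenerated, 5m)
#   | where Failures >= 3
#   Syslog | where Facility in ("auth", "authpriv") and ProcessName == "sshd" and SyslogMessage has "Failed password"
#   | extend SourceIp = extract(@"from (\S+) port", 1, SyslogMessage)
#   | summarize Failures = count() by Computer, SourceIp, bin(TimeGenerated, 5m)
#   | where Failures >= 3

if __name__ == "__main__":
    for alert in detect_bruteforce(windows_failed_logons(SECURITY_EVENT_ROWS) + linux_failed_logons(SYSLOG_ROWS)):
        print(alert)
```

Grouping by source address rather than by account is deliberate: a password spray rotates accounts from one source, and the Linux rows above (root and an invalid user from the same address) only trip the threshold when counted together.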
-
DRAG DROP
You are designing a network connectivity strategy for a new Azure subscription. You identify the following requirements:
– The Azure virtual machines on a subnet named Subnet1 must be accessible only from the computers in your London office.
– Engineers require access to the Azure virtual machines on a subnet named Subnet2 over the Internet on a specific TCP/IP management port.
– The Azure virtual machines in the West Europe Azure region must be able to communicate on all ports to the Azure virtual machines in the North Europe Azure region.
– Azure virtual machines on Subnet1 and Subnet2 have public IP addresses.
You need to recommend which components must be used to meet the requirements. The solution must minimize costs and administrative effort whenever possible.
What should you include in the recommendation? To answer, drag the appropriate components to the correct requirements. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
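Added example (not from the exam page): a Python model of how Azure evaluates network security group rules, lowest priority number first, first match wins, with the three default inbound rules evaluated last. It encodes the first two requirements as one custom rule per subnet and shows why nothing more is needed for Subnet1: the default DenyAllInBound rule drops everything the London rule does not allow, and the VirtualNetwork tag (which spans peered virtual networks) already admits the North Europe traffic once peering exists. The office prefix, VNet address spaces, rule names and management port (22) are constructed, and service tags are resolved against the constructed address space, which is a simplification of the real tags.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # 100-4096 for custom rules; the lower number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR/IP, "*" or a service tag (Internet, VirtualNetwork, AzureLoadBalancer)
    dest_port: str    # "22", "1000-2000" or "*"


# Constructed address space: the West Europe VNet plus the peered North Europe
# VNet. The VirtualNetwork tag covers both once peering is in place.
VNET_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16"]
AZURE_LB_PROBE_IP = "168.63.129.16"

# Azure's default inbound rules (documented priorities); always evaluated last.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Subnet1: the VMs have public IPs, so only the London office (constructed prefix)
# may reach them; every other source falls through to DenyAllInBound.
SUBNET1_RULES = [NsgRule("AllowLondonOffice", 100, "Allow", "*", "203.0.113.0/28", "*")]

# Subnet2: engineers need one management port (assumed to be 22) from the Internet.
SUBNET2_RULES = [NsgRule("AllowMgmtPortFromInternet", 100, "Allow", "Tcp", "Internet", "22")]


def _source_matches(source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return in_vnet
    if source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    if source == "Internet":  # simplification: anything outside the VNets and not the probe address
        return not in_vnet and src_ip != AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(source, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def evaluate_inbound(custom_rules, src_ip, protocol, dest_port):
    """The first matching rule in ascending priority order decides; returns (access, rule name)."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _source_matches(rule.source, src_ip) or not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"  # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    for subnet, rules, src, proto, port in [
        ("Subnet1", SUBNET1_RULES, "203.0.113.5", "Tcp", 443),
        ("Subnet1", SUBNET1_RULES, "198.51.100.20", "Tcp", 443),
        ("Subnet1", SUBNET1_RULES, "10.2.4.9", "Tcp", 445),
        ("Subnet2", SUBNET2_RULES, "198.51.100.20", "Tcp", 22),
        ("Subnet2", SUBNET2_RULES, "198.51.100.20", "Tcp", 3389),
    ]:
        print(subnet, src, proto, port, "->", evaluate_inbound(rules, src, proto, port))
```

The third requirement (all ports between the two regions) is met by VNet peering plus the default AllowVnetInBound rule, so it costs no extra NSG rules; if Subnet1 should be reachable from nowhere but London, including from the peered VNet, an explicit Deny with a priority below 65000 is needed because the VirtualNetwork default allow would otherwise admit it.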
-
You are designing a container solution in Azure that will include two containers. One container will host a web API that will be available to the public. The other container will perform health monitoring of the web API and will remain private. The two containers will be deployed together as a group.
You need to recommend a compute service for the containers. The solution must minimize costs and maintenance overhead.
What should you include in the recommendation?
- Azure Service Fabric
- Azure Kubernetes Service (AKS)
- Azure Container Instances
- Azure Container registries
Explanation:
Azure Container Instances supports the deployment of multiple containers onto a single host using a container group. A container group is useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached process.
-
You plan to run an image rendering workload in Azure. The workload uses parallel compute processes.
What is the best service to use to run the workload? More than one answer choice may achieve the goal. Select the BEST answer.
- an Azure virtual machine scale set
- Azure Function App
- Azure Kubernetes Service (AKS)
- Azure Batch
Explanation:
Azure Batch works well with intrinsically parallel (also known as "embarrassingly parallel") workloads. Intrinsically parallel workloads are those where the applications can run independently, and each instance completes part of the work. When the applications are executing, they might access some common data, but they do not communicate with other instances of the application. Intrinsically parallel workloads can therefore run at a large scale, determined by the amount of compute resources available to run applications simultaneously.
-
You are designing a microservices architecture that will use Azure Kubernetes Service (AKS) to host pods that run containers. Each pod deployment will host a separate API. Each API will be implemented as a separate service.
You need to recommend a solution to make the APIs available to external users from Azure API Management. The solution must meet the following requirements:
– Control access to the APIs by using mutual TLS authentication between API Management and the AKS-based APIs.
– Provide access to the APIs by using a single IP address.
What should you recommend to provide access to the APIs?
- the LoadBalancer service in AKS
- custom network security groups (NSGs)
- the Ingress Controller in AKS
Explanation:
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster. Because TLS terminates at the ingress controller, it is also the place to require and verify the client certificate that API Management presents, which is what the mutual TLS requirement calls for; a LoadBalancer service per API would give each API its own IP and no TLS handling, and network security groups filter by address and port, not by certificate.