AZ-400 : Microsoft Azure DevOps Solutions : Part 03
-
Your company hosts a web application in Azure. The company uses Azure Pipelines for the build and release management of the application.
Stakeholders report that the past few releases have negatively affected system performance.
You configure alerts in Azure Monitor.
You need to ensure that new releases are only deployed to production if the releases meet defined performance baseline criteria in the staging environment first.
What should you use to prevent the deployment of releases that fail to meet the performance baseline?
- an Azure Scheduler job
- a trigger
- a gate
- an Azure function
Explanation:
Scenarios and use cases for gates include:
– Quality validation. Query metrics from tests on the build artifacts such as pass rate or code coverage and deploy only if they are within required thresholds.
Use Quality Gates to integrate monitoring into your pre-deployment or post-deployment. This ensures that you are meeting the key health/performance metrics (KPIs) as your applications move from dev to production and that any differences in the infrastructure environment or scale are not negatively impacting your KPIs.
Note: Gates allow automatic collection of health signals from external services, and then promote the release when all the signals are successful at the same time or stop the deployment on timeout. Typically, gates are used in connection with incident management, problem management, change management, monitoring, and external approval systems.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a project in Azure DevOps.
You need to prevent the configuration of the project from changing over time.
Solution: Perform a Subscription Health scan when packages are created.
Does this meet the goal?
- Yes
- No
Explanation:
Instead, implement Continuous Assurance for the project.
Note: The Subscription Security health check feature in AzSK contains a set of scripts that examine a subscription and flag security issues, misconfigurations, or obsolete artifacts/settings that can put your subscription at higher risk.
-
Your company uses the following resources:
– Windows Server 2019 container images hosted in an Azure Container Registry.
– Azure virtual machines that run the latest version of Ubuntu
– An Azure Log Analytics workspace
– Azure Active Directory (Azure AD)
– An Azure key vault
For which two resources can you receive vulnerability assessments in Azure Security Center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- the Azure Log Analytics workspace
- the Azure key vault
- the Azure virtual machines that run the latest version of Ubuntu
- Azure Active Directory (Azure AD)
- The Windows Server 2019 container images hosted in the Azure Container Registry.
Explanation:
B: Azure Security Center includes Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence.
C: When Security Center discovers a connected VM without a vulnerability assessment solution deployed, it provides the security recommendation “A vulnerability assessment solution should be enabled on your virtual machines”.
Ubuntu supported versions: 12.04 LTS, 14.04 LTS, 15.x, 16.04 LTS, 18.04 LTS
-
You use Azure Pipelines to manage build pipelines, GitHub to store source code, and Dependabot to manage dependencies.
You have an app named App1.
Dependabot detects a dependency in App1 that requires an update.
What should you do first to apply the update?
- Create a pull request.
- Approve the pull request.
- Create a branch.
- Perform a commit.
Explanation:
Dependabot is a useful tool to regularly check for dependency updates. By helping to keep your project up to date, Dependabot can reduce technical debt and immediately apply fixes for security vulnerabilities when patches are released.
How does Dependabot work?
1. Dependabot regularly checks dependencies for updates.
2. If an update is found, Dependabot creates a new branch with this upgrade and a pull request for approval.
3. You review the new pull request, ensure the tests passed, review the code, and decide if you can merge the change.
-
You manage a project in Azure DevOps.
You need to prevent the configuration of the project from changing over time.
Solution: Add a code coverage step to the build pipelines.
Does this meet the goal?
- Yes
- No
Explanation:
Instead, implement Continuous Assurance for the project.
-
You manage a project in Azure DevOps.
You need to prevent the configuration of the project from changing over time.
Solution: Implement Continuous Integration for the project.
Does this meet the goal?
- Yes
- No
Explanation:
Instead, implement Continuous Assurance for the project.
-
You manage a project in Azure DevOps.
You need to prevent the configuration of the project from changing over time.
Solution: Implement Continuous Assurance for the project.
Does this meet the goal?
- Yes
- No
Explanation:
The basic idea behind Continuous Assurance (CA) is to set up the ability to check for “drift” from what is considered a secure snapshot of a system. Support for Continuous Assurance lets us treat security truly as a ‘state’ as opposed to a ‘point in time’ achievement. This is particularly important in today’s context, when ‘continuous change’ has become the norm.
There can be two types of drift:
– Drift involving ‘baseline’ configuration: This involves settings that have a fixed number of possible states (often pre-defined/statically determined ones). For instance, a SQL DB can have TDE encryption turned ON or OFF, or a Storage Account may have auditing turned ON while the log retention period is less than 365 days.
– Drift involving ‘stateful’ configuration: There are settings which cannot be constrained within a finite set of well-known states. For instance, the IP addresses configured to have access to a SQL DB can be any (arbitrary) set of IP addresses. In such scenarios, human judgment is usually required initially to determine whether a particular configuration should be considered ‘secure’ or not. However, once that is done, it is important to ensure that there is no “stateful drift” from the attested configuration. (E.g., if, in a troubleshooting session, someone adds the IP address of a developer machine to the list, the Continuous Assurance feature should be able to identify the drift and generate notifications/alerts or even trigger ‘auto-remediation’, depending on the severity of the change.)
-
You are designing a configuration management solution to support five apps hosted on Azure App Service. Each app is available in the following three environments: development, test, and production.
You need to recommend a configuration management solution that meets the following requirements:
– Supports feature flags
– Tracks configuration changes from the past 30 days
– Stores hierarchically structured configuration values
– Controls access to the configurations by using role-based access control (RBAC) permissions
– Stores shared values as key/value pairs that can be used by all the apps
Which Azure service should you recommend as the configuration management solution?
- Azure Cosmos DB
- Azure App Service
- Azure App Configuration
- Azure Key Vault
Explanation:
The Feature Manager in the Azure portal for App Configuration provides a UI for creating and managing the feature flags that you use in your applications.
App Configuration offers the following benefits:
– A fully managed service that can be set up in minutes
– Flexible key representations and mappings
– Tagging with labels
– Point-in-time replay of settings
– Dedicated UI for feature flag management
– Comparison of two sets of configurations on custom-defined dimensions
– Enhanced security through Azure-managed identities
– Encryption of sensitive information at rest and in transit
– Native integration with popular frameworks
App Configuration complements Azure Key Vault, which is used to store application secrets.
-
You have a containerized solution that runs in Azure Container Instances. The solution contains a frontend container named App1 and a backend container named DB1. DB1 loads a large amount of data during startup.
You need to verify that DB1 can handle incoming requests before users can submit requests to App1.
What should you configure?
- a liveness probe
- a performance log
- a readiness probe
- an Azure Load Balancer health probe
Explanation:
For containerized applications that serve traffic, you might want to verify that your container is ready to handle incoming requests. Azure Container Instances supports readiness probes to include configurations so that your container can’t be accessed under certain conditions.
Incorrect Answers:
A: Containerized applications may run for extended periods of time, resulting in broken states that may need to be repaired by restarting the container. Azure Container Instances supports liveness probes so that you can configure your containers within your container group to restart if critical functionality is not working.
-
You are designing a strategy to monitor the baseline metrics of Azure virtual machines that run Windows Server.
You need to collect detailed data about the processes running in the guest operating system.
Which two agents should you deploy? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- the Telegraf agent
- the Azure Log Analytics agent
- the Azure Network Watcher Agent for Windows
- the Dependency agent
Explanation:
The following table provides a quick comparison of the Azure Monitor agents for Windows.
-
DRAG DROP
You use Azure Pipelines to automate Continuous Integration/Continuous Deployment (CI/CD) for an Azure web app named WebApp1.
You configure an Azure Monitor alert that is triggered when WebApp1 generates an error.
You need to configure the alert to forward details of the error to a third-party system. The solution must minimize administrative effort.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Box 1: Create an Azure logic app.
Box 2: Select the HTTP request trigger.
Box 3: Update the action group in Azure Monitor.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure DevOps organization named Contoso and an Azure subscription. The subscription contains an Azure virtual machine scale set named VMSS1 that is configured for autoscaling.
You have a project in Azure DevOps named Project1. Project1 is used to build a web app named App1 and deploy App1 to VMSS1.
You need to ensure that an email alert is generated whenever VMSS1 scales in or out.
Solution: From Azure DevOps, configure the Notifications settings for Project1.
Does this meet the goal?
- Yes
- No
Explanation:
Notifications help you and your team stay informed about activity that occurs within your projects in Azure DevOps. You can get notified when changes occur to the following items:
– work items
– code reviews
– pull requests
– source control files
– builds
-
You have an Azure DevOps organization named Contoso and an Azure subscription. The subscription contains an Azure virtual machine scale set named VMSS1 that is configured for autoscaling.
You have a project in Azure DevOps named Project1. Project1 is used to build a web app named App1 and deploy App1 to VMSS1.
You need to ensure that an email alert is generated whenever VMSS1 scales in or out.
Solution: From Azure DevOps, configure the Service hooks settings for Project1.
Does this meet the goal?
- Yes
- No
-
You have an Azure DevOps organization named Contoso and an Azure subscription. The subscription contains an Azure virtual machine scale set named VMSS1 that is configured for autoscaling.
You have a project in Azure DevOps named Project1. Project1 is used to build a web app named App1 and deploy App1 to VMSS1.
You need to ensure that an email alert is generated whenever VMSS1 scales in or out.
Solution: From Azure Monitor, create an action group.
Does this meet the goal?
- Yes
- No
-
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Litware, Inc. is an independent software vendor (ISV). Litware has a main office and five branch offices.
Existing Environment
Application Architecture
The company’s primary application is a single monolithic retirement fund management system based on ASP.NET web forms that use logic written in VB.NET. Some new sections of the application are written in C#.
Variations of the application are created for individual customers. Currently, there are more than 80 live code branches in the application’s code base.
The application was developed by using Microsoft Visual Studio. Source code is stored in Team Foundation Server (TFS) in the main office. The branch offices access the source code by using TFS proxy servers.
Architectural Issues
Litware focuses on writing new code for customers. No resources are provided to refactor or remove existing code. Changes to the code base take a long time, as dependencies are not obvious to individual developers.
Merge operations of the code often take months and involve many developers. Code merging frequently introduces bugs that are difficult to locate and resolve.
Customers report that ownership costs of the retirement fund management system increase continually. The need to merge unrelated code makes even minor code changes expensive.
Customers report that bug reporting is overly complex.
Requirements
Planned Changes
Litware plans to develop a new suite of applications for investment planning. The investment planning applications will require only minor integration with the existing retirement fund management system.
The investment planning applications suite will include one multi-tier web application and two iOS mobile applications. One mobile application will be used by employees; the other will be used by customers.
Litware plans to move to a more agile development methodology. Shared code will be extracted into a series of packages.
Litware has started an internal cloud transformation process and plans to use cloud-based services whenever suitable.
Litware wants to become proactive in detecting failures, rather than always waiting for customer bug reports.
Technical Requirements
The company’s investment planning applications suite must meet the following technical requirements:
– New incoming connections through the firewall must be minimized.
– Members of a group named Developers must be able to install packages.
– The principle of least privilege must be used for all permission assignments.
– A branching strategy that supports developing new functionality in isolation must be used.
– Members of a group named Team Leaders must be able to create new packages and edit the permissions of package feeds.
– Visual Studio App Center must be used to centralize the reporting of mobile application crashes and device types in use.
– By default, all releases must remain available for 30 days, except for production releases, which must be kept for 60 days.
– Code quality and release quality are critical. During release, deployments must not proceed between stages if any active bugs are logged against the release.
– The mobile applications must be able to call the share pricing service of the existing retirement fund management system. Until the system is upgraded, the service will only support basic authentication over HTTPS.
– The required operating system configuration for the test servers changes weekly. Azure Automation State Configuration must be used to ensure that the operating system on each test server is configured the same way when the servers are created and checked periodically.
Current Technical Issue
The test servers are configured correctly when first deployed, but they experience configuration drift over time. Azure Automation State Configuration fails to correct the configurations.
Azure Automation State Configuration nodes are registered by using the following command.
-
HOTSPOT
How should you complete the code to initialize App Center in the mobile application? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Scenario: Visual Studio App Center must be used to centralize the reporting of mobile application crashes and device types in use.
In order to use App Center, you need to opt in to the service(s) that you want to use, meaning by default no services are started and you will have to explicitly call each of them when starting the SDK.
Insert the following line to start the SDK in your app’s AppDelegate class in the didFinishLaunchingWithOptions method.
MSAppCenter.start("{Your App Secret}", withServices: [MSAnalytics.self, MSCrashes.self])
-
Case Study
Overview
Contoso, Ltd. is a manufacturing company that has a main office in Chicago.
Existing Environment
Contoso plans to improve its IT development and operations processes by implementing Azure DevOps principles. Contoso has an Azure subscription and creates an Azure DevOps organization.
The Azure DevOps organization includes:
– The Docker extension
– A deployment pool named Pool7 that contains 10 Azure virtual machines that run Windows Server 2019
The Azure subscription contains an Azure Automation account.
Requirements
Planned changes
Contoso plans to create projects in Azure DevOps as shown in the following table.
Technical requirements
Contoso identifies the following technical requirements:
– Implement build agents for Project1.
– Whenever possible, use Azure resources.
– Avoid using deprecated technologies.
– Implement a code flow strategy for Project2 that will:
  – Enable Team2 to submit pull requests for Project2.
  – Enable Team2 to work independently on changes to a copy of Project2.
  – Ensure that any intermediary changes performed by Team2 on a copy of Project2 will be subject to the same restrictions as the ones defined in the build policy of Project2.
– Whenever possible, implement automation and minimize administrative effort.
– Implement Project3, Project5, Project6, and Project7 based on the planned changes.
– Implement Project4 and configure the project to push Docker images to Azure Container Registry.
-
You add the virtual machines as managed nodes in Azure Automation State Configuration.
You need to configure the managed computers in Pool7.
What should you do next?
- Modify the RefreshMode property of the Local Configuration Manager (LCM).
- Run the Register-AzureRmAutomationDscNode Azure PowerShell cmdlet.
- Modify the ConfigurationMode property of the Local Configuration Manager (LCM).
- Install PowerShell Core.
Explanation:
The Register-AzureRmAutomationDscNode cmdlet registers an Azure virtual machine as an APS Desired State Configuration (DSC) node in an Azure Automation account.
Scenario: The Azure DevOps organization includes:
– The Docker extension
– A deployment pool named Pool7 that contains 10 Azure virtual machines that run Windows Server 2019
-
DRAG DROP
You need to implement the code flow strategy for Project2 in Azure DevOps.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Create a repository
A Git repository, or repo, is a folder that you’ve told Git to help you track file changes in. You can have any number of repos on your computer, each stored in their own folder.
Step 2: Create a fork
Step 3: Add a build policy for the fork
Build policies help teams protect their important branches of development. Policies enforce your team’s code quality and change management standards.
Scenario:
Implement a code flow strategy for Project2 that will:
– Enable Team2 to submit pull requests for Project2.
– Enable Team2 to work independently on changes to a copy of Project2.
– Ensure that any intermediary changes performed by Team2 on a copy of Project2 will be subject to the same restrictions as the ones defined in the build policy of Project2.
-
DRAG DROP
You need to configure Azure Automation for the computers in Pool7.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Create a Desired State Configuration (DSC) configuration file that has an extension of .ps1.
Step 2: Run the Import-AzureRmAutomationDscConfiguration Azure PowerShell cmdlet
The Import-AzureRmAutomationDscConfiguration cmdlet imports an APS Desired State Configuration (DSC) configuration into Azure Automation. Specify the path of an APS script that contains a single DSC configuration.
Example:
PS C:\> Import-AzureRmAutomationDscConfiguration -AutomationAccountName "Contoso17" -ResourceGroupName "ResourceGroup01" -SourcePath "C:\DSC\client.ps1" -Force
This command imports the DSC configuration in the file named client.ps1 into the Automation account named Contoso17. The command specifies the Force parameter. If there is an existing DSC configuration, this command replaces it.
Step 3: Run the Start-AzureRmAutomationDscCompilationJob Azure PowerShell cmdlet
The Start-AzureRmAutomationDscCompilationJob cmdlet compiles an APS Desired State Configuration (DSC) configuration in Azure Automation.
-
You plan to provision a self-hosted Linux agent.
Which authentication mechanism should you use to register the self-hosted agent?
- personal access token (PAT)
- SSH key
- Alternate credentials
- certificate
Explanation:
Note: PAT is supported only on Azure Pipelines and TFS 2017 and newer. After you choose PAT, paste the PAT token you created into the command prompt window. Use a personal access token (PAT) if your Azure DevOps Server or TFS instance and the agent machine are not in a trusted domain. PAT authentication is handled by your Azure DevOps Server or TFS instance instead of the domain controller.