CIS-131 - Azure Cloud Administration

What statistic would you look at to determine the sum total of storage occupied in your storage account?

Capacity

You can use either the REST API or the Azure client library to programmatically access a storage account. What is the primary advantage of using the client library?

Code that uses the client library is much shorter and simpler than code that uses the REST API. The client library handles assembling requests and parsing responses for you.

Desired State Configuration

Configuration block(s) have a name. ▪ Node blocks define the computers or VMs that you are configuring. ▪ Resource block(s) configure the resource and its properties. ▪ There are many built-in configuration resources.

Your company has a website that allows users to customize their experience by downloading an app. Demand for the app has increased so you have added another virtual network with two virtual machines. These machines are dedicated to serving the app downloads. You need to ensure the additional download requests do not affect the website performance. Your solution must route all download requests to the two new servers you have installed. What action will you recommend? Select one.

Configure Traffic Manager.

Application firewall rules

Configure fully qualified domain names (FQDNs) that can be accessed from a subnet

You are interested in finding a single tool to help identify high VM CPU utilization, DNS resolution failures, firewall rules that are blocking traffic, and misconfigured routes. Which tool can you use? Select one.

Network Watcher Connection Troubleshoot

Suppose an administrator wants to assign a role to allow a user to create and manage Azure resources but not be able to grant access to others. Which of the following built-in roles would support this?

Contributor

You want to connect different VNets in the same region as well as different regions and decide to use VNet peering to accomplish this. Which of the following statements are true benefits of VNet peering? Select two.

Network traffic between peered virtual networks is private. Peering is easy to configure and manage, requiring little to no downtime.

What tool can you use to gain greater visibility into your spending patterns?

Cost Analysis

You plan to use Azure Backup to protect your virtual machines and data and are ready to create a backup. What is the first thing you need to do? Select one.

Create a Recovery Services vault.

You are planning your Azure network implementation to support your company's migration to Azure. Your first task is to prepare for the deployment of the first set of VMs. The first set of VMs that you are deploying have the following requirements: ▪ Consumers on the internet must be able to communicate directly with the web application on the VMs. ▪ The IP configuration must be zone redundant. You need to configure the environment to prepare for the first VM. Additionally, you need to minimize costs, whenever possible, while still meeting the requirements. What should you do?

Create a standard public IP address. During the creation of the first VM, associate the public IP address with the VM's NIC.

You have two Azure subscriptions named Sub1 and Sub2. Sub1 has an existing virtual network named VNET1. Sub2 does not have a virtual network. You need to configure the environment so VMs in one subscription can communicate with VMs in the other subscription. What should you do?

Create a virtual network named VNET2 in Sub2. Create a VNet-to-VNet connection.

Review Question 7 You're currently using network security groups (NSGs) to control how your network traffic flows in and out of your virtual network subnets and network interfaces. You want to customize how your NSGs work. For all incoming traffic, you need to apply your security rules to both the virtual machine and subnet level. Which of the following options will let you accomplish this? (Choose two)

Create rules for both NICs and subnets with an 'allow' action. Add rules with a higher priority than the default rules.

Create Azure Storage accounts before deploying your app. Create containers in your application as needed.

Creating an Azure Storage account is an administrative activity and can be done prior to deploying an application. Container creation is lightweight and is often driven by run-time data, which makes it a good activity to do in your application.

Which is the most efficient way for the testing team to save costs on virtual machines on weekends, when testers are not at work?

Deallocate virtual machines when they're not in use

You are planning to configure networking in Microsoft Azure. Your company has a new Microsoft Azure presence with the following network characteristics: 1 Virtual Network. 1 subnet using 192.168.0.0/23 (does not have existing resources). Your on-premises data center has the following network characteristics: 10 subnets using 192.168.1.0/24 through 192.168.10.0/24. The company intends to use 192.168.1.0/24 on-premises and 192.168.0.0/24 in Azure. You need to update your company's environment to enable the needed functionality. What should you do? (Each answer represents part of the solution. Choose two.)

Delete 192.168.0.0/23 from Azure. Create a subnet for 192.168.0.0/24 in Azure.

Your company is deploying a critical business application to Microsoft Azure. The uptime of the application is of utmost importance. The application has the following components: ▪ 2 web servers ▪ 2 application servers ▪ 2 database servers You need to design the layout of the VMs to meet the following requirements: ▪ Each VM in a tier must run on different hardware ▪ Uptime for the application must be maximized You need to deploy the VMs to meet the requirements. What should you do?

Deploy the application and database VMs in one availability set and the web VMs into a separate availability set.

You need to backup files and folders to Azure. Which three steps must you perform?

Download, install and register the backup agent. Back up files and folders. Create a recovery services vault.

Tags applied at a resource group level are propagated to resources within the resource group.

False

Tags can be applied to any type of resource on Azure

False

What is the default distribution type for traffic through a load balancer?

Five-tuple hash

Which of the following two features of Azure networking provide the ability to redirect all Internet traffic back to your company's on-premises servers for packet inspection? Select two.

Forced Tunneling User Defined Routes

You need to provide a contingent staff employee temporary read-only access to the contents of an Azure storage account container named media. It is important that you grant access while adhering to the security principle of least-privilege. What should you do?

Generate a shared access signature (SAS) token for the container.

What are the key elements of Account SAS tokens?

Granted at the account level to grant permissions to services within the account

What are the key elements of Service SAS tokens?

Grants access to a specific service within a Storage Account

Which of these changes between access tiers will happen immediately?

Hot to Cool

You plan to use virtual machine soft delete. Which of the following statements are true? Select two.

If you delete a backup, soft delete still provides recovery of data. Soft delete is built-in protection at no additional cost.

You've created a new database in Azure SQL Database. When will the first full backup run?

Immediately

Your company is preparing for a major migration to Microsoft Azure. Before the migration, the company wants to establish network connectivity from the on-premises environment. The company has established the following requirements for connectivity: ▪ Connectivity must be persistent. ▪ Connectivity must provide for the entire on-premises site. ▪ Connectivity must not go over the public Internet. You need to implement a connectivity solution that meets the requirements. What should you do?

Implement Azure ExpressRoute.

Where are SQL Server backups stored, by default?

In a read-access geo-redundant storage account

How are NotActions used in a role definition?

NotActions are subtracted from the Actions to define the list of permissible operations.

Your company is preparing to implement a Site-to-Site VPN to Microsoft Azure. You are selected to plan and implement the VPN. Currently, you have an Azure subscription, an Azure virtual network, and an Azure gateway subnet. You need to prepare the on-premises environment and Microsoft Azure to meet the prerequisites of the Site-to-Site VPN. Later, you will create the VPN connection and test it. What should you do? (Each answer presents part of the solution. Select three.)

Obtain a VPN device for the on-premises environment. Create a virtual network gateway (VPN) and the local network gateway in Azure. Obtain a public IPv4 IP address without NAT for the VPN device.

How does IIS in particular benefit from application replication?

One-click failover, script integration, network mapping

Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual machines in another virtual network. You need to install an Azure load balancer to direct traffic between the virtual networks. What should you do? Select one.

Install an internal load balancer.

You are deploying the Application Gateway and want to ensure incoming requests are checked for common security threats like cross-site scripting and crawlers. To address your concerns what should you do? Select one.

Install the Web Application Firewall

NAT firewall rule

Configure DNAT rules to allow incoming connections

What are the steps to remove a custom role?

Delete the role assignments and then delete the custom role.

Your company runs a web-based massively multiplayer online game (MMO). The game is popular worldwide. The company is planning to move the game to Microsoft Azure. A migration project starts and you have been assigned the task of handling game traffic. The project has identified the following requirements for the game: ▪ Host the game from every Azure region. ▪ Direct users to the closest region. ▪ Offload SSL from the servers. ▪ Maximize the performance for players. ▪ Distribute the traffic evenly to servers within each region. You need to deploy technologies to meet the requirements. What should you do?

Deploy Azure Load Balancer, Azure Traffic Manager, and Azure Application Gateway.

You are creating a connection between two virtual networks. Performance is a key concern. Which of the following will most influence performance? Select one.

Ensuring you select an appropriate Gateway SKU.

What is the correct order for the four stages of failover and failback when you replicate your on-premises environment to Azure?

Fail over to the secondary site on Azure. Reprotect the Azure virtual machines by replicating back to on-premises. Fail back to the primary on-premises site. Reprotect the on-premises virtual machines by replicating to Azure.

What is the main advantage of an availability set?

It allows virtual machines to be available across physical server failures.

Which criteria does Application Gateway use to route requests to a web server? Select one.

The hostname, port, and path in the URL of the request.

Which of the following statements about external load balancers is correct?

They have a public IP address.

When configuring network access to your Azure Storage Account, what is the default network rule?

To allow all connections from all networks

standard

You are administering a production web app. The app requires scaling to five instances, 40GB of storage, and a custom domain name. Which App Service Plan should you select? Select one

Azure database for MySQL, app configuration

You are backing up your App Service. Which of the following is included in the backup? Select two.

Blob or queue storage access

best done by creating authorized apps in AD

network contributor role

lets you manage networks, but not access them

Cross-Origin Resource Sharing (CORS)

use of HTTP headers so web applications at one domain can access resources from a server at another. Used by Azure Storage

You need to ensure that Azure DNS can resolve names for your registered domain. What should you implement? Select one

zone delegation

Implementing Scale Sets

▪ Instance count: Number of VMs in the scale set (0 to 1000). ▪ Instance size: The size of each virtual machine in the scale set. ▪ Azure Spot Instance: Unused capacity at a discounted rate. ▪ Use managed disks. ▪ Enable scaling beyond 100 instances.

Network Security Groups

▪ Limit network traffic to resources in a virtual network. ▪ Contains a list of security rules that allow or deny inbound or outbound network traffic. ▪ Can be associated to a subnet or a network interface.

Benefits of Azure DNS

▪ Removes the need for custom DNS solutions. ▪ Use all common DNS record types. ▪ Automatic hostname record management. ▪ Hostname resolution between virtual networks. ▪ Familiar tools and user experience. ▪ Split-horizon DNS support. ▪ Available in all Azure regions.

Scale Sets

▪ Scale sets deploy a set of identical VMs. ▪ No pre-provisioning of VMs is required. ▪ As demand goes up VMs are added. ▪ As demand goes down VMs are removed. ▪ The process can be manual, automated, or a combination of both.

Two types of disks: Unmanaged and Managed

▪ Unmanaged disks require you to manage the storage accounts and VHDs. ▪ Managed disks are maintained by Azure (recommended).

Azure Domains and Custom Domains

▪ When you create an Azure subscription an Azure AD domain is created for you. ▪ The domain has an initial domain name in the form domainname.onmicrosoft.com. ▪ You can customize/change the name. ▪ After the custom name is added, it must be verified.

Planned Maintenance

-Events are periodic updates made to the Azure platform. -Action: No action.

NSG Rules

-Security rules in NSGs enable you to filter network traffic that can flow in and out of virtual network subnets and network interfaces. -There are default security rules. You cannot delete the default rules, but you can add other rules with a higher priority.

Unexpected Downtime

-When a virtual machine fails unexpectedly. -Action: Automatically migrate (heal).

Unplanned Hardware Maintenance

-When the platform predicts a failure, it will issue an unplanned hardware maintenance event. -Action: live migration.

Which of the following sets the scope of a role to be the resource group myResourceGroup?

/subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup

Implementing Firewalls

1. Create the network infrastructure. 2. Deploy the firewall. 3. Create a default route. 4. Configure rules. ✔️ In production deployments, a Hub and Spoke model is recommended.

What are the criteria for using Azure Disks?

1. Do not need to access the data outside of the VM 2. Lift-and-shift of machines from on-premises 3. Disk expansion for application installations

What is Shared Access Signature?

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you grant them access to a resource for a specified period of time. An account-level SAS can delegate access to multiple storage services (i.e. blob, file, queue, table). Note that stored access policies are currently not supported for an account-level SAS.

What is Azure Storage Explorer?

A utility that allows you to manage storage anywhere from Windows, MacOS, and Linux https://azure.microsoft.com/en-us/features/storage-explorer/ 1. Management for all your storage accounts and multiple subscriptions across Azure, Azure Stack, and government cloud 2. Accessible, intuitive, feature-rich graphical user interface (GUI) for full management of cloud storage resources 3. Robust security features like cross-origin resource sharing and shared access signature to help protect your data access wherever you are

What is classified as stale data?

Any data that hasn't been accessed for one year or more

Dynamic IP address (default)

Azure assigns the next available unassigned or unreserved IP address in the subnet's address range

What is Blob Storage

Binary Large Object - Random text, video or images.

Type of blobs

Block Blobs: blocks of different sizes that are written to and uploaded. Append Blobs: can only have new data added to it. Page Blobs: used for random-access read and write.

What is a tool that can be used to effectively keep your organization accountable for its spending?

Budgets

What is the inheritance order for scope in Azure?

Management group, Subscription, Resource group, Resource

When you monitor a recovery from the recovery services vault, which of the following statistics can be viewed on the Site Recovery dashboard?

Replicated items, monitoring of test failovers, and monitoring of configuration issues

What is a REST API? Explain.

Representational State Transfer (REST) API is an application that allows devices or applications to communicate. Both sides are secured and protected because of REST API's architectural constraints, which allows users to make changes to the application without modifying the server's database design.

How should you test the Azure Site Recovery deployment?

Run a disaster recovery drill for a single isolated VM, on an isolated network.

What is the Azure PowerShell cmdlet to update a custom role?

Set-AzRoleDefinition

What are the 2 types for SAS tokens?

Shared Access Signature: Account SAS tokens and Service SAS tokens. All are encrypted.

What are the key elements of SAS tokens?

Shared Access Signature (SAS): it's a query string that we add to the URL of a storage resource. The string informs Azure what access should be granted.

Which of the following is not a valid blob storage access tier?

Standard

Your organization has several Linux virtual machines. You would like to use Log Analytics to retrieve error messages for these machines. You plan to automate the process, so you create a search query. You begin the query by identifying the source table. Which source table do you use? Select one

SysLog

Which of the following can be used to initialize the Blob Storage client library within an application?

The Azure Storage account connection string.

Which of these is the correct meaning of a recovery time objective (RTO)?

The measure of the maximum amount of time the business can survive if a disaster happens

If you delete a user account by mistake, can it be restored?

The user account can be restored, but only when it's created within the last 30 days.

Why might you use virtual network peering?

To connect virtual networks together in the same region or across regions.

What is the main benefit of using a network virtual appliance?

To control incoming traffic from the perimeter network and allow only traffic that meets security requirements to pass through.

Why would you use a custom route in a virtual network?

To control the flow of traffic within your Azure virtual network.

True or False, an organization can have more than one Azure AD directory.

True

How many access keys per storage account?

Two for redundancy. Once you regenerate, all links break.

Public IP addresses

Used for communication with the Internet, including Azure public-facing services.

Private IP addresses

Used within an Azure virtual network (VNet), and your on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure.

Which of the following is a good analogy for the access keys of a storage account?

Username and password

When you enable SSPR for your Azure AD organization...

Users can reset their passwords when they can't sign in.

redirection to a provider endpoint

What method does Microsoft Azure App Service use to obtain credentials for users attempting to access an app? Select one.

inputs

Which of the following is not an element in the template schema? Select one.

is scheduled on multiple host machines

Which of the following is not true about container groups? Select one.

each user account can be assigned multiple machines

Which of the following is not true about the Cloud Shell?

kubelet

Which of the following is the Kubernetes agent that processes the orchestration requests from the cluster master, and schedules running the requested containers? Select one.

global administrator

You are assigning Azure AD roles. Which role will allow the user to manage all the groups in your Teams tenants and be able to assign other administrator roles? Select one.

SSH key pair

You are planning to deploy several Linux VMs in Azure. The security team issues a policy that Linux VMs must use an authentication system other than passwords. You need to deploy an authentication method for the Linux VMs to meet the requirement. Which authentication method should you use? Select one.

Use HDD instead of SSD for VM storage. Bring your own Windows license for each VM. Use different Azure regions. Use the least powerful VMs that meet your requirements.

You are researching Microsoft Azure for your company. The company is considering deploying Windows-based VMs in Azure. However, before moving forward, the management team has asked you to research the costs associated with Azure VMs. You need to document the configuration options that are likely to save the company money on their Azure VMs. Which options should you document? (Each answer presents part of the solution. Select four.)

request support increase your limit

You are reviewing your virtual machine usage. You notice that you have reached the limit for virtual machines in the US East region. Which of the following provides the easiest solution? Select one.

Which two statements regarding an Azure VPN gateway are true? Select two.

You can only assign a dynamic public IP address to an Azure VPN Gateway. The gateway connects an Azure VNet to an on-premises network.

node virtual machines

You decide to move all your services to Azure Kubernetes service. Which of the following components will contribute to your monthly Azure charge? Select one.

Tenant

You have a new Azure subscription and need to move resources to that subscription. Which of the following resources cannot be moved? Select one.

Your manager asks you to verify some information about Azure Virtual WANs. Which of the following statements are true? Select three.

You must use a VPN device that provides IKEv2/IKEv1 IPsec support. Virtual WAN supports ExpressRoute. Virtual WAN supports site-to-site connections.

Deploy the DSC extension for Linux VMs. Deploy the DSC extension for Windows Server VMs.

Your company has Windows Server 2012 R2 VMs and Ubuntu Linux VMs in Microsoft Azure. The company has a new project to standardize the configuration of servers across the Azure environment. The company opts to use Desired State Configuration (DSC) across all VMs. You need to ensure that DSC can be used across all the VMs. What two things should you do? Select two.

Assign her as a Resource Group Owner.

Your company hires a new IT administrator. She needs to manage a resource group with first-tier web servers including assigning permissions. However, she should not have access to other resource groups inside the subscription. You need to configure role-based access. What should you do? Select one.

Configure the Bastion service

Your organization has a security policy that prohibits exposing SSH ports to the outside world. You need to connect to an Azure Linux virtual machine to install software. What should you do? Select one.

Join the device to Azure AD.

Your users want to sign in to devices, apps, and services from anywhere. They want to sign in using an organizational work or school account instead of a personal account. You must ensure corporate assets are protected and that devices meet standards for security and compliance. Specifically, you need to be able to enable or disable a device. What should you do? Select one.

Fault Domains

a group of virtual machines that share a common set of hardware and switches, and so share a single point of failure. VMs in an availability set are placed in at least two fault domains.

account-level SAS

allow access to anything that a service-level SAS can allow, plus additional resources and abilities

Service-Level SAS

allow access to specific storage accounts.

Virtual Directories and Blobs.

blobs can be named like files and folders (stuff/music/song.mp4) and then be accessed by an API

Remote Desktop Protocol (RDP)

creates a GUI session and accepts inbound traffic on TCP port 3389

WinRM

creates a command-line session so can run scripts

Azure Blob storage

data in the cloud that is unstructured (can be PDF, JSON, image)

Shared Key

easiest to use and supported by many Azure resources. The client embeds the shared key in the HTTP Authorization header

Shared Access Signature(SAS)

for untrusted clients; a string that contains a security token attached to a URI.

managed identities for Azure resources

provides Azure services with an automatically managed identity in Azure Active Directory

CloudStorageAccount.Parse("connectionString")

returns a storage object that is used to create other clients

You have an Azure virtual machine that has a multi-network interface with private IP addressing. To which IP address in Azure managed DNS is the hostname mapped? Select one.

the primary network interface

Vertical scaling (scale up and scale down)

the process of increasing or decreasing power to a single instance of a workload; usually manual.

Azure Table Storage

used to store NoSQL, semi-structured data

Azure Queue Storage

used to store messages in a queue, which can then be accessed and processed by applications through HTTP(S) calls

Linux Virtual Machines

▪ Hundreds of community-built images in the Azure Marketplace. ▪ Linux has the same deployment options as for Windows VMs. ▪ Manage Linux VMs with many popular open-source DevOps tools.

Creating NSG Rules

▪ Service - The destination protocol and port range for this rule. ▪ Port ranges - Single port or multiple ports. ▪ Priority - The lower the number, the higher the priority.

What are the criteria for using Azure Files?

1. Access files across multiple machines 2. Jumpbox scenarios for shared development

What are the ways to connect with Azure Storage Explorer?

1. Azure AD 2. Connection String 3. Shared Access Signature URI 4. Storage account name and key 5. Attach a local emulator 6. Add Azure Account (sign in with credentials)

What are the differences between Block and Page Blob?

1. Block Blob - storing text or binary files, 50K blocks/100MB block with a total size of 4.75TB. Supports Append Blobs. 2. Page Blob - Efficient for read/write, used by Azure VMs, up to 8 TB in size

What are the types of storage accounts?

1. GPV1 2. GPV2 - New standard, main type used. Can support blobs as well. 3. Blob Account

How do you create a storage account via PowerShell?

1. Get-AzureResourceGroup - List available RG 2. $resourcegroupname = "name of RG where you want to create storage account" 3. New-AzureRMStorageAccount -ResourceGroupName $resourcegroupname -Name "nameofnewacct" -Location "eastus" -SkuName (Standard_LRS, etc.) -Kind (Storage or Blob)

What are the tiers of storage in Azure?

1. Hot - higher storage cost, lower access cost 2. Cold - Lower storage cost, higher access cost. Intended for data that will remain cool for 30 days or more 3. Archive - Lowest storage costs, highest retrieval cost. When a blob is in archive storage it is offline and can't be read; it has to be restored first

How do you create a storage account in the Azure Portal?

1. Select the subscription 2. Click Add at the top 3. In the search bar, type in Storage Account - blob, file, table, queue 4. In the blade: click Create - select the RG - type in the name of the Storage Account (must be lowercase letters and numbers) - select location - Standard vs. Premium - Account Kind (GPV1 or GPV2); GPv2 is standard - choose replication (LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS) - click Create

You are configuring your network environment in Microsoft Azure. You create a virtual network. Next, you create a single subnet using 172.16.10.0/24. You opt to deploy a load balancer on the first available IP address in the subnet. Which IP address should you use for the load balancer?

172.16.10.4

Azure storage accounts have how many access keys?

2

What happens when you call GetBlockBlobReference with the name of a blob?

A CloudBlockBlob object is created locally. No network calls are made.

Azure DNS Zones

A DNS zone hosts the DNS records for a domain. ▪ The name of the zone must be unique within the resource group. ▪ Where multiple zones share the same name, each instance is assigned a different name server address. ▪ Only one set of addresses can be configured with the domain name registrar.

What is a role definition in Azure?

A collection of permissions with a name that is assignable to a user, group, or application

What kind of account would you create to allow an external organization easy access?

A guest user account for each member of the external team.

What are Stored Access Policies?

A method of controlling SAS. ▪ Group shared access signatures and provide additional restrictions. ▪ Can be used to change the start time, expiry time, permissions, or revoke it after it has been issued. ▪ Only supported on service SAS: Blob containers, File shares, Queues, Tables.

Your organization has an app that is used across the business. The performance of this app is critical to day-to-day operations. Because the app is so important, four IT administrators have been identified to address any issues. You have configured an alert and need to ensure the administrators are notified if there is a problem. In which area of the portal will you provide the administrator email addresses? Select one.

Action Group

You deploy a new domain named contoso.com to domain controllers in Azure. You have the following domain-joined VMs in Azure: ▪ VM1 at 10.20.30.10 ▪ VM2 at 10.20.30.11 ▪ VM3 at 10.20.30.12 ▪ VM99 at 10.20.40.101 You need to add DNS records so that the hostnames resolve to their respective IP addresses. Additionally, you need to add a DNS record so that intranet.contoso.com resolves to VM99. What should you do? (Each answer presents part of the solution. Choose two.)

Add A records for each VM. Add a CNAME record for intranet.contoso.com with a value of VM99.contoso.com.

You deploy a new domain named contoso.com to domain controllers in Azure. You have the following domain-joined VMs in Azure: ▪ VM1 at 10.20.30.10 ▪ VM2 at 10.20.30.11 ▪ VM3 at 10.20.30.12 ▪ VM99 at 10.20.40.101 You need to add DNS records so that the hostnames resolve to their respective IP addresses. Additionally, you need to add a DNS record so that intranet.contoso.com resolves to VM99. What should you do?

Add A records for each VM. Add a CNAME record for intranet.contoso.com with a value of VM99.contoso.com.

Your company has an existing Azure tenant named alpineskihouse.onmicrosoft.com. The company wants to start using alpineskihouse.com for their Azure resources. You add a custom domain to Azure. Now, you need to add a DNS record to prepare for verifying the custom domain. Which two of the following record types could you create?

Add a TXT record to the DNS zone. Add an MX record to the DNS zone.

You need to determine who deleted a network security group through Resource Manager. You are viewing the Activity Log when another Azure Administrator says you should use this event category to narrow your search. Select one.

Administrative

Which Azure service detects anomalies in account activities and notifies you of potential harmful attempts to access your account?

Advanced Threat Protection

What are Custom Domains?

Allow you to customize Storage and CDN locations. Create a CNAME record with your DNS provider that points from: 1. Your domain, such as www.yourdomain.com, to stacctdemo.blob.core.windows.net. This method is simpler but results in a brief downtime while Azure verifies the domain registration. 2. The "asverify" subdomain, such as verify.yourdomain.com, to stacctdemo.blob.core.windows.net. After this step completes, you can create a CNAME similar to step one. No downtime with option 2 - "Use Indirect CNAME validation" check box.

What do you have to install or create to store simple boot diagnostics in Azure?

An Azure storage account.

You are reviewing the Alerts page and notice an alert has been Acknowledged. What does this mean? Select one.

An administrator has reviewed the alert and started working on it.

Enable the autoscale option.

Another IT administrator creates an Azure virtual machine scale set with 5 VMs. Later, you notice that the VMs are all running at max capacity with the CPU being fully consumed. However, additional VMs are not deploying in the scale set. You need to ensure that additional VMs are deployed when the CPU is 75% consumed. What should you do? Select one.

Which of the following features of Azure Site Recovery aid application workloads in a seamless failover?

App-consistent snapshots, near synchronous replication, SQL Server Always On integration

What does the application mapping provide and how is it deployed?

Application mapping provides a visual representation of the application components, failures, and dependencies of the application topology. On the Application Insights page, we can click on the Application map to observe the full topology.

You are configuring the Azure Firewall. You need to allow Windows Update network traffic through the firewall. Which of the following should you use?

Application rules

You have a VM with two NICs named NIC1 and NIC2. NIC1 is connected to the 10.10.8.0/24 subnet. NIC2 is connected to the 10.20.8.0/24 subnet. You plan to update the VM configuration to provide the following functionality: ▪ Enable direct communication from the internet to TCP port 443. ▪ Maintain existing communication across the 10.10.8.0/24 and 10.20.8.0/24 subnets. ▪ Maintain a simple configuration whenever possible. You need to update the VM configuration to support the new functionality. What should you do?

Associate a public IP address to NIC2 and create an inbound security rule.

You have a VM with two NICs named NIC1 and NIC2. NIC1 is connected to the 10.10.8.0/24 subnet. NIC2 is connected to the 10.20.8.0/24 subnet. You plan to update the VM configuration to provide the following functionality: Enable direct communication from the internet to TCP port 443. Maintain existing communication across the 10.10.8.0/24 and 10.20.8.0/24 subnets. Maintain a simple configuration whenever possible. You need to update the VM configuration to support the new functionality. What should you do? Select one.

Associate a public IP address to NIC2 and create an inbound security rule.

Suppose an administrator in another department needs access to a virtual machine managed by your department. What's the best way to grant them access to just that resource?

At the resource scope, assign the role with the appropriate access.

What is AzCopy?

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. This article helps you download AzCopy, connect to your storage account, and then transfer files.

How does Azure App Service ensure that production performance doesn't drop just after a swap?

Azure App Service ensures that production performance doesn't drop after a swap by warming up all the instances in the slot. This operation allows the traffic to be smooth and the requests are successfully sent to the application root.

Your company provides a secure web-based encryption service at www.contoso.com. Users visit the company website and can encrypt individual files and send links to recipients. Links expire in 3 days. Encrypted files are archived for 1 year and are only available to the sender. Your company is moving the encryption service to Microsoft Azure. To maximize performance and reduce costs, the company has established the following requirements: Files that are being encrypted, decrypted, and downloaded for up to 3 days must be accessible via www.contoso.com/immediate. Additionally, the storage performance must be maximized. A set of 5 VMs will serve the short-term files. Files that are being archived for 1 year must be stored in lower-performing storage and accessible via www.contoso.com/archive. A separate set of 5 VMs will serve the archive files. You need to deploy Microsoft Azure technology to ensure that files are available per the requirements. Which technology should you deploy?

Azure Application Gateway.

You are responsible for creating a disaster recovery plan for your data center. You must be able to recreate virtual machines from scratch. This includes the Operating System, its configuration/ settings, and patches. Which of the following will provide a bare metal backup of your machines? Select one.

Azure Backup Server

Your organization needs a way to create application-aware snapshots, and backup Linux virtual machines and VMware virtual machines. You have files, folders, volumes, and workloads to protect. Which of the following solutions do you recommend? Select one.

Azure Backup Server

You have several Azure VMs that are currently running production workloads. You have a mix of Windows Server and Linux servers and you need to implement a backup strategy for your production workloads. Which feature should you use in this case? Select one.

Azure Backup.

Your company is planning to store log data, crash dump files, and other diagnostic data for Azure VMs in Azure. The company has issued the following requirements for the storage: Administrators must be able to browse to the data in File Explorer. Access over SMB 3.0 must be supported. The storage must support quotas. You need to choose the storage type to meet the requirements. Which storage type should you use? Select one.

Azure Files

Your company has a popular regional website. The company plans to move it to Microsoft Azure and host it in the Canada East region. The web team has established the following requirements for managing the web traffic: Evenly distribute incoming web requests across a farm of 10 Azure VMs. Support many incoming requests, including spikes during peak times. Minimize complexity. Minimize ongoing costs. Which of the following would you select for this scenario? Select one.

Azure Load Balancer

Network firewall rules

Configure rules that contain source addresses, protocols, destination ports, and destination addresses

You have a hybrid environment with some resources located in your on-premises data center and some resources located in Microsoft Azure. You have an internal domain named alpineskihouse.com. All domain controllers are DNS servers. You have two domain controllers in Azure IaaS to service VMs in Azure. All existing servers are joined to the domain. You deploy two new Linux VMs in a default configuration. Later, you notice that they are unable to resolve the alpineskihouse.com domain. You need to ensure that the two new Linux VMs can resolve the alpineskihouse.com domain. What should you do?

Configure the Linux VMs to point to the two domain controllers in Azure IaaS for DNS.

You work for an open source development company. You use Microsoft Azure for a variety of storage needs. Up to now, all the storage was used for internal purposes only. It is organized in block blobs. Each block blob is in its own container. Each container is set to default settings. In total, you have 50 block blobs. The company has decided to provide read access to the data in the block blobs, as part of releasing more information about their open source development efforts. You need to reconfigure the storage to meet the following requirements: All block blobs must be readable by anonymous internet users. What should you do? Select one.

Create a new container, move all the blobs to the new container, and then set the public access level to Blob.

You are planning your Azure network implementation to support your company's migration to Azure. Your first task is to prepare for the deployment of the first set of VMs. The first set of VMs that you are deploying have the following requirements: Must be able to communicate with customers on the internet. You need to configure the environment to prepare for the first VM. Additionally, you need to minimize costs, whenever possible, while still meeting the requirements. What should you do? Select one.

Create a standard public IP address. During the creation of the first VM, associate the public IP address with the VM's NIC.

You have a hybrid environment with some resources in an on-premises data center and some resources in Microsoft Azure. Your on-premises data center is connected to Azure through a site-to-site VPN. You deploy default Windows Server 2016 VMs in Azure. You configure them to use your on-premises DNS servers. In your on-premises environment, all domain controllers are also DNS servers. Several months later, you notice that some of the VMs in Azure are not resolving in DNS. You troubleshoot and find that all the name resolution issues are tied to the first VMs you deployed in Azure. VMs that were recently deployed resolve successfully in DNS. You need to ensure that all Azure VMs resolve from your on-premises DNS servers. What should you do?

Disable scavenging.

You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these options would you recommend to restore a database used for development on a data disk? Select one.

Disk snapshot

Which load balancing strategy does the Application Gateway implement? Select one.

Distributes requests to each available server in a backend pool in turn, round-robin.

You implement a site-to-site VPN to connect your on-premises site to Microsoft Azure. The information security team has mandated that all internet traffic from Azure VMs go to the internet through the on-premises data center so that the existing security software can scan the communication for compliance. You need to configure the environment to meet the information security requirement. What should you do?

Enable forced tunneling.

You manage a large datacenter that is running out of space. You propose extending the datacenter to Azure using a Multi-Protocol Label Switching virtual private network. Which connectivity option would you select? Select one.

ExpressRoute

What is meant by the terms failover and failback in the context of disaster recovery?

Failover is the transfer of workload to a secondary site during a test or disaster scenario. Failback is when the workload gets transferred back over to the primary site from the secondary site.

Custom Script Extensions

For PowerShell use the Set-AzVmCustomScriptExtension command

You have several VMs in Azure hosting a web application for the public. Each of the VMs has been assigned a public IP address. You use the host firewall to protect each VM. You have a similar, but smaller, non-production implementation of the web application in Azure. The web application is set to grow exponentially over the next several months. The web application team manager is concerned about maintaining the VM security with the host firewalls. The manager comes up with the following requirements to prepare for the growth of the web application: Control inbound network ports for all web application VMs in a more automated way. Reuse the production VM security for the non-production VM security. Minimize the administrative overhead of implementing and maintaining network security for the web application. You need to implement a new method to meet the requirements. What should you do?

Implement a Network Security Group (NSG)

Your company is preparing to implement persistent connectivity to Microsoft Azure. The company has a single site, headquarters, which has an on-premises data center. The company establishes the following requirements for the connectivity: Connectivity must be persistent. Connectivity must provide for the entire on-premises site. You need to implement a connectivity solution to meet the requirements. What should you do? Select one.

Implement a Site-to-Site VPN.

You use a Microsoft Azure storage account for storing large numbers of video and audio files. You create containers to store each type of file and want to limit access to those files for specific periods. Additionally, the files can only be accessed through shared access signatures (SAS). You need the ability to revoke access to the files and to change the period for which users can access the files. What should you do in order to accomplish this in the most simple and effective way? Select one.

Implement stored access policies for each container to enable revocation of access or change of duration.

You are analyzing the company's virtual network and think it would help to get a visual representation of the networking elements. Which feature can you use? Select one.

Network Watcher Topology

What are the key steps required to set up Azure Site Recovery to protect your on-premises VMs?

Networking, create a Recovery Services vault, give the correct permissions to credentials, install a configuration server in your vCenter via an OVA

Your company is preparing to move some services and VMs to Microsoft Azure. The company has opted to use Azure DNS to provide name resolution. A project begins to configure the name resolution. The project identifies the following requirements: A new domain will be used. The domain will have DNS records for internal and external resources. Minimize ongoing administrative overhead. You need to prepare and configure the environment with a new domain name and a test hostname of WWW. Which of the following steps should you perform? (Each answer presents part of the solution. Choose three.)

Register a domain name with a domain registrar. Delegate the new domain name to Azure DNS. Add a record for WWW.

Which is the best first step the team should take to compare the cost of running these environments on Azure versus in their datacenter?

Run the Total Cost of Ownership Calculator.

You are configuring VNet Peering across two Azure virtual networks, VNET1 and VNET2. You are configuring the VPN Gateways. You want VNET2 to be able to use VNET1's gateway to get to resources outside the peering. What should you do? Select one.

Select allow gateway transit on VNET1 and use remote gateways on VNET2.

You are working on a project with a 3rd party vendor to build a website for a customer. The image assets that will be used on the website are stored in an Azure Storage account that is held in your subscription. You want to give read access to this data for a limited period of time. What security option would be the best option to use?

Shared Access Signatures

You are working on a project with a 3rd party vendor to build a website for a customer. The image assets that will be used on the website are stored in an Azure Storage account that is held in your subscription. You want to give read access to this data for a limited period of time. What security option would be the best option to use?

Shared Access Signatures: a string that contains a security token that can be attached to a URI. Use a shared access signature to delegate access to storage objects and specify constraints, such as the permissions and the time range of access.

You have several VMs in Microsoft Azure. All the VMs are configured with the default IP addressing solution. A VM named VM1 is assigned the 172.16.10.100 IP address. You stop VM1 to perform some disk maintenance activities. During that time, another administrator deploys a new VM named VM25. Later, after VM1 comes back online, you notice that its IP address changed. Now, VM25 is assigned the 172.16.10.100 IP address. You need to ensure that VM1 maintains the IP address of 172.16.10.100. All other VMs should have their IP addresses automatically allocated. What should you do?

Stop VM25 and Configure VM1 with a static IP address of 172.16.10.100.

What security permissions must you have to copy data into Blob storage using AzCopy?

Storage Blob Data Contributor

List the 7 background processing examples. Define one of them.

The 7 background processing examples are: Azure Blob Storage Trigger, Azure Cosmos DB Trigger, Azure Event Grid Trigger, Azure Queue Storage Trigger, Azure Service Bus Queue Trigger, Azure Service Bus Topic Trigger, and Time Trigger. Azure Blob Storage Trigger begins a function when a blob is created, updated, and detected.

What are the components of an SAS Token?

The Blob - https://example.blob.core.windows.net/images/images.jpg; Storage Service version - SV=2015-04-05 or later; Signed Services - SS=bfqt; Signed Resource Types - SP=rwdlacup; Signed Expiry & Start - SE=2018-02-24T01:21:26Z&st=2018-02-23T17:21:26Z; Signed Protocol - spr=https

What is the difference between horizontal and vertical scaling?

The difference between horizontal and vertical scaling is that horizontal scaling can scale in or out the number of virtual machines. When a company is able to scale 'out' horizontally, it means that the number of virtual machines can be increased. If instead, the organization can scale 'in' (horizontally), the number of virtual machines would decrease. Vertical scaling means the power that can be added or taken away from virtual machines. We can vertically scale 'down' or 'up' a virtual machine. This means that the power will be more (scale up), or less (scale down). By increasing the disk space, memory, size of hardware, and the speed of the CPU, organizations can make a virtual machine more powerful.

What is the key benefit of an event-driven application?

The key benefit of an event-driven application is that the application is activated when there is an action generated. Additionally, there are no charges until this activation occurs since the code is not running until there is an event, which can be a click or pressing a key.

You are configuring a site-to-site VPN connection between your on-premises network and your Azure network. The on-premises network uses a Cisco ASA VPN device. You have checked to ensure the device is on the validated list of VPN devices. Before you proceed to configure the device what two pieces of information should you ensure you have? Select two.

The shared key you provided when you created your site-to-site VPN connection. The public IP address of your virtual network gateway.

What tool should you use to prepare a Linux Server image for generalization?

To prepare a Linux Server image for generalization the command waagent can be used. To delete the specific data and files we must add -deprovision after the waagent command. Additionally, the +user parameter will remove the user account last provisioned. The command will look like this: sudo waagent -deprovision+user

What tool should you use to prepare a Windows Server image for generalization?

To prepare a Windows Server image for generalization, the tool used should be Sysprep, which is the Microsoft System preparation tool. Sysprep can be run on Command Line Prompt or on GUI, and its function is to prepare a system image to be cloned several times.

You want to track the average CPU usage of your Azure virtual machine over the last seven days. What is the most straightforward way to do this?

View the metrics for the virtual machine on the Overview page and set the range to the last seven days.

You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these options would you recommend to restore the entire virtual machine or files on the virtual machine? Select one.

Virtual machine backup

Which configuration is required to configure an internal load balancer?

Virtual machines should be in the same virtual network.

You have several websites and are using Traffic Manager to distribute the network traffic. You are bringing a new endpoint online but are not sure that it is ready to accept a full load of requests. Which Traffic Manager routing algorithm should you use? Select one.

Weighted

When is a user considered registered for SSPR?

When they've registered at least the number of methods that you've required to reset a password.

In which of the following situations would a validation test happen automatically?

When you use the Azure portal to move resources to a new resource group.

You deploy an internal load balancer between your web tier and app tier servers. You configure a custom HTTP health probe. Which two of the following are not true? Select two.

You can change the number of failures within a time period. By default, the health probe checks the endpoint every 30 seconds.

How might you deploy a network virtual appliance?

You can configure a Windows virtual machine and enable IP forwarding after routing tables, user-defined routes, and subnets have been updated. Or you can use a partner image from Azure Marketplace.

Add a load balancer. Put the virtual machines in an availability set.

You host a service with two Azure virtual machines. You discover that occasional outages cause your service to fail. What two actions can you do to minimize the impact of the outages? Select two.

Static IP address

You manually select and assign any unassigned or unreserved IP address in the subnet's address range

Update domains

allows Azure to perform incremental or rolling upgrades across a deployment. During planned maintenance, only one update domain is rebooted at a time.

Account-Level SAS

allows access to storage accounts and has special privileges. Usually, when users read/write data to your storage.

Horizontal scaling (scale out and scale in)

the process of increasing or decreasing the number of instances of a workload; frequently automated.

You need to ensure that Azure DNS can resolve names for your registered domain. What should you implement?

zone delegation

DNS Record Sets

▪ A record set is a collection of records in a zone that have the same name and are the same type. ▪ You can add up to 20 records to any record set. ▪ A record set cannot contain two identical records.

Subnets

▪ A virtual network can be segmented into one or more subnets. ▪ Subnets provide logical divisions within your network. ▪ Subnets can help improve security, increase performance, and make it easier to manage the network. ▪ Each subnet must have a unique address range - cannot overlap with other subnets in the virtual network in the subscription.

You deploy a new domain named contoso.com to domain controllers in Azure. You have the following domain-joined VMs in Azure: ▪ VM1 at 10.20.30.10 ▪ VM2 at 10.20.30.11 ▪ VM3 at 10.20.30.12 ▪ VM99 at 10.20.40.101 You need to add DNS records so that the hostnames resolve to their respective IP addresses. Additionally, you need to add a DNS record so that intranet.contoso.com resolves to VM99. What should you do?

▪ Add A records for each VM. ▪ Add a CNAME record for intranet.contoso.com with a value of VM99.contoso.com.

You host a service with two Azure virtual machines. You discover that occasional outages cause your service to fail. What two actions can you do to minimize the impact of the outages?

▪ Add a load balancer. ▪ Put the virtual machines in an availability set.

Azure Networking Components

▪ Adopting cloud solutions can save time and simplify operations. ▪ Azure requires the same types of networking functionality as on-premises infrastructure. ▪ Azure networking offers a wide range of services and products.

Linux VM Connections

▪ Authenticate with a SSH public key or password. ▪ SSH is an encrypted connection protocol that allows secure logins over unsecured connections. ▪ There are public and private keys.

Implementing Virtual Networks

▪ Create new virtual networks at any time. ▪ Add virtual networks when you create a virtual machine. ▪ Need to define the address space, and at least one subnet. ▪ Be careful with overlapping address spaces.

You're currently using network security groups (NSGs) to control how your network traffic flows in and out of your virtual network subnets and network interfaces. You want to customize how your NSGs work. For all incoming traffic, you need to apply your security rules to both the virtual machine and subnet level. Which of the following options will let you accomplish this?

▪ Create rules for both NICs and subnets with an 'allow' action. ▪ Add rules with a higher priority than the default rules.

Implementing Autoscale

▪ Define a minimum, maximum, and default number of VM instances. ▪ Create more advanced scale sets with scale-out and scale-in parameters.

Autoscale

▪ Define rules to automatically adjust capacity. ▪ Scale-out (increase) the number of VMs in the set. ▪ Scale in (reduce) the number of VMs in the set. ▪ Schedule events to increase or decrease at a fixed time. ▪ Reduces monitoring and optimizes performance.

You are planning to configure networking in Microsoft Azure. (Your company has a new Microsoft Azure presence with the following network characteristics: ▪ 1 Virtual Network. ▪ 1 subnet using 192.168.0.0/23 (does not have existing resources). Your on-premises data center has the following network characteristics: ▪ 10 subnets using 192.168.1.0/24 through 192.168.10.0/24.) The company intends to use 192.168.1.0/24 on-premises and 192.168.0.0/24 in Azure. You need to update your company's environment to enable the needed functionality. What should you do?

▪ Delete 192.168.0.0/23 from Azure. ▪ Create a subnet for 192.168.0.0/24 in Azure.

Virtual Networks

▪ Logical representation of your own network. ▪ Create a dedicated private cloud-only virtual network. ▪ Securely extend your data center with virtual networks. ▪ Enable hybrid cloud scenarios.

NSG Effective Rules

▪ NSGs are evaluated independently for the subnet and NIC. ▪ An "allow" rule must exist at both levels for traffic to be admitted. ▪ Use the Effective Rules link if you are not sure which security rules are being applied.

Virtual Machine Disks

▪ Operating System Disks are SATA drives, labeled as C: ▪ Temporary Disks provide short-term storage. ▪ Data Disks are SCSI drives and depend on your virtual machine type.

Storage Options

▪ Premium storage offers high-performance, low-latency SSD disk support. ▪ Use premium storage for virtual machines with input/output (I/O)-intensive workloads.

Your company is preparing to move some services and VMs to Microsoft Azure. The company has opted to use Azure DNS to provide name resolution. A project begins to configure the name resolution. The project identifies the following requirements: ▪ A new domain will be used. ▪ The domain will have DNS records for internal and external resources. ▪ Minimize ongoing administrative overhead. You need to prepare and configure the environment with a new domain name and a test hostname of WWW. Which of the following steps should you perform?

▪ Register a domain name with a domain registrar. ▪ Delegate the new domain name to Azure DNS. ▪ Add a record for WWW.

Virtual Machine Connections

▪ Remote Desktop Protocol (RDP) for Windows-based virtual machines. ▪ Secure Shell Protocol (SSH) for Linux-based virtual machines. ▪ Bastion Subnet for RDP/SSH through the Portal over SSL.

Azure Firewall

▪ Stateful firewall as a service. ▪ Built-in high availability with unrestricted cloud scalability. ▪ Create, enforce, and log application and network connectivity policies. ▪ Threat intelligence-based filtering. ▪ Fully integrated with Azure Monitor for logging and analytics. ▪ Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways.

In which of the following situations do you need to obtain an access token before you can validate a move?

When you use custom code to call the validateMoveResources REST API

a JSON document with key-value pairs

Which of the following best describes the format of an Azure Resource Manager template? Select one.

Read-access geo-redundant storage

Which of the following replicates your data to a secondary region, maintains six copies of your data, and is the default replication option? Select one.

Always on, custom domain names, publishing endpoints

Which of the following settings are not swapped when you swap an app? Select three.

Custom domain names, always-on, publishing endpoints

Which of the following settings are not swapped when you swap an app? Select three.

blob storage

used to store unstructured data as a binary large object (blob)

To add or delete users from your Azure Active Directory (Azure AD) organization

you must be a user admin or global admin

What commands help you determine what operations to add to a custom role definition?

Use 'az provider operation show' to find resource provider operations.

Resources in the Dev and Test environments are each paid for by different departments. What's the best way to categorize costs by department?

Apply a tag to each virtual machine that identifies the appropriate billing department.

When is conditional access applied?

After first-factor authentication

What information does an Action provide in a role definition?

An Action provides the allowed management capabilities for the role.

Which of the following best describes the relationship between a subscription and an Azure AD directory?

An Azure AD directory can be associated with multiple subscriptions, but a subscription is always tied to a single directory.

What device security sign-in options does Azure AD join support?

An Azure AD work account with password or Windows Hello, and multifactor authentication

Which of the following items would be good use of a resource lock?

An ExpressRoute circuit with connectivity back to your on-premises network

A manager currently has access to the subscription that's used for the organization's production environment. They also need Owner access to the subscription that's used for the organization's development environment. How can this access be granted?

An administrator with Owner or User Access Administrator access to the development environment can grant the manager access to the subscription.

What's the main difference between Azure roles and Azure AD roles?

Azure roles apply to Azure resources. Azure AD roles apply to Azure AD resources such as users, groups, and domains.

Which of the following strategies is the best way to approach Cost Management?

Create a plan in advance and ensure every stakeholder in your organization is aligned and on board to iteratively review and understand cost drivers on a regular basis.

Which of the following approaches would be the most efficient way to ensure a naming convention was followed across your subscription?

Create a policy with your naming requirements and assign it to the scope of your subscription

Can you name one of the benefits of using Enterprise State Roaming?

Enhanced security

Suppose a team member can't view resources in a resource group. Where would the administrator go to check the team member's access?

Go to the resource group and select Access control (IAM) > Role assignments.

Azure AD includes Federation Services. There are no Organizational Units (OUs) or Group Policy Objects (GPOs) in Azure AD. Azure AD uses HTTP and HTTPS communications.

Identify three differences from the following list between Azure Active Directory (AD) and Active Directory Domain Services (AD DS). Select three.

What's included in a custom Azure role definition?

Operations allowed for Azure resources and the scope of permissions

Suppose a developer needs full access to a resource group. If you are following least-privilege best practices, what scope should you specify?

Resource group

Which of the following features does not apply to resource groups?

Resource groups can be nested.

Suppose an administrator needs to generate a report of the role assignments for the last week. Where in the Azure portal would they generate that report?

Search for Activity log and filter on the Create role assignment (roleAssignments) operation.

What provisioning options are available through Azure AD Join?

Self-service by using the Windows out-of-box experience (OOBE), Windows Autopilot, or bulk enrollment

A user who had Owner access to a subscription has left your company. No one else has access to this subscription. How can you grant another employee access to this subscription?

Use the Azure portal to elevate your own access.

A paging service.

You are configuring Self-service Password Reset. Which of the following is not a validation method? Select one.

NodePort

You are configuring networking for the Azure Kubernetes service. Which of the following maps incoming direct traffic to the pods? Select one.

Deploy the application and database VMs in one availability set and the web VMs into a separate availability set.

Your company is deploying a critical business application to Microsoft Azure. The uptime of the application is of utmost importance. The application has the following components: 2 web servers, 2 application servers, 2 database servers. You need to design the layout of the VMs to meet the following requirements: Each VM in a tier must run on different hardware. Uptime for the application must be maximized. You need to deploy the VMs to meet the above requirements. What should you do? Select one.

Azure Files

Your company is planning to store log data, crash dump files, and other diagnostic data for Azure VMs in Azure. The company has issued the following requirements for the storage: Administrators must be able to browse to the data in File Explorer. Access over SMB 3.0 must be supported. The storage must support quotas. You need to choose the storage type to meet the requirements. Which storage type should you use? Select one.

Deploy the app in a virtual machine scale set.

Your company is preparing to deploy an application to Microsoft Azure. The app is a self-contained unit that runs independently on several servers. The company is moving the app to the cloud to provide better performance. To get better performance, the team has the following requirements: If the CPU across the servers goes above 85%, a new VM should be deployed to provide additional resources. If the CPU across the servers drops below 15%, an Azure VM running the app should be decommissioned to reduce costs. You need to deploy a solution to meet the requirements while minimizing the administrative overhead to implement and manage the solution. What should you do? Select one.

Deploy blob storage using append blobs.

Your company provides cloud software to audit administrative access in Microsoft Azure resources. The software logs all administrative actions (including all clicks and text input) to log files. The software is about to be released from beta and the company is concerned about storage performance. You need to deploy a storage solution for the log files to maximize performance. What should you do? Select one.

What happens when a device isn't in the MDM scope?

The Azure AD join finishes without the enrollment to MDM.

what managed identities are used for

to authenticate to any service that supports Azure AD authentication, without having credentials in your code

An ExpressRoute circuit with connectivity back to your on-premises network

Which of the following would be good example of when to use a resource lock? Select one

What operating systems do Azure AD registered devices support?

Windows 10, iOS, Android, and macOS

create a policy initiative

Your organization has several Azure policies that they would like to create and enforce for a new branch office. What should you do? Select one.

Data Box Heavy

Your organization maintains historical images for large media companies. There are thousands of photos requiring over 600 TB of storage. Your datacenter has only limited bandwidth, and you need to quickly move the data to Azure blob storage. Additionally, security of the data including chain of custody logs and 256-bit encryption is required. Which of the following products would you recommend using? Select one.

Shared Access Signature (SAS)

a string that contains a security token that can be attached to a URI

service-level SAS

allow access to specific resources in a storage account

What's the best way to ensure that the development team doesn't provision too many virtual machines at the same time?

Apply spending limits to the development team's Azure subscription

You need to grant administrator access for an Azure subscription to someone else in your organization. That person needs to be able to manage Azure resources that were created under that subscription. The person also needs access to the billing information for that subscription. What role should you grant them?

Assign the Owner role at the subscription scope.

location, name

You are creating a new resource group to use for testing. Which two of the following parameters are required when you create a resource group with PowerShell or the CLI? Select two.

Connect-AzAccount

You are managing Azure locally using PowerShell. You have launched the app as an Administrator. Which of the following commands would you do first?

Use shared access signatures for the non-production apps. Use access keys for the production apps.

You are planning a delegation model for your Azure storage. The company has issued the following requirements for Azure storage access: Apps in the non-production environment must have automated time-limited access. Apps in the production environment must have unrestricted access to storage resources. You need to configure storage access to meet the requirements. What should you do? (Each answer presents part of the solution. Select two.)

You can switch between hot and cool performance tiers at any time.

You are using blob storage. Which of the following is true? Select one.

Use the AzCopy command-line tool

You have an existing storage account in Microsoft Azure. It stores unstructured data. You create a new storage account. You need to move half of the data from the existing storage account to the new storage account. What tool should you use? Select one.

Assign the user to the Contributor role on VM3

You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your solution must minimize administrative overhead. What should you do? Select one.

Generate a shared access signature (SAS) token for the container.

You need to provide a contingent staff employee temporary read-only access to the contents of an Azure storage account container named media. It is important that you grant access while adhering to the security principle of least privilege. What should you do? Select one.

Create management groups

You need to target policies and review spend budgets across several subscriptions you manage. What should you do? Select one.

Implement stored access policies for each container to enable revocation of access or change of duration.

You use a Microsoft Azure storage account for storing large numbers of video and audio files. You create containers to store each type of file and want to limit access to those files for specific periods. Additionally, the files can only be accessed through shared access signatures (SAS). You need the ability to revoke access to the files and to change the period for which users can access the files. What should you do in order to accomplish this in the most simple and effective way? Select one.

Create a new container, move all the blobs to the new container, and then set the public access level to Blob.

You work for an open-source development company. You use Microsoft Azure for a variety of storage needs. Up to now, all the storage was used for internal purposes only. It is organized in block blobs. Each block blob is in its own container. Each container is set to default settings. In total, you have 50 block blobs. The company has decided to provide read access to the data in the block blobs, as part of releasing more information about their open source development efforts. You need to reconfigure the storage to meet the following requirements: All block blobs must be readable by anonymous internet users. What should you do? Select one.

Guest user

You would like to add a user who has a Microsoft account to your subscription. Which type of user account is this? Select one.

Create tags for each department and create Azure policy

You would like to categorize resources and billing for different departments like IT and HR. The billing needs to be consolidated across multiple resource groups and you need to ensure everyone complies with the solution. What should you do? {Choose two to complete a solution}.

Create a budget and a spending threshold.

Your company financial comptroller wants to be notified whenever the company is half-way to spending the money allocated for cloud services. What should you do? Select one.

Deploy Azure File Sync.

Your company has a file server named FS01. The server has a single shared folder that users access to shared files. The company wants to make the same files available from Microsoft Azure. The company has the following requirements: Microsoft Azure should maintain the exact same data as the shared folder on FS01. Files deleted on either side (on-premises or cloud) shall be subsequently and automatically deleted from the other side (on-premises or cloud). You need to implement a solution to meet the requirements. What should you do? Select one. Deploy DFS Namespaces. Install and use AzCopy. Deploy Azure File Sync. Install and use Azure Storage Explorer. Deploy storage tiering.

Azure Blob Storage

Your company is building an app in Azure. The app has the following storage requirements: Storage must be reachable programmatically through a REST API. Storage must be globally redundant. Storage must be accessible privately within the company's Azure environment. Storage must be optimal for unstructured data. Which type of Azure storage should you use for the app? Select one.

Resource groups can be nested.

Your manager asks you to explain how Azure uses resource groups. You provide all of the following information, except? Select one.

Install Azure AD Connect Health.

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com and an Azure Active Directory (Azure AD) domain named contoso.onmicrosoft.com. Azure AD Connect is installed and Active Directory Federation Services (AD FS) is configured. Password-writeback is enabled. You need to monitor synchronization events generated by Azure AD Connect. Select one.

An Azure subscription is a _______________.

billing entity and security boundary

