Azure Solutions Architect Expert Certification Questions And Answers Dumps
This exam measures your ability to accomplish the following technical tasks: design identity, governance, and monitoring solutions; design data storage solutions; design business continuity solutions; and design infrastructure solutions.
This blog covers Designing Microsoft Azure Infrastructure Solutions.
A candidate for this certification should have advanced experience and knowledge of IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data platforms, and governance. A professional in this role should manage how decisions in each area affect an overall solution. In addition, they should have experience in Azure administration, Azure development, and DevOps processes.
Below are the top 50 Questions and Answers for AZ303, AZ304 and AZ305 Certification Exam:
A. To ensure naming conventions are properly applied.
B. To reduce the risk associated with stale role assignments.
C. To eliminate extra distribution groups that are no longer used.
A. Discovery and insights can find privileged role assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).
B. Discovery and insights can find when guests access resources across Azure AD.
C. Discovery and insights can find security group assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).
D. N/A
A. You want to use Conditional Access policies.
B. Many Azure resources need to be managed.
C. Many users are assigned to a role.
D. N/A
A. Permanently active roles.
B. Eligible roles.
C. Transient roles.
D. N/A
A. Azure AD audit logs provide a comparison of budgeted Azure usage compared to actual.
B. Azure AD audit logs provide records of system activities for compliance reporting.
C. Azure AD audit logs allow customers to monitor activity when provisioning new services within Azure.
D. N/A
A. Yes, Azure supports exporting log data to several common third-party SIEM tools.
B. No, Azure only supports the export to Azure Sentinel.
C. Yes, Splunk is the 3rd Party SIEM Azure can export to.
D. N/A
A. Azure Microsoft Portal > Azure Active Directory > Monitoring > Notifications > Add email recipient.
B. Azure Microsoft Portal > Azure AD Domain Services > Notification settings > Add email recipient.
C. Azure Microsoft Portal > Notification Hubs > Azure Active Directory > Add email recipient.
D. N/A
To ensure the web application is resilient, you have been asked to configure Azure Storage as follows:
How would you configure Azure Storage to meet these requirements?
GZRS provides asynchronous replication to a single physical location in the secondary region. Additionally, this includes synchronous replication across three availability zones within the primary region (ZRS).
Video for reference: Storage Account Replication
Configure a Key Vault Access Policy: A Key Vault Access Policy will be required to allow Azure Disk Encryption for volume encryption.
Create an Azure Key Vault: Azure Disk Encryption leverages a Key Vault for the secure storage of cryptographic information.
Video for reference: Azure Disk Encryption
Fraud alert helps users to protect against MFA verification requests they did not initiate. It provides the ability to report fraudulent attempts, as well as the ability to automatically block users who report fraud.
Reference: Fraud Alert
New-AzStorageAccount -name "tpcstore01" -ResourceGroupName "rg1" -location "auseast" -SkuName "standard_lrs"
Which two arguments could you use to complete the PowerShell command to meet the above requirements?
-Kind "Storage"
General Purpose v1 supports blob, file, queue, table, and disk.
-Kind "StorageV2"
General Purpose v2 supports blob, file, queue, table, disk, and data lake.
New-AzKeyvault
Azure Disk Encryption leverages a Key Vault for the secure storage of cryptographic information.
Set-AzVMDiskEncryptionExtension
Azure Disk Encryption leverages a VM extension to enable BitLocker (Windows) or DM-Crypt (Linux) to encrypt boot/OS/data volumes.
– Consistency across subscriptions. It appears each subscription has different policies for the creation of virtual machines. The IT department would like to standardize the policies across the Azure subscriptions.
– Ensure critical storage is highly available. There are several critical applications that use storage. The IT department wants to ensure the storage is made highly available across regions.
– Identify R&D costs. The CTO wants to know how much a new project is costing. The costs are spread out across multiple departments.
– ISO compliance. CompanyA wants to certify that it complies with the ISO 27001 standard. The standard will require resource groups, policy assignments, and templates.
Create a management group and place all the relevant subscriptions in the new management group.
A management group could include all the subscriptions. Then a policy could be scoped to the management group and applied to all the subscriptions.
Add an Azure policy that requires geo-redundant storage.
An Azure policy can enforce different rules over your resource configurations.
Add a resource tag to identify which resources are used for the new product.
Resource tagging provides extra information, or metadata, about your resources. You could then run a cost report on all resources with that tag.
Azure blueprints.
Azure blueprints will deploy all the artifacts for ISO 27001 compliance.
Navigate to Shared Resources > Modules, and configure the additional module.
Additional PowerShell modules can be added to the sandbox environment for use by your runbooks.
– Device access to company applications. The CTO has agreed to allow some level of device access. Employees at the company’s retail stores will now be able to access certain company applications. This access, however, should be restricted to only approved devices.
– Company reorganization. A company-wide reorganization has affected many employees. These employees are now in new roles. The IT team needs to ensure users have the correct access based on their new jobs.
– External developer accounts. A new development project requires external software developers to access company data files. The IT team needs to create user accounts for approximately five developers.
– User sign-in attempts. A recent audit of user sign-in attempts revealed anonymous IP addresses and unusual locations. The IT team wants to require multifactor authentication for these attempted sign-ins.
Conditional access: Conditional Access enables you to require users to access your applications only from approved, or managed, devices.
Require an access review: An access review would give managers an opportunity to validate the employees' access.
Invite the developers as guest users to their directory: In Business-to-Business scenarios, guest user accounts are created. You can then apply the appropriate permissions.
Create a sign-in risk policy: That’s correct. A sign-in risk policy can identify anonymous IP and atypical locations. Secondary multifactor authentication can then be required.
VNET1
Location: Australia East
Resource group: RG1
Address space: 10.1.0.0/16
VNET2
Location: Australia Southeast
Resource group: RG2
Address space: 10.1.0.0/16
VNET1 and VNET2, to allow private communication between resources in each virtual network. Do you need to modify either of the two virtual networks before virtual network peering is supported?
Yes: IP address ranges cannot overlap. One of the virtual networks must have its address space changed before VNet peering can be configured.
Configure an additional server with Azure AD Connect in staging mode.
Azure AD Connect can be configured in staging mode, which helps with high availability.
Cohorts leverage analytics queries to analyze users, sessions, events, or operations that have something in common (e.g., location, event, etc.). Reference: App insights
Run the Azure AD Connect wizard, and configure Domain and OU filtering.
Premium SSD Managed Disks: Premium SSDs provide high performance and low latency, and include guaranteed capacity, IOPS, and throughput.
Warranty document retention. The company’s risk and legal teams require warranty documents be kept for three years.
New photos and videos. The company would like each product to have a photo or video to demonstrate the product features.
External vendor development. A vendor will create and develop some of the online ecommerce features. The developer will need access to the HTML files, but only during the development phase.
Product catalog updates. The product catalog is updated every few months. Older versions of the catalog aren’t viewed frequently but must be available immediately if accessed.
Time-based retention policy: With a time-based retention policy, users can set policies to store data for a specified interval. When a time-based retention policy is in place, objects can be created and read, but not modified or deleted.
Blob storage: That’s correct. Blob storage is best for their photos.
Shared access signatures: That’s correct. Shared access signatures provide secure delegated access. This functionality can be used to define permissions and how long access is allowed.
Cool access tier: That’s correct. The cool access tier is for content that wouldn’t be viewed frequently but must be available immediately if accessed.
Azure Advisor: Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources.
VNET1
SUBNET1 (10.1.1.0/24)
You need to configure DNS for a VM called VM1, that is located in SUBNET1. DNS should be set to 8.8.8.8. All other VMs must keep their existing settings.
What should you do?
Navigate to the network interface of VM1, DNS Servers, and enable Custom DNS Servers and set to 8.8.8.8.
There may be data loss, and the extent of data loss can be estimated using the Last Sync Time.
The Last Sync Time property provides an indication of how far the secondary is behind the primary. This can be used to estimate the extent of data loss that may occur.
Azure Blobs: Azure blobs are used for storing large amounts of unstructured data, such as documents, images, and video files. This service is best used for streaming audio and video, particularly over HTTP/S.
Azure Files: Azure files allow you to create and maintain highly available file shares that are accessible anywhere. They can be considered as a replacement to traditional file servers. They provide SMB access.
No: The virtual machine does use premium storage; however, this only provides a 99.9% SLA.
Vault Credentials: Vault Credentials are used by the Microsoft Azure Backup Server software to register with the vault.
Register the application in Azure AD and use a client secret.
To allow an on-premises application to authenticate with Azure AD, it can be registered in Azure AD and given a client secret (or client certificate). If this application was hosted on a supported Azure service, it could have been possible to use a managed identity instead.
Configure an access policy in Azure Key Vault.
To allow access to Key Vault, any identity (application, user, etc.) must be provided permissions using an Access Policy.
Yes: The Microsoft Azure Recovery Services (MARS) agent can perform backups of files, folders, and system states up to three times a day.
Azure Migrate Project: All migrations (both assessment and migration) require an Azure Migrate Project for the storage of related metadata.
Yes: Azure Blueprints includes several different artifacts, one of which is ‘Role Assignment’. This allows a user to be assigned permissions as part of the blueprint definition.
Yes, for VMware, Hyper-V, and physical machines. The Azure Migrate: Server Migration tool supports migrating VMware VMs, Hyper-V VMs, and physical servers.
COPY ./index.html /usr/share/nginx/html
Networking > Access Restrictions
Access Restrictions allows you to filter inbound connectivity to Azure App service, based on the IP address of the requesting user/service.
This meets the requirements of this scenario, as an Access Restriction could be configured for the Web App. To configure this, an ALLOW rule would be created for the web app (and the management interface, SCM, if needed). Adding the ALLOW rule for the IP address of 13.77.161.179 would automatically create a DENY ALL rule, which will prevent any other network location from accessing this resource.
Azure SQL auto-failover group: Using Azure SQL auto-failover groups provides protection at a geographic scale. By using the read-write listener, an application will seamlessly point to the primary, even in the event of a failover. Azure SQL auto-failover groups simplify the deployment and management of geo-replicated databases. They support replication and failover for one or more databases on Azure SQL Database or Azure SQL Managed Instances. A key benefit of auto-failover groups is the built-in management of DNS for read and read-write listeners.
Enable replication using Auto-Failover Groups. Enable the 1-hour delay using the Grace Period.
Auto-Failover Groups are supported by Azure SQL Managed Instances, and the Grace Period is used to define how many hours to wait before an automatic read/write failover occurs.
Cosmos DB Strong Consistency: Strong consistency ensures that reads are guaranteed to return the most recent committed write. This is useful when order matters.
No: Active Geo-Replication does not include DNS automatically managed for primary read/write access. This is a feature of auto-failover groups. The inclusion of DNS for both the primary read/write endpoint, and the secondary read endpoint, reduces the management overhead for ensuring applications are pointing to the correct resources in the event of a disaster.