Practice Test 2

1 . In which of the following scenarios would an IaaS deployment make the most sense?

Explanation

From the official docs: Infrastructure as a service (IaaS) is the most flexible category of cloud services, as it provides you the maximum amount of control for your cloud resources. In an IaaS model, the cloud provider is responsible for maintaining the hardware, network connectivity (to the internet), and physical security. You’re responsible for everything else: operating system installation, configuration, and maintenance; network configuration; database and storage configuration; and so on. With IaaS, you’re essentially renting the hardware in a cloud datacenter, but what you do with that hardware is up to you.

Some common scenarios where IaaS might make sense include:

  • Lift-and-shift migration: You’re standing up cloud resources similar to your on-prem datacenter, and then simply moving the things running on-prem to running on the IaaS infrastructure.

  • Testing and development: You have established configurations for development and test environments that you need to rapidly replicate. You can stand up or shut down the different environments rapidly with an IaaS structure, while maintaining complete control.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/2-describe-infrastructure-service


2 . Your manager has asked you to recommend an Azure service that can be used to securely manage and store certificates for your team's services. Which of the following would you recommend?

Explanation

Secure key management is essential to protect data in the cloud. Azure Key Vault encrypts keys and small secrets like passwords using keys stored in hardware security modules (HSMs).

For more assurance, it is possible to import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract your keys.

You can monitor and audit your key use with Azure logging—pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threat detection.

All of the control, none of the work - the motto

By using Key Vault, you don’t need to provision, configure, patch, and maintain HSMs and key management software. Provision new vaults and keys (or import keys from your own HSMs) in minutes and centrally manage keys, secrets, and policies. You keep control over your keys—simply grant permission for your own and partner applications to use them as needed. Applications never have direct access to keys. Developers manage keys used for Dev/Test and seamlessly migrate to production the keys that are managed by security operations.

Reference : https://azure.microsoft.com/en-us/services/key-vault/


3 . The Azure ________ service allows you to create and manage private networks in the cloud and connect them to on-premises networks using a VPN gateway.

Explanation

The correct answer is Azure Virtual Network. The Azure Virtual Network service allows you to create and manage private networks in the cloud and connect them to on-premises networks using a VPN gateway.

Azure Virtual Network is a networking service that allows you to create and manage virtual networks in the cloud, and connect them securely to your on-premises infrastructure. With Azure Virtual Network, you can create subnets, assign IP addresses, and control traffic flow between virtual machines and other resources.

The VPN gateway in Azure Virtual Network provides a secure, encrypted connection between your virtual network in Azure and your on-premises network. This allows you to extend your on-premises infrastructure to the cloud, and access resources in Azure as if they were located on your local network.

Other Options -

  • Azure DNS: While Azure DNS provides a scalable and reliable domain name system (DNS) service that can be used to resolve domain names to IP addresses, it is not directly related to creating and managing private networks or connecting them to on-premises networks using a VPN gateway.

  • Azure Traffic Manager: While Azure Traffic Manager is a global DNS-based traffic load balancer that can be used to distribute traffic across multiple endpoints, it is not directly related to creating and managing private networks or connecting them to on-premises networks using a VPN gateway.

  • Azure Security Center: While Azure Security Center is a unified security management and monitoring service that provides threat protection for cloud workloads, it is not directly related to creating and managing private networks or connecting them to on-premises networks using a VPN gateway. Azure Security Center is focused on securing cloud resources and workloads, rather than on networking and connectivity.

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview


4 . Yes or No: In the case of Resource groups, the most restrictive lock in the inheritance takes precedence.

Explanation

From the official Azure docs:

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the same parent lock. The most restrictive lock in the inheritance takes precedence.

If you have a Delete lock on a resource and attempt to delete its resource group, the feature blocks the whole delete operation. Even if the resource group or other resources in the resource group are unlocked, the deletion doesn't happen. You never have a partial deletion.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json


5 . An organization is planning to migrate large amounts of data from their on-premises storage to Azure. However, they are worried about incurring huge costs for this transfer and have halted their plans for now.

Is this assumption valid?

Explanation

Data ingress (incoming) to Azure data centers is free, so the organization's assumption is invalid.

Reference: https://azure.microsoft.com/en-us/pricing/details/bandwidth/


6 . A startup is planning to run a few simulations and needs to deploy pre-configured Virtual Machines in a lab-like environment using ARM templates. These VMs will be used to test app versions and scale up load testing by creating multiple test agents and environments.

As the principal consultant, which of the following services would you recommend?

Explanation

From the official documentation :

Azure DevTest Labs is a service for easily creating, using, and managing infrastructure-as-a-service (IaaS) virtual machines (VMs) and platform-as-a-service (PaaS) environments in labs. Labs offer preconfigured bases and artifacts for creating VMs, and Azure Resource Manager (ARM) templates for creating environments like Azure Web Apps or SharePoint farms.

Lab owners can create preconfigured VMs that have tools and software lab users need. Lab users can claim preconfigured VMs, or create and configure their own VMs and environments. Lab policies and other methods track and control lab usage and costs.

Reference: https://docs.microsoft.com/en-us/azure/lab-services/devtest-lab-overview


7 . A startup has deployed a set of Virtual Machines which are critical for their day-to-day operations. They need to ensure their availability even if a single data center goes down.

One of their interns has suggested that deploying the VMs through a Scale Set would solve the problem. Do you agree?

Explanation

This answer does not specify that the scale set will be configured across multiple data centers so this solution does not meet the goal.

Azure virtual machine scale sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update many VMs.

Virtual machines in a scale set can be deployed across multiple update domains and fault domains to maximize availability and resilience to outages due to data center outages, and planned or unplanned maintenance events.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/availability


8 . Which of the following is NOT a cost saving solution?

Explanation

Load balancing is used for PERFORMANCE OPTIMISATION and not cost saving.

Load balancing refers to evenly distributing load (incoming network traffic) across a group of backend resources or servers.

Azure Load Balancer operates at layer 4 of the Open Systems Interconnection (OSI) model. It's the single point of contact for clients. Load balancer distributes inbound flows that arrive at the load balancer's front end to backend pool instances. These flows are according to configured load-balancing rules and health probes. The backend pool instances can be Azure Virtual Machines or instances in a virtual machine scale set.

A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your VMs.

An internal (or private) load balancer is used where private IPs are needed at the frontend only. Internal load balancers are used to load balance traffic inside a virtual network. A load balancer frontend can be accessed from an on-premises network in a hybrid scenario.

Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview


9 . As a consultant, which of the following Locks would you recommend to an organization to prevent deletion or modification of mission-critical resources?

Explanation

From the official documentation:

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.

You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly. In the left navigation panel, the subscription lock feature's name is Resource locks, while the resource group lock feature's name is Locks.

  • CanNotDelete means authorized users can read and modify a resource, but they can't delete it.

  • ReadOnly means authorized users can read a resource, but they can't delete or update it. Applying this lock is similar to restricting all authorized users to the permissions that the Reader role provides.

Reference : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources


10 . Which of the following services can help you decouple components and asynchronous message storage, for communication between application components, whether they are running in the cloud, on the desktop, on-premise, or on mobile devices?

Explanation

From the official Azure documentation:

You can use Azure Queue Storage to build flexible applications and separate functions for better durability across large workloads. When you design applications for scale, application components can be decoupled, so that they can scale independently. Queue storage gives you asynchronous message queueing for communication between application components, whether they are running in the cloud, on the desktop, on-premises, or on mobile devices.

A single queue message can be up to 64 KB in size, and a queue can contain millions of messages, up to the total capacity limit of a storage account. Queue storage is often used to create a backlog of work to process asynchronously.

Reference : https://azure.microsoft.com/en-us/services/storage/queues/#overview


11 . Which of the following can you use to filter traffic to and from an Azure Virtual Network?

Explanation

You can use Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

For each rule, you can specify source and destination, port, and protocol. This article describes properties of a network security group rule, the default security rules that are applied, and the rule properties that you can modify to create an augmented security rule.

Reference : https://docs.microsoft.com/en-us/azure/virtual-network/security-overview


Explanation

Geo-redundant storage (GRS) copies data synchronously within a single region and then asynchronously to a secondary region, providing durability and protection against regional disasters.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy


13 . Is there a default spending limit for the Azure Free account?

Explanation

A credit of $200 is assigned to the Free account and is valid for 30 days from the date of activation.

Reference: https://azure.microsoft.com/en-in/free/


14 . Yes or No: When a subscription expires, the trusted instance of the Azure AD service remains, but the security principals still maintain access to Azure resources.

Explanation

From the official Azure docs:

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.

One or more Azure subscriptions can establish a trust relationship with an instance of Azure Active Directory (Azure AD) in order to authenticate and authorize security principals and devices against Azure services. When a subscription expires, the trusted instance of the Azure AD service remains, but the security principals LOSE access to Azure resources.

References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory


15 . What information can you input into the TCO calculator to estimate the cost difference between your current datacenter and Azure? (Select all that apply)

Explanation

  • Current infrastructure configuration - Correct, the TCO calculator allows you to input your current infrastructure configuration, including servers, databases, storage, and outbound network traffic.

  • Power costs - Correct, the TCO calculator lets you add assumptions about power costs in your current environment to estimate the cost difference between on-premises and Azure.

  • IT labor costs - Correct, the TCO calculator allows you to include assumptions about IT labor costs to help estimate the cost difference between your current environment and Azure.

  • Subscription type - Incorrect, the TCO calculator focuses on comparing on-premises infrastructure costs with Azure Cloud infrastructure costs. Subscription type is not part of the input for the TCO calculator.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators


16 . Is it possible to run a PowerShell module directly from a Windows computer with Azure PowerShell installed?

Explanation

A PowerShell script can create Azure resources, and since the PowerShell module is installed on the Windows computer, this is easily doable.

Reference: https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/ise/how-to-write-and-run-scripts-in-the-windows-powershell-ise?view=powershell-7.1&viewFallbackFrom=powershell-6


17 . If you want to raise the limit or quota above the default limit, _____________________

Explanation

If you want to raise the limit or quota above the default limit, you can open an online customer support request at no charge.

Reference: https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits


18 . Which of the following would you use if you want to keep track of the performance or issues related to your specific VM or container instances, databases, your applications?

Explanation

From the Official Azure Documentation:

If you want to keep track of the performance or issues related to your specific VM or container instances, databases, your applications, and so on, you want to visit Azure Monitor and create reports and notifications to help you understand how your services are performing or diagnose issues related to your Azure usage.

Reference: https://docs.microsoft.com/en-ca/learn/modules/monitoring-fundamentals/3-analyze-decision-criteria


19 . Yes or No: A resource can connect to resources in other resource groups.

Explanation

From the official documentation :

A resource can connect to resources in other resource groups. This scenario is common when the two resources are related but don't share the same lifecycle. For example, you can have a web app that connects to a database in a different resource group.

More about resource groups:

Reference : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups


20 . Your company is considering migrating its on-premises infrastructure to Azure. The management team wants to compare the costs of running the existing infrastructure in-house to the projected costs in Azure. Which tool should you use to provide this comparison?

Explanation

The Total Cost of Ownership (TCO) calculator is designed to help you compare the costs for running an on-premises infrastructure compared to an Azure Cloud infrastructure. It takes into account your current infrastructure configuration, power costs, IT labor costs, and other factors to provide an estimate of the cost difference between the two environments.

Other options -

  • Pricing calculator - This tool is designed to estimate the cost of provisioning resources in Azure but does not provide a comparison between on-premises infrastructure costs and Azure Cloud infrastructure costs.

  • Resource cost calculator - This option is incorrect because there is no specific "Resource cost calculator" in Azure. The Pricing calculator and TCO calculator are the main tools used to estimate costs in Azure.

  • Billing calculator - This option is incorrect because there is no specific "Billing calculator" in Azure. The Pricing calculator estimates costs for provisioning resources in Azure, while the TCO calculator compares on-premises infrastructure costs to Azure Cloud infrastructure costs.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators


21 . Your organization is using Azure for disaster recovery purposes. You have set up replication of virtual machines to an Azure region different from the primary region. Which of the following factors could affect the cost of this setup?

Explanation

All of the options could potentially affect the cost of this setup.

  • The number of virtual machines being replicated - The more virtual machines being replicated, the higher the cost will be, as each VM will require resources to be replicated to the secondary region.

  • The amount of data being replicated - The amount of data being replicated can have a significant impact on the cost, as data transfer between regions incurs charges.

  • The network bandwidth between the primary and secondary regions - The network bandwidth between the primary and secondary regions can also impact the cost, as higher bandwidth requirements will result in higher charges.

  • The types of virtual machines being replicated - The types of virtual machines being replicated could also impact the cost, as certain VM sizes are more expensive than others.

Reference: https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview


22 . Which of these is NOT a valid Azure resource group constraint?

Explanation

The option "Resource group must be in the same region as its resources" is NOT a valid constraint for Resource Groups.

While it's recommended that resources in a resource group be located in the same region for optimal performance, it's not a strict requirement. Resources in a resource group can span different regions, and this can be useful for achieving high availability and disaster recovery scenarios, as well as for optimizing data access for users in different geographic locations.

Other options:

  • Resource group can contain resources located in different regions: This is a valid Azure resource group constraint. As mentioned above, resources in a resource group can span different regions.

  • Resource group can contain resources that belong to different subscriptions: This is also a valid Azure resource group constraint. A single resource group can contain resources that belong to different subscriptions, which is useful for managing resources across multiple subscriptions.

  • Resource group can be used to apply consistent policies to resources: This is also a valid Azure resource group constraint. Azure Policy can be used to apply governance policies to all resources in a resource group, ensuring consistent compliance across resources.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview


23 . Which of the following would you need to set up alerts for outages or when autoscaling is about to deploy new instances?

Explanation

You can use Azure Monitor to set up alerts for key events that are related to your specific resources.

Reference : https://docs.microsoft.com/en-ca/learn/modules/monitoring-fundamentals/3-analyze-decision-criteria


24 . You plan to provision Infrastructure as a Service (IaaS) resources in Azure.

Which of the following is an example of IaaS in Azure?

Explanation

An Azure virtual machine is an example of Infrastructure as a Service (IaaS).

Azure Machine Learning, Azure Event Hubs, and Azure HDInsight are all examples of Platform as a Service (PaaS).

References:

https://azure.microsoft.com/en-gb/overview/what-is-iaas/

https://azure.microsoft.com/en-gb/overview/what-is-paas/

https://techcommunity.microsoft.com/t5/educator-developer-blog/getting-started-with-windows-azure-series-1-overview/ba-p/378385


25 . Yes or No: In order to move a VM from one region to another, one must be prepared for a brief downtime.

Explanation

From the official documentation:

Virtual Machines are resources and can be moved to a new region.

For VMs, replica VMs are created in the target region. The source VM is shut down, and some downtime occurs (usually minutes).

Reference: https://learn.microsoft.com/en-us/azure/resource-mover/tutorial-move-region-virtual-machines


26 . Yes or No: The composite SLA for an application relying on multiple services would be higher than the individual SLAs of the particular services.

Explanation

From the official Azure documentation:

Composite SLAs involve multiple services supporting an application, each with differing levels of availability.

For example, consider an App Service web app that writes to Azure SQL Database. At the time of this writing, these Azure services have the following SLAs:

App Service web apps = 99.95%

SQL Database = 99.99%

What is the maximum downtime you would expect for this application? If either service fails, the whole application fails. The probability of each service failing is independent, so the composite SLA for this application is 99.95% × 99.99% = 99.94%. That's LOWER than the individual SLAs, which isn't surprising because an application that relies on multiple services has more potential failure points.

You can improve the composite SLA by creating independent fallback paths. For example, if SQL Database is unavailable, put transactions into a queue to be processed later.

With this design, the application is still available even if it can't connect to the database. However, it fails if the database and the queue both fail at the same time. The expected percentage of time for a simultaneous failure is 0.0001 × 0.001, so the composite SLA for this combined path is:

Database or queue = 1.0 − (0.0001 × 0.001) = 99.99999%

The total composite SLA is:

Web app and (database or queue) = 99.95% × 99.99999% = ~99.95%

There are tradeoffs to this approach. The application logic is more complex, you are paying for the queue, and you need to consider data consistency issues.

Reference : https://docs.microsoft.com/en-us/azure/architecture/framework/resiliency/business-metrics


27 . If you set up a free Azure account, does the Standard support plan come along with this free account?

Explanation

The BASIC Support plan is associated with all accounts but a STANDARD plan needs to be purchased and costs $100/month.

Reference: https://azure.microsoft.com/en-in/support/plans/


28 . Which of the following services is an Apache Spark-based analytics platform optimized for the Microsoft Azure cloud services platform?

Explanation

Please read this answer carefully. 'Optimised' is the keyword in the question.

A lot of people get confused between Azure Databricks and Azure HDInsight.

Azure HDInsight is primarily a managed Apache Hadoop service that lets you run Apache Spark, Apache Hive, Apache Kafka, Apache HBase, and more in the cloud.

Azure Databricks is a premium Spark offering that is ideal for customers who want their data scientists to collaborate easily and run their Spark based workloads efficiently and at industry leading performance.

It is essentially an Apache Spark-based analytics platform optimized for the Microsoft Azure cloud services platform.

References:

https://docs.microsoft.com/en-us/answers/questions/26097/can-anyone-please-post-the-differences-between-azu.html

https://docs.microsoft.com/en-us/azure/databricks/

https://docs.microsoft.com/en-us/azure/hdinsight/


29 . You want to set up a VPN connection between two Azure virtual networks that are in different regions. Which of the following VPN connection types would be best suited for this scenario?

Explanation

The correct answer is Site-to-Site (IPsec).

Site-to-Site (IPsec) VPN connection type is used to connect two or more virtual networks that are in different regions, data centers, or even different cloud providers. It allows you to connect an on-premises network or a branch office network to an Azure virtual network, or to connect two Azure virtual networks that are in different regions. Site-to-Site VPN connections use a VPN gateway to provide a secure connection over the Internet. IPsec is the protocol used to secure the VPN connection.

Other options:

  • VNet-to-VNet (IPsec): This is not the best choice for this scenario because it is designed to connect two virtual networks within the same region. It creates an IPsec tunnel between the two virtual networks, allowing resources to communicate securely and privately over the Microsoft backbone network. Since the two virtual networks in this scenario are in different regions, VNet-to-VNet (IPsec) would not be the most efficient or cost-effective option.

  • Point-to-Site (VPN over SSL): This is used to connect individual devices to an Azure virtual network over a VPN connection. It is not suitable for connecting virtual networks in different regions.

  • ExpressRoute: This is a private connection between an on-premises infrastructure and an Azure data center. It provides dedicated, high-speed connectivity between your network and Azure, but it is not suitable for connecting virtual networks in different regions.

Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal


30 . A company has approached you to help them plan an architecture that would be capable of capturing data from millions of connected devices and securely storing it for analysis. Which of the following two services would you include in the project proposal?

Explanation

From the official Azure documentation:

Azure IoT Hub is a managed service hosted in the cloud that acts as a central message hub for communication between an IoT application and its attached devices. You can connect millions of devices and their backend solutions reliably and securely. Almost any device can be connected to an IoT hub.

Several messaging patterns are supported, including device-to-cloud telemetry, uploading files from devices, and request-reply methods to control your devices from the cloud. IoT Hub also supports monitoring to help you track device creation, device connections, and device failures.

IoT Hub scales to millions of simultaneously connected devices and millions of events per second to support your IoT workloads. For more information about scaling your IoT Hub, see IoT Hub scaling. To learn more about the tiers of service offered by IoT Hub, check out the pricing page.

IoT Hub can further route messages to Azure Data Lake Storage.

Reference 1 (IoT Hub) - https://azure.microsoft.com/en-in/services/iot-hub/

Reference 2 (Data Lake) - https://azure.microsoft.com/en-in/solutions/data-lake/


Explanation

Yes! Azure HDInsight is an enterprise-ready, managed cluster service for open-source analytics.

You can run popular open-source frameworks—including Apache Hadoop, Spark, Hive, Kafka, and more—using Azure HDInsight, a customizable, enterprise-grade service for open-source analytics. You can also effortlessly process massive amounts of data and get all the benefits of the broad open-source project ecosystem with the global scale of Azure. Easily migrate your big data workloads and processing to the cloud.

Reference: https://azure.microsoft.com/en-gb/services/hdinsight/#documentation


32 . What is the key advantage of using zone-redundant storage (ZRS) in the primary region?

Explanation

From the official documentation:

For Availability Zone-enabled Regions, zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year.

With ZRS, your data is still accessible for both read and write operations even if a zone becomes unavailable.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy


33 . You have managed an App that you developed and deployed On-Prem for a long time, but would now like to move it to Azure and be relieved of all the manual administration and maintenance. Which of the following buckets would be most suitable for your use case?

Explanation

Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection.

Like IaaS, PaaS includes infrastructure—servers, storage, and networking—but also middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.

PaaS allows you to avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators such as Kubernetes, or the development tools and other resources. You manage the applications and services you develop, and the cloud service provider typically manages everything else.

Since we need to reduce the overhead effort of managing everything, and create our own solution, PaaS is the best option!

References : https://azure.microsoft.com/en-us/overview/what-is-paas/


34 . Yes or No: Azure Advisor has the ability to provide recommendations for Azure ExpressRoute.

Explanation

From the official Azure documentation:

Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, Reliability (formerly called High availability), and security of your Azure resources.

Advisor provides recommendations for Application Gateway, App Services, availability sets, Azure Cache, Azure Data Factory, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, Azure ExpressRoute, Azure Cosmos DB, Azure public IP addresses, Azure Synapse Analytics, SQL servers, storage accounts, Traffic Manager profiles, and virtual machines.

Azure Advisor also includes your recommendations from Microsoft Defender for Cloud which may include recommendations for additional resource types.

Reference: https://docs.microsoft.com/en-us/azure/advisor/advisor-overview


35 . Yes or No: Azure HDInsight is an example of a Software as a Service (SaaS) offering.

Explanation

No, Azure HDInsight is a PaaS offering.

From the official Azure documentation:

Run popular open-source frameworks—including Apache Hadoop, Spark, Hive, Kafka, and more—using Azure HDInsight, a customizable, enterprise-grade service for open-source analytics. Effortlessly process massive amounts of data and get all the benefits of the broad open-source project ecosystem with the global scale of Azure. Easily migrate your big data workloads and processing to the cloud.

References: https://azure.microsoft.com/en-us/services/hdinsight/#features


36 . Which of the following services would you use to embed the ability to see, hear, speak, search, understand, and accelerate decision-making into your apps without having any machine-learning expertise?

Explanation

Cognitive Services bring AI within reach of every developer—without requiring machine-learning expertise. All it takes is an API call to embed the ability to see, hear, speak, search, understand, and accelerate decision-making into your apps.

Reference : https://azure.microsoft.com/en-us/services/cognitive-services/#features


37 . What is the main purpose of the Azure Pricing Calculator?

Explanation

To estimate the cost of provisioning resources in Azure - This is the correct answer because the Azure Pricing Calculator is specifically designed to help users estimate the cost of provisioning resources in Azure.

To compare the costs of running on-premises and Azure Cloud infrastructure - This option is incorrect because this function is performed by the Total Cost of Ownership (TCO) Calculator, not the Pricing Calculator.

To provision resources in Azure - This option is incorrect because the Pricing Calculator does not provision resources; it only provides cost estimates for resources. To provision resources, you would use the Azure Portal or other management tools.

To manage the billing of your Azure account - This option is incorrect because the Pricing Calculator does not manage billing. It only provides cost estimates for resources. To manage billing, you would use the Azure Cost Management and Billing tools.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators


38 . You have configured a VPN connection between an on-premises network and an Azure virtual network using Site-to-Site VPN (IPsec). However, you are experiencing connectivity issues and suspect that there is an issue with the VPN gateway. Which Azure service can you use to diagnose connectivity issues for your VPN gateway?

Explanation

The correct answer is Azure Network Watcher.

Azure Network Watcher is a monitoring and diagnostic service that provides tools to diagnose network issues in Azure. It includes a VPN diagnostics tool that can be used to diagnose connectivity issues with VPN gateways, including Site-to-Site VPN (IPsec) gateways. The tool can help identify configuration issues, routing issues, and other common problems that can cause connectivity issues.

Other Options:

  • Azure Traffic Manager: This is a global DNS load balancer that can be used to distribute incoming traffic across multiple Azure regions. It is not designed for diagnosing network connectivity issues.

  • Azure Application Gateway: This is a web traffic load balancer that can be used to manage and route HTTP and HTTPS traffic. It is not designed for diagnosing network connectivity issues.

  • Azure ExpressRoute: This is a dedicated, private connection between an on-premises datacenter and Azure. It is not used for Site-to-Site VPN (IPsec) connections, and is not designed for diagnosing connectivity issues with VPN gateways.

Reference: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview


39 . You are designing a solution to improve the resiliency of your application in Azure. Which of the following would you choose to ensure your application remains available during planned maintenance events?

Explanation

Availability Zones are a high-availability offering from Microsoft Azure that provide a fault-tolerant architecture for applications. Availability Zones are physically separate data centers within an Azure region, each with their own power, cooling, and networking infrastructure.

By deploying virtual machines and other resources across multiple Availability Zones, you can ensure that your application remains available even in the event of a data center outage or other disruption. Availability Zones provide redundancy and isolation, which helps protect your application from both planned and unplanned downtime.

Other options -

  • Availability Sets are a feature of Microsoft Azure that help ensure that virtual machines are distributed across multiple fault domains and update domains within a single data center or region. This helps protect against hardware failures and other disruptions by ensuring that virtual machines are not all located in the same physical rack or power source. However, Availability Sets do not provide any inherent protection against data center-wide outages, which can occur due to issues such as network outages, power failures, or natural disasters. In such cases, all virtual machines in the affected data center or region may become unavailable.

  • Scale Sets is not necessarily the best choice for ensuring availability during planned maintenance events because it only provides horizontal scalability by adding or removing virtual machines based on demand, but does not inherently provide any availability benefits beyond what is provided by the underlying infrastructure.

    Scale Sets are a feature of Microsoft Azure that provide automatic scaling of a set of virtual machines based on demand. This helps ensure that the application can handle varying levels of traffic and usage, but does not necessarily provide inherent resiliency against planned maintenance events or other types of disruptions.

  • Azure Container Registry is a managed private Docker registry service that enables you to store and manage container images in Azure. While it provides benefits such as secure storage, authentication, and geo-replication of container images, it is not directly related to ensuring availability during planned maintenance events.

Reference: https://learn.microsoft.com/en-us/azure/reliability/availability-zones-overview


40 . What is the primary purpose of redundancy in Azure Storage?

Explanation

From the official documentation: Azure Storage always stores multiple copies of your data so that it's protected from planned and unplanned events such as transient hardware failures, network or power outages, and natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures. Redundancy in Azure Storage ensures that data is protected from planned and unplanned events, providing high availability and durability even in the event of hardware failures, outages, or disasters.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy


41 . Select the option that is FALSE for Resource Groups

Explanation

Resource groups can't be nested, i.e., a resource group cannot exist inside another resource group. It is, however, possible to link resources from other resource groups within a resource group.

From the official documentation (amazing summary, please do read) -

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal


42 . The Azure ________ is a fully managed Platform as a Service (PaaS) that provides a runtime environment for hosting, deploying, and scaling applications

Explanation

The Azure App Service is the correct answer and is a fully managed Platform as a Service (PaaS) that provides a runtime environment for hosting, deploying, and scaling applications.

Azure App Service supports a variety of programming languages, including .NET, Java, Node.js, Python, and PHP, among others. It also provides built-in support for popular content management systems like WordPress and Drupal, and integrates with Azure DevOps for streamlined deployment and continuous integration/continuous deployment (CI/CD).

Other Options:

  • Azure Logic Apps is designed more for workflow automation and integration, and does not provide a runtime environment for hosting and deploying applications. While it is possible to use Azure Logic Apps to trigger actions in response to events in Azure App Service (for example, deploying a new version of an application), it is not a direct replacement for Azure App Service.

  • While Azure Advisor is a valuable tool for optimizing Azure resources, it is not a fully managed Platform as a Service (PaaS) like Azure App Service. Azure Advisor does not provide a runtime environment for hosting, deploying, and scaling applications, and it does not support a variety of programming languages.

  • While Azure Front Door is a useful service for load balancing and routing traffic, it is not a fully managed Platform as a Service (PaaS) like Azure App Service. Azure Front Door does not provide a runtime environment for hosting, deploying, and scaling applications, and it does not support a variety of programming languages.

Reference: https://learn.microsoft.com/en-us/azure/app-service/overview


43 . _______ is capable of sending encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.

Explanation

From the official documentation:

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

Reference : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways


44 . Yes or No: Every Azure region is composed of a set of datacenters.

Explanation

A region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. Each Azure region has a minimum of three availability zones.

Reference: https://azure.microsoft.com/en-us/global-infrastructure/


45 . In the context of Azure subscriptions, what does an Azure free trial subscription provide? (Select all that apply)

Explanation

Access to a number of Azure products free for 12 months - This is correct because an Azure free trial subscription provides access to several Azure products for free during the first 12 months.

Credit to spend within the first 30 days of sign-up - This is correct as the Azure free trial subscription offers credit to spend within the first 30 days after sign-up, which allows users to explore and use various Azure services during that period.

Unlimited access to all Azure services - This is incorrect because the Azure free trial subscription does not provide unlimited access to all Azure services. It offers a limited set of free services, usage allowances, and credits to spend within a specified timeframe.

Access to more than 25 products that are always free - This is correct because, in addition to the free services available during the trial period, the Azure free trial subscription provides access to more than 25 products that are always free, based on resource and region availability. These products can be used without any additional costs even after the trial period is over.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure


46 . True or False: Each Azure Subscription can trust multiple Active Directories

Explanation

From the official Azure docs:

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.

References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory


47 . Which of the following requires the greatest security effort on your part?

Explanation

IaaS (Infrastructure as a Service) is, in effect, where a cloud provider hosts the infrastructure components traditionally present in an on-premises data center including servers (operating systems), storage and networking hardware as well as the virtualization or hypervisor layer.

From a security perspective, this offering is probably the closest to traditional in-house IT infrastructure (indeed, many companies will effectively move existing server payloads to IaaS, either partially or completely, resulting in a hybrid solution), and it will require many of the same security tools as a result.

Reference : https://www.tripwire.com/state-of-security/security-data-protection/cloud/secure-configuration-cloud-iaas-paas-saas/


48 . Where can you obtain up-to-date details about the personal data Microsoft processes, how it processes it and for what purposes?

Explanation

This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Microsoft offers a wide range of products, including server products used to help operate enterprises worldwide, devices you use in your home, software that students use at school, and services developers use to create and host what’s next. References to Microsoft products in this statement include Microsoft services, websites, apps, software, servers, and devices.

Please read the product-specific details in this privacy statement, which provide additional relevant information. This statement applies to the interactions Microsoft has with you and the Microsoft products listed below, as well as other Microsoft products that display this statement.

Reference: https://privacy.microsoft.com/en-ca/privacystatement


49 . Your organization has deployed a Virtual Machine in Azure with the Standard_D2s_v3 VM size. The Virtual Machine is running a resource-intensive workload, and you want to optimize costs. Which of the following could be an effective way to achieve this?

Explanation

The correct answer is 'Enable automatic scaling to adjust VM size based on workload' as it could be an effective way to optimize costs for the Virtual Machine in Azure. Automatic scaling allows you to automatically adjust the number of Virtual Machine instances and the size of the instances based on demand, which can help you save costs by avoiding overprovisioning.

Using a larger VM size: This would increase costs, as it's more expensive to use a larger VM size.

Using a smaller VM size: This could reduce performance and may not be suitable for a resource-intensive workload.

Using a different Azure region with lower VM pricing: This may not be a practical solution if the workload requires a specific region for compliance or latency reasons.


50 . How is the cost of network traffic in Azure affected?

Explanation

The cost of network traffic in Azure is affected by geography. Data transfer costs can vary depending on the zones, which are geographical groupings of Azure regions for billing purposes. The cost of moving data within a region or between regions can differ, impacting the overall cost of network traffic.

Other options -

By the number of users: While the number of users may affect the overall amount of network traffic, the cost is not directly determined by the number of users. Instead, it is determined by the amount of data transferred and the geographical zones involved.

By resource type: The cost of network traffic is related to the amount of data transferred and the zones involved, not the specific Azure resources being used. While the type of resources may have an impact on the amount of data transferred, the cost of network traffic itself is not directly influenced by the resource type.

By the type of subscription: The type of subscription may affect the overall cost of Azure services, including usage allowances, but it doesn't directly determine the cost of network traffic. Network traffic costs are determined by the amount of data transferred and the geographical zones involved.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure


51 . Select the valid types of storage tiers for Azure Blob Storage?

Explanation

Azure storage offers different access tiers, which allow you to store blob object data in the most cost-effective manner. The available access tiers include:

1) Hot Storage - Optimized for storing data that is accessed frequently.

2) Cool Storage - Optimized for storing data that is infrequently accessed and stored for at least 30 days.

3) Archive Storage - Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of hours).

Reference : https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal


52 . Yes or No: It's possible to deploy an Azure VM from an Ubuntu system by using PowerShell in the Cloud Shell.

Explanation

Tip: Most such questions mentioning Operating Systems (Ubuntu, Linux, Windows, MacOS) are to create confusion. If you can open a browser - you can access the Cloud Shell which gives you access to Bash or PowerShell.

Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell.

Reference: https://docs.microsoft.com/en-us/azure/cloud-shell/overview


53 . Suppose the lead architect in your company has asked your team to implement a PaaS based solution in Azure for a quick Proof-of-Concept (POC) to senior management. One of your colleagues goes ahead and creates an Azure Event Hubs and Azure Blob Storage.

Would you agree with this implementation?

Explanation

Yes, both of these services fall under the PaaS category, and therefore meet our requirements!


54 . Yes or No: The private preview phase for a service includes formal support

Explanation

No. Private Preview is a phase when Azure invites a few customers to take part in early access to new concepts and features. This phase does not include formal support. It is also not available to the general public.

Reference: https://azure.microsoft.com/en-ca/support/legal/preview-supplemental-terms/


55 . Suppose the lead architect in your company has asked your team to implement a PaaS based solution in Azure for a quick Proof-of-Concept (POC) to senior management. One of your colleagues goes ahead and creates an Azure SQL Database and an Azure Load Balancer.

Would you agree with this implementation?

Explanation

Tricky question!

Platform as a service (PaaS) is a complete development and deployment environment in the cloud. PaaS includes infrastructure such as servers, storage, and networking, but also middleware, development tools, business intelligence (BI) services, database management systems, and more.

Azure SQL Databases are PaaS, that's fine. BUT:

Azure Load Balancers are IaaS, not PaaS!

References: https://azure.microsoft.com/en-us/overview/what-is-paas/

https://docs.microsoft.com/en-us/answers/questions/221143/azure-storage-account-is-iaas-or-paas.html


56 . True or False: In a Private Preview, Azure invites all customers to take part in early access to new concepts and features.

Explanation

From the official documentation:

Private Preview - During this phase we invite a few customers to take part in early access to new concepts and features. This phase DOES NOT include formal support.

Reference: https://azure.microsoft.com/en-ca/support/legal/preview-supplemental-terms/


57 . Which Azure Service allows you to create, assign and manage policies to enforce different rules and stay compliant with your Service Level Agreements (SLAs)?

Explanation

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill-down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

References : https://docs.microsoft.com/en-us/azure/governance/policy/overview


58 . _______________ enables a user to log in one time and use that credential to access multiple resources and applications from different providers.

Explanation

From the Official Azure Documentation:

SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.

Reference: https://docs.microsoft.com/en-ca/learn/modules/secure-access-azure-identity-services/3-what-is-azure-active-directory


59 . Which of the following is a great place to start when examining the security of your Azure-based solutions and provides threat protection across all of your services both in Azure, and on-premises?

Explanation

A great place to start when examining the security of your Azure-based solutions is Azure Security Center. Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:

1) Provide security recommendations based on your configurations, resources, and networks.

2) Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.

3) Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.

4) Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.

5) Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.

Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations


60 . Is data transfer between Azure services located in two regions free?

Explanation

Outbound data transfer is charged at the normal rate and inbound data transfer is free.

References: https://azure.microsoft.com/en-us/global-infrastructure/regions/ https://azure.microsoft.com/en-us/pricing/details/bandwidth/


61 . Azure _____________ are unique physical buildings—located all over the globe—that house a group of networked computer servers.

Explanation

From the official Azure docs:

Azure datacentres are unique physical buildings—located all over the globe—that house a group of networked computer servers.

References: https://azure.microsoft.com/en-gb/global-infrastructure/regions/


62 . Yes or No: Azure guarantees 99.99% availability for the Free version of the Azure Active Directory (AAD).

Explanation

From the official documentation:

Note from the above image that NO SLA is provided for the FREE tier of the Azure Active Directory!

Reference : https://azure.microsoft.com/en-us/support/legal/sla/active-directory/v1_1/


63 . True or False: Azure Active Directory can restrict access attempts to only those coming from known devices.

Explanation

From the Official Azure Documentation:

Azure AD provides services such as:

  • Authentication

    This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.

  • Single sign-on

    SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.

  • Application management

    You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and single sign-on provide a better user experience.

  • Device management

    Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based Conditional Access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.

Reference: https://docs.microsoft.com/en-ca/learn/modules/secure-access-azure-identity-services/3-what-is-azure-active-directory


64 . Yes or No: When you cancel an Azure Subscription, your resources are immediately deleted permanently to free up space.

Explanation

From the official Azure Docs:

When you cancel an Azure subscription:

  • A resource lock doesn't block the subscription cancellation.

  • Azure preserves your resources by deactivating them instead of immediately deleting them.

  • Azure only deletes your resources permanently after a waiting period.

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources


65 . Which of the following services can facilitate the deployment and scaling of containers?

Explanation

From the official Azure documentation:

Azure Kubernetes Service (AKS) offers the quickest way to start developing and deploying cloud-native apps, with built-in code-to-cloud pipelines and guardrails. Get unified management and governance for on-premises, edge, and multicloud Kubernetes clusters. Interoperate with Azure security, identity, cost management, and migration services.

Reference : https://azure.microsoft.com/en-us/services/kubernetes-service/


66 . Yes or No: A SaaS solution allows access to the underlying Operating System of the application.

Explanation

A SaaS solution does not provide access to the operating system. In fact, with a SaaS we have the least maintenance effort but also the least degree of control.

Examples of SaaS include Zoom and Outlook.

Reference: https://azure.microsoft.com/en-gb/overview/what-is-saas/


67 . What are the two options for replicating data within the primary region in Azure Storage?

Explanation

Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region, locally redundant storage (LRS) and zone-redundant storage (ZRS).

Also, Azure Storage offers locally redundant storage (LRS) and zone-redundant storage (ZRS) as options for replicating data within the primary region.

Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy


68 . Availability for all Azure services is calculated over a ____________ billing cycle.

Explanation

From the official Azure docs:

Availability for all Azure services is calculated over a monthly billing cycle.

Reference : https://azure.microsoft.com/en-us/support/legal/sla/summary/


69 . With Azure ___________ , you can scale your applications and create highly available services

Explanation

From the official documentation:

Load balancing refers to evenly distributing load (incoming network traffic) across a group of backend resources or servers.

Why use Azure Load Balancer?

With Azure Load Balancer, you can scale your applications and create highly available services. Load balancer supports both inbound and outbound scenarios. Load balancer provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications.

Reference : https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview


70 . Which of the following does not affect costs in Azure?

Explanation

Tags do not incur costs, but are rather a great way to know which resources are incurring costs!

Great reference on costs - https://docs.microsoft.com/en-ca/learn/modules/plan-manage-azure-costs/4-purchase-azure-services


71 . Your compliance team has contacted you and stated that a certain VM running a mission critical database (with confidential data) should not be able to connect to other applications and VMs. How would you accomplish this?

Explanation

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you'd operate in your own data center, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation.

Subnets: Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network's address space to each subnet. You can then deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow you to segment your VNet address space into segments that are appropriate for the organization's internal network. This also improves address allocation efficiency. You can secure resources within subnets using Network Security Groups. For more information, see Security groups.

You can filter network traffic between subnets using either or both of the following options:

1) Security groups: Network security groups and application security groups can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. To learn more, see Network security groups or Application security groups.

2) Network virtual appliances: A network virtual appliance is a VM that performs a network function, such as a firewall, WAN optimization, or other network function. To view a list of available network virtual appliances that you can deploy in a virtual network, see Azure Marketplace.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview


72 . Yes or No: An Azure subscription can trust multiple Azure Active Directory (Azure AD) tenants

Explanation

From the official Azure docs:

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Please note: Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.

References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory


73 . A startup has deployed a set of Virtual Machines which are critical for their day-to-day operations. They need to ensure their availability even if a single data center goes down. One of their interns has suggested that deploying these VMs to multiple resource groups would solve the problem. Do you agree?

Explanation

A resource group is a logical container for Azure resources. When you create a resource group, you specify which location to create the resource group in.

However, when you create a virtual machine and place it in the resource group, the virtual machine can still be in a different location (different datacenter).

Therefore, creating multiple resource groups, even if they are in separate datacenters, does not ensure that the services running on the virtual machines are available if a single data center fails. What you really need is high availability, achieved by deploying the VMs to multiple Regions and AZs.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups


74 . Which of the following statements BEST describes the Modern Lifecycle Policy for Azure products and services?

Explanation

The Modern Lifecycle Policy covers products and services that are serviced and supported continuously. Under this policy, the product or service remains in support if the following criteria are met:

  • Customers must stay current as per the servicing and system requirements published for the product or service.

  • Customers must be licensed to use the product or service.

  • Microsoft must currently offer support for the product or service.

Hence, only the following statement is correct:

"For products governed by the Modern Lifecycle Policy, Microsoft will provide a minimum of 12 months' notification prior to ending support if no successor product or service is offered—excluding free services or preview releases."


75 . Yes or No: If you have a Delete lock on a resource and attempt to delete its resource group, all resources inside the resource group still get deleted.

Explanation

From the official docs:

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the same parent lock. The most restrictive lock in the inheritance takes precedence.

If you have a Delete lock on a resource and attempt to delete its resource group, the feature blocks the whole delete operation. Even if the resource group or other resources in the resource group are unlocked, the deletion doesn't happen. You never have a partial deletion.

References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources


76 . Which of the following Azure services CANNOT be used to deploy a containerized application?

Explanation

The Azure Content Delivery Network (CDN) service cannot be used to deploy a containerized application.

CDN is a service for delivering static content (such as images, videos, and other files) from a distributed network of servers. It is not designed for running and deploying containerized applications.

On the other hand, Azure Kubernetes Service (AKS), Azure Container Instances (ACI), and Azure Virtual Machines (VMs) can all be used to deploy containerized applications.

  • Azure Kubernetes Service (AKS) provides a managed Kubernetes service for deploying, scaling, and managing containerized applications.

  • Azure Container Instances (ACI) is a serverless service that allows you to run containers on demand without having to manage the underlying infrastructure.

  • Azure Virtual Machines (VMs) provide a more flexible option for running containers by allowing you to choose the operating system and configure the environment to your specific needs.

Reference: https://learn.microsoft.com/en-us/azure/frontdoor/


77 . Choose 3 components of Azure SLAs:

Explanation

A Service Level Agreement or SLA is a formal document that provides specific terms that state the level of service that will be provided to a customer. Microsoft's Azure SLA defines three primary characteristics of Azure service: Performance targets, Uptime, and Connectivity guarantees.

It should be noted that the free and shared tiers of many services DO NOT come with an SLA. (Imp.)

Reference: https://cloudacademy.com/course/understanding-azure-pricing-and-support/service-level-agreements/


78 . Yes or No: Australia is composed of 1 single Azure Region

Explanation

No, Australia has several Azure regions, including Australia East, Central, Southeast etc.

Check out this really cool website - https://infrastructuremap.microsoft.com/explore?info=region_australiasoutheast

Reference: https://azure.microsoft.com/en-us/global-infrastructure/geographies/#overview


79 . True or False: A Platform as a Service (PaaS) solution that has already been deployed cannot be scaled up or out without re-deploying it.

Explanation

You can always scale your PaaS solution up (increase the memory) or out (add more instances) without re-deployment.

The very beauty of PaaS is that it allows you to avoid the expense and complexity of buying and managing software licences, the underlying application infrastructure and middleware, container orchestrators such as Kubernetes or the development tools and other resources. You manage the applications and services that you develop, and the cloud service provider typically manages everything else.

Reference: https://azure.microsoft.com/en-gb/overview/what-is-paas/


80 . Which of the following services can be used to store unstructured data in Azure?

Explanation

The Azure services that can be used to store unstructured data are: Azure Blob Storage, Azure Table Storage and Azure File Storage.

Azure Table Storage can also be used to store unstructured data in Azure. Azure Table Storage is a NoSQL key-value store that can be used to store structured and semi-structured data, as well as unstructured data such as large text and binary data. Azure Table Storage allows you to store large amounts of data in a flexible schema that can evolve over time, making it a good choice for storing unstructured data that does not fit well into a fixed schema.

Azure File Storage can also be used to store unstructured data in Azure. Azure File Storage is a fully managed file share service that can be used to store and share unstructured data, such as documents, media files, and logs. Azure File Storage provides the standard SMB (Server Message Block) file share protocol, which allows you to easily mount file shares from multiple VMs in the same region or across regions. This makes it a good choice for scenarios where you need to share unstructured data between multiple VMs or applications.

Azure Blob Storage is a massively scalable object storage service that allows you to store and access large amounts of unstructured data, such as text and binary data, images, and videos. It's commonly used for data storage, backup and recovery, and data archiving.

Incorrect -

Azure Queue Storage, on the other hand, is not suitable for storing unstructured data. It is designed for reliably queuing and processing messages between different components of a distributed application, rather than for storing large amounts of unstructured data.

Reference: https://learn.microsoft.com/en-us/azure/storage/common/storage-introduction

