
Exam AZ-301: Microsoft Azure Architect Design


Question 1

You deploy several Azure SQL Database instances.

You plan to configure the Diagnostics settings on the databases as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers


Explanation

In the exhibit, the SQLInsights data is configured to be stored in Azure Log Analytics for 90 days. However, the question asks for the "maximum" amount of time that the data can be stored, which is 730 days.


Question 2

Your company uses Microsoft System Center Service Manager on its on-premises network.

You plan to deploy several services to Azure.

You need to recommend a solution to push Azure service health alerts to Service Manager.

What should you include in the recommendation?

Answers


Explanation

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service.

Azure services like Log Analytics and Azure Monitor provide tools to detect, analyze and troubleshoot issues with your Azure and non-Azure resources. However, the work items related to an issue typically reside in an ITSM product/service. The ITSM connector provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster.

ITSMC supports connections with the following ITSM tools:

ServiceNow

System Center Service Manager

Provance

Cherwell

With ITSMC, you can:

Create work items in ITSM tool, based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).

Optionally, you can sync your incident and change request data from your ITSM tool to an Azure Log Analytics workspace.


Question 3

You have an on-premises Hyper-V cluster. The cluster contains Hyper-V hosts that run Windows Server 2016 Datacenter. The hosts are licensed under a Microsoft Enterprise Agreement that has Software Assurance.

The Hyper-V cluster hosts 3 virtual machines that run Windows Server 2012 R2. Each virtual machine runs a different workload. The workloads have predictable consumption patterns.

You plan to replace the virtual machines with Azure virtual machines that run Windows Server 2016. The virtual machines will be sized according to the consumption pattern of each workload.

You need to recommend a solution to minimize the compute costs of the Azure virtual machines.

Which two recommendations should you include in the solution? Each correct answer presents part of the solution.

Answers



Question 4

You have an on-premises Active Directory forest and an Azure Active Directory (Azure AD) tenant. All Azure AD users are assigned a Premium P1 license.

You deploy Azure AD Connect.

Which two features are available in this environment that can reduce operational overhead for your company's help desk? Each correct answer presents a complete solution.

Answers



Question 5

You are planning the implementation of an order processing web service that will contain microservices hosted in an Azure Service Fabric cluster.

You need to recommend a solution to provide developers with the ability to proactively identify and fix performance issues. The developers must be able to simulate user connections to the order processing web service from the Internet, as well as simulate user transactions. The developers must be notified if the goals for the transaction response times are not met.

What should you include in the recommendation?

Answers


Explanation

Part of Azure Monitor, Application Insights is an extensible platform for application monitoring and diagnostics. It includes a powerful analytics and querying tool, customizable dashboard and visualizations, and further options including automated alerting. Application Insights's integration with Service Fabric includes tooling experiences for Visual Studio and Azure portal, as well as Service Fabric specific metrics, providing a comprehensive out-of-the-box logging experience. Though many logs are automatically created and collected for you with Application Insights, we recommend that you add further custom logging to your applications to create a richer diagnostics experience.


Question 6

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager resource deployments in your subscription.

What should you include in the recommendation?

Answers


Explanation

Through activity logs, you can determine:

what operations were taken on the resources in your subscription

who started the operation

when the operation occurred

the status of the operation

the values of other properties that might help you research the operation


Question 7

You have an Azure App Service Web App that includes Azure Blob storage and an Azure SQL Database instance. The application is instrumented by using the Application Insights SDK.

You need to design a monitoring solution for the web app.

Which Azure monitoring services should you use? To answer, select the appropriate Azure monitoring services in the answer area.

Answers


Explanation

Through activity logs, you can determine:

what operations were taken on the resources in your subscription

who started the operation

when the operation occurred

the status of the operation

the values of other properties that might help you research the operation

Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. With Service Map, you can view your servers in the way that you think of them: as interconnected systems that deliver critical services. Service Map shows connections between servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture, with no configuration required other than the installation of an agent.

Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It will automatically detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js, Java, and Python hosted on-premises, hybrid, or any public cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.


Question 8

You plan to deploy 200 Microsoft SQL Server databases to Azure by using Azure SQL Database and Azure SQL Database Managed Instance.

You need to recommend a monitoring solution that provides a consistent monitoring approach for all deployments. The solution must meet the following requirements:

Support current-state analysis based on metrics collected near real-time, multiple times per minute, and maintained for up to one hour

Support longer term analysis based on metrics collected multiple times per hour and maintained for up to two weeks.

Support monitoring of the number of concurrent logins and concurrent sessions.

What should you include in the recommendation?

Answers




Question 9

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

The members of App2Dev must be prevented from changing the role assignments in Azure.

The members of App2Dev must be able to create new Azure resources required by Application2.

All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: Create a new Azure subscription named Project2. Assign Project1admins the Owner role for the Project2 subscription. Assign App2Dev the Contributor role for the Project2 subscription.

Does this meet the goal?

Answers




Question 10

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

The members of App2Dev must be prevented from changing the role assignments in Azure.

The members of App2Dev must be able to create new Azure resources required by Application2.

All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: Create a new Azure subscription named Project2. Assign Project1admins the User Access Administrator role for the Project2 subscription. Assign App2Dev the Owner role for the Project2 subscription.

Does this meet the goal?

Answers




Question 11

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

The members of App2Dev must be prevented from changing the role assignments in Azure.

The members of App2Dev must be able to create new Azure resources required by Application2.

All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: In Project1, create a resource group named Application2RG. Assign Project1admins the Owner role for Application2RG. Assign App2Dev the Contributor role for Application2RG.

Does this meet the goal?

Answers


Explanation

You should use a separate subscription for Project2.



Question 12

You have an Azure subscription that contains a resource group named RG1.

You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.

You need to recommend a solution that meets the following requirements:

The researchers must be allowed to create Azure virtual machines.

The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: Create a lab in Azure DevTest Lab. Configure the DevTest Labs settings. Assign the DevTest Labs User role to the ResearchUsers group.

Does this meet the goal?

Answers


Explanation

Instead: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.



Question 13

You have an Azure subscription that contains a resource group named RG1.

You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.

You need to recommend a solution that meets the following requirements:

The researchers must be allowed to create Azure virtual machines.

The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: Create an Azure DevOps Project. Configure the DevOps Project settings.

Does this meet the goal?

Answers


Explanation

Instead: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.



Question 14

You have an Azure subscription that contains a resource group named RG1.

You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.

You need to recommend a solution that meets the following requirements:

The researchers must be allowed to create Azure virtual machines.

The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.

Does this meet the goal?

Answers




Question 15

A company named Contoso Ltd. has a single-domain Active Directory forest named contoso.com.

Contoso is preparing to migrate all workloads to Azure. Contoso wants users to use single sign-on (SSO) when they access cloud-based services that integrate with Azure Active Directory (Azure AD).

You need to identify any objects in Active Directory that will fail to synchronize to Azure AD due to formatting issues. The solution must minimize costs.

What should you include in the solution?

Answers




Question 16

Your company has an API that returns XML data to internal applications.

You plan to migrate the applications to Azure. You also plan to allow the company's partners to access the API.

You need to recommend an API management solution that meets the following requirements:

Internal applications must receive data in the JSON format once the applications migrate to Azure.

Partner applications must have their header information stripped before the applications receive the data.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Answers



Question 17

You have an Azure subscription.

You need to recommend a solution to provide developers with the ability to provision Azure virtual machines. The solution must meet the following requirements:

Only allow the creation of the virtual machines in specific regions.

Only allow the creation of specific sizes of virtual machines.

What should you include in the recommendation?

Answers




Question 18

Your company has 20 web APIs that were developed in-house.

The company is developing 10 web apps that will use the web APIs. The web apps and the APIs are registered in the company's Azure Active Directory (Azure AD) tenant. The web APIs are published by using Azure API Management.

You need to recommend a solution to block unauthorized requests originating from the web apps from reaching the web APIs. The solution must meet the following requirements:

Use Azure AD-generated claims.

Minimize configuration and management effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Answers




Question 19

You are designing an access policy for the sales department at your company.

Occasionally, the developers at the company must stop, start, and restart Azure virtual machines. The development team changes often.

You need to recommend a solution to provide the developers with the required access to the virtual machines. The solution must meet the following requirements:

Provide permissions only when needed.

Use the principle of least privilege.

Minimize costs.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Answers




Question 20

Your network contains an on-premises Active Directory forest.

You discover that when users change jobs within your company, the memberships of the user groups are not being updated. As a result, the users can access resources that are no longer relevant to their job.

You plan to integrate Active Directory and Azure Active Directory (Azure AD) by using Azure AD Connect.

You need to recommend a solution to ensure that group owners are emailed monthly about the group memberships they manage.

What should you include in the recommendation?

Answers


Explanation

What are Azure AD access reviews? https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview



Question 21

You are designing a software as a service (SaaS) application that will enable Azure Active Directory (Azure AD) users to create and publish surveys. The SaaS application will have a front-end web app and a back-end web API. The web app will rely on the web API to handle updates to customer surveys.

You need to design an authorization flow for the SaaS application. The solution must meet the following requirements:

To access the back-end web API, the web app must authenticate by using OAuth 2 bearer tokens.

The web app must authenticate by using the identities of individual users.

What should you include in the solution? To answer, select the appropriate options in the answer area.

Answers



Question 22

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity. The solution must meet the following requirements:

Ensure that the applications can authenticate only when running on the 10 virtual machines.

Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Answers



Question 23

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

Answers



Question 24

You have a hybrid deployment of Azure Active Directory (Azure AD).

You need to recommend a solution to ensure that the Azure AD tenant can be managed only from the computers on your on-premises network.

What should you include in the recommendation?

Answers




Question 25

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains two administrative user accounts named Admin1 and Admin2.

You create two Azure virtual machines named VM1 and VM2.

You need to ensure that Admin1 and Admin2 are notified when more than five events are added to the security log of VM1 or VM2 during a period of 120 seconds.

The solution must minimize administrative tasks.

What should you create?

Answers




Question 26

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains several administrative user accounts.

You need to recommend a solution to identify which administrative user accounts have NOT signed in during the previous 30 days.

Which service should you include in the recommendation?

Answers




Question 27

Your organization has developed and deployed several Azure App Service Web and API applications. The applications use Azure Key Vault to store several authentication, storage account, and data encryption keys. Several departments have the following requests to support the applications:

You need to recommend the appropriate Azure service for each department request.

What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area.

Answers




Question 28

You manage a single-domain, on-premises Active Directory forest named contoso.com. The forest functional level is Windows Server 2016.

You have several on-premises applications that depend on Active Directory.

You plan to migrate the applications to Azure.

You need to recommend an identity solution for the applications. The solution must meet the following requirements:

Eliminate the need for hybrid network connectivity.

Minimize management overhead for Active Directory.

What should you recommend?

Answers




Question 29

You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.

Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.

You identify the following requirements for Application2:

The members of App2Dev must be prevented from changing the role assignments in Azure.

The members of App2Dev must be able to create new Azure resources required by Application2.

All the required role assignments for Application2 will be performed by the members of Project1admins.

You need to recommend a solution for the role assignments of Application2.

Solution: In Project1, create a network security group (NSG) named NSG1. Assign Project1admins the Owner role for NSG1. Assign the App2Dev the Contributor role for NSG1.

Does this meet the goal?

Answers


Explanation

You should use a separate subscription for Project2.



Question 30

You manage a network that includes an on-premises Active Directory Domain Services domain and an Azure Active Directory (Azure AD).

Employees are required to use different accounts when using on-premises or cloud resources. You must recommend a solution that lets employees sign in to all company resources by using a single account. The solution must implement an identity provider.

You need to provide guidance on the different identity providers.

How should you describe each identity provider? To answer, select the appropriate description from each list in the answer area.

Answers


Explanation

Box1: User management occurs on-premises. Azure AD authenticates employees by using on-premises passwords.

Azure AD Domain Services for hybrid organizations

Organizations with a hybrid IT infrastructure consume a mix of cloud resources and on-premises resources. Such organizations synchronize identity information from their on-premises directory to their Azure AD tenant. As hybrid organizations look to migrate more of their on-premises applications to the cloud, especially legacy directory-aware applications, Azure AD Domain Services can be useful to them.

Example: Litware Corporation has deployed Azure AD Connect, to synchronize identity information from their on-premises directory to their Azure AD tenant. The identity information that is synchronized includes user accounts, their credential hashes for authentication (password hash sync) and group memberships.

User accounts, group memberships, and credentials from Litware's on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the managed domain.

Box 2: User management occurs on-premises. The on-premises domain controller authenticates employee credentials.

You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises.


Question 31

You have an Azure subscription that contains a resource group named RG1.

You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.

You need to recommend a solution that meets the following requirements:

The researchers must be allowed to create Azure virtual machines.

The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.

Solution: On RG1, assign a custom role-based access control (RBAC) role to the ResearchUsers group.

Does this meet the goal?

Answers


Explanation

Instead: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.



Question 32

A company deploys Azure Active Directory (Azure AD) Connect to synchronize identity information from their on-premises Active Directory Domain Services (AD DS) directory to their Azure AD tenant. The identity information that is synchronized includes user accounts, credential hashes for authentication (password sync), and group membership. The company plans to deploy several Windows and Linux virtual machines (VMs) to support their applications.

The VMs have the following requirements:

Support domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

Allow users to sign in to the domain using their corporate credentials and connect remotely to the VM by using Remote Desktop.

You need to support the VM deployment.

Which service should you use?

Answers


Explanation

Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.


Question 33

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use the Azure traffic analytics solution in Azure Log Analytics to analyze the network traffic.

Does the solution meet the goal?

Answers


Explanation

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.


Question 34

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Does the solution meet the goal?

Answers


Explanation

The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.

Note:

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.



Question 35

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Install and configure the Log Analytics and Dependency Agents on all VMs. Use the Wire Data solution in Azure Log Analytics to analyze the network traffic.

Does the solution meet the goal?

Answers


Explanation

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.



Question 36

A company plans to implement an HTTP-based API to support a web app. The web app allows customers to check the status of their orders.

The API must meet the following requirements:

Implement Azure Functions

Provide public read-only operations

Do not allow write operations

You need to recommend configuration options.

What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area.

Answers


Explanation

Allowed authentication methods: GET only

Authorization level: Anonymous

The option is Allow Anonymous requests. This option turns on authentication and authorization in App Service, but defers authorization decisions to your application code. For authenticated requests, App Service also passes along authentication information in the HTTP headers.

This option provides more flexibility in handling anonymous requests.


Question 37

Your network contains an on-premises Active Directory forest named contoso.com. The forest is synced to an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure AD Domain Services (Azure AD DS) domain named contoso-aad.com.

You have an Azure Storage account named Storage1 that contains a file share named Share1.

You configure NTFS permissions on Share1. You plan to deploy a virtual machine that will be used by several users to access Share1.

You need to ensure that the users can access Share1.

Which type of virtual machine should you deploy?

Answers


Explanation

You join the Windows Server virtual machine to the Azure AD DS-managed domain, here named contoso-aad.com.

Note: Azure Files supports identity-based authentication over SMB (Server Message Block) (preview) through Azure Active Directory (Azure AD) Domain Services. Your domain-joined Windows virtual machines (VMs) can access Azure file shares using Azure AD credentials.

Incorrect Answers:

Azure AD authentication over SMB is not supported for Linux VMs for the preview release. Only Windows Server VMs are supported.


Question 38

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016.

Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution: Deploy one Azure Key Vault to each region. Create two Azure AD service principals. Configure the virtual machines to use Azure Disk Encryption and specify a different service principal for the virtual machines in each region.

Does this meet the goal?

Answers


Explanation

You would also have to import the security keys from the HSM into each Azure key vault.


Question 39

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016.

Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution: Export a security key from the on-premises HSM. Create one Azure AD service principal. Configure the virtual machines to use Azure Storage Service Encryption.

Does this meet the goal?

Answers


Explanation

We use the Azure Premium Key Vault with Hardware Security Modules (HSM) backed keys.

The Key Vault has to be in the same region as the VM that will be encrypted.


Question 40

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016.

Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution:

Deploy one Azure key vault to each region

Export two security keys from the on-premises HSM

Import the security keys from the HSM into each Azure key vault

Create two Azure AD service principals

Configure the virtual machines to use Azure Disk Encryption

Specify a different service principal for the virtual machines in each region

Does this meet the goal?

Answers


Explanation

We use the Azure Premium Key Vault with Hardware Security Modules (HSM) backed keys.

The Key Vault has to be in the same region as the VM that will be encrypted.

Note: If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM.


Question 41

Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.

Several VMs are exhibiting network connectivity issues.

You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.

Solution: Use Azure Advisor to analyze the network traffic.

Does the solution meet the goal?

Answers


Explanation

Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.

Note: Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.

With Advisor, you can:

Get proactive, actionable, and personalized best practices recommendations.

Improve the performance, security, and high availability of your resources, as you identify opportunities to reduce your overall Azure spend.

Get recommendations with proposed actions inline.


Question 42

Your network contains an Active Directory domain named contoso.com that is federated to an Azure Active Directory (Azure AD) tenant. The on-premises domain contains a VPN server named Server1 that runs Windows Server 2016.

You have a single on-premises location that uses an address space of 172.16.0.0/16.

You need to implement two-factor authentication for users who establish VPN connections to Server1.

What should you include in the implementation?

Answers


Explanation

You need to download, install and configure the MFA Server.


Question 43

You configure the Diagnostics settings for an Azure SQL database as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers




Question 44

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

You need to enable single sign-on (SSO) for company users.

Solution: Install and configure an Azure AD Connect server to use password hash synchronization and select the Enable single sign-on option.

Does the solution meet the goal?

Answers




Question 45

You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan.

You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:

To the manager of the developers, send a monthly email message that lists the access permissions to Application1.

If the manager does not verify an access permission, automatically revoke that permission.

Minimize development effort.

What should you recommend?

Answers




Question 46

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

You need to enable single sign-on (SSO) for company users.

Solution: Install and configure an Azure AD Connect server to use pass-through authentication and select the Enable single sign-on option.

Does the solution meet the goal?

Answers




Question 47

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

You need to enable single sign-on (SSO) for company users.

Solution: Configure an AD DS server in an Azure virtual machine (VM). Configure bidirectional replication.

Does the solution meet the goal?

Answers




Question 48

You are building an application that will run in a virtual machine (VM). The application will use Managed Service Identity (MSI).

The application uses Azure Key Vault, Azure SQL Database, and Azure Cosmos DB.

You need to ensure the application can use secure credentials to access these services.

Which authorization methods should you recommend? To answer, select the appropriate options in the answer area.

Answers



Question 49

You are designing a security solution for a company's Azure Active Directory (Azure AD). The company currently uses Azure AD Premium for all employees.

Contractors will periodically access the corporate network based on demand.

You must ensure that all employees and contractors are required to log on by using two-factor authentication. The solution must minimize costs.

You need to recommend a solution.

What should you recommend?

Answers




Question 50

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: Create an Access Review for Group1.

Does this solution meet the goal?

Answers




Question 51

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: You implement an access package.

Does this solution meet the goal?

Answers




Question 52

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: Implement Azure AD Privileged Identity Management.

Does this solution meet the goal?

Answers




Question 53

Your company has several Azure subscriptions that are part of a Microsoft Enterprise Agreement.

The company's compliance team creates automatic alerts by using Azure Monitor.

You need to recommend a solution to apply the alerts automatically when new subscriptions are added to the Enterprise Agreement.

What should you include in the recommendation?

Answers




Question 54

You store web access logs data in Azure Blob storage.

You plan to generate monthly reports from the access logs.

You need to recommend an automated process to upload the data to Azure SQL Database every month.

What should you include in the recommendation?

Answers




Question 55

Your company has the offices shown in the following table.

The network contains an Active Directory domain named contoso.com that is synced to Azure Active Directory (Azure AD).

All users connect to an application hosted in Microsoft 365.

You need to recommend a solution to ensure that all the users use Azure Multi-Factor Authentication (MFA) to connect to the application from one of the offices.

What should you include in the recommendation?

Answers




Question 56

You have an Azure subscription that contains 300 Azure virtual machines that run Windows Server 2016.

You need to centrally monitor all warning events in the System logs of the virtual machines.

What should you include in the solutions? To answer, select the appropriate options in the answer area.

Answers



Question 57

You are developing a sales application that will contain several Azure cloud services and will handle different components of a transaction. Different cloud services will process customer orders, billing, payment, inventory, and shipping.

You need to recommend a solution to enable the cloud services to asynchronously communicate transaction information by using REST messages.

What would you include in the recommendation?

Answers




Question 58

You have an Azure subscription that contains an Azure Cosmos DB account.

You need to recommend a solution to generate an alert from Azure Log Analytics when a request charge for a query exceeds 50 request units more than 20 times within a 15-minute window.

What should you recommend?

Answers




Question 59

You are designing a data protection strategy for Azure virtual machines. All the virtual machines are in the Standard tier and use managed disks.

You need to recommend a solution that meets the following requirements:

The use of encryption keys is audited.

All the data is encrypted at rest always.

You manage the encryption keys, not Microsoft.

What should you include in the recommendation?

Answers



Question 60

You have 100 servers that run Windows Server 2012 R2 and host Microsoft SQL Server 2012 R2 instances. The instances host databases that have the following characteristics:

The largest database is currently 3 TB. None of the databases will ever exceed 4 TB.

Stored procedures are implemented by using CLR.

You plan to move all the data from SQL Server to Azure.

You need to recommend an Azure service to host the databases. The solution must meet the following requirements:

Whenever possible, minimize management overhead for the migrated databases.

Minimize the number of database changes required to facilitate the migration.

Ensure that users can authenticate by using their Active Directory credentials.

What should you include in the recommendation?

Answers


Explanation

Part of the Azure SQL product family, Azure SQL Managed Instance is the intelligent, scalable cloud database service that combines the broadest SQL Server database engine compatibility with all the benefits of a fully managed and evergreen platform as a service. SQL Managed Instance has near 100% compatibility with the latest SQL Server (Enterprise Edition) database engine, providing a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for existing SQL Server customers. SQL Managed Instance allows existing SQL Server customers to lift and shift their on-premises applications to the cloud with minimal application and database changes. At the same time, SQL Managed Instance preserves all PaaS capabilities (automatic patching and version updates, automated backups, high availability) that drastically reduce management overhead and TCO.


Question 61

You are designing a virtual machine that will run Microsoft SQL Server and will contain two data disks. The first data disk will store log files, and the second data disk will store data. Both disks are P40 managed disks.

You need to recommend a caching policy for each disk. The policy must provide the best overall performance for the virtual machine.

Which caching policy should you recommend for each disk?

Answers



Question 62

You plan to create an Azure Cosmos DB account that uses the SQL API. The account will contain data added by a web application. The web application will send data daily.

You need to recommend a notification solution that meets the following requirements:

Sends email notification when data is received from IoT devices.

Minimizes compute cost.

What should you include in the recommendation?

Answers




Question 63

You have Azure virtual machines that run a custom line-of-business web application.

You plan to use a third-party solution to parse event logs from the virtual machines stored in an Azure storage account.

You need to recommend a solution to save the event logs from the virtual machines to the Azure Storage account. The solution must minimize costs and complexity.

What should you include in the recommendation?

Answers



Question 64

You are planning an Azure solution that will host production databases for a high-performance application. The solution will include the following components:

Two virtual machines that will run Microsoft SQL Server 2016, will be deployed to different data centers in the same Azure region, and will be part of an Always On availability group.

SQL Server data that will be backed up by using the Automated Backup feature of the SQL Server IaaS Agent Extension (SQLIaaSExtension)

You identify the storage priorities for various data types as shown in the following table.

Which storage type should you recommend for each data type?

Answers




Question 65

Your company deploys several Linux and Windows virtual machines (VMs) to Azure. The VMs are deployed with the Microsoft Dependency Agent and the Log Analytics Agent installed by using Azure VM extensions. On-premises connectivity has been enabled by using Azure ExpressRoute.

You need to design a solution to monitor the VMs.

Which Azure monitoring services should you use?

Answers


Explanation

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With traffic analytics, you can:

Identify security threats to, and secure your network, with information such as open-ports, applications attempting internet access, and virtual machines (VM) connecting to rogue networks.

Visualize network activity across your Azure subscriptions and identify hot spots.

Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and capacity.

Pinpoint network misconfigurations leading to failed connections in your network.

Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. With Service Map, you can view your servers in the way that you think of them: as interconnected systems that deliver critical services. Service Map shows connections between servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture, with no configuration required other than the installation of an agent.


Question 66

You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases.

You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting.

Solution: Create a resource group for each resource type. Assign tags to each resource group.

Does this meet the goal?

Answers


Explanation

Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.


Question 67

You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases.

You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting.

Solution: Place all resources in the same resource group. Assign tags to each resource.

Does this meet the goal?

Answers


Explanation

Instead, create a resource group for each resource type. Assign tags to each resource.

Note: Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.


Question 68

You are designing an Azure solution for a company that has four departments. Each department will deploy several Azure app services and Azure SQL databases.

You need to recommend a solution to report the costs for each department to deploy the app services and the databases. The solution must provide a consolidated view for cost reporting.

Solution: Create a new subscription for each department.

Does this meet the goal?

Answers


Explanation

Instead, create a resource group for each resource type. Assign tags to each resource.

Note: Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.


Question 69

You plan to deploy logical Azure SQL Database servers to the East US Azure region and the West US Azure region. Each server will contain 20 databases. Each database will be accessed by a different user who resides in a different on-premises location. The databases will be configured to use active geo-replication.

You need to recommend a solution that meets the following requirements:

Restricts user access to each database

Restricts network access to each database based on each user's respective location

Ensures that the databases remain accessible from client applications if the local Azure region fails

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Answers




Question 70

You plan to deploy the backup policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers


Explanation

Change the access tier:

If you are going to download an archived file an error will be returned:


Question 71

You plan to use Azure Site Recovery to protect several on-premises physical server workloads. Each server workload is independent of the other. The workloads are stateless.

You need to recommend a failover strategy to ensure that if the on-premises data center fails, the workloads are available in Azure as quickly as possible.

Which failover strategy should you include in the recommendation?

Answers



Question 72

Your company identifies the following business continuity and disaster recovery objectives for virtual machines that host sales, finance, and reporting applications in the company's on-premises data center:

The finance application requires that data be retained for seven years. In the event of a disaster, the application must be able to run from Azure. The recovery time objective (RTO) is 10 minutes.

The reporting application must be able to recover point-in-time data at a daily granularity. The RTO is eight hours.

The sales application must be able to fail over to a second on-premises data center.

You need to recommend which Azure services meet the business continuity and disaster recovery objectives. The solution must minimize costs.

Answers




Question 73

You plan to move a web application named App1 from an on-premises data center to Azure.

App1 depends on a custom COM component that is installed on the host server.

You need to recommend a solution to host App1 in Azure. The solution must meet the following requirements:

App1 must be available to users if an Azure data center becomes unavailable.

Costs must be minimized.

What should you include in the recommendation?

Answers




Question 74

You plan to deploy a payroll system to Azure. The payroll system will use Azure virtual machines that run SUSE Linux Enterprise Server and Windows.

You need to recommend a business continuity solution for the payroll system. The solution must meet the following requirements:

Minimize costs.

Provide business continuity if an Azure region fails.

Provide a recovery time objective (RTO) of 120 minutes.

Provide a recovery point objective (RPO) of five minutes.

What should you include in the recommendation?

Answers


Explanation

If your storage account has GRS enabled, then your data is durable even in the case of a complete regional outage or a disaster in which the primary region isn't recoverable.

Note: The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.


Question 75

The accounting department at your company migrates to a new financial accounting software. The accounting department must keep file-based database backups for seven years for compliance purposes. It is unlikely that the backups will be used to recover data.

You need to move the backups to Azure. The solution must minimize costs.

Where should you store the backups?

Answers




Question 76

Your company has two on-premises sites in New York and Los Angeles and Azure virtual networks in the East US Azure region and the West US Azure region.

Each on-premises site has Azure ExpressRoute circuits to both regions.

You need to recommend a solution that meets the following requirements:

Outbound traffic to the Internet from workloads hosted on the virtual networks must be routed through the closest available on-premises site.

If an on-premises site fails, traffic from the workloads on the virtual networks to the Internet must reroute automatically to the other site.

What should you include in the recommendation?

Answers



Question 77

You plan to store data in Azure Blob storage for many years. The stored data will be accessed rarely.

You need to ensure that the data in Blob storage is always available for immediate access. The solution must minimize storage costs.

Which storage tier should you use?

Answers


Explanation

Azure cool tier is equivalent to the Amazon S3 Infrequent Access (S3-IA) storage in AWS that provides low-cost, high-performance storage for infrequently accessed data.

Note: Azure's cool storage tier, also known as Azure cool Blob storage, is for infrequently-accessed data that needs to be stored for a minimum of 30 days.

Typical use cases include backing up data before tiering to archival systems, legal data, media files, system audit information, datasets used for big data analysis and more.

The storage cost for this Azure cold storage tier is lower than that of hot storage tier. Since it is expected that the data stored in this tier will be accessed less frequently, the data access charges are high when compared to hot tier. There are no additional changes required in your applications as these tiers can be accessed using APIs in the same manner that you access Azure storage.

Incorrect Answers:

Even though Azure archive storage offers the lowest cost in terms of data storage, its data retrieval charges are higher than that of hot and cool tiers. In fact, the data in the archive tier remains offline until the tier of the data is changed using a process called hydration. The process of hydrating data in the archive storage tier and moving it to either hot or cool tier could take up to 15 hours and, hence, it is only intended for data that can afford that kind of access delay.

The storage cost for this Azure cold storage tier is lower than that of hot storage tier.


Question 78

You have a virtual machine scale set named SS1.

You configure autoscaling as shown in the following exhibit.

You configure the scale out and scale in rules to have a duration of 10 minutes and a cool down time of 10 minutes.

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.

Answers


Explanation

Box 1: 20 Minutes. 10 minutes cool down time after the last scale-up plus 10 minutes duration equals 20 minutes.

Box 2: 9 virtual machines. 30% does not match the scale in requirement of less than 25% so the number of virtual machines will not change.



Question 79

You have 20 Azure virtual machines that run Windows Server 2016 based on a custom virtual machine image. Each virtual machine hosts an instance of a VSS-capable web app that was developed in-house. Each instance is accessed by using a public endpoint. Each instance uses a separate database. The average database size is 200 GB.

You need to design a disaster recovery solution for individual instances. The solution must meet the following requirements:

Provide a recovery time objective (RTO) of six hours

Provide a recovery point objective (RPO) of eight hours

Support recovery to a different Azure region

Support VSS-based backups

Minimize costs

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Answers




Question 80

You plan to deploy the backup policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers




Question 81

You have databases in Azure as shown in the following table.

You are designing a data retention policy.

You need to identify which databases can retain a daily backup for up to 35 days and which databases can retain monthly backups for up to 120 months.

Which databases should you identify?

Answers




Question 82

You plan to import data from your on-premises environment into Azure. The data is shown in the following table.

What should you recommend using to migrate the data?

Answers




Question 83

You have an on-premises deployment of MongoDB.

You plan to migrate MongoDB to an Azure Cosmos DB account that uses the MongoDB API.

You need to recommend a solution for migrating MongoDB to Azure Cosmos DB.

What should you include in the recommendation?

Answers



Question 84

Your company plans to publish APIs for its services by using Azure API Management.

You discover that service responses include the AspNet-Version header.

You need to recommend a solution to remove AspNet-Version from the response of the published APIs.

What should you include in the recommendation?

Answers




Question 85

Your company has 300 virtual machines hosted in a VMware environment. The virtual machines vary in size and have various utilization levels.

You plan to move all the virtual machines to Azure.

You need to recommend how many and what size Azure virtual machines will be required to move the current workloads to Azure. The solution must minimize administrative effort.

What should you use to make the recommendation?

Answers




Question 86

You are designing an Azure solution for a company that wants to move a .NET Core web application from an on-premises data center to Azure. The web application relies on a Microsoft SQL Server 2016 database on Windows Server 2016. The database server will not move to Azure.

A separate networking team is responsible for configuring network permissions.

The company uses Azure ExpressRoute and has an ExpressRoute gateway connected to an Azure virtual network named VNET1.

You need to recommend a solution for deploying the web application.

Solution:

Deploy the web application to a web app hosted in a Standard App Service plan. Create and configure an Azure App Service Hybrid Connections endpoint.

On the on-premises network, deploy the Hybrid Connection Manager. Configure the Hybrid Connection Manager to access both the Hybrid Connection endpoint and the SQL Server instance.

Does this meet the goal?

Answers


Explanation

Instead, use VNet Integration.

Note: VNet Integration gives your web app access to resources in your virtual network. VNet Integration is often used to enable access from apps to databases and web services running in your VNet.


Question 87

A company has custom ASP.NET and Java applications that run old versions of Windows and Linux. The company plans to place applications in containers.

You need to design a solution that includes networking, service discovery, and load balancing for the applications. The solution must support storage orchestration.

Solution: You create an Azure virtual network, public IP address, and load balancer. Then add virtual machines (VMs) to the solution and deploy individual containers on them.

Does the solution meet the goal?

Answers


Explanation

Instead you should deploy each application to an Azure Container instance.

Note: Docker Containers are the global standard and are natively supported in Azure, offering enterprises an interesting and flexible way to migrate legacy apps for both future proofing and cost benefits.


Question 88

A company has custom ASP.NET and Java applications that run old versions of Windows and Linux. The company plans to place applications in containers.

You need to design a solution that includes networking, service discovery, and load balancing for the applications. The solution must support storage orchestration.

Solution: Deploy a Kubernetes cluster that has the desired number of instances of the applications.

Does the solution meet the goal?

Answers


Explanation

Instead you should deploy each application to an Azure Container instance.

Note: Docker Containers are the global standard and are natively supported in Azure, offering enterprises an interesting and flexible way to migrate legacy apps for both future proofing and cost benefits.


Question 89

A company has custom ASP.NET and Java applications that run old versions of Windows and Linux. The company plans to place applications in containers.

You need to design a solution that includes networking, service discovery, and load balancing for the applications. The solution must support storage orchestration.

Solution: You deploy each application to an Azure Container instance.

Does the solution meet the goal?

Answers


Explanation

Docker Containers are the global standard and are natively supported in Azure, offering enterprises an interesting and flexible way to migrate legacy apps for both future proofing and cost benefits.

Containers are modular and portable. Docker containers are supported on any server operating system (Linux and Windows), in any major public cloud (Microsoft Azure, Amazon AWS, Google, IBM), and in on-premises and private or hybrid cloud environments.


Question 90

You have a web application that uses a MongoDB database. You plan to migrate the web application to Azure.

You must migrate to Cosmos DB while minimizing code and configuration changes.

You need to design the Cosmos DB configuration.

What should you recommend? To answer, select the appropriate values in the answer area.

Answers


Explanation

MongoDB compatibility: API

API: MongoDB API

Azure Cosmos DB comes with multiple APIs:

SQL API, a JSON document database service that supports SQL queries. This is compatible with the former Azure DocumentDB.

MongoDB API, compatible with existing MongoDB libraries, drivers, tools and applications.

Cassandra API, compatible with existing Apache Cassandra libraries, drivers, tools, and applications.

Azure Table API, a key-value database service compatible with existing Azure Table Storage.

Gremlin (graph) API, a graph database service supporting Apache Tinkerpop's graph traversal language, Gremlin.


Question 91

You manage an application instance. The application consumes data from multiple databases. Application code references database tables using a combination of the server, database, and table name.

You need to migrate the application instance to Azure.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers


Explanation

Access your SQL Server data seamlessly regardless of whether it's on-premises or stretched to the cloud. You set the policy that determines where data is stored, and SQL Server handles the data movement in the background. The entire table is always online and queryable. And, Stretch Database doesn't require any changes to existing queries or applications - the location of the data is completely transparent to the application.

The managed instance deployment model is designed for customers looking to migrate a large number of apps from on-premises or IaaS, self-built, or ISV provided environment to fully managed PaaS cloud environment, with as low migration effort as possible. Using the fully automated Data Migration Service (DMS) in Azure, customers can lift and shift their on-premises SQL Server to a managed instance that offers compatibility with SQL Server on-premises and complete isolation of customer instances with native VNet support.


Question 92

You have 100 Microsoft SQL Server Integration Services (SSIS) packages that are configured to use 10 on-premises SQL Server databases as their destinations.

You plan to migrate the 10 on-premises databases to Azure SQL Database.

You need to recommend a solution to host the SSIS packages in Azure. The solution must ensure that the packages can target the SQL Database instances as their destinations.

What should you include in the recommendation?

Answers




Question 93

A company has custom ASP.NET and Java applications that run on old versions of Windows and Linux. The company plans to place applications in containers.

You need to design a solution that includes networking, service discovery, and load balancing for the applications. The solution must support storage orchestration.

Solution: You deploy each application to an Azure Web App that has container support.

Does the solution meet the goal?

Answers




Question 94

Your company develops a web service that is deployed to an Azure virtual machine named VM1. The web service allows an API to access real-time data from VM1.

The current virtual machine deployment is shown in the Deployment exhibit. (Click the Deployment tab).

The chief technology officer (CTO) sends you the following email message: "Our developers have deployed the web service to a virtual machine named VM1. Testing has shown that the API is accessible from VM1 and VM2. Our partners must be able to connect to the API over the Internet. Partners will use this data in applications that they develop".

You deploy an Azure API Management (APIM) service. The relevant API Management configuration is shown in the API exhibit. (Click the API tab).

Choose all that apply:

Answers



Question 95

You have the application architecture shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Answers



Question 96

You are designing a solution for a stateless front-end application named Application1. Application1 will be hosted on two Azure virtual machines named VM1 and VM2.

You plan to load balance connections to VM1 and VM2 from the Internet by using one Azure load balancer.

You need to recommend the minimum number of required public IP addresses.

How many public IP addresses should you recommend using for each resource? To answer, select the appropriate options in the answer area.

Answers




Question 97

You need to recommend a data storage solution that meets the following requirements:

Ensures that applications can access the data by using a REST connection

Hosts 20 independent tables of varying sizes and usage patterns

Automatically replicates the data to a second Azure region

Minimizes costs

What should you recommend?

Answers




Question 98

You deploy two instances of an Azure web app. One instance is in the East US Azure region and the other instance is in the West US Azure region. The web app uses Azure Blob storage to deliver large files to end users.

You need to recommend a solution for delivering the files to the users. The solution must meet the following requirements:

Ensure that the users receive files from the same region as the web app that they access.

Ensure that the files only need to be updated once.

Minimize costs.

What should you include in the recommendation?

Answers




Question 99

Your company has an on-premises Windows HPC cluster. The cluster runs an intrinsically parallel, compute-intensive workload that performs financial risk modelling.

You plan to migrate the workload to Azure Batch.

You need to design a solution that will support the workload. The solution must meet the following requirements:

Support the large-scale parallel execution of Azure Batch jobs.

Minimize cost.

What should you include in the solution?

Answers



Question 100

Your company has users who work remotely from laptops.

You plan to move some of the applications accessed by the remote users to Azure virtual machines. The users will access the applications in Azure by using a point-to-site VPN connection. You will use certificates generated from an on-premises-based certification authority (CA).

You need to recommend which certificates are required for the deployment.

What should you include in the recommendation?

Answers




Question 101

You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016 and Linux.

You need to use Azure Log Analytics to design an alerting strategy for security-related events.

Which Log Analytics tables should you query?

Answers



Question 102

You have the network topology shown in the following exhibit.

You have a user-defined route that has a default route of 0.0.0.0/0 and the next hop set to the network virtual appliance.

You configure the Azure Storage account to use virtual network service endpoints.

Choose all that apply:

Answers



Question 103

You are designing a container solution in Azure that will include two containers. One container will host a web API that will be available to the public. The other container will perform health monitoring of the web API and will remain private. The two containers will be deployed together as a group.

You need to recommend a compute service for the containers. The solution must minimize costs and maintenance overhead.

What should you include in the recommendation?

Answers



Question 104

Your company has three branch offices and an Azure subscription. Each branch office contains a Hyper-V host that hosts application servers.

You need to recommend a storage solution for the branch offices. The solution must ensure that the application servers can connect to a central storage device by using iSCSI connections. Data saved to the iSCSI storage device from the application servers must be uploaded to Azure automatically.

Which components should you include in the recommendation?

Answers



Question 105

You have an on-premises network that uses an IP address space of 172.16.0.0/16.

You plan to deploy 25 virtual machines to a new Azure subscription.

You identify the following technical requirements:

All Azure virtual machines must be placed on the same subnet named Subnet1.

All the Azure virtual machines must be able to communicate with all on-premises servers.

The servers must be able to communicate between the on-premises network and Azure by using a site-to-site VPN.

You need to recommend a subnet design that meets the technical requirements.

What should you include in the recommendation?

Answers




Question 106

You are migrating an on-premises application to Azure. One component of the application is a legacy Windows native executable that performs image processing.

The image processing application must run every hour. During times that the image processing application is not running, it should not be consuming any Azure compute resources.

You need to ensure that the image processing application runs correctly every hour.

Solution: Create an Azure WebJob that runs the image processing application every hour.

Does the solution meet the goal?

Answers


Explanation

Instead, use Azure Logic Apps, which helps you automate workflows that run on a schedule.


Question 107

You are migrating an on-premises application to Azure. One component of the application is a legacy Windows native executable that performs image processing.

The image processing application must run every hour. During times that the image processing application is not running, it should not be consuming any Azure compute resources.

You need to ensure that the image processing application runs correctly every hour.

Solution: Create an Azure Function to run the image processing application every hour.

Does the solution meet the goal?

Answers


Explanation

Instead, use Azure Logic Apps, which helps you automate workflows that run on a schedule.


Question 108

You are migrating an on-premises application to Azure. One component of the application is a legacy Windows native executable that performs image processing.

The image processing application must run every hour. During times that the image processing application is not running, it should not be consuming any Azure compute resources.

You need to ensure that the image processing application runs correctly every hour.

Solution: Create a Logic App to run the image processing application every hour.

Does the solution meet the goal?

Answers


Explanation

Azure Logic Apps helps you automate workflows that run on a schedule.


Question 109

You are designing an Azure solution for a company that wants to move a .NET Core web application from an on-premises data center to Azure. The web application relies on a Microsoft SQL Server 2016 database on Windows Server 2016. The database server will not move to Azure.

A separate networking team is responsible for configuring network permissions.

The company uses Azure ExpressRoute and has an ExpressRoute gateway connected to an Azure virtual network named VNET1.

You need to recommend a solution for deploying the web application.

Solution: Deploy the web application to a web app hosted in a Premium App Service plan. Configure VNET Integration for the App Service plan.

Does this meet the goal?

Answers


Explanation

VNet Integration gives your web app access to resources in your virtual network. VNet Integration is often used to enable access from apps to databases and web services running in your VNet.


Question 110

You are designing an Azure solution for a company that wants to move a .NET Core web application from an on-premises data center to Azure. The web application relies on a Microsoft SQL Server 2016 database on Windows Server 2016. The database server will not move to Azure.

A separate networking team is responsible for configuring network permissions.

The company uses Azure ExpressRoute and has an ExpressRoute gateway connected to an Azure virtual network named VNET1.

You need to recommend a solution for deploying the web application.

Solution: Deploy the web application by using an Azure Kubernetes Service (AKS) container on VNET1.

Does this meet the goal?

Answers


Explanation

Instead, use VNet Integration.

Note: VNet Integration gives your web app access to resources in your virtual network. VNet Integration is often used to enable access from apps to databases and web services running in your VNet.


Question 111

You are designing an Azure solution for a company that wants to move a .NET Core web application from an on-premises data center to Azure. The web application relies on a Microsoft SQL Server 2016 database on Windows Server 2016. The database server will not move to Azure.

A separate networking team is responsible for configuring network permissions.

The company uses Azure ExpressRoute and has an ExpressRoute gateway connected to an Azure virtual network named VNET1.

You need to recommend a solution for deploying the web application.

Solution: Deploy the web application to a web app hosted in an isolated App Service plan on VNET1.

Does this meet the goal?

Answers


Explanation

Instead, use VNet Integration.

Note: VNet Integration gives your web app access to resources in your virtual network. VNet Integration is often used to enable access from apps to databases and web services running in your VNet.


Question 112

You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements:

Provide access to the full .NET framework.

Provide redundancy if an Azure region fails.

Grant administrators access to the operating system to install custom application dependencies.

Solution: You deploy a virtual machine scale set that uses autoscaling.

Does this meet the goal?

Answers


Explanation

Instead, you should deploy an Azure virtual machine to two Azure regions, and you create a Traffic Manager profile.



Question 113

You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements:

Provide access to the full .NET framework.

Provide redundancy if an Azure region fails.

Grant administrators access to the operating system to install custom application dependencies.

Solution: You deploy an Azure virtual machine to two Azure regions, and you create a Traffic Manager profile.

Does this meet the goal?

Answers




Question 114

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements:

Provide access to the full .NET framework.

Provide redundancy if an Azure region fails.

Grant administrators access to the operating system to install custom application dependencies.

Solution: You deploy an Azure virtual machine to two Azure regions, and you deploy an Azure Application Gateway.

Does this meet the goal?

Answers


Explanation

You deploy an Azure virtual machine to two Azure regions, but also create a Traffic Manager profile.



Question 115

You plan to deploy an API by using Azure API Management.

You need to recommend a solution to protect the API from a distributed denial of service (DDoS) attack.

What should you recommend?

Answers




Question 116

You manage on-premises networks and Azure virtual networks.

You need a secure private connection between the on-premises networks and the Azure virtual networks. The connection must offer a redundant pair of cross connections to provide high availability.

What should you recommend?

Answers




Question 117

An organization has an on-premises server that runs Windows Server 2003. The server hosts an IIS-based stateless web application that uses forms authentication. The application consists of classic Active Server Pages (ASP) pages and third-party components (DLLs) that are registered in the Windows registry.

The deployment process for the web application is manual and is prone to errors. The deployment process makes it difficult to roll out updates, scale out, and recover after failures.

You need to design a modernization approach for the web application that meets the following requirements:

Improve the deployment process.

Ensure that the application can run in the cloud.

Minimize changes to application code.

Minimize administrative effort required to implement the modernization solution.

What should you recommend?

Answers




Question 118

You use a virtual network to extend an on-premises IT environment into the cloud. The virtual network has two virtual machines (VMs) that store sensitive data.

The data must only be available using internal communication channels. Internet access to those VMs is not permitted.

You need to ensure that the VMs cannot access the Internet.

Which two options should you recommend?

Answers




Question 119

Your company plans to migrate its on-premises data to Azure.

You need to recommend which Azure services can be used to store the data. The solution must meet the following requirements:

Encrypt all data while at rest.

Encrypt data only by using a key generated by the company.

Which two possible services can you recommend? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers


Explanation

Configure customer-managed keys with Azure Key Vault by using the Azure portal: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys



Question 120

You architect a solution that calculates 3D geometry from height-map data.

You have the following requirements:

Perform calculations in Azure.

Each node must communicate data to every other node.

Maximize the number of nodes to calculate multiple scenes as fast as possible.

Require the least amount of effort to implement.

You need to recommend a solution.

Which two actions should you recommend?

Answers




Question 121

You are designing an Azure web app.

You plan to deploy the web app to the North Europe Azure region and the West Europe Azure region.

You need to recommend a solution for the web app. The solution must meet the following requirements:

Users must always access the web app from the North Europe region, unless the region fails.

The web app must be available to users if an Azure region is unavailable.

Deployment costs must be minimized.

What should you include in the recommendation?

Answers



Question 122

You need to design an architecture to capture the creation of users and the assignment of roles. The captured data must be stored in Azure Cosmos DB.

Which Azure services should you include in the design?

Answers




Question 123

You are developing a web application that provides streaming video to users. You configure the application to use continuous integration and deployment.

The app must be highly available and provide a continuous streaming experience for users.

You need to recommend a solution that allows the application to store data in a geographical location that is closest to the user.

What should you recommend?

Answers


Explanation

Azure Content Delivery Network (CDN) is a global CDN solution for delivering high-bandwidth content. It can be hosted in Azure or any other location. With Azure CDN, you can cache static objects loaded from Azure Blob storage, a web application, or any publicly accessible web server, by using the closest point of presence (POP) server. Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network and routing optimizations.


Question 124

Your company deploys an Azure App Service Web App.

During testing the application fails under load. The application cannot handle more than 100 concurrent user sessions. You enable the Always On feature. You also configure auto-scaling to increase counts from two to 10 based on HTTP queue length.

You need to improve the performance of the application.

Which solution should you use for each application scenario?

Answers


Explanation

Box 1: Content Delivery Network

A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.

Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world. Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).

Box 2: Azure Redis Cache

Azure Cache for Redis is based on the popular software Redis. It is typically used as a cache to improve the performance and scalability of systems that rely heavily on backend data-stores. Performance is improved by temporarily copying frequently accessed data to fast storage located close to the application. With Azure Cache for Redis, this fast storage is located in-memory with Azure Cache for Redis instead of being loaded from disk by a database.


Question 125

You need to deploy resources to host a stateless web app in an Azure subscription. The solution must meet the following requirements:

Provide access to the full .NET framework.

Provide redundancy if an Azure region fails.

Grant administrators access to the operating system to install custom application dependencies.

Solution: You deploy a web app in an Isolated App Service plan.

Does this meet the goal?

Answers


Explanation

Instead, you should deploy an Azure virtual machine to two Azure regions, and you create a Traffic Manager profile.



Question 126

You are designing an Azure solution.

The network traffic for the solution must be securely distributed by providing the following features:

HTTPS protocol

Round robin routing

SSL offloading

You need to recommend a load balancing option.

What should you recommend?

Answers


Explanation (click to expand)

If you are looking for Transport Layer Security (TLS) protocol termination ("SSL offload") or per-HTTP/HTTPS request, application-layer processing, review Application Gateway.

Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2). It supports capabilities such as SSL termination, cookie-based session affinity, and round robin for load-balancing traffic. Load Balancer load-balances traffic at layer 4 (TCP or UDP).


Question 127

You manage a solution in Azure.

You must collect usage data including MAC addresses from all devices on the network.

You need to recommend a monitoring solution.

What should you recommend?

Answers


Explanation

A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both. When you enable diagnostic logging for an NSG, you can log the following categories of information:

Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address. The status for these rules is collected every 60 seconds.

Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic.


Question 128

A partner manages on-premises and Azure environments. The partner deploys an on-premises solution that needs to use Azure services. The partner deploys a virtual appliance.

All network traffic that is directed to a specific subnet must flow through the virtual appliance.

You need to recommend solutions to manage network traffic.

Which two options should you recommend? Each correct answer presents a complete solution.

Answers


Explanation

C: Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing.

This is a critical security requirement for most enterprise IT policies. Without forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.

Forced tunneling in Azure is configured via virtual network user-defined routes.

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.


Question 129

You are migrating an on-premises application to Azure. One component of the application is a legacy Windows native executable that performs image processing.

The image processing application must run every hour. During times that the image processing application is not running, it should not be consuming any Azure compute resources.

You need to ensure that the image processing application runs correctly every hour.

Solution: Create an Azure Batch application that runs the image processing application every hour.

Does the solution meet the goal?

Answers


Explanation

Instead, use Azure Logic Apps, which helps you automate workflows that run on a schedule.


Question 130

You have an Azure subscription that contains 300 Azure virtual machines that run Windows Server 2016.

You need to centrally monitor all warning events in the System logs of the virtual machines.

What should you include in the solutions?

Answers


Explanation

Resource to create in Azure: Dependency Agent

The Map feature in Azure Monitor for VMs gets its data from the Microsoft Dependency agent. The Dependency agent relies on the Log Analytics agent for its connection to Log Analytics. So your system must have the Log Analytics agent installed and configured with the Dependency agent.

Whether you enable Azure Monitor for VMs for a single Azure VM or you use the at-scale deployment method, use the Azure VM Dependency agent extension to install the agent as part of the experience.

In a hybrid environment, you can download and install the Dependency agent manually. If your VMs are hosted outside Azure, use an automated deployment method

Configuration to perform on the virtual machines: Enable Virtual Machine Scale Set

To set up Azure Monitor for VMs:

Enable a single Azure VM or virtual machine scale set by selecting Insights (preview) directly from the VM or virtual machine scale set.

Enable two or more Azure VMs and virtual machine scale sets by using Azure Policy. This method ensures that on existing and new VMs and scale sets, the required dependencies are installed and properly configured. Noncompliant VMs and scale sets are reported, so you can decide whether to enable them and to remediate them.

Enable two or more Azure VMs or virtual machine scale sets across a specified subscription or resource group by using PowerShell.


Question 131

You plan to run an image rendering workload in Azure. The workload uses parallel compute processes.

What is the best service to use to run the workload? More than one answer choice may achieve the goal. Select the BEST answer.

Answers


Explanation

Azure Batch works well with intrinsically parallel (also known as "embarrassingly parallel") workloads. Intrinsically parallel workloads are those where the applications can run independently, and each instance completes part of the work. When the applications are executing, they might access some common data, but they do not communicate with other instances of the application. Intrinsically parallel workloads can therefore run at a large scale, determined by the amount of compute resources available to run applications simultaneously.


Question 132

You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager resource deployments in your subscription.

What should you include in the recommendation?

Answers


Explanation

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events.

Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn't more than 90 days in the past.


Question 133

You are designing a storage solution to support on-premises resources and Azure-hosted resources.

You need to provide on-premises storage that has built-in replication to Azure.

Solution: You include Azure Blob storage in the design.

Does the solution meet the goal?

Answers


Explanation

Azure StorSimple replicates to Azure Blob storage.



Question 134

You are designing a storage solution to support on-premises resources and Azure-hosted resources.

You need to provide on-premises storage that has built-in replication to Azure.

Solution: You include Azure Data Lake Storage in the design.

Does the solution meet the goal?

Answers




Question 135

You are designing a storage solution to support on-premises resources and Azure-hosted resources.

You need to provide on-premises storage that has built-in replication to Azure.

Solution: You include Azure Data Table Storage in the design.

Does the solution meet the goal?

Answers




Question 136

You are designing a storage solution to support on-premises resources and Azure-hosted resources.

You need to provide on-premises storage that has built-in replication to Azure.

Solution: You include Azure StorSimple in the design.

Does the solution meet the goal?

Answers




Question 137

You use Azure virtual machines to run a custom application that uses an Azure SQL Database instance on the back end.

The IT department at your company recently enabled forced tunneling.

Since the configuration change, developers have noticed degraded performance when they access the database.

You need to recommend a solution to minimize latency when accessing the database. The solution must minimize costs.

What should you include in the recommendation?

Answers




Question 138

You develop a new Azure Web App that uses multiple Azure blobs and static content. The Web App uses a large number of JavaScript files and cascading style sheets. Some of these files contain references to other files. Users are geographically dispersed.

You need to minimize the time to load individual pages.

What should you do?

Answers




Question 139

You have 100 Standard_F2s_v2 Azure virtual machines. Each virtual machine has two network adapters.

You need to increase the network performance of the workloads running on the virtual machines. The solution must meet the following requirements:

The CPU-to-memory ratio must remain the same.

The solution must minimize costs.

What should you do?

Answers




Question 140

You have a .NET web service named Service1 that has the following requirements:

Must read and write temporary files to the local file system.

Must write to the Windows Application event log.

You need to recommend a solution to host Service1 in Azure. The solution must meet the following requirements:

Minimize maintenance overhead.

Minimize costs.

What should you include in the recommendation?

Answers




Question 141

You have an Azure subscription that contains an Azure Blob storage account named store1.

You have an on-premises file server named Server1 that runs Windows Server 2016. Server1 stores 500 GB of company files.

You need to store a copy of the company files in store1.

Which two possible Azure services achieve this goal? Each correct answer presents a complete solution.

Answers




Question 142

You have a web app named App1 that is hosted on-premises and on four Azure virtual machines. Each virtual machine is in a different region.

You need to recommend a solution to ensure that users will always connect to the closest instance of App1. The solution must prevent the users from attempting to connect to a failed instance of App1.

Which two possible recommendations achieve the goal? Each correct answer presents a complete solution.

Answers



Question 143

You plan to deploy a network-intensive application to several Azure virtual machines.

You need to recommend a solution that meets the following requirements:

Minimizes the use of the virtual machine processors to transfer data

Minimizes network latency

Which virtual machine size and feature should you use?

Answers




Question 144

You are designing a microservices architecture that will support a web application.

The solution must meet the following requirements:

Allow independent upgrades to each microservice

Deploy the solution on-premises and to Azure

Set policies for performing automatic repairs to the microservices

Support low-latency and hyper-scale operations

You need to recommend a technology.

What should you recommend?

Answers




Question 145

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for the collection of security logs for the middle tier of the payment processing system.

What should you include in the recommendation?

Answers



Question 146

Overview -

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in London and three branch offices in Amsterdam, Berlin, and Rome.

Existing Environment -

Active Directory Environment -

The network contains two Active Directory forests named corp.fabrikam.com and rd.fabrikam.com. There are no trust relationships between the forests.

Corp.fabrikam.com is a production forest that contains identities used for internal user and computer authentication.

Rd.fabrikam.com is used by the research and development (R&D) department only.

Network Infrastructure -

Each office contains at least one domain controller from the corp.fabrikam.com domain. The main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the Internet.

An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by customers to place and track orders.

WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software Assurance.

Problem Statements -

The use of WebApp1 is unpredictable. At peak times, users often report delays. At other times, many resources for WebApp1 are underutilized.

Requirements -

Planned Changes -

Fabrikam plans to move most of its production workloads to Azure during the next few years.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft Office 365 deployment.

All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements -

Fabrikam identifies the following technical requirements:

Web site content must be easily updated from a single point.

User input must be minimized when provisioning new app instances.

Whenever possible, existing on-premises licenses must be used to reduce cost.

Users must always authenticate by using their corp.fabrikam.com UPN identity.

Any new deployments to Azure must be redundant in case an Azure region fails.

Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).

An email distribution group named IT Support must be notified of any issues relating to the directory synchronization services.

Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network.

Database Requirements -

Fabrikam identifies the following database requirements:

Database metrics for the production instance of WebApp1 must be available for analysis so that database administrators can optimize the performance settings.

To avoid disrupting customer access, database downtime must be minimized when databases are migrated.

Database backups must be retained for a minimum of seven years to meet compliance requirements.

Security Requirements -

Fabrikam identifies the following security requirements:

Company information including policies, templates, and data must be inaccessible to anyone outside the company.

Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.

Administrators must be able to authenticate to the Azure portal by using their corp.fabrikam.com credentials.

All administrative access to the Azure portal must be secured by using multi-factor authentication.

The testing of WebApp1 updates must not be visible to anyone outside the company.

You need to recommend a notification solution for the IT Support distribution group.

What should you include in the recommendation?

Answers



Question 147

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for configuring the Azure Multi-Factor Authentication (MFA) settings.

What should you include in the recommendation?

Answers



Question 148

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to design a solution for securing access to the historical transaction data.

What should you include in the solution?

Answers




Question 149

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for the users at Contoso to authenticate to the cloud-based services and the Azure AD-integrated applications.

What should you include in the recommendation?

Answers



Question 150

Overview -

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in London and three branch offices in Amsterdam, Berlin, and Rome.

Existing Environment -

Active Directory Environment -

The network contains two Active Directory forests named corp.fabrikam.com and rd.fabrikam.com. There are no trust relationships between the forests.

Corp.fabrikam.com is a production forest that contains identities used for internal user and computer authentication.

Rd.fabrikam.com is used by the research and development (R&D) department only.

Network Infrastructure -

Each office contains at least one domain controller from the corp.fabrikam.com domain. The main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the Internet.

An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by customers to place and track orders.

WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software Assurance.

Problem Statements -

The use of WebApp1 is unpredictable. At peak times, users often report delays. At other times, many resources for WebApp1 are underutilized.

Requirements -

Planned Changes -

Fabrikam plans to move most of its production workloads to Azure during the next few years.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft Office 365 deployment.

All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements -

Fabrikam identifies the following technical requirements:

Web site content must be easily updated from a single point.

User input must be minimized when provisioning new app instances.

Whenever possible, existing on-premises licenses must be used to reduce cost.

Users must always authenticate by using their corp.fabrikam.com UPN identity.

Any new deployments to Azure must be redundant in case an Azure region fails.

Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).

An email distribution group named IT Support must be notified of any issues relating to the directory synchronization services.

Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network.

Database Requirements -

Fabrikam identifies the following database requirements:

Database metrics for the production instance of WebApp1 must be available for analysis so that database administrators can optimize the performance settings.

To avoid disrupting customer access, database downtime must be minimized when databases are migrated.

Database backups must be retained for a minimum of seven years to meet compliance requirements.

Security Requirements -

Fabrikam identifies the following security requirements:

Company information including policies, templates, and data must be inaccessible to anyone outside the company.

Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.

Administrators must be able to authenticate to the Azure portal by using their corp.fabrikam.com credentials.

All administrative access to the Azure portal must be secured by using multi-factor authentication.

The testing of WebApp1 updates must not be visible to anyone outside the company.

What should you include in the identity management strategy to support the planned changes?

Answers


Explanation

Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network. (This requires domain controllers in Azure)

Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails. (This requires domain controllers on-premises)


Question 151

Overview -

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in London and three branch offices in Amsterdam, Berlin, and Rome.

Existing Environment -

Active Directory Environment -

The network contains two Active Directory forests named corp.fabrikam.com and rd.fabrikam.com. There are no trust relationships between the forests.

Corp.fabrikam.com is a production forest that contains identities used for internal user and computer authentication.

Rd.fabrikam.com is used by the research and development (R&D) department only.

Network Infrastructure -

Each office contains at least one domain controller from the corp.fabrikam.com domain. The main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the Internet.

An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by customers to place and track orders.

WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software Assurance.

Problem Statements -

The use of WebApp1 is unpredictable. At peak times, users often report delays. At other times, many resources for WebApp1 are underutilized.

Requirements -

Planned Changes -

Fabrikam plans to move most of its production workloads to Azure during the next few years.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft Office 365 deployment.

All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements -

Fabrikam identifies the following technical requirements:

Web site content must be easily updated from a single point.

User input must be minimized when provisioning new app instances.

Whenever possible, existing on-premises licenses must be used to reduce cost.

Users must always authenticate by using their corp.fabrikam.com UPN identity.

Any new deployments to Azure must be redundant in case an Azure region fails.

Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).

An email distribution group named IT Support must be notified of any issues relating to the directory synchronization services.

Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network.

Database Requirements -

Fabrikam identifies the following database requirements:

Database metrics for the production instance of WebApp1 must be available for analysis so that database administrators can optimize the performance settings.

To avoid disrupting customer access, database downtime must be minimized when databases are migrated.

Database backups must be retained for a minimum of seven years to meet compliance requirements.

Security Requirements -

Fabrikam identifies the following security requirements:

Company information including policies, templates, and data must be inaccessible to anyone outside the company.

Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.

Administrators must be able to authenticate to the Azure portal by using their corp.fabrikam.com credentials.

All administrative access to the Azure portal must be secured by using multi-factor authentication.

The testing of WebApp1 updates must not be visible to anyone outside the company.

To meet the authentication requirements of Fabrikam, what should you include in the solution?

Answers



Question 152

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for implementing the back-end tier of the payment processing system in Azure.

What should you include in the recommendation?

Answers



Question 153

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for protecting the content of the payment processing system.

What should you include in the recommendation?

Answers



Question 154

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Only allow all access to all the tiers from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authentication.

You need to recommend a solution for the data store of the historical transaction query system.

What should you include in the recommendation?

Answers



Question 155

Overview -

Fabrikam, Inc. is an engineering company that has offices throughout Europe. The company has a main office in London and three branch offices in Amsterdam, Berlin, and Rome.

Existing Environment -

Active Directory Environment -

The network contains two Active Directory forests named corp.fabrikam.com and rd.fabrikam.com. There are no trust relationships between the forests.

Corp.fabrikam.com is a production forest that contains identities used for internal user and computer authentication.

Rd.fabrikam.com is used by their research and development (R&D) department only.

Network Infrastructure -

Each office contains at least one domain controller from the corp.fabrikam.com domain. The main office contains all the domain controllers for the rd.fabrikam.com forest.

All the offices have a high-speed connection to the Internet.

An existing application named WebApp1 is hosted in the data center of the London office. WebApp1 is used by customers to place and track orders. WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are deployed to virtual machines that run on Hyper-V.

The IT department currently uses a separate Hyper-V environment to test updates to WebApp1.

Fabrikam purchases all Microsoft licenses through a Microsoft Enterprise Agreement that includes Software Assurance.

Problem Statements -

The use of WebApp1 is unpredictable. At peak times, users often report delays. At other times, many resources for WebApp1 are underutilized.

Requirements -

Planned Changes -

Fabrikam plans to move most of its production workloads to Azure during the next few years.

As one of its first projects, the company plans to establish a hybrid identity model, facilitating an upcoming Microsoft Office 365 deployment.

All R&D operations will remain on-premises.

Fabrikam plans to migrate the production and test instances of WebApp1 to Azure.

Technical Requirements -

Fabrikam identifies the following technical requirements:

Web site content must be easily updated from a single point.

User input must be minimized when provisioning new web app instances.

Whenever possible, existing on-premises licenses must be used to reduce cost.

Users must always authenticate by using their corp.fabrikam.com UPN identity.

Any new deployments to Azure must be redundant in case an Azure region fails.

Whenever possible, solutions must be deployed to Azure by using platform as a service (PaaS).

An email distribution group named IT Support must be notified of any issues relating to the directory synchronization services.

Directory synchronization between Azure Active Directory (Azure AD) and corp.fabrikam.com must not be affected by a link failure between Azure and the on-premises network.

Fabrikam identifies the following database requirements:

Database metrics for the production instance of WebApp1 must be available for analysis so that database administrators can optimize the performance settings.

To avoid disrupting customer access, database downtime must be minimized when databases are migrated.

Database backups must be retained for a minimum of seven years to meet compliance requirements.

Security Requirements -

Fabrikam identifies the following security requirements:

Company information including policies, templates, and data must be inaccessible to anyone outside the company.

Users on the on-premises network must be able to authenticate to corp.fabrikam.com if an Internet link fails.

Administrators must be able to authenticate to the Azure portal by using their corp.fabrikam.com credentials.

All administrative access to the Azure portal must be secured by using multi-factor authentication.

The testing of WebApp1 updates must not be visible to anyone outside the company.

You need to recommend a data storage strategy for WebApp1.

What should you include in the recommendation?

Answers




Question 156

Overview -

Contoso, Ltd. is a US-based financial services company that has a main office in New York and a branch office in San Francisco.

Existing Environment -

Payment Processing System -

Contoso hosts a business-critical payment processing system in its New York data center. The system has three tiers: a front-end web app, a middle-tier web API, and a back-end data store implemented as a Microsoft SQL Server 2014 database. All servers run Windows Server 2012 R2.

The front-end and middle-tier components are hosted by using Microsoft Internet Information Services (IIS). The application code is written in C# and ASP.NET.

The middle-tier API uses the Entity Framework to communicate to the SQL Server database. Maintenance of the database is performed by using SQL Server Agent jobs.

The database is currently 2 TB and is not expected to grow beyond 3 TB.

The payment processing system has the following compliance-related requirements:

Encrypt data in transit and at rest. Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.

Keep backups of the data in two separate physical locations that are at least 200 miles apart and can be restored for up to seven years.

Support blocking inbound and outbound traffic based on the source IP address, the destination IP address, and the port number.

Collect Windows security logs from all the middle-tier servers and retain the logs for a period of seven years.

Inspect inbound and outbound traffic from the front-end tier by using highly available network appliances.

Allow access to all the tiers only from the internal network of Contoso.

Tape backups are configured by using an on-premises deployment of Microsoft System Center Data Protection Manager (DPM), and then shipped offsite for long-term storage.

Historical Transaction Query System

Contoso recently migrated a business-critical workload to Azure. The workload contains a .NET web service for querying the historical transaction data residing in Azure Table Storage. The .NET web service is accessible from a client app that was developed in-house and runs on the client computers in the New York office.

The data in the table storage is 50 GB and is not expected to increase.

Current Issues -

The Contoso IT team discovers poor performance of the historical transaction query system, as the queries frequently cause table scans.

Requirements -

Planned Changes -

Contoso plans to implement the following changes:

Migrate the payment processing system to Azure.

Migrate the historical transaction data to Azure Cosmos DB to address the performance issues.

Migration Requirements -

Contoso identifies the following general migration requirements:

Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.

Whenever possible, Azure managed services must be used to minimize management overhead.

Whenever possible, costs must be minimized.

Contoso identifies the following requirements for the payment processing system:

If a data center fails, ensure that the payment processing system remains available without any administrative intervention. The middle-tier and the web front end must continue to operate without any additional configurations.

Ensure that the number of compute nodes of the front-end and the middle tiers of the payment processing system can increase or decrease automatically based on CPU utilization.

Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability.

Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system.

Generate alerts when unauthorized login attempts occur on the middle-tier virtual machines.

Ensure that the payment processing system preserves its current compliance status.

Host the middle tier of the payment processing system on a virtual machine.

Contoso identifies the following requirements for the historical transaction query system:

Minimize the use of on-premises infrastructure services.

Minimize the effort required to modify the .NET web service querying Azure Cosmos DB.

Minimize the frequency of table scans.

If a region fails, ensure that the historical transactions query system remains available without any administrative intervention.

Information Security Requirements

The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only.

Access to all business-critical systems must rely on Active Directory credentials. Any suspicious authentication attempts must trigger a multi-factor authentication prompt automatically. Legitimate users must be able to authenticate successfully by using multi-factor authenticati