Exam-Answer

Exam AZ-303: Microsoft Azure Architect Technologies

Prepare for Exam AZ-303: Microsoft Azure Architect Technologies. Free demo questions with answers and explanations.

Question 1

You are the IT administrator for an automobile dealership on the west coast of the United States. The dealership wants to take advantage of Microsoft Azure by first moving its website to the cloud. The dealership wants to use the lowest cost solution possible.

Business Requirements

One of the problems the dealership has been facing is website downtime. The dealership typically provides maintenance every Sunday and Wednesday at 2:00 A.M. Eastern Time. However, because the dealership wants to attract customers all over the world, it wants to ensure that the website is always available. During peak seasons, the dealership notices that the website responds slower. The dealership wants this bottleneck eliminated.

Technical Requirements

The website is currently hosted at the dealership's domain registrar. The dealership wants to move the site to Azure on Windows Server virtual machines (VMs). Users must be able to use the same domain name to reach the website. The website must be hosted in only one Azure region. The VMs must use a four-gigabyte (GB) solid state drive (SSD). The dealership expects there to be less hands-on maintenance and administration once the infrastructure is moved to Azure.

You need to eliminate the bottleneck during peak seasons.

Which two Azure resources should you create? Each correct answer presents part of the solution.

Answers



A B C D E

Explanation

You should create a scale set. A scale set contains one or more identical VMs. It can be configured to automatically scale out more VMs as the CPU threshold increases.

You should also create a load balancer. A load balancer distributes traffic evenly across a set of VMs.

You should not create a Service Fabric cluster. Service Fabric allows you to scale out micro-services. In this scenario, you need to scale out VMs.

You should not create a Traffic Manager profile. Traffic Manager distributes traffic across Azure regions. It uses DNS to determine the nearest Azure datacenter to which external traffic should be routed.

You should not create an API Management gateway. API Management allows API developers to publish and secure web APIs.

Question 2

You are the IT administrator for an automobile dealership on the west coast of the United States. The dealership wants to take advantage of Microsoft Azure by first moving its website to the cloud. The dealership wants to use the lowest cost solution possible.

Business Requirements

One of the problems the dealership has been facing is website downtime. The dealership typically provides maintenance every Sunday and Wednesday at 2:00 A.M. Eastern Time. However, because the dealership wants to attract customers all over the world, it wants to ensure that the website is always available. During peak seasons, the dealership notices that the website responds slower. The dealership wants this bottleneck eliminated.

Technical Requirements

The website is currently hosted at the dealership's domain registrar. The dealership wants to move the site to Azure on Windows Server virtual machines (VMs). Users must be able to use the same domain name to reach the website. The website must be hosted in only one Azure region. The VMs must use a four-gigabyte (GB) solid state drive (SSD). The dealership expects there to be less hands-on maintenance and administration once the infrastructure is moved to Azure.

You need to configure Azure to automatically notify the owner of the dealership when peak season appears to have started. The solution must minimize expense and difficulty to implement.

What should you do?

Answers



A B C D

Explanation

You should use Monitor to create an alert when a CPU threshold is exceeded. With Monitor, you first choose a resource to monitor. In this scenario, the resource is a VM. You then choose a condition to monitor. In this scenario, when peak season starts, the website's response time is slower. This means that the CPU is doing more work than usual. Therefore, you should create a condition that monitors CPU percentage. You then choose an action. You can configure an action to e-mail the owner of the dealership when the CPU percentage exceeds a specific threshold.

You should not use Machine Learning. With Machine Learning, you import historical data into a model to predict future outcomes. You cannot monitor VM metrics like CPU usage and memory consumption.

You should not create a Function. This requires you to create an App Service resource. Also, you would need to manually write code to monitor CPU usage on the VM and send the text message.

You should not create a WebJob. This requires you to create an App Service resource. Also, you would need to manually write code to monitor memory consumption on the VM and invoke the WebHook. You would also need to code the WebHook to send the message to the owner.

Question 3

You are the IT administrator for an automobile dealership on the west coast of the United States. The dealership wants to take advantage of Microsoft Azure by first moving its website to the cloud. The dealership wants to use the lowest cost solution possible.

Business Requirements

One of the problems the dealership has been facing is website downtime. The dealership typically provides maintenance every Sunday and Wednesday at 2:00 A.M. Eastern Time. However, because the dealership wants to attract customers all over the world, it wants to ensure that the website is always available. During peak seasons, the dealership notices that the website responds slower. The dealership wants this bottleneck eliminated.

Technical Requirements

The website is currently hosted at the dealership's domain registrar. The dealership wants to move the site to Azure on Windows Server virtual machines (VMs). Users must be able to use the same domain name to reach the website. The website must be hosted in only one Azure region. The VMs must use a four-gigabyte (GB) solid state drive (SSD). The dealership expects there to be less hands-on maintenance and administration once the infrastructure is moved to Azure.

You need to ensure that users can reach the website hosted in Azure with the existing domain name.

What two actions should you perform on the VM? Each correct answer presents part of the solution.

Answers



A B C D E F

Explanation

You should add an inbound port rule to the VM. This rule should allow traffic over an HTTP port, which by default is port 80. (For HTTPS, the port is 443.)

You should also add a DNS A record to the VM to resolve the public IP address assigned to the VM. The public IP address is dynamic by default, and this does not cost any more money. At the domain registrar, you can create a CNAME record that points your website domain name to Azure at [dnsnamelabel].[region].cloudapp.azure.net.

You should not add a VM extension. A VM extension is a small application that provides post-deployment tasks. For example, an extension can automatically install anti-virus software whenever a VM is deployed through script.

You should not add an outbound port rule to the VM. The VM should allow all outbound traffic by default.

You should not assign a public static IP address to the VM. This causes the IP address assigned to it to always remain the same. However, this is not necessary and costs more money. You can use a CNAME record at the domain registrar and a DNS name label in Azure.

Question 4

You are implementing a big data solution that runs on two Azure Virtual Machines (VMs). A VM named model1 is used to train a deep learning algorithm that uses GPU processing. A VM named database1 runs a NoSQL database that requires high disk throughput and IO.

You need to implement the most appropriate VM sizes for these VMs.

Choose all that apply

Answers



A B C

Explanation

Implement a high performance compute VM for model1 and a Dsv3 size VM for database1: This solution does not meet the goal. You can use high performance compute (HPC) VMs for workloads that might use high-throughput network interfaces like remote direct memory access (RDMA), such as genomics, computational chemistry, and financial risk modeling. You can use a Dsv3 size VM for general-purpose workloads with a good CPU-to-memory ratio, like small or medium databases and web servers.

Implement a GPU optimized VM for model1 and an Lsv2 size VM for database1: This solution meets the goal. You can use a GPU optimized VM for model1, which provides access to GPU hardware to train the deep learning algorithm. You can use an Lsv2 size VM, which is a storage optimized VM with high disk throughput and IO. This is ideal for Big Data solutions, NoSQL databases, data warehousing, and large transactional databases.

Implement a memory optimized VM for model1 and an Fsv2 size VM for database1: This solution does not meet the goal. You can use memory optimized VMs for workloads that require high memory-to-CPU ratio, like medium to large caching solutions like Redis and in-memory analytics. You can use an Fsv2 size VM for compute optimized workloads with a high CPU-to-memory ratio, like network appliances, batch processes, and application servers.

Question 5

You manage an Azure subscription for your company.

The subscription has one hundred Azure virtual machines (VMs) that run different workloads.

You need to identify underutilized VMs and suggest a less expensive service tier for these VMs.

What should you use?

Answers



A B C D

Explanation

You should use Azure Advisor to identify underutilized VMs. You can use Azure Advisor to display personalized recommendations for your subscription. These recommendations are divided into five different categories. The Cost category includes recommendations on how to optimize VM costs by resizing or shutting down underutilized instances. Azure Advisor uses multiple metrics to identify underutilized VMs and suggests the most appropriate service tier for each workload.

You should not use Application Insights to identify underutilized VMs. You can use Application Insights as an Application Performance Management (APM) platform to monitor the applications to give visibility about performance anomalies, unhandled exceptions, and how users behave when using the applications.

You should not use Azure Monitor to identify underutilized VMs. Azure Monitor is a complete monitoring service that centralizes performance and availability by monitoring applications and services with the use of metrics and logs. You can use Azure Monitor to aggregate multiple metrics, like CPU usage percentage, network utilization, and others, to determine if a VM is underutilized. However, you need to adjust which metrics to use based on the VM workload and determine manually the most appropriate service tier to use.

You should not use Azure Log Analytics to identify underutilized VMs. Log Analytics is a tool in the Azure portal for writing log queries and analyzing their results. You can write a log query to calculate and correlate performance records and identify underutilized VMs. However, you need to write different queries based on the VM workload and determine manually the most appropriate service tier to use.

Question 6

You are the solution architect for an IT company. Your company has a solution that is provisioned in your customer's Azure subscription. You build a monitoring dashboard that uses Azure Monitor Workbooks to monitor the provisioned solution.

You need to evaluate how to publish and secure the dashboard in the customer's subscription.

Choose all that apply:

Answers



A B C

Explanation

You can publish the dashboard template in the customer subscription's gallery template. After you design the dashboard, you can export the template using the gallery template in the advanced editor. You can combine the exported template with an Azure Resource Manager (ARM) template and deploy it in the customer's subscription.

You can customize the dashboard by saving the template as a shared report. You can create a custom dashboard based on a workbook template and save it as a shared report, so that other users can use this custom dashboard, or save it as a private report.

You can use RBAC to limit the access to the workbook templates. You need to create an Azure resource when you deploy a workbook template in a resource group. You can assign an RBAC role at the resource group or resource level to limit access to the report template.

Question 7

Your team is using role-based access control (RBAC) to manage access to Azure resources.

You need to programmatically retrieve the team's most recent 100 events.

Which cmdlet should you use?

Answers



A B C D

Explanation

You should use the Get-AzLog cmdlet to retrieve the last 100 events. You should use the MaxRecord parameter with this command. You can also filter the events by start and end time and display detailed information.

You should not use the Get-AzLogProfile cmdlet to retrieve the last 100 events. This cmdlet is used for retrieving information about the log profile.

You should not use the Get-AzMetric cmdlet to retrieve the last 100 events. This cmdlet is used for retrieving information about all metrics values connected to a specified resource.

You should not use the Get-AzDiagnosticSetting cmdlet to retrieve the last 100 events. This cmdlet gets the categories and time grains that are logged for a resource. A time grain is the aggregation interval of a metric.

Question 8

You have an ASP.NET Core application running in a Windows App Service.

The application generates log messages that should be stored for one week at least.

You need to enable diagnostics logging and only store logs with the severity level of Warning or higher.

How should you configure the diagnostics logging? To answer, select the appropriate options from the drop-down menus.

Answers



Explanation

You should enable the Application Logging (Blob) diagnostics logging. This setting can store logs generated by the application in a Blob Storage. You can access the application logs stored for more than one week.

You should also configure the severity level to Warning. You should use the Warning severity level to store only Warning, Error, and Critical log messages.

You should not enable the Application Logging (Filesystem) diagnostics logging. This setting saves the application log directly in the App Service filesystem. This option should be used only for debugging purposes because it is enabled for only 12 hours before turning itself off.

You should not enable the Detailed Error Messages diagnostics logging. This setting can store detailed error pages in HTML format that are hidden from clients using the application.

You should not enable the Web server logging (Storage) diagnostics logging. This setting can store raw HTTP request data from the webserver in a Blob Storage. You can use this setting in Windows App Services only.

You should not configure the severity level to Error. This severity level stores Error and Critical log messages. However, log messages with the Warning severity level will not be stored.

You should not configure the severity level to Information or Verbose. These severity levels store Warning, Error, and Critical log messages. However, the Information level also stores Info log messages, and the Verbose level also stores Trace log messages, which is more than the requirements call for.

Question 9

You are enabling diagnostics logging for the App Services below:

App1 - ASP.NET Core application running on the Windows platform

App2 - Node.js application running on the Linux platform

You need to determine which diagnostics logging setting could be enabled for each application.

Choose all that apply:

Answers



A B C

Explanation

You cannot enable Detailed Error Messages and Failed request tracing, and store these logs directly to a Blob Storage in App1. These diagnostics logs can only be stored in the App Service filesystem.

You can enable Application logging to store application logs at the App Service filesystem in App2. You can enable Application logging in the App Service filesystem for both Windows and Linux platforms. You can also store Application logging directly to a Blob Storage, but only on the Windows platform.

You cannot enable Web server logging to store HTTP request data log messages in App2. You can only enable Web server logging on the Windows platform. This setting will store the IIS server logs in the App Service filesystem using the W3C extended log file format.

Question 10

You have two Azure Virtual Machines (VMs) and three Storage accounts provisioned in an Azure subscription. The subscription configuration is shown in the exhibit.

You need to enable boot diagnostics in the Azure VMs using the Storage accounts available.

Which Storage accounts should you use?

Answers



Explanation

You should enable boot diagnostics on vm1 by using storage3 only. You can use a standard storage account v2 in the same region where the Azure VM is provisioned, which is storage3 for vm1. You can use Geo-redundant storage (GRS) or Read-Access Geo-redundant storage (RA-GRS) replication in the storage account to provide additional redundancy.

You should enable boot diagnostics on vm2 by using storage2 only. You can use a standard storage account v1 in the same region where the Azure VM is provisioned, which is storage2 for vm2.

You should not enable boot diagnostics by using storage1. Boot diagnostics does not support a premium storage account, even if the storage accounts use Locally-redundant storage (LRS) replication and are provisioned in the same Azure region as the Azure VM. Using premium storage might result in the StorageAccountTypeNotSupported error when you start the VM.

Question 11

You are creating a new alert to monitor the CPU percentage of an Azure App Service Plan.

You configure the frequency of evaluation for this alert to every minute. You also configure the action group shown in the exhibit.

You need to determine the maximum number of alerts the action group will receive if this alert condition is enabled for one hour.

How many emails and SMS messages will this group receive? To answer, select the appropriate options from the drop-down menus.

Answers



Explanation

The group should receive a maximum of 60 emails an hour. They should receive an email every minute when this alert condition is enabled for one hour. To ensure that alerts are manageable, email notifications have a rate limit of 100 messages per email per hour.

The group should receive a maximum of 12 SMS messages an hour. This type of notification has a rate limit of one message every 5 minutes, and so they should receive an SMS every five minutes. In one hour, they can receive no more than 12 SMS messages.

The group should not receive a maximum of 6 emails or SMS messages an hour. This alert condition is enabled for an hour, and the frequency of evaluation for this alert happens every minute. Since the rate limit of this action group is not reached, the group should receive 60 alerts.

The group should not receive a maximum of 120 emails or SMS messages an hour. They should receive 60 alerts for an hour in this action group using only this alert. It is also greater than the email notifications rate limit of 100 messages per email per hour.

Question 12

You implement monitoring for Linux Virtual Machines (VMs) in your company's Azure subscription.

Your company needs to monitor performance counters on these VMs in Azure Monitor Metrics.

You need to implement an agent to meet the requirements.

Which agent should you implement?

Answers



A B C D

Explanation

You should implement the Telegraf agent. You can use this agent to collect performance counter data from Linux VMs and send it to Azure Monitor Metrics.

You should not implement the Diagnostics extension. You can use this agent to collect performance counter data from Linux VMs. However, you can only send the data to Azure Storage for archiving or to Azure Event Hub. For Windows VMs, you can use this agent to collect performance counters and send them to Azure Monitor Metrics.

You should not implement the Log Analytics agent. You can use this agent to collect performance counter data from Linux VMs. However, you can only send the data to a Log Analytics workspace.

You should not implement the Dependency agent. You can use this agent to discover network dependencies between running processes and external process dependencies. This agent also requires the Log Analytics agent.

Question 13

You manage an Azure subscription with resources that are provisioned across multiple Azure regions.

An incident caused by an outage in one Azure region impacts multiple resources in your subscription.

You need to recommend a solution to alert you proactively when an outage affects your resources.

What should you recommend?

Answers



A B C D

Explanation

You should recommend an Azure Service Health alert. This allows you to be notified about service issues in an Azure region that may affect you. You can also create alerts for Azure planned maintenance.

You should not recommend the Azure status page. This page gives a global overview of Azure Service Health and current events, but it does not proactively notify you of a regional outage.

You should not recommend Azure Advisor. Azure Advisor gives you personalized recommendations about high availability, security, performance, and cost in your Azure subscription. Azure Advisor does not notify about service outages, but it can advise you to create a Service Health alert.

You should not recommend Azure Resource Health. You can use Azure Resource Health to diagnose the health of a given resource and to identify which resources are affected by a service outage. It is not a good solution to monitor Azure region outages because you need to check each resource individually.

Question 14

You are planning to implement Azure Monitor for VMs in your Azure subscription.

Your subscription has the Azure Virtual Machines (VMs) shown in the exhibit.

You also provision a Log Analytics workspace named vmMonitorWorkspace in the Central US region.

You need to evaluate which Azure VMs meet the prerequisites to implement Azure Monitor for VMs with vmMonitorWorkspace and decide which agents you should install on these Azure VMs.

How should you evaluate the requirements? To answer, select the appropriate options from the drop-down menus.

Answers



Explanation

The Azure VMs that meet the prerequisites are vm1, vm2, vm3, and vm4. The Azure VMs meet the operating system requirements to use Azure Monitor for VMs. You can also use Azure Monitor for VMs with VMs provisioned in any region, even with on-premises VMs, as long as the Log Analytics workspace is provisioned in a supported region.

The required agents installed on the Azure VMs are the Log Analytics and the Dependency agents. You need to deploy both agents on the Azure VMs to use Azure Monitor for VMs. The Log Analytics agent collects performance data and other metrics from Linux and Windows VMs and sends the data to a Log Analytics workspace. The Dependency agent discovers network dependencies between running processes and external process dependencies.

You should not deploy the Diagnostics extension. You can use this extension to collect performance counters data and other metrics from Linux and Windows VMs and send the data to Azure Storage for archiving or to Azure Event Hub. For Windows VMs, you can use this extension to send data to Azure Monitor Metrics. Azure Monitor for VMs requires you to send data to a Log Analytics workspace, which can be done by using the Log Analytics agent.

Question 15

You manage an Azure subscription that contains multiple Azure Virtual Machines (VMs). You enable diagnostics settings on all Azure VMs and configure a Log Analytics workspace as the diagnostics destination.

Your company asks you to generate a security report to:

1. Identify which users deleted Azure VMs up to four weeks ago.

2. List security events on Azure VMs that run Windows Server 2016.

You need to implement the security report.

What should you use?

Answers



Explanation

You should use the Activity log to identify which users deleted Azure VMs up to four weeks ago. Activity logs provide insight into operations that were performed on resources in your Azure subscription, enabling you to determine which user deleted a VM and other actions. Azure stores Activity logs by default for 90 days. For longer retention, you can archive the Activity logs in a Storage account or send them to a Log Analytics workspace.

You should use a Log Analytics query to list security events on Azure VMs that run Windows Server 2016. Azure Monitor collects logs from a variety of sources, consolidating the data in a Log Analytics workspace, including security events collected by diagnostics settings on all Azure VMs. You can use a Log Analytics query to select these security events and filter them for VMs running Windows Server 2016.

You should not use Azure Monitor Metrics. You can use metrics to monitor particular aspects of a resource, like CPU usage, disk operations per second, and network usage for an Azure VM. Metrics are represented by a numerical value over time.

You should not use Service Health. You can use Service Health to monitor the health of Azure services in a region and be notified about ongoing service issues, planned maintenance, or region outages.

Question 16

You are the Azure administrator for an online personal training company. You create a blob storage account to store training videos. Only you should be able to manage the storage account.

The storage account has a container that personal trainers use to upload their videos. Only personal trainers that your company approves should be able to upload video files.

Choose all that apply:

Answers



A B C

Explanation

You should create a shared access signature. This is a URI that contains access rights to an Azure resource.

You should not set the access level of the blob container to Public. This allows anyone to access the container, including anonymous users. You should instead set the access level to Private. By doing this and giving out the shared access signature, you can control who has access to the blob container.

You should not share the storage account key with the personal trainers. This allows the personal trainers to manage the storage account, including the ability to delete other trainers' videos.

Question 17

A blob associated with an Azure Blob storage account contains data that is accessed several times per day.

You plan to add a new blob to the Blob storage account. The data in the new blob will be viewed infrequently but must be available immediately when accessed.

You must configure the storage tier for the new blob. The solution must minimize storage costs.

What should you do?

Answers



A B C D

Explanation

You should set the storage tier for the new blob to Cool. Cool storage is intended for data that is accessed infrequently and stored for 30 days or more. Cool storage has a similar time-to-access as Hot data. Although it has a slightly lower availability compared to Hot data, storage costs are lower.

You should not set the storage tier for the new blob to Archive. Although Archive storage is the least expensive, it also has several hours of retrieval latency.

You should not set the default storage tier for the account to Hot. Only the original blob in the storage account is accessed frequently. If the tier for the account is set to Hot, this applies to the new blob as well.

You should not set the default storage tier for the account to Cool. This is appropriate only for the new blob. If the tier for the account is set to Cool, this applies to the original blob as well.

Question 18

You are a Cloud Solutions Architect for a mobile application development company. The company has worldwide users that consistently require high performance.

You now want to drop the dependency on physical datacenter storage. You plan to create a new storage solution for the company that uses Azure Storage for disaster recovery, high availability, and performance.

Choose all that apply:

Answers



A B C

Explanation

You should not use Premium Storage for global replication. Premium Storage is available only for locally redundant storage (LRS) replication. Also, Premium Storage is not available for all regions.

Recovery time objective (RTO) is the maximum acceptable time that an application can be unavailable after an incident. For example, if your RTO is 50 minutes, you can restore the application to a running state within 50 minutes after the start of an incident. However, if you have a very low RTO, you might keep a second regional deployment continually running an active/passive configuration on standby to protect against a regional outage.

You cannot authorize Azure Storage operations over HTTP. To authorize blob and queue operations with an OAuth token, you must use HTTPS.

Question 19

You are determining which type of Azure storage replication is appropriate for your storage account.

You must consider the features of each replication option and choose the most appropriate: locally-redundant storage (LRS), zone-redundant storage (ZRS), geo-redundant storage (GRS), or read-access geo-redundant storage (RA-GRS).

Which replication options should you use to provide the features listed in the answer area?

Answers



Explanation

LRS maintains three copies of your data within a single datacenter in a single region. This type of replication does not protect your data from the failure of a single data center or region, but it protects you from hardware failures.

Premium storage supports only LRS as storage redundancy.

RA-GRS replicates your data to another datacenter in a secondary region and provides read-only access to the data in the secondary location. This replication option is the default option for new storage accounts.

Question 20

You create an Azure storage account that is used to store financial records. These records are accessed frequently. In the event of a datacenter outage, you want to ensure that the records are easily accessible, even if they cannot be modified. All applications use REST APIs to access the financial records.

You need to choose the most appropriate, least expensive configuration.

How should you configure the storage account? To answer, select the appropriate configurations from the drop-down menus.

Answers



Explanation

You should use the Hot access tier. This tier is feasible for storage accounts that are accessed frequently.

You should use the RA-GRS replication strategy. With this strategy, if a failure occurs at a datacenter, data is replicated to another datacenter in another region, and it is available for read-only access.

You should use the Standard performance tier. This tier uses magnetic drives to store data at low cost.

You should not use the Cool access tier. This tier is feasible for storage accounts that are not accessed frequently.

You should not use LRS. This replication strategy only copies data within a datacenter. It is feasible for scenarios such as power supply failure or disk failure.

You should not use GRS. This replication strategy copies data to other regions. However, the data is not available to be read unless Microsoft initiates a failover to that region.

You should not use the Premium performance tier. This tier uses solid state drives at a higher cost. These storage accounts can only be used with virtual machine (VM) disks.

Question 21

You are designing the disaster recovery strategy for an application.

The application uses a private blob container in a storage account named storage1. The application needs to read and write blobs in storage1 even if a disaster impacting a whole Azure region occurs.

You need to configure storage1 to maximize availability and indicate an action to perform in case of an outage.

Which redundancy option and action should you use?

Answers



Explanation

You should configure Geo-redundant storage (GRS) for storage1. This redundancy option replicates the storage account to a geographically isolated region if there is a disaster that impacts an Azure region.

You should initiate a storage account failover if an outage occurs. An account failover promotes the secondary endpoint of the storage account to become the primary endpoint. Once failover is completed, the application can read and write to the new primary region and maintain high availability.

You should not configure Read-access geo-redundant storage (RA-GRS) and use the storage account secondary endpoint. Using RA-GRS and redirecting the application to use the secondary storage account endpoint solves the read availability problem. However, the secondary endpoint does not allow the application to write on the replicated blobs.

You should not configure Locally redundant storage (LRS) or Zone-redundant storage (ZRS) for storage1. These redundancy options do not replicate the storage account to a geographically isolated region.

You should not copy the files to a new storage account. If the primary region is not available, you may not be able to copy the original blobs from the storage account.

Question 22

You are designing a new storage solution using Azure Storage Accounts for your company.

The company security team requires that the solution uses Azure Active Directory (Azure AD) as the authentication platform with the storage account.

You need to indicate which storage account services are compatible with Azure AD.

Choose all that apply:

Answers



Explanation

You can use Azure AD role-based access control (RBAC) to access Azure Blobs and Azure Queues. To authorize requests to Azure Blobs and Azure Queues with Azure AD, you assign RBAC roles, such as the Storage Blob Data Contributor or Storage Queue Data Reader built-in roles, to the security principal.

You can use the Azure Files access over Server Message Block (SMB) protocol with Azure AD by enabling the Azure AD Domain Services. After you enable Azure AD Domain Services, you can mount Azure Files in a domain-joined machine and enforce authorization on user access using the same credentials in Azure AD. The SMB protocol is a network file sharing protocol providing access to files, printers, and serial ports over a network.

You cannot use Azure AD managed identities to access Azure Tables. Only storage account keys and shared access signatures (SAS) are supported as authorization for Azure Tables.

Question 23

You are the Azure administrator for a web API that uses the Free plan.

You need to monitor the web API to determine whether or not you should change the plan to Basic.

Which metric should you monitor?

Answers



Explanation

You should monitor CPU time. This represents the number of CPU minutes used by the web API. For the Free plan, a web app or web API is allowed 60 CPU minutes per day. By monitoring this metric, you can decide whether or not to scale up the web API.

You should not monitor Average Response Time. This represents the average number of milliseconds used to serve a single request. An App Service Plan can affect the response time, but it is not feasible to use the response time to determine whether or not to scale up an app due to other factors. For example, the average response time can increase due to the number of simultaneous requests made during peak times.

You should not monitor Requests. This represents the total number of HTTP requests made to the web API. An App Service Plan does not limit the number of requests made to a web API.

You should not monitor Thread Count. This represents the total number of working threads used to service requests. An App Service Plan does not limit the number of threads used by a web API.

Question 24

You need to enable encryption for a running Windows Infrastructure-as-a-Service (IaaS) virtual machine (VM).

Which PowerShell cmdlet should you use?

Answers



Explanation

You should use the Set-AzVMDiskEncryptionExtension cmdlet. This cmdlet is used to enable encryption on a running VM by installing the disk encryption extension. This cmdlet is used to enable encryption for a Windows or supported Linux VM. You should create a snapshot of the VM before enabling encryption.

You should not use the Set-AzVMDataDisk cmdlet. This cmdlet is used to modify properties for a VM data disk but does not include properties related to encryption.

You should not use the Set-AzDiskDiskEncryptionKey cmdlet. This cmdlet sets the disk encryption key properties on a disk but does not enable encryption.

You should not use the ConvertTo-AzVMManagedDisk cmdlet. This cmdlet is used to convert a VM with blob-based disks to a VM with managed disks.

Question 25

Your company is researching ways to improve data security for Windows and Linux Infrastructure-as-a-Service (IaaS) virtual machines (VMs). You need to determine if Azure Disk Encryption can meet the company's requirements.

Choose all that apply:

Answers



Explanation

Azure Disk Encryption is not supported for Basic tier VMs. It is supported for Standard and Premium tier VMs. Azure Disk Encryption supports Windows Server 2008 and later, and a subset of Azure Linux images. Custom Linux images are not supported.

You must encrypt the boot volume before you can encrypt any data volumes on a Windows VM. Azure Disk Encryption does not let you encrypt a data volume unless you first encrypt the OS volume. This is different for Linux VMs, which let you encrypt data without first encrypting the OS volume.

You cannot use an on-premises key management service to safeguard encryption keys. You are required to use Azure Key Vault. Azure Key Vault is a prerequisite for implementing Azure Disk Encryption.

Question 26

Your company plans to use a custom image based on an existing Azure Windows virtual machine (VM) to provision new VMs in multiple regions.

You need to prepare the VM so it can be used to create a custom image.

Which three commands should you run first in sequence?

Answers



Explanation

You need to start by running the following commands in order:

1. Sysprep

2. Stop-AzVm

3. Set-AzVm

A custom image is similar to an Azure marketplace image. The primary difference is that you create the image yourself from an existing VM. The result is a reusable image that can be used to create as many VMs as you want.

You start by running the Sysprep command to remove personal information and generalize the image. You then use the Stop-AzVm cmdlet to deallocate the VM. Finally, you need to identify the VM as generalized to Azure using the Set-AzVm command.

Once you have prepared the image, you run Get-AzVM to retrieve the image and load it into a variable, New-AzImageConfig to create the image configuration by specifying the image location, and finally New-AzImage to create the image, specifying the image name and location.

At this point, you can use the New-AzVm cmdlet to create new VMs from the image.

Question 27

You need to recommend a solution that will monitor Azure subscription activity and send alerts to a non-Azure system for processing.

Notification of alerts sent to the external system must be automated.

Which mechanism should you recommend?

Answers



Explanation

You should recommend using a webhook. Azure alerts use HTTP POST to send the alert contents in JSON format to a webhook URI that you provide when you create the alert. Azure posts one entry per request when an alert is activated.

You should not recommend Power BI. This service is used to present and analyze both historical and live data. The external system would need to retrieve the data from Power BI.

You should not recommend Azure Event Hubs. Although this service is used to ingest data, you would need an additional component to send data to an external system.

You should not recommend Azure Stream Analytics. This service is used to process large amounts of data on the fly and to perform complex data analytics and aggregations.

Question 28

You plan to move a batch processing solution that currently runs on multiple on-premises Virtual Machines (VMs) to the Azure cloud.

The solution requires you to control when maintenance events occur and provide hardware isolation at the physical server level.

You need to implement a solution to meet the requirements.

What should you use?

Answers



Explanation

You should use Azure Dedicated Hosts. You can use Azure Dedicated Hosts to provide a physical server dedicated to one Azure subscription. Azure Dedicated Hosts provide hardware isolation at the physical server level and total control over Azure's maintenance events by defining a custom maintenance window. You can also host one or more virtual machines on a single Dedicated Host.

You should not use Azure VM scale sets. You can use Azure VM scale sets to manage a group of load-balanced VMs that run a similar workload. You can use update domains to improve high availability during maintenance events. However, you cannot control when maintenance events will be applied, and VM scale sets do not provide hardware isolation at the physical server level.

You should not use App Service Environments. You can use App Service Environments to provide an isolated and dedicated environment for running App Service apps. App Service Environments provide hardware isolation at the physical server level. However, it is better suited for running web applications.

You should not use Azure Kubernetes Service. You can use Azure Kubernetes Service to provide a managed Kubernetes cluster in Azure and reduce the complexity of managing the cluster. Azure Kubernetes Service is better suited for running microservices and containerized applications, and it does not provide hardware isolation at the physical server level by itself.

Question 29

You are implementing an n-tier application that runs on three Azure Virtual Machines (VMs) in your Azure subscription.

The application requires the lowest possible network latency between the Azure VMs.

You need to deploy the application using the most cost-effective solution.

What should you do?

Answers



Explanation

You should create a proximity placement group. You can use a proximity placement group to provision resources like Azure VMs or VM scale sets that are physically located close to each other. This achieves the lowest network latency between this group of resources.

You should not deploy the VMs on a Dedicated Host. You can use a Dedicated Host to host one or more VMs in the Azure infrastructure. To achieve the lowest network latency, you also need a proximity placement group, which is not compatible with a Dedicated Host.

You should not use a VM scale set and deploy the VMs in the same fault domain or update domain. You can use a VM scale set to provide high availability for each application tier by increasing the VM redundancy. A fault domain is a logical group that shares the same hardware power supply and network switch. An update domain also shares the same hardware, but it is logically separated from the fault domain so they can perform maintenance operations at different times. A fault domain and an update domain are used by a single VM scale set. You cannot control where you deploy your VMs in a specific fault or update domain, and you cannot guarantee that the resources are physically located close to each other using three different VM scale sets. Therefore, the lowest network latency would not necessarily be achieved.

Question 30

You plan to deploy 15 identical virtual machines (VMs) to Azure. All 15 VMs must be based on the settings of a local on-premises computer.

You need to choose the best strategy for deploying the VMs.

What should you do?

Answers



Explanation

You should create a JSON file that describes a single VM. This file is referred to as an Azure Resource Manager (ARM) template in Azure. You should then use deployment commands to deploy the template to Azure. One tool that you can use is PowerShell. Once the template is deployed, you can use it to create actual VMs.

You should not create an XML file to describe a single VM. ARM templates must be written in JSON syntax.

You should not create the VM in Azure and then use PowerShell or Azure CLI to copy it. ARM templates provide a way to describe a VM before you create it.

Question 31

You need to deploy a virtual machine (VM) to Azure from a third-party online template.

Which PowerShell cmdlet should you use?

Answers



Explanation

You should use New-AzResourceGroupDeployment. This cmdlet allows you to use Azure Resource Manager (ARM) templates to create Azure resources. In this scenario, it allows you to create a VM from an ARM template.

You should not use New-AzureQuickVM or New-AzVM. Both cmdlets allow you to create a VM from a PowerShell command, not from a third-party online template. You can use New-AzureQuickVM and New-AzVM to create VMs using the classic deployment and Azure Resource Manager, respectively.

You should not use New-AzVMConfig. This cmdlet creates a VM configuration, not an actual VM.

Question 32

You used the Azure portal to deploy resources. You now want to create a similar deployment based on the ARM template that you used with this earlier deployment.

Which four actions should you perform in sequence?

Answers



Explanation

You should perform the following steps in order:

1. Open the Azure portal.

2. Select the resource group that you recently deployed.

3. From the group's deployment history, select the appropriate deployment.

4. Redeploy and provide different values as needed.

You use the Azure portal to perform this procedure. You find the resource group that you deployed previously, view the deployments for this resource group, and then select the deployment that you want to repeat. The template from this previous deployment is used for the new deployment.

You should not select Automation script. This option generates a new ARM template for the resource group. It does not use the template from a previous deployment.

You should not view the deployment's template and edit any parameters as required for the current deployment. You can provide new values when you redeploy, but you cannot edit the template during this step.

Question 33

An Azure resource group was initially deployed from an Azure Resource Manager (ARM) template. Resources have since been added and modified manually through the Azure portal.

You need to create a new template based on the current state of the resource group.

Which PowerShell cmdlet should you use?

Answers



Explanation

You should use the Export-AzResourceGroup cmdlet. This cmdlet captures a specified resource group and saves it as a template to a JSON file. This gives you a way to create a template based on the current resources in a resource group. You also have the option of exporting a running resource group as a template from the Azure portal.

You should not use the Save-AzResourceGroupDeploymentTemplate cmdlet. This saves a resource group deployment, not the current resource group, to a file. You must specify both the deployment name and resource group name.

You should not use the Save-AzDeploymentTemplate cmdlet. This saves an existing deployment template to a new template file.

You should not use the New-AzResourceGroupDeployment cmdlet. This cmdlet is used to apply a template to an existing resource group, not to create a new template file.

Question 34

You create an Azure Automation Account with an Azure PowerShell runbook to stop Azure Virtual Machines (VMs) with a given tag.

When you execute this runbook, you see the error message shown in the exhibit.

You need to fix the runbook.

What should you do?

Answers



Explanation

You should import the Az.Compute module from the modules gallery. This kind of error occurs when you try to run a runbook without the required modules installed. You can import the Az.Compute module from the modules gallery to enable the Get-AzVM PowerShell cmdlet and fix the error shown in the exhibit.

You should not update the AzureRM.Compute module from the modules gallery. This module is available by default in the Automation Account. You can use this module if your runbook uses the AzureRM PowerShell module to stop Azure VMs, like the Get-AzureRmVM cmdlet.

You should not create a new Azure Automation Run As account. The Azure Automation Run As account is a service principal with the Contributor role at the subscription level and is used by the Azure Automation Account. You would see a different error message if the runbook failed for insufficient permission reasons.

You should not re-create the runbook as a graphical runbook. You can use a graphical runbook to create a PowerShell-based script using a graphical editor. Re-creating the runbook and using the Get-AzVM PowerShell cmdlet would result in the same error if you did not import the Az.Compute module.

Question 35

You plan to automate the deployment of an Azure Virtual Machine (VM) scale set to a new Azure subscription. The scale set uses an Ubuntu Server 18.04 LTS image.

After the deployment is complete, all VMs in the scale set must have the Nginx web server installed.

You need to ensure that the web server is installed after the VM scale set is provisioned.

Which two actions should you perform? Each correct answer presents part of the solution.

Answers



Explanation

You should create an Azure Resource Manager (ARM) template for the VM scale set. You can create an ARM template to automate the configuration of the VM scale set in the new subscription. You can reuse the same ARM template and configure parameters to make the template more customizable.

You should also modify the ARM template with a Custom Script extension. You can install the web server after the VM scale set is provisioned by using a Custom Script extension. You could use the following command to install the web server:

sudo apt-get install nginx -y

You should not upload a DSC script or import a runbook from the gallery. You can use a DSC script or a runbook to install the Nginx web server. However, you need an Automation Account configured to run these scripts.

Question 36

You are planning to automate when an Azure Virtual Machine (Azure VM) named vm1 is turned on by using an Azure Runbook.

Vm1 is provisioned in a resource group named rg1. You write the runbook script as shown in the exhibit.

You need to run this runbook in your Azure subscription.

Which three actions should you perform in sequence?

Answers



Explanation

You should perform the following actions in order:

1. Create an Azure Automation Account.

2. Import the necessary modules from the modules gallery.

3. Create a PowerShell runbook and execute the runbook.

You should create an Azure Automation Account. You can use the Azure Automation Account to manage your runbooks, configuration management, and authenticate your Azure subscription.

You should also import the necessary modules from the modules gallery. You need to import the Az.Accounts and the Az.Compute modules from the modules gallery. These modules are required by your runbook script, and they are not available by default when you create your Automation Account.

Finally, you should create a PowerShell runbook and execute the runbook. You need to create a PowerShell runbook to execute your script, and you can run your runbook to turn on the Azure VM.

You should not create a PowerShell Workflow runbook and execute the runbook. You can use a PowerShell Workflow runbook to support additional features to run your runbook, like checkpoints, parallel execution, and runspaces. The syntax of a PowerShell Workflow is slightly different than a PowerShell script.

You should not create a graphical runbook and execute the runbook. You can create a runbook by using a graphical interface to build your workflow. To create a graphical runbook from a script, you need to import from a PowerShell Workflow runbook.

Question 37

You have a resource group named rg1 with a storage account named storage1 in your Azure subscription. Both resources are provisioned in the East US region.

You export rg1 to an Azure Resource Manager (ARM) template file and modify it as shown in the exhibit:

You run the following Azure command-line interface (CLI) command to deploy the ARM template to a new resource group:

az group create --name rg2 --location "West US"

az deployment group create \
  --name deployment \
  --resource-group rg2 \
  --template-file template.json \
  --parameters location="East US"

You need to evaluate the results of running this command.

Choose all that apply:

Answers



Explanation

The rg2 resource group is provisioned in the West US region. The az group create command has the --location parameter configured as West US. This creates rg2 in the specified region.

The new storage account is not provisioned in the West US region. The new storage account is provisioned in the East US region as specified in the --parameters parameter in the az deployment group create command. To provision the storage account in the West US region, you should define this region in the --parameters parameter or omit the --parameters location parameter to use the resource group default location that is retrieved by the location defaultValue "[resourceGroup().location]".

This ARM template does not output the new storage account and its region. This template outputs the generated storage account name, but it does not output the storage account region.

Question 38

You create an Azure Resource Manager (ARM) template to deploy an Azure virtual machine (VM) running Windows Server 2019.

You need to allow other users to deploy this ARM template multiple times without exposing the administrator password.

What should you do?

Answers



Explanation

You should create a parameter file referencing an Azure Key Vault secret. You can create an Azure Key Vault secret and integrate it with the ARM template by adding a reference for this secret in the parameter file. This securely stores the administrator password without exposing it to other users.

You should not create a parameter file containing the password. You can use a parameter file to store the values you pass in during deployment. The parameter file contains JavaScript Object Notation (JSON) plain text, which would expose the administrator password.

You should not create a user-assigned managed identity for the VMs. You can use a managed identity to authenticate your VMs with any service that supports Azure Active Directory (Azure AD) authentication without saving any credentials in your code. You cannot store the VM administrator password using a managed identity.

You should not create a parameter file referencing an Azure Key Vault key. You can use an Azure Key Vault key to store cryptographic keys. Azure Key Vault supports multiple types of keys and algorithms. However, you should use a secret to store a password in a Key Vault.
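The difference between the two parameter-file options in this explanation can be checked mechanically before a file is shared or committed. The following is an added example, not part of the original question: it audits an ARM parameter file and flags credential-like parameters that carry an inline value instead of a Key Vault secret reference. The parameter names, subscription ID, resource group, vault name and secret name are constructed placeholders, and the name heuristic is an assumption of this example.

```python
import json
import re

# Heuristic for parameter names that usually carry credentials (assumption of this example).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|key)$", re.IGNORECASE)

# Resource ID shape of a Key Vault, as used in a parameter-file reference.
VAULT_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)


def audit_parameter_file(text):
    """Return sorted (parameter, finding) pairs for one ARM parameter file."""
    findings = []
    for name, body in json.loads(text).get("parameters", {}).items():
        if not isinstance(body, dict):
            findings.append((name, "malformed entry"))
            continue
        ref = body.get("reference")
        if ref is None:
            # Inline value: only a problem when the name looks like a credential.
            if "value" in body and SECRET_NAME.search(name):
                findings.append((name, "plaintext secret in parameter file"))
            continue
        if "value" in body:
            findings.append((name, "both value and reference are set"))
        vault = ref.get("keyVault") if isinstance(ref, dict) else None
        vault_id = vault.get("id", "") if isinstance(vault, dict) else ""
        if not VAULT_ID.match(str(vault_id)):
            findings.append((name, "reference lacks a valid keyVault.id"))
        if not (isinstance(ref, dict) and ref.get("secretName")):
            findings.append((name, "reference lacks secretName"))
    return sorted(findings)


# Constructed sample: the password sits in the file as plain JSON text.
PLAINTEXT_PARAMS = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "value": "azureuser" },
    "adminPassword": { "value": "constructed-example-only" }
  }
}
"""

# Constructed sample: the file only points at a Key Vault secret.
KEYVAULT_PARAMS = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "value": "azureuser" },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/kv-example"
        },
        "secretName": "vmAdminPassword"
      }
    }
  }
}
"""

# Constructed sample: a reference that names the vault but no secret.
BROKEN_REFERENCE_PARAMS = KEYVAULT_PARAMS.replace(
    '"secretName": "vmAdminPassword"', '"secretName": ""'
)

if __name__ == "__main__":
    for label, text in [("plaintext", PLAINTEXT_PARAMS),
                        ("key vault", KEYVAULT_PARAMS),
                        ("broken reference", BROKEN_REFERENCE_PARAMS)]:
        print(label, audit_parameter_file(text))
```

For a deployment to resolve such a reference, the vault must have enabledForTemplateDeployment turned on.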

Question 39

You have three virtual networks (VNets) named VNET1, VNET2 and VNET3. The VNets have the following subnets:

VNET1: Subnet11, Subnet12

VNET2: Subnet21

VNET3: Subnet31, Subnet32

You perform the following actions:

Add peering from VNET1 to VNET2

Add peering from VNET2 to VNET3

Add peering from VNET3 to VNET2

You need to identify network connectivity between the subnets.

Which network connectivity should you identify for each subnet?

Answers



Explanation

Virtual network (VNet) peering enables you to connect VNets. Peered VNets appear as one for connectivity purposes. You must add peering to both VNets that you want to connect. If you add peering to only one VNet, peering is in the Initiated state, and VNets will not have connectivity.

You should select Subnet11 has network connectivity with Subnet12 only. Those two subnets are on the same VNet. Subnets on the same VNet always have full network connectivity.

Subnet11 does not have network connectivity with Subnet21. Subnet11 is on VNET1, and Subnet21 is on VNET2. You have only added peering between VNET1 and VNET2 in one direction. For this reason, peering is in the Initiated state and the two VNets do not have connectivity. Because the VNets are not connected, Subnet11 does not have connectivity with Subnet21.

You should select Subnet21 has network connectivity with Subnet31 and Subnet32 only. Subnet21 is on a different VNet than Subnet31 and Subnet32. You add peering from VNET2 to VNET3 and from VNET3 to VNET2. Because the VNets are connected, the subnets on VNET2 have full connectivity to subnets on VNET3.

You added peering from VNET1 to VNET2, but you did not add peering from VNET2 to VNET1. Because the peering was only added to one of the VNets, there is no network connectivity between VNET1 and VNET2 and Subnet21 does not have connectivity with Subnet11 and Subnet12.
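The rule used in this explanation (a peering gives connectivity only when both VNets have added their side; a one-sided peering stays in the Initiated state) can be modelled directly. The following is an added example, not part of the original question: it takes the question's VNets and peering actions, reports half-configured peerings, and lists which subnets each subnet can reach. It only looks at direct peers, treating peering as non-transitive; the function names are hypothetical.

```python
from itertools import combinations

# The VNets and peering actions from the question (direction = which VNet added the peering).
VNETS = {
    "VNET1": ["Subnet11", "Subnet12"],
    "VNET2": ["Subnet21"],
    "VNET3": ["Subnet31", "Subnet32"],
}
PEERINGS = [("VNET1", "VNET2"), ("VNET2", "VNET3"), ("VNET3", "VNET2")]


def peering_state(links, a, b):
    """State of the peering between VNets a and b, given the added links."""
    links = set(links)
    forward, backward = (a, b) in links, (b, a) in links
    if forward and backward:
        return "Connected"
    if forward or backward:
        return "Initiated"  # only one side was added: no connectivity yet
    return "None"


def half_configured(vnets, links):
    """VNet pairs whose peering was added on one side only."""
    return [
        (a, b)
        for a, b in combinations(sorted(vnets), 2)
        if peering_state(links, a, b) == "Initiated"
    ]


def reachable_subnets(vnets, links, subnet):
    """Subnets that `subnet` has connectivity with, sorted by name."""
    home = next(v for v, subs in vnets.items() if subnet in subs)
    # Subnets in the same VNet always have connectivity.
    result = {s for s in vnets[home] if s != subnet}
    # Only directly peered VNets in the Connected state count.
    for other in vnets:
        if other != home and peering_state(links, home, other) == "Connected":
            result.update(vnets[other])
    return sorted(result)


if __name__ == "__main__":
    print("half-configured:", half_configured(VNETS, PEERINGS))
    for subs in VNETS.values():
        for s in subs:
            print(s, "->", reachable_subnets(VNETS, PEERINGS, s))
```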

Question 40

You are implementing network communication between two Azure Virtual Machines (VMs).

The Azure subscription resources are shown in the exhibit.

You need to ensure that vm1 can connect to vm2 using the private IP address.

What should you do?

Answers



Explanation

You should create a virtual network peering between vnet1 and vnet2. You can use virtual network peering to enable connections between virtual networks in the same or different Azure regions. The traffic between Azure VMs uses the Microsoft private network only, resulting in a high-bandwidth, low-latency connection across virtual networks.

You should not add a new NIC on vm1 associated with vnet2. You can attach more network adapters on an Azure VM depending on the VM size to increase network throughput or enable connection with other virtual networks. However, all resources (the network adapter, the VM, and the virtual network) must be provisioned in the same Azure region.

You should not associate the vm2 NIC with vnet1. You can change the subnet, but not the virtual network associated with a NIC.

You should not move vm1 to resource group rg2. You can move an Azure VM to another resource group in your subscription. However, it does not affect VM connectivity or resource location. Vm1 will continue to be connected with vnet1 and in the same region (Central US).

Question 41

You are implementing the virtual network for a new application. The application uses two Azure Virtual Machines (VMs):

webserver: an Azure VM that only accepts network connections from the internet using ports 80 and 443 directly from a static public IP

database: an Azure VM running MySQL server that accepts connections only from the webserver's private IP address on port 3306

You need to evaluate the minimum number of network interface cards (NICs) and network security groups (NSGs) you need to provision.

How many resources should you provision? To answer, select the appropriate options from the drop-down menus.

Answers



Explanation

You should provision at least two NICs. You need to associate one NIC for each Azure VM, and for the webserver, you should associate a static public IP address on the same NIC. You have a required private IP address that is defined by the virtual network and an optional public IP address per NIC.

You should provision at least two NSGs. One NSG should be associated with the webserver's NIC to allow network traffic on ports 80 and 443 from the internet. Another NSG should be associated with the database NIC to allow network traffic on port 3306 from the webserver's private IP address.

Question 42

You are managing your company's virtual networks in Azure.

Your company has Azure Virtual Machines (VMs) across three virtual networks.

vnet1 has the address space 10.0.0.0/16.

vnet2 has the address space 10.1.0.0/16.

vnet3 has the address space 10.2.0.0/16.

You configure virtual network peering on the following networks:

vnet1 network peering allows virtual network access to vnet2.

vnet2 network peering allows virtual network access to vnet3.

vnet3 network peering allows virtual network access to vnet2.

You need to determine if Azure VMs in a specific virtual network can communicate with Azure VMs in other virtual networks.

How can Azure VMs communicate with each other? To answer, select the appropriate options from the drop-down menus.

Answers



Explanation

Azure VMs on vnet1 can connect to Azure VMs on vnet2 only. You configured a virtual network peering in vnet1 to vnet2, allowing resources from vnet1 to connect with resources in vnet2.

Azure VMs on vnet2 can connect to Azure VMs on vnet3 only and vice versa. You configured a virtual network peering on vnet2 to vnet3, and also a peering on vnet3 to vnet2, allowing resources from vnet2 and vnet3 to connect with each other.

Azure VMs on vnet1 cannot connect to Azure VMs on vnet3 and vice versa. A virtual network peering is established between two virtual networks only, and it is not transitive. If you want to connect resources on vnet1 with resources on vnet3, you need to configure a network peering between vnet1 and vnet3.

Azure VMs on vnet2 cannot connect to Azure VMs on vnet1. You configured a virtual network peering in vnet1 to vnet2 only. A virtual network peering does not work in both directions. To allow connections from vnet2 to resources in vnet1, you need to configure a network peering from vnet2 to vnet1.

Question 43

You manage your company's Azure virtual network. You have a virtual network named vnet1 with the address space 10.0.0.0/16 that contains three subnets:

public: subnet with the address space 10.0.1.0/24

private: subnet with the address space 10.0.2.0/24

dmz: subnet with the address space 10.0.3.0/24

You create a new network virtual appliance named nvm1 in the dmz subnet with the private IP address 10.0.3.11.

You need to configure a custom route in the private subnet to route the traffic to nvm1.

How should you configure the custom route? To answer, select the appropriate options from the drop-down menus.

Explanation

You should configure the address prefix as 10.0.2.0/24. You can use the address prefix to configure where the traffic is coming from, which is from the private subnet.

Next, you should configure the next hop type as Virtual appliance. This option configures the type of destination where traffic is routed, which is the nvm1 network virtual appliance.

Finally, you should configure the next hop address as 10.0.3.11. You can use this option to configure the routing destination, which is the nvm1 private IP address.

You should not configure the address prefix as 10.0.1.0/24 or 10.0.3.0/24. These address prefixes refer to the public and dmz subnets, respectively. You need to route traffic from the private subnet.

You should not configure the next hop type as Internet or Virtual network. You should configure these next hop types to route traffic to the internet or to a virtual network, respectively.

You should not configure the next hop address as 0.0.0.0/0 or 10.0.1.0/24. These addresses could be used to route traffic to the internet or the public subnet, respectively. You need to configure the next hop type as Internet or Virtual network with these addresses.

Question 44

You are implementing network connectivity between your on-premises network and two Azure virtual networks.

You configure your network with the address spaces below:

on-premises network: 10.0.1.0/16

vnet1 (Azure): 10.0.11.0/16

vnet2 (Azure): 10.0.12.0/16

You decide to implement a hub-spoke network topology to optimize the cost. You create a new virtual network named hub with the address space 10.0.10.0/16 and implement virtual network peering between vnet1 and hub, and between vnet2 and hub.

You need to complete the hub-spoke network topology configuration.

Which three actions should you perform?

Explanation

You should perform the following actions:

Implement a VPN gateway on the hub virtual network.

Configure the peering connection on the hub virtual network to allow gateway transit.

Configure the peering connection on vnet1 and vnet2 to use remote gateways.

You should implement a VPN gateway on the hub virtual network. The hub virtual network centralizes connectivity to your on-premises network. You should implement a VPN gateway only on this virtual network. The spoke networks connect to on-premises through this hub network.

You should also configure the peering connection on the hub virtual network to allow gateway transit. This allows the on-premises network to access vnet1 and vnet2 virtual networks.

Finally, you should also configure the peering connections on vnet1 and vnet2 to use remote gateways. This allows the spoke networks to connect back with the on-premises network.

You should not implement a VPN gateway on the vnet1, vnet2, and hub virtual networks. You can configure network peering between Azure virtual networks by using a VPN gateway. However, you already configured virtual network peering between the virtual networks and the hub network. Implementing a VPN gateway in all virtual networks results in a more expensive solution.

You should not configure all peering connections to use remote gateways. You need to use remote gateways only in the spoke networks in a hub-spoke network topology, which, in this case, is vnet1 and vnet2.

Question 45

You create a new, empty virtual network named vnet1 as shown in the exhibit.

You have another virtual network named vnet2 in a different Azure subscription. vnet2 is provisioned in the Azure Central US region with the address space 10.2.0.0/16.

You need to create a virtual network peering between vnet1 and vnet2.

What should you do first?

Explanation

You should modify the address space of vnet1. To create a virtual network peering, both networks must have non-overlapping IP address spaces. Since vnet1 and vnet2 use the same address space, you need to use a different address space for vnet1, like 10.1.0.0/16 for example, before you create the virtual network peering.

You should not move vnet2 to the same subscription. You can create a virtual network peering between virtual networks in different subscriptions. If the subscriptions belong to different Azure Active Directory (AD) tenants, you should use the Azure Command-line interface (CLI), or the PowerShell Az Module to create the virtual network peering instead of the Azure portal.

You should not move vnet1 to the Central US region. You can create a virtual network peering between virtual networks in different regions. This is also called global virtual network peering.

You should not create a gateway subnet in vnet2. You should create a gateway subnet if you plan to deploy a virtual network gateway in vnet2. You do not need this to create a virtual network peering.

Question 46

Your company has on-premises Domain Name System (DNS) servers that are authoritative for its domain. You create a directory in Azure Active Directory (Azure AD). You want to create a custom domain for this directory that matches your company's domain.

You need to configure the environment so that you can have Azure verify the custom domain.

What should you do?

Explanation

You should add a TXT record to your company's DNS servers. When you ask Azure to verify a custom domain, it issues DNS queries for TXT records. Because your company has on-premises DNS servers that are authoritative for its domain, Azure sends the DNS queries to your company's DNS servers. If the TXT entry in Azure matches the TXT entry in your company's DNS servers, verification is successful.

You should not add a TXT record to your company's domain registrar. You should do this only if the registrar is authoritative for the domain.

You should not add CNAME records. CNAME records are alias records that allow you to forward requests from a domain name to another domain name or server.

Question 47

You plan to enable Azure Active Directory (AD) Identity Protection for your company. The configuration must include the following:

A role that allows full access to Identity Protection but without resetting passwords for users

A policy that will analyze user sign-in and learn typical user behavior

Which role and policy will meet these requirements?

Explanation

You should recommend the Security administrator role. This role provides full access to Identity Protection but cannot reset user passwords.

You should not recommend the Global administrator role. This role has full access to Identity Protection but can reset user passwords.

You should not recommend the Security reader role. This role has read-only access to Identity Protection and cannot configure policies or reset passwords.

You should recommend a user risk policy. With this type of policy, Azure AD analyzes each user's sign-in so it can detect suspicious actions (risk events) related to the sign-in. After a particular learning period, the system can learn typical user behavior.

You should not recommend an MFA registration policy. This type of policy provides a second layer of security to user sign-ins and transactions, but it does not analyze user sign-ins and learn typical user behavior.

You should not recommend a sign-in policy. This type of policy is used to define a response for a specific sign-in risk level. It does not analyze user sign-in or learn typical user behavior.

Question 48

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.

Existing Infrastructure

The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.

Business Requirements

The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.

Technical Requirements

The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.

You create two Windows 10 virtual machines for the lawyer and legal assistant. You must ensure that the lawyer and legal assistant can connect to their desktop computers from any location and from any device.

What should you do?

Explanation

You should add an inbound port rule to each VM. An inbound port rule specifies the port that must be open for the VM. In this scenario, you can open a Remote Desktop Protocol (RDP) port to allow the lawyer and legal assistant to remotely connect to the VMs.

You should not place the two VMs in the same availability set. An availability set allows one VM to be responsive when another VM is down for maintenance or some unexpected event. It does not allow users to connect to a VM remotely.

You should not move each VM into its own subnet. This increases resource management. Both VMs can be part of the same subnet.

You should not assign a static public IP address to each VM. This is not necessary, and it will add to the monthly cost. You can continue to use the dynamic public IP address that is assigned to each VM by default.

Question 49

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.

Existing Infrastructure

The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.

Business Requirements

The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.

Technical Requirements

The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.

You need to meet the availability demands for the Windows computers.

What should you do?

Explanation

You should create one availability set for each VM. An availability set allows you to group VMs for availability. For example, the first availability set can contain the Windows 10 computer for the assistant, with additional VM instances for failover support. The second availability set can contain the Windows 10 computer for the lawyer, with additional VM instances for failover support.

You should not create one availability set for both VMs. This would cause the lawyer's VM to be used when the assistant's VM is being upgraded, and vice versa.

You should not implement horizontal auto-scaling. Horizontal auto-scaling allows more VMs to be created as load on a particular VM increases. It does not provide failover support.

You should not implement vertical auto-scaling. Vertical auto-scaling allows more resources to be added to a VM as load on a particular VM increases. It does not provide failover support.

Question 50

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.

Existing Infrastructure

The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.

Business Requirements

The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.

Technical Requirements

The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.

You need to ensure that the Linux virtual machine (VM) automatically expands its disk size when it is running low on space.

Which two actions should you perform? Each correct answer presents part of the solution.

Explanation

You should configure Azure Monitor with an alert rule. Azure Monitor can monitor a VM for free disk space, and an alert rule can trigger an alert. The alert can run actions in response, such as sending an email or SMS, or invoking an Automation Runbook or an Azure Function.

You should also create an Azure Function that uses an HTTP trigger. When the trigger is invoked by the alert, it should stop the VM, expand the disk, and then restart the VM.

You should not create an Azure Function that uses a Queue trigger. To invoke an Azure Function from an alert rule, you should call an existing Azure Function that uses an HTTP trigger.

You should not run an Azure PowerShell or Azure CLI command from the VM. Although both types of commands can be used to expand a disk, they should be run from a separate computer or VM instance.

Question 51

You are implementing a web app that runs in multiple regions. Each region has an Azure App Service web app provisioned. The web app address is named company1.com.

You need to route the users to the closest region when they access the web app address.

Solution: Implement Azure Front Door and configure latency based traffic-routing.

Does this solution meet the goal?

Explanation

This solution meets the goal. You can use Azure Front Door to define global routing for multi-region web apps. Azure Front Door works as a global HTTP/HTTPS layer load balancer, and it is integrated with Microsoft Content Delivery Network (CDN) and DNS based global routing. Azure Front Door supports a range of traffic-routing methods for DNS based routing, such as latency based traffic-routing that routes the web traffic to the closest region.

Question 52

You are implementing a web app that runs in multiple regions. Each region has an Azure App Service web app provisioned. The web app address is named company1.com.

You need to route the users to the closest region when they access the web app address.

Solution: Implement Azure Traffic Manager and configure geographic traffic-routing.

Does this solution meet the goal?

Explanation

This solution does not meet the goal. You can use Azure Traffic Manager to define DNS based global routing for multi-region web apps. However, the geographic traffic-routing does not route the web traffic to the closest region, but to a specific region based on the user's location. You should use the performance traffic-routing to route the web traffic to the closest region.

Question 53

You are implementing a web app that runs in multiple regions. Each region has an Azure App Service web app provisioned. The web app address is named company1.com.

You need to route the users to the closest region when they access the web app address.

Solution: Implement Azure Application Gateway and configure multiple backend pools.

Does this solution meet the goal?

Explanation

This solution does not meet the goal. You can use Azure Application Gateway as an HTTP/HTTPS layer load balancer to route web traffic for one or multiple web apps. You can configure multiple websites to respond to a specific backend pool. However, you cannot route web traffic to the closest region with Azure Application Gateway. You need to implement a service that supports DNS based load balancing, such as Azure Traffic Manager or Azure Front Door.

Question 54

You have three application virtual machines (VMs) hosted in one region in Azure. You plan to prepare a strategy that will create backups for all data from the VMs. The backup will occur every day at 1 A.M. on each VM.

You need to ensure that the data is protected upon configuring the solution. You want to minimize the required administrative effort.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.

Explanation

You should perform the following steps in order:

1. Create a Recovery Services vault.

2. Define a backup policy to protect the VMs.

3. Perform the initial backup.

First, you create a Recovery Services vault to contain the backup data and the backup policy.

Then, you define the backup policy to protect the VMs, which defines when and how often recovery points are taken.

Finally, you perform an initial backup. It is a disaster recovery best practice to trigger the first backup so that your data is protected.

You should not define a separate backup policy for each VM. To minimize administrative effort, you should create only one policy to apply to all VMs.

Unless you plan to perform backups manually, you should not create a storage account for files. Recovery Services manages the files internally.

Question 55

You are planning to assess and migrate your company's Hyper-V on-premises clusters to the Azure cloud using Azure Migrate.

The cluster configuration is shown in the exhibit.

You need to determine how many Azure Migrate appliances and Microsoft Azure Recovery Services (MARS) agents you should provision to assess and migrate the clusters.

How many appliances and agents should you provision?

Explanation

You should provision three Azure Migrate appliances on your clusters. The Azure Migrate appliance is used during the assessment phase of the migration and is provisioned as a Hyper-V VHD. You should deploy one appliance for each cluster in your environment.

You should provision six MARS agents on your clusters. The MARS agent is used to replicate Hyper-V VMs during the migration phase. You should deploy one agent for each Hyper-V Host or node in your environment.

Question 56

You plan to migrate a virtual machine (VM) that runs Windows Server 2012 from Amazon Web Services (AWS) to Azure.

You decide to perform the migration by using Azure Site Recovery (ASR).

You need to prepare the migration.

Which three steps should you perform first? Each correct answer presents part of the solution.

Explanation

You should create an Azure storage account. Images of replicated machines are held in Azure Storage. Azure VMs are created from storage when you fail over from on-premises to Azure.

You should prepare a vault to store all recovery points in Azure Recovery Services. This allows you to configure recovery points to meet the recovery time objective (RTO).

You should set up an Azure network. When Azure VMs are created after the migration (failover), they are joined to this Azure network.

You should not set the recovery point to last processed during preparation steps. The recovery point configuration is done during testing of the failover. The last-processed option means that the VM fails over to the latest recovery point that was processed by Site Recovery.

You should not turn on replication during the preparation steps. This can be done after the configuration is prepared and sources and targets are configured.

Question 57

You are running SQL Server on a virtual machine (VM) in Azure.

You need to create an outbound load balancing rule.

Which command should you use?

Explanation

You should use the az network lb command to create an outbound rule. You can specify various parameters, such as protocol, ports, or a list of frontend IP configuration names.

You should not use the az network nic command to create an outbound rule. This command is used to create, update, or delete a network interface. A network interface allows an Azure VM to communicate with the Internet, Azure, and on-premises resources.

You should not use the az network local-gateway command to create an outbound rule. This command is used to create, update, or delete a local VPN gateway. The local network gateway typically refers to your on-premises location.

You should not use the az network private-endpoint command to create an outbound rule. This command is used to manage interface endpoints.

Question 58

You need to configure an application gateway for your company websites.

Two web applications must be hosted on the same application gateway instance. Each website has the following requirements:

It must be directed to its own backend pool.

It must have its own domain.

It must be hosted on its own virtual machine (VM).

Choose all that apply:

Explanation

You do not need to create a virtual network for each application. You should create only one virtual network for the applications. The virtual network acts as a container for all objects that you need to create.

You should create two request routing rules. Because each application has its own VM, traffic must be redirected to each of them.

You should include an HTTP listener for each web application that specifies a host name, protocol, frontend IP configuration, and frontend port. The HTTP listeners must be used in the request routing rules, which connect this configuration to the backend pool.

Question 59

You are implementing a solution that runs in multiple Azure App Service web apps. Each web app is provisioned in a Basic tier App Service Plan. All web traffic to the web app should be routed through an Azure Application Gateway instance. The web app address is named company1.com.

You need to configure the Azure Application Gateway instance and secure all traffic with Secure Sockets Layer (SSL) with the least administrative effort.

Which two actions should you perform to meet the requirements? Each correct answer presents part of the solution.

Explanation

You should enable the Use for App service setting in the Azure Application Gateway's HTTP setting. Since App Service is a multi-tenant service, you need to pass the host header in the incoming request to resolve to the correct App Service endpoint. You must enable this setting to pick the host name from backend address and pass it through the host header. This setting also enables the Create a probe with pick host name from backend address and Pick host name from backend address automatically switches.

You should also add an SSL wildcard certificate for company1.com to the Azure Application Gateway. Azure Application Gateway supports TLS termination at the gateway, offloading TLS decryption from the application server and centralizing certificate management, such as configuring and renewing this certificate in the future, in one place.

You should not upgrade the web apps to Standard pricing tier. You can use the Basic pricing tier to integrate App Service web apps with Azure Application Gateway or configure custom domains and SSL certificates. You should upgrade to Standard tier if you need to integrate with Azure Traffic Manager to implement a multi-region web application with DNS based traffic-routing.

You should not add an SSL wildcard certificate for company1.com to each web app. You can use the Basic pricing tier to configure custom domains and SSL certificates in the App Service. However, you need to configure the SSL certificate and renew it in the future for each App Service, increasing the administrative effort.

Question 60

You are managing network resources that will be used by two new applications. You can use the network resources shown in the exhibit.

The new applications have the requirements below:

application1 requires a static public IP.

application2 requires protection against common web vulnerabilities, like SQL injection.

You need to use the most cost-effective network resource for each application.

Which network resources should you use?

Explanation

You should use the lb1 resource for application1. You can assign a static public IP address with lb1, which is a Public Load Balancer with the Basic SKU. This is the most cost-effective resource from the options that meet the requirements for application1.

You should use the appgtw1 resource for application2. To protect application2 against common web vulnerabilities like SQL injection, you should use a resource that supports Web Application Firewall (WAF). You should use appgtw1 because it is the only option that supports WAF among the options.

You should not use the lb2 resource. You can also assign a static public IP address with lb2, as long as you use the same SKU for the public IP address (a Standard Public Load Balancer with a standard public IP address). However, a Public Load Balancer with the Basic SKU can also assign a static public IP address and is more cost-effective than a Public Load Balancer with Standard SKU.

You should not use the appgtw2 resource. You can use an Application Gateway with the V2 SKU offer if you need additional features like autoscaling for the Application Gateway deployment size and zone redundancy. However, the Standard V2 tier does not support WAF.

Question 61

You are deploying two new applications in your Azure subscription.

The applications have the following requirements:

application1: a global multi-region application that needs to redirect user traffic automatically to the closest region using a single domain

application2: a secure application that requires Transport Layer Security (TLS) termination at the edge

You need to implement the appropriate network service for each application.

Which services should you implement?

Explanation

You should implement Front Door or Traffic Manager for application1. Azure Front Door works as a global HTTP/HTTPS layer load balancer, and it is integrated with Microsoft Content Delivery Network (CDN) and DNS-based global routing. Azure Front Door supports a range of traffic-routing methods for DNS-based routing, such as latency-based traffic routing that routes the web traffic to the closest region. You can also implement Azure Traffic Manager to define DNS-based global routing for multi-region application by using performance traffic routing.

You should implement Application Gateway or Front Door for application2. Azure Application Gateway works as an HTTP/HTTPS layer load balancer to route web traffic for one or multiple applications. You can use Application Gateway or Azure Front Door to provide TLS termination on the edge for application2, offloading the handling of TLS encryption from the application servers.

You should not implement Application Gateway for application1. Azure Application Gateway does not support routing the web traffic to the closest region. You need to implement a service that supports DNS-based load balancing, such as Azure Traffic Manager or Azure Front Door.

You should not implement Traffic Manager for application2. You can use Azure Traffic Manager to define DNS-based global routing for your applications. You need to implement a service that supports TLS termination on the edge, such as Azure Application Gateway or Azure Front Door.

Question 62

You have an Azure Virtual Machine (VM) named vm1 running Windows Server 2019.

Vm1 should not have a public IP address attached to it.

You need to access vm1 using a Remote Desktop Protocol (RDP) session.

What should you use?

Answers



Explanation

You should use Azure Bastion. Azure Bastion is a service that you can provision in your virtual network to provide RDP and SSH connectivity to your Azure VMs without needing to attach a public IP address to your VMs. It creates a secure connection to access your VMs without having to manage network security groups to allow RDP connection to your VMs.

You should not use Azure Firewall. Azure Firewall is a managed service to centralize network security in a VM. You can use Azure Firewall to create network filtering rules without needing to deploy and manage a network virtual appliance.

You should not use virtual network peering. You can use virtual network peering to integrate two virtual networks, in the same or different Azure regions, using the Microsoft private network. You cannot use only virtual network peering to connect to a private Azure VM and start an RDP session.

You should not use Azure Front Door. Azure Front Door works as a global HTTP/HTTPS layer load balancer. It is integrated with Microsoft Content Delivery Network (CDN) and DNS-based global routing. Azure Front Door supports a range of traffic routing methods for DNS-based routing, such as a latency-based traffic routing that routes the web traffic to the closest region.

Question 63

You manage a virtual network named vnet1 that contains a subnet named subnet1.

You deploy 30 Azure Virtual Machines (VMs) in subnet1. Five of these Azure VMs are used for a distributed database, 20 VMs are used by a batch application, and the other VMs host a web application. The private IP address for all Azure VMs changes frequently.

The distributed database VMs should be accessed by the batch application VMs only.

You need to restrict network access in subnet1.

Which two services or features should you use? Each correct answer presents part of the solution.

Answers



Explanation

You should use ASGs. You can use an ASG to group the network interface cards (NICs) used by the distributed database VMs and another ASG to group the batch application VM NICs. You can use these groups to configure NSG rules later.

You should also use NSGs. You can create an NSG with rules to allow network connectivity between the NICs in the batch application group and the distributed database group and deny network connectivity for the other VMs. You should attach this NSG to all VMs in subnet1.

You should not use Azure Firewall. Azure Firewall is a managed network security service from Azure that protects the Azure virtual network. You can use Azure Firewall to centralize network connectivity policies by using Application fully qualified domain name (FQDN) and Network traffic filtering rules. You should not use Azure Firewall to identify which network traffic comes from a batch application VM to distributed database VMs because the private IP address for all Azure VMs changes frequently.

You should not use a Network rule. This is a type of rule used by Azure Firewall to define the source address, protocol, destination port, and destination address. A network rule is similar to an NSG rule.

You should not use Service tags. A Service tag represents a group of IP address prefixes from a given Azure service. You can use a service tag to make it easier to configure NSG rules or Azure Firewall network rules for Azure services, like ApiManagement or AzureCosmosDB.
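The ASG and NSG combination described above can be modelled in a few lines. This is an added example, not part of the original explanation: the rule names, the ASG names, the sample addresses and the intra-database rule are assumptions, and the default AllowVnetInBound rule is simplified to match any NIC because every NIC here is in vnet1.

```python
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; first match decides
    source: str        # an ASG name, or ANY
    destination: str   # an ASG name, or ANY
    access: str        # "Allow" or "Deny"


RULES = [
    Rule("allow-batch-to-db", 100, "asg-batch", "asg-db", "Allow"),
    # Assumption: nodes of a distributed database must reach each other.
    Rule("allow-db-to-db", 110, "asg-db", "asg-db", "Allow"),
    Rule("deny-others-to-db", 200, ANY, "asg-db", "Deny"),
    # Default NSG rule (priority 65000), simplified for a single vnet.
    Rule("AllowVnetInBound", 65000, ANY, ANY, "Allow"),
]


def build_nics(prefix="10.0.1"):
    """30 constructed NICs: 5 database, 20 batch, 5 web (web is in no ASG)."""
    nics, host = {}, 4
    for role, count, asgs in (("db", 5, {"asg-db"}),
                              ("batch", 20, {"asg-batch"}),
                              ("web", 5, set())):
        for index in range(count):
            nics[f"{role}{index}"] = {"ip": f"{prefix}.{host}", "asgs": set(asgs)}
            host += 1
    return nics


def readdress(nics):
    """Give every NIC a different private IP while keeping its ASG membership."""
    names = list(nics)
    new_ips = [nics[name]["ip"] for name in reversed(names)]
    return {name: {"ip": ip, "asgs": set(nics[name]["asgs"])}
            for name, ip in zip(names, new_ips)}


def _side_matches(selector, nic):
    return selector == ANY or selector in nic["asgs"]


def evaluate(rules, nics, source, destination):
    """Return (access, rule name) for traffic from one NIC to another."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _side_matches(rule.source, nics[source]) and \
           _side_matches(rule.destination, nics[destination]):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # final default rule


def inbound_decisions(rules, nics, destination):
    """Access decision for every other NIC trying to reach `destination`."""
    return {src: evaluate(rules, nics, src, destination)[0]
            for src in nics if src != destination}


if __name__ == "__main__":
    nics = build_nics()
    for src in ("batch7", "web2", "db1"):
        print(src, "-> db0:", evaluate(RULES, nics, src, "db0"))
    # Without the explicit deny, the default rule lets the web tier in.
    print("defaults only:", evaluate(RULES[-1:], nics, "web2", "db0"))
```

Because the rules name groups of NICs rather than addresses, the decisions are identical before and after `readdress`, which is why the changing private IPs in the question do not matter.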

Question 64

You must create a custom role that allows the following operations:

To read data from a blob but not write data to the blob

To display a list of containers.

To define the role, you must assign permissions to these operations.

What permissions should you use?

Answers



Explanation

You should use the DataActions permission element to allow reading data from a blob because this is a data-related operation. The DataActions permission specifies the data operations that the role allows to be performed to the data within that object.

You should use the NotDataActions permission element to exclude writing data to the blob. The NotDataActions permission specifies the data operations that are excluded from the allowed DataActions. The access granted by the role is computed by subtracting the NotDataActions operations from the DataActions operations. The NotActions permission element is used for management operations. The NotActions permission specifies the management operations that are excluded from the allowed Actions. You should use the NotActions permission if the set of operations that you want to allow is more easily defined by excluding restricted operations. The access granted by a role is computed by subtracting the NotActions operations from the Actions operations.

You should use the Actions permission element to allow displaying a list of containers because this operation is related to management instead of data. The Actions permission specifies the management operations that the role allows to be performed. It is a collection of operation strings that identify securable operations of Azure resource providers.
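The subtraction rule described above can be checked against a role definition before it is created. This is an added example, not part of the original explanation: the operation strings are Azure Storage resource-provider operations, while the role names, the subscription placeholder and the case-insensitive wildcard matcher are assumptions made for illustration.

```python
import json
import re

BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
CONTAINER_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/read"


def make_role(name, data_actions, not_data_actions):
    """Build a role definition in the JSON shape `az role definition create` reads."""
    return {
        "Name": name,                        # hypothetical role name
        "IsCustom": True,
        "Description": "Read blob data and list containers.",
        "Actions": [CONTAINER_READ],         # management plane: list containers
        "NotActions": [],
        "DataActions": data_actions,         # data plane: blob contents
        "NotDataActions": not_data_actions,
        "AssignableScopes": ["/subscriptions/<subscription-id>"],  # placeholder
    }


# Variant A: broad data grant with the write operation subtracted.
WILDCARD_ROLE = make_role("Blob Reader A (example)", [BLOBS + "/*"], [BLOBS + "/write"])
# Variant B: grant only the single data operation that is needed.
EXPLICIT_ROLE = make_role("Blob Reader B (example)", [BLOBS + "/read"], [])


def _matches(pattern, operation):
    """Match an operation string against a pattern that may contain '*'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role, operation, data_plane):
    """Effective permission = granted set minus excluded set, per plane."""
    grant_key, exclude_key = (("DataActions", "NotDataActions") if data_plane
                              else ("Actions", "NotActions"))
    granted = any(_matches(p, operation) for p in role[grant_key])
    excluded = any(_matches(p, operation) for p in role[exclude_key])
    return granted and not excluded


def effective_data_actions(role, candidates):
    """Subset of candidate data operations that the role ends up allowing."""
    return sorted(op for op in candidates if is_allowed(role, op, data_plane=True))


def write_role_file(role, path="CustomRole.json"):
    """Write the definition to the file passed to --role-definition."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(role, handle, indent=2)
    return path


if __name__ == "__main__":
    ops = [BLOBS + "/read", BLOBS + "/write", BLOBS + "/delete"]
    for role in (WILDCARD_ROLE, EXPLICIT_ROLE):
        print(role["Name"], effective_data_actions(role, ops))
```

Variant A still allows the delete operation, because NotDataActions removes only the operations it lists. NotDataActions is also not a deny assignment, so another role assigned to the same principal can still grant the excluded operation.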

Question 65

A member of the development team needs to have the ability to create Azure resources. However, the developer should not be allowed to grant resource access to other users.

You need to assign the appropriate role to the developer.

Which role should you assign?

Answers



Explanation

You should assign the Contributor role to the developer. This role allows the developer to create all types of Azure resources, without the ability to grant resource access to other users.

You should not assign the Owner role to the developer. This role allows the developer to have full access to Azure, including granting resource access to other users.

You should not assign the Reader role to the developer. This role only allows the developer to view resources, not create them.

You should not assign the User Access Administrator role to the developer. This role allows the developer to grant resource access to other users.

Question 66

You have a custom role in a file named CustomRole.json.

You need to add this role to Azure by using Azure CLI.

Which command should you use?

Answers



Explanation

You should use the following command: az role definition create --role-definition CustomRole.json

The az role definition create command creates the role. The --role-definition parameter specifies the name of the role definition JSON file.

You should not use the following command: az role create --role-definition CustomRole.json

This command is missing the definition token.

You should not use the following command: az role definition create CustomRole.json

This command is missing the --role-definition parameter.

You should not use the following command: az role create CustomRole.json

This command is missing the definition token and --role-definition parameter.

Question 67

You want to add a security group named Development to the Website Contributor built-in role.

You need to use Azure CLI.

Which command should you use?

Answers



Explanation

You should use the following command:

az role assignment create --assignee "Development" --role "Website Contributor"

This command adds the group Development to the role Website Contributor. The --assignee parameter specifies the user name or group. The --role parameter specifies the role.

You should not use the following command:

az role definition create --resource-group "Development" --role "Website Contributor"

This command creates a role, not a role assignment.

You should not use the following command:

az role definition create --assignee "Development" --role "Website Contributor"

This command creates a role, not a role assignment.

You should not use the following command:

az role assignment create --resource-group "Development" --role "Website Contributor"

The --resource-group parameter specifies the name of a resource group, not a security group.

Question 68

You plan to perform an Azure Active Directory (Azure AD) Access Review because you have found a higher number of users than you expected in certain groups and roles.

You need to review the security group members, Azure AD roles, and Azure resource roles.

Where will you create reviews for the different groups?

Answers



Explanation

The review for security group members should be created in Azure AD Access reviews. This can be done from the access panel in Azure. To use the access reviews, you need to have an Azure AD Premium P2 license and an Enterprise Mobility + Security E5 license.

The review for Azure AD roles and Azure resource roles should be created in Azure AD Privileged Identity Management (PIM). This can be done from the Azure portal. Azure PIM is a service that enables you to manage, control, and monitor access to important resources in your organization.

Azure AD enterprise apps is used for reviews of users assigned to connected apps.

Question 69

You are reviewing role assignments in your company's Azure Active Directory (Azure AD) tenant.

You have role assignments in a resource group named rg1. The role assignments are shown in the exhibit.

You need to determine which users can create a virtual network in rg1.

Which users can create a virtual network in rg1?

Answers



Explanation

The users that can create a virtual network in rg1 are admin and userA only. The admin user is associated with the Owner built-in role and can create any resource in this subscription, including a virtual network. UserA can also create a virtual network because it is associated with the Network Contributor role, but only in this resource group.

UserB cannot create a virtual network in rg1. The Security Assessment Contributor role allows userB to push assessments to Security Center.

Question 70

You plan to move an Azure virtual machine (VM) to another region by using Azure Site Recovery (ASR). You are not a subscription administrator.

You need permissions to create a VM in an Azure resource group and perform ASR operations.

Which roles provide the required permissions?

Answers



Explanation

You should have the Virtual Machine Contributor role to create a VM in an Azure resource group. This role allows you to manage VMs. It does not allow access to the VM.

You should not use the Virtual Administrator Login role to create a VM in an Azure resource group. This role allows you to view virtual machines in the portal and log in as administrator.

You should not use the Virtual Machine User Login role to create a VM in an Azure resource group. This role allows you to view VMs in the portal and log in as a regular user.

You should have the Site Recovery Contributor role to perform ASR operations. This role has all permissions required to manage ASR operations in a Recovery Services vault. This role is intended for disaster recovery administrators who can enable and manage disaster recovery for applications or entire organizations.

You should not use the Site Recovery Operator role to perform ASR operations. This role has permissions to execute and manage Failover and Failback operations. This role is intended for disaster recovery operators who can failover VMs or applications when instructed by application owners and IT administrators.

You should not use the Site Recovery Reader role to perform ASR operations. This role has permissions to view all Site Recovery management operations. It is intended for IT monitoring executives who can monitor the current state of protection and raise support tickets if required.

Question 71

You create a web API that will be accessed by a web application and two different mobile applications. You want to secure the web API by using OAuth 2.0.

You need to determine which applications to register in Azure Active Directory (Azure AD).

Choose all that apply:

Answers



Explanation

You should register all applications in Azure AD. Both client applications and web APIs are required to be registered to support OAuth 2.0 in an AD tenant.

Question 72

You deploy an application to an Azure virtual machine (VM). You use Secure Shell (SSH) to connect to the VM.

You need to get an access token using the assigned VM's managed identity.

To which IP address should you issue a web request?

Answers



Explanation

You should issue a web request to 169.254.169.254. Specifically, the entire URL is http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com. This is the URL you should use on all VMs.

You should not issue a web request to any other IP address. Only 169.254.169.254 is available for issuing identity tokens on VMs.

Question 73

You create a Linux Azure virtual machine (VM) and enable the system-assigned identity. You want to use Managed Service Identity to allow the VM to access the Azure Resource Manager application programming interface (API).

Which three actions should you perform in sequence?

Answers



Explanation

You need to perform the following steps in order:

1. Grant the Reader role to the VM for all resource groups.

2. Run the Invoke-WebRequest PowerShell cmdlet to retrieve an access token.

3. Call Azure Resource Manager using the access token.

You should grant the Reader role to the VM for all resource groups. This ensures that the VM can access resources in all resource groups. You must grant the Reader role before taking action to retrieve an access token.

Next, you should run the Invoke-WebRequest cmdlet to retrieve an access token. You extract the access token from the response, and then finally, you call Azure Resource Manager using the access token.

You should not run the az identity create CLI command to specify the name of the system identity. You should run this command when you want to set the name of a user identity, not a system identity.

You should not grant the Virtual Machine Contributor role to your account. This role is required to create a VM with the system-assigned identity enabled. However, because the VM is already created with the system assigned identity enabled, your account already has the required permissions.
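Steps 2 and 3 above, written in Python for a Linux VM instead of the Invoke-WebRequest cmdlet. This is an added example, not part of the original explanation: the token URL is the one quoted in Question 72, while the `Metadata: true` header the endpoint requires, the resource-groups API version, the subscription placeholder and the sample response are assumptions or constructed values.

```python
import json
import urllib.request
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM = "https://management.azure.com"


def build_token_request(resource=ARM):
    """Request for the VM's managed identity token (step 2)."""
    query = urlencode({"api-version": "2018-02-01", "resource": resource})
    # The endpoint rejects requests without this header, so a URL that an
    # application fetches on a user's behalf cannot obtain a token by itself.
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}",
                                  headers={"Metadata": "true"})


def parse_token_response(body):
    """Extract (access_token, expires_on) or raise with the service's error."""
    doc = json.loads(body)
    if "access_token" not in doc:
        raise ValueError(doc.get("error_description", "no access_token in response"))
    return doc["access_token"], int(doc["expires_on"])


def needs_refresh(expires_on, now, skew=300):
    """True when a cached token is within `skew` seconds of expiry."""
    return now >= expires_on - skew


def build_arm_request(token, subscription_id):
    """Request that lists resource groups with the token (step 3)."""
    url = (f"{ARM}/subscriptions/{subscription_id}/resourcegroups"
           "?api-version=2021-04-01")   # API version is an assumption
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def fetch_token(timeout=2):
    """Call the endpoint; only works from inside an Azure VM with an identity."""
    # An empty ProxyHandler keeps the link-local request off any configured proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(build_token_request(), timeout=timeout) as response:
        return parse_token_response(response.read())


# Constructed sample of the JSON body the endpoint returns.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.constructed.token",
    "expires_on": "1700003600",
    "resource": ARM,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    token, expires_on = fetch_token()
    print("token acquired, expires_on =", expires_on)   # never log the token itself
    request = build_arm_request(token, "<subscription-id>")
    with urllib.request.urlopen(request, timeout=10) as response:
        print(response.status)
```

The ARM call succeeds only after the role assignment from step 1 exists; without it the token is still issued but the request is refused.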

Question 74

The following secret identifier exists in an Azure key vault: https://examanswer.vault.azure.net/secrets/billingApiKey/bcbb1a2eb5cb4a3696348504f74704c8

You need to use Azure CLI to retrieve the value for the secret.

Which command should you use?

Answers



Explanation

You should use the following command:

az keyvault secret show --name billingApiKey --vault-name examanswer

This command sets the --name parameter to billingApiKey, which represents the name of the secret. It also sets the --vault-name parameter to examanswer, which represents the name of the key vault. The secret identifier URL is always in the format https://{key vault name}.vault.azure.net/secrets/{secret name}/{secret version}.

Question 75

You use the following command to store a connection string in Azure Key Vault:

az keyvault secret set --vault-name "examanswer" --name "connectionString" --value "server=10.10.10.100;database=prodSql;user id=webapp;password=4$gg65"

Developers need to retrieve the connection string.

Which URL should they use?

Answers



Explanation

The developers should use the following URL:

https://examanswer.vault.azure.net/secrets/connectionString

This URL uses the format https://{key vault}.vault.azure.net/secrets/{secret name} to retrieve a secret from the vault.
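The identifier format used in Questions 74 and 75 can be parsed and validated before any credential is sent to the host it names. This is an added example, not part of the original explanations: the function names are hypothetical, and the length and character limits and the 32-character hexadecimal version are assumptions modelled on the identifier shown in Question 74.

```python
import re
from urllib.parse import urlsplit

VAULT_SUFFIX = ".vault.azure.net"


def parse_secret_id(identifier):
    """Split https://{vault}.vault.azure.net/secrets/{name}[/{version}]."""
    parts = urlsplit(identifier)
    host = parts.hostname or ""
    if (parts.scheme != "https" or parts.username or parts.port
            or parts.query or parts.fragment):
        raise ValueError("not a plain https secret identifier")
    # Reject lookalike hosts such as vault.azure.net.example.org.
    if not host.endswith(VAULT_SUFFIX):
        raise ValueError(f"unexpected host: {host!r}")
    vault = host[: -len(VAULT_SUFFIX)]
    if not re.fullmatch(r"[0-9a-z-]{3,24}", vault):
        raise ValueError(f"invalid vault name: {vault!r}")
    segments = parts.path.strip("/").split("/")
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError("path is not /secrets/{name}[/{version}]")
    name = segments[1]
    version = segments[2] if len(segments) == 3 else None
    if not re.fullmatch(r"[0-9A-Za-z-]{1,127}", name):
        raise ValueError(f"invalid secret name: {name!r}")
    if version is not None and not re.fullmatch(r"[0-9a-f]{32}", version):
        raise ValueError(f"invalid secret version: {version!r}")
    return {"vault": vault, "name": name, "version": version}


def az_show_args(identifier):
    """Argument list for `az keyvault secret show` matching the identifier."""
    secret = parse_secret_id(identifier)
    args = ["az", "keyvault", "secret", "show",
            "--name", secret["name"], "--vault-name", secret["vault"]]
    if secret["version"]:
        args += ["--version", secret["version"]]
    return args


if __name__ == "__main__":
    for url in ("https://examanswer.vault.azure.net/secrets/billingApiKey/"
                "bcbb1a2eb5cb4a3696348504f74704c8",
                "https://examanswer.vault.azure.net/secrets/connectionString"):
        print(" ".join(az_show_args(url)))
```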

Question 76

You have an Azure Key Vault named vault1 that is used by Azure Virtual Machines (VMs) with user-assigned managed identities.

You configure the access policies as shown in the exhibit.

You need to determine which actions an Azure VM with the given managed identity can do.

Choose all that apply:

Answers



Explanation

A VM with identity1 cannot list keys in vault1. The access policy for identity1 does not give any permission to keys in vault1. You can manage secrets in vault1 with identity1.

A VM with identity2 cannot get secrets in vault1. The access policy for identity2 does not give any permission to secrets in vault1. You can manage keys in vault1 with identity2.

A VM with identity3 can update certificates in vault1. The access policy for identity3 gives permission to manage secrets and certificates in vault1.

Question 77

You manage multiple Azure subscriptions in the same Azure Active Directory (Azure AD) tenant.

You deploy the Azure Virtual Machines (VMs) and the managed identities as shown in the exhibit.

You need to determine which VMs can be associated with each of the managed identities.

Which VMs can you use for each identity?

Answers



Explanation

You can use vm1, vm2, and vm3 with identity1, identity2, and identity3. You can associate any user-assigned managed identities with Azure VMs from different regions, resource groups, and subscriptions, as long as these subscriptions are in the same Azure AD tenant.

Question 78

You have a solution that runs in an Azure Virtual Machine (VM).

The solution encrypts sensitive files and saves file metadata information in an Azure SQL database.

You need to use Azure Key Vault to securely store the database connection string for this solution.

Which Key Vault object should you use?

Answers



Explanation

You should use a secret to store the database connection string. You can use secrets to securely store tokens, passwords, API keys, database connection strings, and other secrets. You can control access to these secrets by using access policies.

You should not use a certificate to store the database connection string. You can generate or import x509 certificates used to encrypt Transport Layer Security (TLS) network communication. Azure Key Vault can generate a self-signed or Certificate Authority (CA) certificate. It also handles renewals.

You should not use a key or an HSM-protected key to store the database connection string. You can use these to store or generate software-protected and HSM-protected cryptographic keys. You can use HSM-protected keys in the Azure Key Vault Premium tier.

Question 79

An Azure Logic app accesses data from an on-premises SQL Server database. The database administrator recently changed the password that is used to connect to the database.

You need to update your Logic app so that it can connect to the database with the new password.

Which Azure option should you modify?

Answers



Explanation

You should modify API connections. This option allows you to update the connection to an on-premises data gateway, which is a component that allows you to connect an Azure Logic app to an on-premises database.

You should not modify Workflow settings. This option allows you to configure access control to the Logic app, such as which IP addresses are allowed to access the app. It does not allow you to change connections to on-premises databases.

You should not modify the Properties setting. This option specifies the endpoint information that you can use to manage the Logic app from PowerShell or Azure CLI. It does not allow you to change connections to on-premises databases.

You should not modify the Access keys setting. This option allows you to generate access keys that you can use to access Logic apps from code. It does not allow you to change connections to on-premises databases.

Question 80

An Azure function responds to GET requests at the URL http://shipping.azurewebsites.net/api/HttpTriggerJS1.

You need to modify the setting so that the function responds to requests at http://shipping.azurewebsites.net/Rate

Choose all that apply:

Answers



Explanation

You should change the routePrefix value to a slash (/) in the host.json file. By default, this value is /api. This means that all functions in this function app have a URL that begins with http://shipping.azurewebsites.net/api. By changing the routePrefix value to /, you allow all functions to have a URL that begins with http://shipping.azurewebsites.net.

You should change the route template to /Rate. This is the path for the actual function. This means that the function in this scenario will be reachable at http://shipping.azurewebsites.net/Rate.

You should not change the Request parameter name to Rate. This Request parameter name represents the parameter to the method that represents the function. By default, this parameter is named req.

Question 81

You use Visual Studio to create an ASP.NET web app named billing and enable Docker Compose support. You publish the app to Docker Hub. You then sign into Azure and create a Windows container app for the web app.

You need to view the progress of the app as it is starting up.

What should you do?

Answers



Explanation

You should visit http://billing.scm.azurewebsites.net/api/logstream. This endpoint provides progress information for web app container instances.

You should not run the following Azure CLI command: az container show --name billing. This command shows the status of a container instance's provisioning state. It does not show its entire progress.

You should not run the following PowerShell cmdlet: Get-AzContainerGroup -Name billing. This cmdlet shows the status of a container instance's provisioning state. It does not show its entire progress.

You should not visit http://billing.scm.azurewebsites.net/api/deployments. This endpoint returns a JSON view of a web app deployment.

Question 82

You recently created a Web App for Containers instance named prodWeb that uses a Docker image. The name of the resource group is Production.

You need to change the instance to use the new image company1/testapp.

Which command should you use?

Answers



Explanation

You should use the following command:

az webapp config container set -n prodWeb -g Production -c company1/testapp

This command changes the image for an existing container.

You should not use the following command:

az webapp deployment container config -n prodWeb -g Production -c company1/testapp

This command enables continuous deployment for a container instance.

You should not use the following command:

az webapp create -n prodWeb -g Production -c company1/testapp

This command creates a new container instance.

You should not use the following command:

az webapp deployment source config -n prodWeb -g Production -c company1/testapp

This command configures a Git deployment.

Question 83

You are building new web apps in Azure App Service.

You should use the web apps, stacks, and the available App Service plans as shown in the exhibit.

You need to publish the web apps in an App Service plan that supports that stack runtime.

Which App Service plan can you use for each web app? To answer, select the appropriate options from the drop-down menus.

Answers



Explanation

You can use plan1 and plan2 for app1 and app3. PHP 7.3 and .NET Core 3.1 runtime stacks are supported by App Service plan platforms running on Linux or Windows.

You can use plan1 only for app2. ASP.NET 4.7 is supported only by App Service plan platforms running on Windows.

You can use plan2 only for app4. Ruby 2.6 is supported only by App Service plan platforms running on Linux.

The az webapp list-runtimes --linux and az webapp list-runtimes commands can be used to view the latest languages and supported versions for App Service platforms.

Question 84

Your office uses Azure for cloud computing. Your team consists of over 40 IT administrators across the country. Each IT administrator has permission to create virtual machines (VMs) in Azure.

You need to receive an e-mail whenever a VM is added or changed. The solution must be the most cost-effective and easy to implement.

What should you do?

Answers



Explanation

You should create a Logic app that uses the Event Grid connector. A Logic app allows you to automate business processes. The Event Grid connector allows the Logic app to run whenever a resource event is added to Event Grid. In this scenario, a resource event is the VM addition or change. You can have the Logic app automatically e-mail you when this happens.

You should not create a Function app that uses the HTTP trigger. A Function app provides a serverless architecture that allows you to run code on a trigger. The HTTP trigger requires you to run the function by making an HTTP request. This would require you to manually monitor Azure for changes and then make the HTTP request. Event Grid is a better solution.

You should not create a Notification Hub namespace and implement a push notification. This allows a backend application to send notifications to Internet-connected devices. This is not suitable in this scenario.

You should not create a Service Bus namespace and implement a relay binding. This allows you to forward Internet messages to a backend network. This is not suitable for this scenario.

Question 85

You are developing a web application that will serve as a search engine for the science department at a school. You plan to host the application in Azure.

A console application acts as a web crawler. It browses the web servers on the school's network every 12 hours to build a local table of keywords and links. This table is used by the web application. You plan to host the web application in Azure App Service.

You need to make sure that the web crawler continues to work while the web application is in Azure without increasing costs.

What should you do?

Answers



Explanation

You should deploy the web crawler as a WebJob. A WebJob allows you to run a program in the context of a web application. The program can be written in Java, JavaScript, Python, PHP, Bash, PowerShell, or any .NET language. You can configure the WebJob to use a schedule as a trigger, which allows the console application to run every 12 hours. Also, WebJobs involves no additional cost.

You should not convert it to an Azure Function. Although an Azure Function can use a schedule as a trigger, it increases the cost, unlike a WebJob.

You should not convert it to a web application. There is no easy way to cause a web application to run on a scheduled basis.

You should not deploy it as a Docker container instance. Although you can run a Docker container instance on a schedule, it increases the cost, unlike a WebJob.

Question 86

You have an Azure Virtual Machine (VM) provisioned in your Azure subscription.

You plan to implement an Azure Logic App to send an email notification every time this Azure VM is stopped.

You need to implement the Logic App.

Which three Logic App components should you use? To answer, move the appropriate components from the list of possible components to the answer area and arrange them in any order.

Answers



Explanation

You should use the components below:

an Event Grid trigger

a condition

an action

You should use an Event Grid trigger. By default, Azure resources publish events to Azure Event Grid. You can respond to events on this Azure VM by initiating Logic Apps with this trigger.

You should also use a condition. You can use a condition to determine which action happened on the Azure VM. In this case, you are interested in the stop VM event.

Finally, you should use an action. After evaluating the event, you need to monitor the condition. To do this, when this event happens, you need to perform an action, such as send an email. You can use a send an email action in this case, by selecting the appropriate email provider action that matches your email address.

You should not use an HTTP trigger. You can use an HTTP trigger to initiate a logic app from an HTTP endpoint.

You should not use a variable. You can use a variable to simplify some steps in your logic app and reuse the same value during the workflow execution. It is not required to define a variable in this case.

Question 87

You are migrating an ASP.NET Core application to Azure App Service.

The application requires two different environments: a production environment for end-users and an approval environment for the QA team to validate new application versions. The application also needs to warm up some internal modules to better perform in production.

You need to configure the App Service to meet the requirements and minimize the solution costs.

Which App Service feature and pricing tier should you use?

Answers



Explanation

You should use the Standard tier. You need to use the standard pricing tier because it is the most cost-effective tier that supports deployment slots.

You should not use the Basic tier. This tier does not support any deployment slots, which are necessary to meet the requirements of having a different environment for the QA team and warming up the application before releasing it into production.

You should not use the Premium tier. Compared with the Standard tier, the Premium tier provides greater limits and access to premium SSD disks in the underlying virtual machine used by the App Service Plan. However, to minimize the solution costs, you should use the Standard tier.

You should use deployment slots. A deployment slot is a web app that runs in the same App Service plan as the original web app. This allows you to have different hosts, settings, or application versions than the production environment. You can use a deployment slot to test new application versions in the approval environment and warm up the application before releasing it into production. You can have up to five deployment slots in the Standard tier.

You should not use always on. You can use this feature to keep the application loaded in the App Service Plan memory, even if it does not receive any traffic. It is recommended to always leave it enabled for production environments in order to avoid HTTP 500 errors when the application is reloaded after not receiving traffic. You can disable always on in other environments to save some computing resources.

You should not use Application Gateway. Application Gateway is an HTTP/HTTPS layer load balancer used to route web traffic for one or multiple applications. It can also include Web Application Firewall (WAF) to secure your application against common security attacks. You can integrate Application Gateway with App Service, but it does not provide separate environments to test your application or warm up the application before releasing it into production.

Question 88

You have a financial application developed in ASP.NET Core named finance1. You plan to migrate finance1 to an Azure App Service.

The application should be accessible only from private virtual networks on Azure or through a Virtual Private Network (VPN) connection with on-premises networks. For compliance reasons, the application needs to run on isolated physical hardware.

You need to implement the App Service to deploy finance1.

Which App Service tier should you use?


Explanation

You should use an App Service Environment (ASE). The ASE is an isolated environment used to securely run App Service apps. An ASE deploys your App Service into a subnet in a virtual network, provides secure network access through an Internal Load Balancer, and runs your workload on dedicated and isolated hardware.

You should not use the PremiumV2, Standard, or Basic tiers. These tiers provide a public endpoint to access your application from the internet. Although you can filter inbound network traffic to block the internet connectivity and integrate the App Service with virtual networks by using service endpoints, these tiers run in multi-tenant hardware managed by Azure and do not run in completely isolated hardware.

Question 89

You deploy a .NET Core application that is configured to connect with an Azure Service Bus queue.

The application reads messages in the queue and processes the messages to an external service. You should avoid any cold start when running the application.

You need to provide the infrastructure for this application. You want to use the best Azure service and pricing tier.

Which service and tier should you use?


Explanation

You should use Azure Functions. Azure Functions runs small pieces of code, called functions, that each perform a single task, without requiring you to manage application infrastructure. You can execute a function in response to events from other services by using triggers. You can use a variety of built-in triggers to execute your function, such as the Service Bus trigger.

You should not use Logic Apps. Logic Apps can automate tasks and integrate applications or data without having to write code. You can build workflows using a range of triggers similar to Azure Functions. However, you need to build custom connectors to integrate with external services that are not supported by the built-in connectors.

You should not use Azure Container Instances (ACI). You can use ACI to run container applications that do not require complex orchestration. With ACI, you need to develop the connection logic for the Service Bus queue in the application itself.

You should use the Premium plan. You can use this plan to always run your function on warm instances and avoid cold starts. A cold start is the process of loading your function in Azure infrastructure before you actually run the function, which increases latency.

You should not use the Consumption plan. This is the standard option to run Azure Functions without the need to manage application infrastructure. However, the application may suffer from a cold start.

You should not use the Dedicated plan. This plan runs the function in an existing App Service Plan in your subscription. You should use this plan if you have underutilized VMs that run other App Service instances.

Question 90

You pull a Dockerfile from an online repository. You build a container image from this file, and you want to add it to an Azure Container Registry named mytestreg. The name of the image is my-test-app.

You need to deploy the image to the registry.

Which command should you run from your developer computer?


Explanation

You should use the following command: docker push mytestreg.azurecr.io/my-test-app

This command pushes the image named my-test-app to the registry login server mytestreg.azurecr.io.

You should not use the following command: docker run -p mytestreg my-test-app

This command runs a container locally. In this scenario, you need to deploy the container image.

You should not use the following command: az acr create --name mytestreg\my-test-app

The az acr create command creates an Azure Container Registry.

You should not use the following command: az container create --name mytestreg --image my-test-app

The az container create command creates a container instance in Azure.

Question 91

You obtain a Docker container image from a third-party source.

You need to push the image to an Azure Container Registry that you created.

What should you do first?


Explanation

You should tag the image with the login server. This is required before you can push the image.

You should not deploy an Azure VM. A container image runs in a container. It does not require a VM.

You should not assign the Owner role to the appropriate security group. Owner role assignment is not required to deploy a Docker container image.

You should not create a load balancer. A load balancer distributes load to a pool of VMs. This is not required for a Docker container image.
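Why the tag has to carry the login server, for both this question and the docker push command in Question 90, as an added Python example that is not part of the original page: Docker derives the push target from the image name itself, so an unqualified name resolves to Docker Hub. The parsing rule is a simplified version of Docker's (digests are not handled), the helper names are hypothetical, and the `<name>.azurecr.io` login server form assumes the Azure public cloud.

```python
DEFAULT_REGISTRY = "docker.io"  # Docker's implicit registry for unqualified names


def split_reference(ref: str) -> tuple[str, str, str]:
    """Split an image reference into (registry, repository, tag).

    Simplified rule: the first path component is a registry host only if it
    contains '.' or ':' or is 'localhost'. Digests (@sha256:...) are not handled.
    """
    first, slash, rest = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = DEFAULT_REGISTRY, ref
    # A ':' in the last path component separates the tag (a ':' in the host is a port).
    if ":" in remainder.rsplit("/", 1)[-1]:
        remainder, tag = remainder.rsplit(":", 1)
    else:
        tag = "latest"
    if registry == DEFAULT_REGISTRY and "/" not in remainder:
        remainder = "library/" + remainder  # Docker Hub official-image namespace
    return registry, remainder, tag


def acr_login_server(registry_name: str) -> str:
    """Login server of an ACR (assumption: Azure public cloud naming)."""
    return f"{registry_name.lower()}.azurecr.io"


def tag_for_acr(ref: str, registry_name: str) -> str:
    """Name to give the image with `docker tag` before `docker push`."""
    registry, repo, tag = split_reference(ref)
    if registry == DEFAULT_REGISTRY and repo.startswith("library/"):
        repo = repo[len("library/"):]
    return f"{acr_login_server(registry_name)}/{repo}:{tag}"


def push_targets_acr(ref: str, registry_name: str) -> bool:
    """Pre-push check: would `docker push ref` go to the expected ACR?"""
    return split_reference(ref)[0] == acr_login_server(registry_name)


if __name__ == "__main__":
    # Constructed sample names, taken from Question 90 of this page.
    for ref in ("my-test-app", "mytestreg/my-test-app",
                "mytestreg.azurecr.io/my-test-app"):
        print(ref, "->", split_reference(ref), push_targets_acr(ref, "mytestreg"))
    print(tag_for_acr("my-test-app", "mytestreg"))
```

A check like push_targets_acr can run in a build pipeline before the push step so that an image obtained from a third party is never published under a name that resolves to a different registry.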

Question 92

You recently moved a critical production workload to Azure Kubernetes Service (AKS). A second AKS cluster is used for other application workloads.

You want to collect performance metrics directly from the AKS cluster that is used for the critical workloads.

Which four actions should you perform in sequence?


Explanation

You should perform the following steps in order:

1. Create a Log Analytics workspace if you do not have one.

2. From the Azure portal, enable monitoring for the cluster.

3. Add Azure Monitor for Containers to the workspace.

4. View charts on the Insights page of the AKS cluster.

You must first create a Log Analytics workspace if you do not already have one. You must then enable monitoring for the target cluster. Next, you add Azure Monitor for Containers to the workspace. This allows the collection of performance data from the nodes in the cluster. Although you can use Azure Monitor to view performance data on all clusters, you can also view this data directly from the cluster.

After you have enabled monitoring for a cluster, you do not need to run queries to see detailed performance data.

Because you are gathering metrics instead of logs, you do not need to obtain data from the activity log.

Question 93

You use the following commands to create a container in Azure:

az group create --name app1RG --location eastus

az container create --resource-group app1RG --name app1Container --image company1/app1Image --dns-name-label app1 --ports 80

You need to navigate to the application that is hosted in the container.

Which URL should you use?


Explanation

You should navigate to app1.eastus.azurecontainer.io. The container application's URL format is [DNS label].[Azure region].azurecontainer.io.

Question 94

You use the following Azure CLI command to create an Azure container instance:

az container create --resource-group testgroup --name testcontainer --image company1/c1app1

You need to be able to browse to the container's URL.

Which two parameters must you set?


Explanation

You should set the --dns-name-label parameter. This parameter is necessary so that Azure can resolve the DNS name to the IP address that hosts the container instance.

You should set the --ports parameter. This parameter is necessary so that you can have Azure open the appropriate TCP ports. If the default ports are used, it can be omitted.

You do not need to set the --environment-variables parameter. This parameter allows you to set environment variables for container instances, which is unnecessary in this scenario.

You do not need to set the --os-type parameter. This parameter specifies the operating system for the container instance. The type of operating system is irrelevant in this scenario.

You do not need to set the --protocol parameter. This parameter specifies either TCP or UDP. When browsing from a web browser, the protocol is automatically TCP.

Question 95

You are deploying a container solution in Azure.

You create a Docker image and add it to an Azure Container Registry named registry1.

You need to deploy the Docker image to Azure Container Instances.

Which command should you run?


Explanation

You should run the az container create command. This command creates a container in Azure Container Instances and deploys the image specified in the --image parameter.

You should not run the az acr create command. This command creates an Azure Container Registry. In this scenario, you already have a container registry named registry1.

You should not run the docker push command. This command pushes an image to a registry. You already pushed the image to registry1.

You should not run the az aks create command. This command creates an Azure Kubernetes Service cluster, and in this scenario you need to create an Azure Container Instance to deploy the image.

Question 96

You are planning to create a new Azure Cosmos DB account for an existing application.

The application runs the following queries:

CREATE KEYSPACE app
WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', 'datacenter1' : 1 };

CREATE TABLE IF NOT EXISTS app.users (
    user_id int PRIMARY KEY,
    user_name text,
    user_age int,
    user_bcity text
);

SELECT user_name, occupation AS user_occupation FROM app.users WHERE user_age > 40;

You need to create the Cosmos DB account for the application.

Choose all that apply:


Explanation

You can use Cassandra API to store data for applications written for Apache Cassandra. Apache Cassandra uses a SQL-like query language named Cassandra Query Language (CQL). Cassandra stores data in tables, where the data schema is defined. Those tables are grouped in a keyspace that defines options to all the tables, such as the replication strategy to use.

You can use the SQL API to query data by using SQL-like statements such as SELECT. However, you cannot use SQL statements like CREATE to create a container.

You cannot use SQL-like statements to query a graph database. You should use the Gremlin query language to query data from a Cosmos DB Gremlin API graph database:

g.V().hasLabel('users').has('user_age', gt(40))

You cannot use SQL-like statements to query from a document database. You should use MongoDB queries to query data from Cosmos DB MongoDB API:

db.users.find({user_age: {$gt: 40}})

Question 97

Your company creates an Azure Cosmos DB database in the Azure portal. The database must be a graph database with the ability to model and traverse relationships between entities in the database.

You need to recommend the appropriate Cosmos DB API to use.

Which API should you use?


Explanation

You should choose the Gremlin API. This is the API that is used to build a graph database. In the Azure portal, the API is identified as Gremlin (graph). When using this API, in addition to having an Azure subscription, you must install Visual Studio 2017 and enable Azure development.

The APIs supported by Azure Cosmos DB are:

Azure Cosmos DB's API for MongoDB - Used when migrating from a MongoDB and supports the MongoDB wire protocol and connections by MongoDB client drivers.

Cassandra API - Used to create a data store for use with apps written for Apache Cassandra with compatibility with existing applications and support for the Cassandra Query Language (CQL).

Gremlin API - Used when creating graph databases for modeling and traversing relationships between entities.

SQL API - Default Cosmos DB API that supports building a non-relational document database that supports SQL syntax queries.

Table API - Provides premium database support for applications written for Azure Table storage.

None of these APIs, with the exception of the Gremlin API, can be used to build a graph database.

If you need to support multiple APIs, you must create a separate database with a unique account name for each.

Question 98

You plan to create new Azure Cosmos accounts for four Cosmos DB databases.

The databases have the following requirements:

db1: A Core (SQL) API multi-region database with multi-region writes and an estimated 700 Request Units per second (RU/s) of provisioned throughput

db2: A MongoDB single-region database, with an estimated 400 RU/s of provisioned throughput

db3: A Core (SQL) API single-region database, with an estimated 4500 RU/s of provisioned throughput

db4: A MongoDB single-region database, with an estimated 500 RU/s of provisioned throughput

You need to deploy these databases using the minimum number of Cosmos accounts while minimizing the cost.

How many Cosmos accounts should you deploy?


Explanation

You should deploy one Cosmos account for db1, another for db3, and a third for db2 and db4. You can deploy two Core (SQL) API Cosmos accounts, one with multi-region and multi-region writes for db1 and another account with single-region for db3. You can deploy db2 and db4 in the same MongoDB API account because they have the same single-region replication configuration. You need to configure the RU/s of provisioned throughput according to the database estimates.

You should not deploy one Cosmos account for all databases. You can select only one API type for a Cosmos account. You cannot use the same Cosmos account for Core (SQL) API and MongoDB API databases.

You should not deploy one Cosmos account for db1 and db3, and a second one for db2 and db4. Although this is a possible configuration for Cosmos accounts for these databases, db3 would be provisioned in a Cosmos account with multi-region writes. This doubles the cost per 100 RU/s per hour with multi-region writes and results in a more expensive solution.

You should not deploy one Cosmos account for each database. Although this configuration results in an optimal cost for the solution, you would achieve the same cost by deploying three Cosmos accounts: one Cosmos account for db1, another for db3, and a third for db2 and db4, instead of four Cosmos accounts.
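The reasoning above can be checked by brute force. The following added Python example (not part of the original page) enumerates every way of grouping the four databases into accounts, rejects groupings that mix API types, and picks the cheapest layout with the fewest accounts. The cost model is an assumption kept deliberately simple: RU/s in an account with multi-region writes count double, as the explanation states, and the per-region replication charge is ignored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Database:
    name: str
    api: str                   # one API type per Cosmos account
    multi_region_writes: bool  # account-level setting
    rus: int                   # estimated provisioned RU/s


# The four databases from the question.
DATABASES = [
    Database("db1", "sql", True, 700),
    Database("db2", "mongodb", False, 400),
    Database("db3", "sql", False, 4500),
    Database("db4", "mongodb", False, 500),
]


def partitions(items):
    """Yield every way to split items into non-empty groups (accounts)."""
    if not items:
        yield []
        return
    head, *tail = items
    for part in partitions(tail):
        for i in range(len(part)):
            yield part[:i] + [[head] + part[i]] + part[i + 1:]
        yield [[head]] + part


def account_cost(account):
    """Relative cost: RU/s count double once the account has multi-region writes."""
    multiplier = 2 if any(db.multi_region_writes for db in account) else 1
    return multiplier * sum(db.rus for db in account)


def layout_cost(layout):
    return sum(account_cost(account) for account in layout)


def best_layout(databases):
    """Cheapest feasible layout; ties go to the one with fewer accounts."""
    feasible = [
        layout for layout in partitions(list(databases))
        if all(len({db.api for db in account}) == 1 for account in layout)
    ]
    return min(feasible, key=lambda layout: (layout_cost(layout), len(layout)))


def names(layout):
    return sorted(sorted(db.name for db in account) for account in layout)


if __name__ == "__main__":
    print(names(best_layout(DATABASES)))
```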

Question 99

You have an Azure subscription named Subscription1.

You have two virtual networks on Subscription1:

vnet1: Address Space 10.0.0.0/16 in the East US region

vnet2: Address Space 10.1.0.0/16 in the Central US region

You create a new Azure Cosmos DB account named sqlaccount1 configured as shown in the exhibit.

You need to determine the network connectivity to sqlaccount1.

Which virtual networks can access sqlaccount1 in the current configuration?


Explanation

You can access sqlaccount1 from only vnet1 by using the private endpoint. You have deployed sqlaccount1 using a private endpoint as the connectivity method. With this method, your Cosmos DB account can only be accessed through a private endpoint, which is configured with vnet1 as shown in the exhibit. You can create a private endpoint with virtual networks in the same region as your Cosmos DB account.

You cannot access sqlaccount1 from the public endpoint. When you create a Cosmos DB account with a private endpoint, the public endpoint is disabled by default and your account receives traffic only from the private endpoint.

You cannot access sqlaccount1 from vnet2. You can only connect through a private endpoint with virtual networks that have previously been configured. You cannot configure a private endpoint with virtual networks in other regions. Instead, you can configure a virtual network peering between vnet1 and vnet2, and access sqlaccount1 from vnet2 through the vnet1 endpoint.

Question 100

You have a .NET Core application that stores key-value data in an Azure Table storage named table1.

Users report that the application performance is slow during peak usage. You identify that table1 is the bottleneck.

You need to evaluate the impacts and create a plan to migrate table1 to a Cosmos DB account.

Choose all that apply:


Explanation

You can use the Table API to migrate table1 to Cosmos DB. The Table API provides premium capabilities for applications written for Azure Table storage, such as dedicated throughput, guaranteed high availability, and better latency.

You do not need to change the application code to use the Cosmos DB SDK. You can still use the Table storage SDK with Cosmos DB Table API, but it is recommended to update to Cosmos DB SDK for the best support and improved performance.

You can use the AzCopy utility to move data from table1 to Cosmos DB. You can use the AzCopy utility or the Azure Cosmos DB Data Migration Tool to migrate the data from table1 to Cosmos DB.

Question 101

A company is migrating its on-premises datacenter to Azure. The solution should:

Support migration without database changes.

Provide for company control over maintenance and update schedules.

Provide for control over the recovery model.

You need to identify the appropriate database solution.

What solution should you choose?


Explanation