AZ-900 Flashcards

1
Q

Which two factors affect Azure costs?

A

Usage meters, such as CPU time, disk size, and write operations, are used to calculate your bill for an Azure resource. Deleting or deallocating a resource means that you will no longer be billed for it. Different regions can have different associated prices. Resources cost the same no matter the time of day or the day of the week.

2
Q

Which two scenarios are common billing use cases for resource tags?

A

You can use tags to categorize costs by department, such as human resources, marketing, or finance, or by environment, such as test or production. Resizing underutilized virtual machines is a good cost-saving measure and provisioning resources in lower-cost regions is a good practice, but resource tags do not help with either.

3
Q

You plan to build a new solution in Azure that will use platform as a service (PaaS) products.

What should you use to estimate the monthly costs?

A

The Azure Pricing calculator allows you to estimate and configure according to your specific requirements. You will then receive a consolidated estimated price and a detailed breakdown of the costs associated with each resource you added to your solution.

4
Q

You need to associate the costs of resources to different groups within an organization without changing the location of the resources.

What should you use?

A

Resource tags can be used to group billing data and categorize costs by runtime environment, such as billing usage for virtual machines running in a production environment.

5
Q

Your organization plans to deploy several production virtual machines that will have consistent resource usage throughout the year.

What can you use to minimize the costs of the virtual machines without reducing the functionality of the virtual machines?

A

Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can save you up to 72 percent compared to pay-as-you-go prices. To receive a discount, you reserve services and resources by paying in advance. Spending limits, by contrast, suspend a subscription when the spending limit is reached.

6
Q

What can you use to ensure that new and existing Azure resources stay in compliance with corporate standards?

A

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit resources. These policies enforce different rules across all resource configurations so that the configurations stay compliant with corporate standards.

7
Q

You need to recommend a solution for Azure virtual machine deployments. The solution must enforce company standards on the virtual machines.

What should you include in the recommendation?

A

Azure policies will allow you to enforce company standards on new virtual machines when combined with Azure VM Image Builder and Azure Compute Gallery. By using Azure Policy and role-based access control (RBAC) assignments, enterprises can enforce standards on Azure resources. But on virtual machines, these mechanisms only affect the control plane or the route to the virtual machine.

8
Q

You need to identify which Azure services are compliant with ISO 27001 Information Security Management Standards.

Where should you go to locate the information?

A

The Trust Center showcases the Microsoft principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.

9
Q

What allows you to orchestrate the deployment of resource templates, Azure Policy assignments, and resource groups?

A

Azure Blueprints simplifies large scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager (ARM) templates, role-based access controls (RBAC), and policies, into a single blueprint definition. You can easily apply the blueprint to new subscriptions and environments.

10
Q

What can you use to restrict the deployment of a virtual machine to a specific location?

A

Azure Policy can help to create a policy for allowed regions, which enables you to restrict the deployment of virtual machines to a specific location.

11
Q

Which management layer accepts requests from any Azure tool or API and enables you to create, update, and delete resources in an Azure account?

A

ARM is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in an Azure account.

12
Q

Which two tools can you use to create a new Azure virtual machine from a mobile device that runs Android?

A

The Azure portal can run on devices that have the Android operating system installed. The browser can be any type, such as Internet Explorer 11, Chrome, Firefox, or Safari (all the latest versions). When you visit the portal, you will see Cloud Shell. Users can then access Bash and PowerShell from within Cloud Shell. You can use Bash and PowerShell to create Azure virtual machines.

13
Q

What can you use to manage servers across cloud platforms and on-premises environments?

A

Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform.

14
Q

You have a team of Linux administrators that need to manage the resources in Azure. The team wants to use the Bash shell to perform the administration.

What should you recommend?

A

Azure CLI allows you to use the Bash shell to perform administrative tasks. Bash is used in Linux environments, so a Linux administrator will probably be more comfortable performing command-line administration from Azure CLI.

15
Q

What can you use to automatically detect performance anomalies for web apps?

A

Application Insights is a feature of Azure Monitor that allows you to monitor running applications, automatically detect performance anomalies, and use built-in analytics tools to see what users do on an app.

16
Q

Which Azure service can generate an alert if virtual machine utilization is over 80% for five minutes?

A

Azure Monitor is a platform for collecting, analyzing, visualizing, and alerting based on metrics. Azure Monitor can log data from an entire Azure and on-premises environment.

17
Q

[Answer choice] are physically separate datacenters within an Azure region.

A

Availability zones are physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking.

18
Q

Which resource can you use to manage access, policies, and compliance across multiple subscriptions?

A

Management groups can be used in environments that have multiple subscriptions to streamline the application of governance conditions.

Resource groups can be used to organize Azure resources.

Administrative units are used to delegate the administration of Azure AD resources, such as users and groups.

Accounts are used to provide access to resources.

19
Q

[Answer choice] is the deployment and management service for Azure.

A

ARM is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in an Azure subscription. You use management features, such as access control, resource locks, and resource tags, to secure and organize resources after deployment.

20
Q

Which Azure resource is a software emulation of a physical computer that includes a virtual processor, memory, storage, and networking resources?

A

Virtual machines are software emulations of physical computers. They include a virtual processor, memory, storage, and networking resources. Virtual machines host an operating system, and you can install and run software just like on a physical computer.

21
Q

What can you use to execute code in a serverless environment?

A

Azure Functions allows you to run code as a service without having to manage the underlying platform or infrastructure. Azure Logic Apps is similar to Azure Functions, but uses predefined workflows instead of developing your own code.

22
Q

Which scenario is a use case for a VPN gateway?

A

A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed to a dedicated subnet of a virtual network. You can use them to connect on-premises datacenters to virtual networks through a Site-to-Site (S2S) VPN connection.

23
Q

You need to allow resources on two different Azure virtual networks to communicate with each other.

What should you configure?

A

You can link virtual networks together by using virtual network peering. Peering enables resources in each virtual network to communicate with each other.

24
Q

Which Azure Blob storage tier stores data offline and offers the lowest storage costs and the highest costs to access data?

A

The Archive storage tier stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data. The Hot storage tier is optimized for storing data that is accessed frequently. Data in the Cool access tier can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data.

25
Q

Which two scenarios are common use cases for Azure Blob storage? Each correct answer presents a complete solution.

A

Low storage costs and unlimited file formats make blob storage a good location to store backups and archives. Blob storage can be reached from anywhere by using an internet connection. Azure Disk Storage provides disks for Azure virtual machines. Azure Files supports mounting file storage shares.

26
Q

Which Azure Storage service should you use to store unstructured files, such as images, that will be served on webpages?

A

Azure Blob storage is an object storage solution that you can use to store massive amounts of unstructured data, such as text or binary data.

27
Q

Which two protocols are used to access Azure file shares?

A

Azure Files offers fully managed file shares in the cloud that are accessible via industry-standard SMB and NFS protocols.

28
Q

What is the purpose of defense in depth?

A

The objective of defense in depth is to use several layers of protection to prevent information from being accessed or stolen by unauthorized users.

29
Q

What enables a user to sign in one time and use that credential to access multiple resources and applications from different providers?

A

SSO enables a user to sign in one time and use that credential to access multiple resources and applications from different providers. MFA is a process whereby a user is prompted during the sign-in process for an additional form of identification. Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity signals. Azure AD supports the registration of devices.

30
Q

What can you use to ensure that a user can only access applications from compliant devices?

A

Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity signals, such as the device being used. SSO enables a user to sign in one time and use that credential to access multiple resources and applications from different providers. MFA is a process whereby a user is prompted during the sign-in process for an additional form of identification. Hybrid identity solutions create a common user identity for authentication and authorization to all resources, regardless of location.

31
Q

What can you use to allow a user to manage all the resources in a resource group?

A

Azure RBAC allows you to assign a set of permissions to a user or group. Resource tags are used to locate and act on resources associated with specific workloads, environments, business units, and owners. Resource locks prevent the accidental change or deletion of a resource. Key Vault is a centralized cloud service for storing an application's secrets in a single, central location.

32
Q

Which type of strategy uses a series of mechanisms to slow the advancement of an attack that aims to gain unauthorized access to data?

A

A defense in depth strategy uses a series of mechanisms to slow the advancement of an attack that aims to gain unauthorized access to data. The principle of least privilege means restricting access to information to only the level that users need to perform their work. A DDoS attack attempts to overwhelm and exhaust an application’s resources. The perimeter layer is about protecting an organization’s resources from network-based attacks.

33
Q

What Azure AD feature can you use to configure security authentication that requires users to use their mobile phone to sign in?

A

MFA is the concept of requiring something more than only a password to sign in to an application. You can use the mobile phone to receive a phone call, text, or a code to get authenticated.

34
Q

Which two services are provided by Azure AD?

A

Azure AD provides services for verifying identity and access to applications and resources. SSO enables you to remember a single username and password to access multiple applications and is available in Azure AD.

35
Q

What Azure AD feature can you use to ensure that users can only access Microsoft Office 365 applications from approved client applications?

A

Conditional Access allows administrators to control, allow, or deny access to resources based on certain signals. You can require that access to certain applications only be allowed if the users are using an approved client application. MFA is a process whereby a user is prompted during the sign-in process for an additional form of identification. Examples include a code on their mobile phone or a fingerprint scan.

36
Q

Which two attributes are characteristics of the private cloud deployment model?

A

In a private cloud, hardware must be purchased for startup and maintenance. In a private cloud, organizations control resources and security. Quick provisioning is a characteristic of the public cloud deployment model. Paying only for what is used is a characteristic of the public cloud deployment model.

37
Q

What are two basic services provided by all cloud providers?

A

All cloud providers provide compute and storage services. Colocation is when a business rents space in a shared physical datacenter. Application development is the responsibility of the customer and is typically done either in-house or through a third party.

38
Q

What are two characteristics of a consumption-based model?

A

In a consumption-based model, you do not pay for anything until you start using resources, and you only pay for what you use. If you stop using a resource, you stop paying for it. High expenditures are usually associated with the purchase of the physical infrastructure, which is not needed in a consumption-based model.

39
Q

Increasing compute capacity for an app by adding RAM or CPUs to a virtual machine is called [answer choice].

A

You scale vertically to increase compute capacity by adding RAM or CPUs to a virtual machine. Scaling horizontally increases compute capacity by adding instances of resources, such as adding virtual machines to the configuration. Disaster recovery keeps data and other assets safe in the event of a disaster. High availability minimizes downtime when things go wrong.

40
Q

Deploying and configuring cloud-based resources quickly as business requirements change is called [answer choice].

A

Agility means that you can deploy and configure cloud-based resources quickly as app requirements change. Scalability means that you can add RAM, CPU, or entire virtual machines to a configuration. Elasticity means that you can configure cloud-based apps to take advantage of autoscaling, so apps always have the resources they need. High availability means that cloud-based apps can provide a continuous user experience with no apparent downtime, even when things go wrong.

41
Q

Increasing compute capacity for an app by adding instances of resources such as virtual machines is called [answer choice].

A

Scaling horizontally increases compute capacity by adding instances of resources, such as adding virtual machines to the configuration. You scale vertically by adding RAM or CPUs to a virtual machine. Disaster recovery keeps data and other assets safe in the event of a disaster. High availability minimizes downtime when things go wrong.

42
Q

What is high availability in a public cloud environment dependent on?

A

Different services have different SLAs. Sometimes different tiers of the same service will offer different SLAs, which can increase or decrease the promised availability.

43
Q

An example of [answer choice] is automatically scaling an application to ensure that the application has the resources needed to meet customer demands.

A

Elasticity refers to the ability to scale resources as needed, such as during business hours, to ensure that an application can keep up with demand, and then reducing the available resources during off-peak hours. Agility refers to the ability to deploy new applications and services quickly. High availability refers to the ability to ensure that a service or application remains available in the event of a failure. Geo-distribution makes a service or application available in multiple geographic locations that are typically close to your users.

44
Q

In cloud computing, [answer choice] allows you to deploy applications to regional datacenters around the world.

A

You can deploy apps and data to regional datacenters around the globe, thereby ensuring that your customers always have the best performance in their region. This is referred to as geo-distribution.

45
Q

Increasing the capacity of an application by adding additional virtual machines is called [answer choice].

A

Scaling horizontally increases compute capacity by adding instances of resources, such as adding virtual machines to the configuration. You scale vertically to increase compute capacity by adding RAM or CPUs to a virtual machine. Agility refers to the ability to deploy new applications and services quickly. High availability minimizes downtime when things go wrong.

46
Q

In which two deployment models are customers responsible for managing operating systems that host applications?

A

Operating systems are managed by customers when using IaaS or on-premises deployments. The operating systems are not accessible in PaaS and SaaS deployments.

47
Q

In a platform as a service (PaaS) model, which two components are the responsibility of the cloud service provider?

A

In PaaS, the cloud provider is responsible for the operating system, physical datacenter, physical hosts, and physical network. In PaaS, the customer is responsible for accounts and identities.

48
Q

What is the customer responsible for in a software as a service (SaaS) model?

A

SaaS allows you to pay to use an existing application on hardware managed by a third party. You supply data and configure access. Customers are only responsible for storage in a private cloud. Customers are responsible for virtual machines and runtime in IaaS and the private cloud.

49
Q

Which cloud service model is used by Microsoft Office 365?

A

SaaS allows users to connect to and use cloud-based apps over the internet. Common examples are email, calendaring, and Office tools, such as Office 365.

50
Q

Describe Infrastructure as a Service

A

Infrastructure as a service (IaaS) is the most flexible category of cloud services, as it provides you the maximum amount of control for your cloud resources. In an IaaS model, the cloud provider is responsible for maintaining the hardware, network connectivity (to the internet), and physical security. You’re responsible for everything else: operating system installation, configuration, and maintenance; network configuration; database and storage configuration; and so on. With IaaS, you’re essentially renting the hardware in a cloud datacenter, but what you do with that hardware is up to you.

51
Q

Shared responsibility model: IaaS

A

The shared responsibility model applies to all the cloud service types. IaaS places the largest share of responsibility with you. The cloud provider is responsible for maintaining the physical infrastructure and its access to the internet. You’re responsible for installation and configuration, patching and updates, and security.

52
Q

Describe Platform as a Service

A

Platform as a service (PaaS) is a middle ground between renting space in a datacenter (infrastructure as a service) and paying for a complete and deployed solution (software as a service). In a PaaS environment, the cloud provider maintains the physical infrastructure, physical security, and connection to the internet. They also maintain the operating systems, middleware, development tools, and business intelligence services that make up a cloud solution. In a PaaS scenario, you don’t have to worry about the licensing or patching for operating systems and databases.

PaaS is well suited to provide a complete development environment without the headache of maintaining all the development infrastructure.

53
Q

Shared responsibility model: PaaS

A

The shared responsibility model applies to all the cloud service types. PaaS splits the responsibility between you and the cloud provider. The cloud provider is responsible for maintaining the physical infrastructure and its access to the internet, just like in IaaS. In the PaaS model, the cloud provider will also maintain the operating systems, databases, and development tools. Think of PaaS like using a domain-joined machine: IT maintains the device with regular updates, patches, and refreshes.

Depending on the configuration, you or the cloud provider may be responsible for networking settings and connectivity within your cloud environment, network and application security, and the directory infrastructure.

54
Q

Describe Software as a Service

A

Software as a service (SaaS) is the most complete cloud service model from a product perspective. With SaaS, you’re essentially renting or using a fully developed application. Email, financial software, messaging applications, and connectivity software are all common examples of a SaaS implementation.

While the SaaS model may be the least flexible, it’s also the easiest to get up and running. It requires the least amount of technical knowledge or expertise to fully employ.

55
Q

Shared responsibility model: SaaS

A

The shared responsibility model applies to all the cloud service types. SaaS is the model that places the most responsibility with the cloud provider and the least responsibility with the user. In a SaaS environment you’re responsible for the data that you put into the system, the devices that you allow to connect to the system, and the users that have access. Nearly everything else falls to the cloud provider. The cloud provider is responsible for physical security of the datacenters, power, network connectivity, and application development and patching.

56
Q

Which cloud service type is most suited to a lift and shift migration from an on-premises datacenter to a cloud deployment?

A

IaaS

57
Q

What type of cloud service type would a Finance and Expense tracking solution typically be in?

A

SaaS

58
Q

High availability

A

High availability focuses on ensuring maximum availability, regardless of disruptions or events that may occur.

When you’re architecting your solution, you’ll need to account for service availability guarantees. Azure is a highly available cloud environment with uptime guarantees depending on the service. These guarantees are part of the service-level agreements (SLAs).

59
Q

Scalability

A

Another major benefit of cloud computing is the scalability of cloud resources. Scalability refers to the ability to adjust resources to meet demand. If you suddenly experience peak traffic and your systems are overwhelmed, the ability to scale means you can add more resources to better handle the increased demand.

The other benefit of scalability is that you aren’t overpaying for services. Because the cloud is a consumption-based model, you only pay for what you use. If demand drops off, you can reduce your resources and thereby reduce your costs.

Scaling generally comes in two varieties: vertical and horizontal. Vertical scaling is focused on increasing or decreasing the capabilities of resources. Horizontal scaling is adding or subtracting the number of resources.

60
Q

Vertical scaling

A

With vertical scaling, if you were developing an app and you needed more processing power, you could vertically scale up to add more CPUs or RAM to the virtual machine. Conversely, if you realized you had over-specified the needs, you could vertically scale down by lowering the CPU or RAM specifications.

61
Q

Horizontal scaling

A

With horizontal scaling, if you suddenly experienced a steep jump in demand, your deployed resources could be scaled out (either automatically or manually), for example by adding additional virtual machines or containers. In the same manner, if there was a significant drop in demand, deployed resources could be scaled in (either automatically or manually) by removing instances.

62
Q

Reliability

A

Reliability is the ability of a system to recover from failures and continue to function. It’s also one of the pillars of the Microsoft Azure Well-Architected Framework.

The cloud, by virtue of its decentralized design, naturally supports a reliable and resilient infrastructure. With a decentralized design, the cloud enables you to have resources deployed in regions around the world. With this global scale, even if one region has a catastrophic event other regions are still up and running. You can design your applications to automatically take advantage of this increased reliability. In some cases, your cloud environment itself will automatically shift to a different region for you, with no action needed on your part. You’ll learn more about how Azure leverages global scale to provide reliability later in this series.

63
Q

Predictability

A

Predictability in the cloud lets you move forward with confidence. Predictability can be focused on performance predictability or cost predictability. Both performance and cost predictability are heavily influenced by the Microsoft Azure Well-Architected Framework. Deploy a solution that’s built around this framework and you have a solution whose cost and performance are predictable.

64
Q

Performance Predictability

A

Performance predictability focuses on predicting the resources needed to deliver a positive experience for your customers. Autoscaling, load balancing, and high availability are just some of the cloud concepts that support performance predictability. If you suddenly need more resources, autoscaling can deploy additional resources to meet the demand, and then scale back when the demand drops. Or if the traffic is heavily focused on one area, load balancing will help redirect some of the overload to less stressed areas.

65
Q

Cost predictability

A

Cost predictability is focused on predicting or forecasting the cost of the cloud spend. With the cloud, you can track your resource use in real time, monitor resources to ensure that you’re using them in the most efficient way, and apply data analytics to find patterns and trends that help better plan resource deployments. By operating in the cloud and using cloud analytics and information, you can predict future costs and adjust your resources as needed. You can even use tools like the Total Cost of Ownership (TCO) or Pricing Calculator to get an estimate of potential cloud spend.

66
Q

Describe the benefits of security and governance in the cloud

A

Whether you’re deploying infrastructure as a service or software as a service, cloud features support governance and compliance. Things like set templates help ensure that all your deployed resources meet corporate standards and government regulatory requirements. Plus, you can update all your deployed resources to new standards as standards change. Cloud-based auditing helps flag any resource that’s out of compliance with your corporate standards and provides mitigation strategies. Depending on your operating model, software patches and updates may also automatically be applied, which helps with both governance and security.

On the security side, you can find a cloud solution that matches your security needs. If you want maximum control of security, infrastructure as a service provides you with physical resources but lets you manage the operating systems and installed software, including patches and maintenance. If you want patches and maintenance taken care of automatically, platform as a service or software as a service deployments may be the best cloud strategies for you.

And because the cloud is intended as an over-the-internet delivery of IT resources, cloud providers are typically well suited to handle things like distributed denial of service (DDoS) attacks, making your network more robust and secure.

By establishing a good governance footprint early, you can keep your cloud footprint updated, secure, and well managed.

67
Q

What is cloud computing

A

Cloud computing is the delivery of computing services over the internet. Computing services include common IT infrastructure such as virtual machines, storage, databases, and networking. Cloud services also expand the traditional IT offerings to include things like Internet of Things (IoT), machine learning (ML), and artificial intelligence (AI).

Because cloud computing uses the internet to deliver these services, it doesn’t have to be constrained by physical infrastructure the same way that a traditional datacenter is. That means if you need to increase your IT infrastructure rapidly, you don’t have to wait to build a new datacenter—you can use the cloud to rapidly expand your IT footprint.

68
Q

Private cloud

A

A private cloud is, in some ways, the natural evolution of a corporate datacenter. It’s a cloud (delivering IT services over the internet) that’s used by a single entity. A private cloud gives the company and its IT department much greater control. However, it also comes with greater cost and fewer of the benefits of a public cloud deployment. A private cloud may be hosted from your on-site datacenter, or in a dedicated datacenter offsite, potentially even by a third party that has dedicated that datacenter to your company.

69
Q

Public cloud

A

A public cloud is built, controlled, and maintained by a third-party cloud provider. With a public cloud, anyone that wants to purchase cloud services can access and use resources. The general public availability is a key difference between public and private clouds.

70
Q

Hybrid cloud

A

A hybrid cloud is a computing environment that uses both public and private clouds in an inter-connected environment. A hybrid cloud environment can be used to allow a private cloud to surge for increased, temporary demand by deploying public cloud resources. Hybrid cloud can be used to provide an extra layer of security. For example, users can flexibly choose which services to keep in public cloud and which to deploy to their private cloud infrastructure.

71
Q

Multi-cloud

A

A fourth, and increasingly likely, scenario is multi-cloud, in which you use multiple public cloud providers. Maybe you use different features from different providers, or maybe you started your cloud journey with one provider and are in the process of migrating to another. Either way, in a multi-cloud environment you deal with two (or more) public cloud providers and have to manage resources and security in each of them.

72
Q

Azure Arc

A

Azure Arc is a set of technologies that helps manage your cloud environment. Azure Arc can help manage your cloud environment, whether it’s a public cloud solely on Azure, a private cloud in your datacenter, a hybrid configuration, or even a multi-cloud environment running on multiple cloud providers at once.

73
Q

Azure VMware Solution

A

What if you’re already established with VMware in a private cloud environment but want to migrate to a public or hybrid cloud? Azure VMware Solution lets you run your VMware workloads in Azure with seamless integration and scalability.

74
Q

two types of expenses to consider

A

Capital expenditure (CapEx) and operational expenditure (OpEx).

75
Q

CapEx

A

typically a one-time, up-front expenditure to purchase or secure tangible resources. A new building, repaving the parking lot, building a datacenter, or buying a company vehicle are examples of CapEx.

76
Q

OpEx

A

spending money on services or products over time. Renting a convention center, leasing a company vehicle, or signing up for cloud services are all examples of OpEx.

77
Q

What is Microsoft Azure

A

Azure is a continually expanding set of cloud services that help you meet current and future business challenges. Azure gives you the freedom to build, manage, and deploy applications on a massive global network using your favorite tools and frameworks.

78
Q

What does Azure offer?

A

Continuous innovation from Microsoft supports your development today and your product visions for tomorrow.

You have choices with a commitment to open source, and support for all languages and frameworks, you can build how you want and deploy where you want.

On-premises, in the cloud, and at the edge, we’ll meet you where you are. Integrate and manage your environments with tools and services designed for a hybrid cloud solution.

Get security from the ground up, backed by a team of experts, and proactive compliance trusted by enterprises, governments, and startups.

79
Q

What can I do with Azure?

A

provides more than 100 services that enable you to do everything from running your existing applications on virtual machines to exploring new software paradigms

provides artificial intelligence (AI) and machine-learning (ML) services that can naturally communicate with your users through vision, hearing, and speech. It also provides storage solutions that dynamically grow to accommodate massive amounts of data. Azure services enable solutions that aren’t feasible without the power of the cloud.

80
Q

Physical infrastructure

A

The physical infrastructure for Azure starts with datacenters. Conceptually, the datacenters are the same as large corporate datacenters. They’re facilities with resources arranged in racks, with dedicated power, cooling, and networking infrastructure.

As a global cloud provider, Azure has datacenters around the world. However, these individual datacenters aren’t directly accessible. Datacenters are grouped into Azure Regions or Azure Availability Zones that are designed to help you achieve resiliency and reliability for your business-critical workloads.

81
Q

Regions

A

A region is a geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network. Azure intelligently assigns and controls the resources within each region to ensure workloads are appropriately balanced.

When you deploy a resource in Azure, you’ll often need to choose the region where you want your resource deployed.

82
Q

Availability Zones

A

Availability zones are physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking. An availability zone is set up to be an isolation boundary: if one zone goes down, the others continue working. Availability zones are connected through high-speed, private fiber-optic networks.

To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions. However, not all Azure Regions currently support availability zones.

83
Q

Region pairs

A

Most Azure regions are paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources across a geography that helps reduce the likelihood of interruptions because of events such as natural disasters, civil unrest, power outages, or physical network outages that affect an entire region. For example, if a region in a pair was affected by a natural disaster, services would automatically fail over to the other region in its region pair.

Not all Azure services automatically replicate data or automatically fall back from a failed region to cross-replicate to another enabled region. In these scenarios, recovery and replication must be configured by the customer.

Examples of region pairs in Azure are West US paired with East US and Southeast Asia paired with East Asia. Because the regions in a pair are directly connected and far enough apart to be isolated from regional disasters, you can use them to provide reliable services and data redundancy.

84
Q

What are containers?

A

Containers are a virtualization environment. Much like running multiple virtual machines on a single physical host, you can run multiple containers on a single physical or virtual host. Unlike virtual machines, you don’t manage the operating system for a container. Virtual machines appear to be an instance of an operating system that you can connect to and manage. Containers are lightweight and designed to be created, scaled out, and stopped dynamically. It’s possible to create and deploy virtual machines as application demand increases, but containers are a lighter weight, more agile method. Containers are designed to allow you to respond to changes on demand. With containers, you can quickly restart if there’s a crash or hardware interruption. One of the most popular container engines is Docker, which is supported by Azure.

85
Q

Describe Azure Functions

A

Azure Functions is an event-driven, serverless compute option that doesn’t require maintaining virtual machines or containers. If you build an app using VMs or containers, those resources have to be “running” in order for your app to function. With Azure Functions, an event wakes the function, alleviating the need to keep resources provisioned when there are no events.

86
Q

Benefits of Azure Functions

A

Azure Functions runs your code when it’s triggered and automatically deallocates resources when the function is finished. In this model (the Consumption plan), you’re charged only for the compute consumed while your function runs, not for idle time.

Functions can be either stateless or stateful. When they’re stateless (the default), they behave as if they’re restarted every time they respond to an event. When they’re stateful (called Durable Functions), a context is passed through the function to track prior activity.

Functions are a key component of serverless computing. They’re also a general compute platform for running any type of code. If the needs of the developer’s app change, you can deploy the project in an environment that isn’t serverless. This flexibility allows you to manage scaling, run on virtual networks, and even completely isolate the functions.

87
Q

Azure App Service

A

Azure App Service is an HTTP-based, fully managed hosting service for web apps, background jobs, mobile back ends, and RESTful APIs. You write the app in the programming language of your choice (.NET, .NET Core, Java, Ruby, Node.js, PHP, and Python are supported) without managing the underlying infrastructure: you focus on building and maintaining your app, and Azure keeps the environment up and running.

App Service offers automatic scaling and high availability, runs on both Windows and Linux, and supports automated deployments from GitHub, Azure DevOps, or any Git repository to enable a continuous deployment model.

88
Q

Describe Azure Virtual Networking

A

Azure virtual networks and virtual subnets enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers. You can think of an Azure network as an extension of your on-premises network with resources that link other Azure resources.

Azure virtual networks provide the following key networking capabilities:

Isolation and segmentation
Internet communications
Communicate between Azure resources
Communicate with on-premises resources
Route network traffic
Filter network traffic
Connect virtual networks

Azure virtual networking supports both public and private endpoints, so external or internal resources can communicate with other internal resources.

89
Q

Communicate between Azure resources

A

Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.

Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources. Note that a service endpoint leaves the service on its public address and only restricts which virtual networks may reach it; a private endpoint goes further and gives the service a private IP address inside your virtual network.

90
Q

Describe Azure DNS

A

Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services. Azure DNS doesn’t register domain names: you buy the domain from a registrar and delegate it to the Azure DNS name servers.

91
Q

Which Azure Virtual Machine feature staggers updates across VMs based on their update domain and fault domain?

A

Availability sets stagger VM updates based on their update and fault domains.

92
Q

Which Azure service allows users to use a cloud hosted version of Windows from any location and connect from most modern browsers?

A

Azure Virtual Desktop provides access to a cloud-hosted version of Windows, and it works with most modern browsers.

93
Q

Describe Azure directory services

A

Azure Active Directory (Azure AD, since renamed Microsoft Entra ID) is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop. Azure AD can also help you maintain your on-premises Active Directory deployment.

For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that’s managed by your organization. Azure AD is Microsoft’s cloud-based identity and access management service. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is available globally. If you’ve worked with Active Directory, Azure AD will be familiar to you.

When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign-in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Azure AD can detect sign-in attempts from unexpected locations or unknown devices.

94
Q

What does Azure AD do?

A

Authentication: verifies a user’s identity to access applications and resources, including self-service password reset, multifactor authentication, and smart lockout.
Single sign-on: one username and password to access multiple applications.
Application management: manages your cloud and on-premises apps, for example through Application Proxy and the My Apps portal.
Device management: registers devices so that tools like Conditional Access can restrict access to devices that meet your standards.

95
Q

Can I connect my on-premises AD with Azure AD?

A

If you had an on-premises environment running Active Directory and a cloud deployment using Azure AD, you would need to maintain two identity sets. However, you can connect Active Directory with Azure AD, enabling a consistent identity experience between cloud and on-premises.

One method of connecting Azure AD with your on-premises AD is using Azure AD Connect. Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.

96
Q

What is Azure Active Directory Domain Services?

A

Azure Active Directory Domain Services (Azure AD DS) is a service that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. Just like Azure AD lets you use directory services without having to maintain the infrastructure supporting it, with Azure AD DS, you get the benefit of domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

An Azure AD DS managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign into services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.

97
Q

What’s passwordless authentication?

A

Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are, or something you know.

Passwordless authentication needs to be set up on a device before it can work. For example, your computer is something you have. Once it’s been registered or enrolled, Azure now knows that it’s associated with you. Now that the computer is known, once you provide something you know or are (such as a PIN or fingerprint), you can be authenticated without using a password.

Each organization has different needs when it comes to authentication. Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):

Windows Hello for Business
Microsoft Authenticator app
FIDO2 security keys

98
Q

FIDO2 security keys

A

The FIDO (Fast IDentity Online) Alliance promotes open authentication standards and aims to reduce the use of passwords as a form of authentication. FIDO2 is the latest standard and incorporates the web authentication (WebAuthn) standard.

FIDO2 security keys are a phishing-resistant, standards-based passwordless authentication method that can come in any form factor. Users and organizations can sign in to their resources without a username or password by using an external security key or a platform key built into a device. The credential is bound to the site it was registered with, so it can’t be replayed on a lookalike domain, and because a hardware device handles the authentication, there’s no password that could be exposed or guessed.

Users register a FIDO2 security key and can then select it at the sign-in interface as their main means of authentication. These keys are typically USB devices, but can also use Bluetooth or NFC.
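To show the mechanism behind "phishing-resistant", here is an added example (my own code, not part of the flashcards or of any Microsoft product) of the relying-party checks in a WebAuthn/FIDO2 sign-in that bind an assertion to the site's origin and RP ID. It goes slightly beyond the card by also checking the signature counter. The RP ID `login.contoso.example`, the allowed origin, and every response it verifies are constructed for the demo; the credential signature check (ECDSA over authenticatorData plus SHA-256 of clientDataJSON with the stored public key) needs a crypto library and is not included.

```python
# Added example (not from the flashcards or from Microsoft): the relying-party
# checks in a WebAuthn/FIDO2 sign-in that bind an assertion to the site's origin
# and RP ID, which is what makes the method phishing-resistant. The credential
# signature check (ECDSA over authenticatorData || SHA-256(clientDataJSON) with
# the stored public key) needs a crypto library and is not shown here. RP ID,
# origins and all responses below are constructed for the demo.
import base64
import hashlib
import json
import os
import struct

RP_ID = "login.contoso.example"                      # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.contoso.example"}  # assumed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> bytes:
    """Fresh per-ceremony challenge; the server keeps it until the response arrives."""
    return os.urandom(32)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, stored_sign_count: int):
    """Return (ok, reason). Follows the verification order of the WebAuthn spec,
    minus the signature step."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or forged response)"
    # The browser, not the page, writes the origin: a lookalike site can't claim ours.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    # The authenticator scopes the credential to the RP ID the browser gave it.
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    if not flags & 0x04:
        return False, "user verification (UV) required but not performed"
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


# Builders that produce what a browser and authenticator would hand back.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo():
    ch = new_challenge()
    genuine = verify_assertion(make_client_data("https://login.contoso.example", ch),
                               make_auth_data(RP_ID), ch, 0)
    # Relayed from a lookalike site: origin and rpIdHash both point at the wrong domain.
    phished = verify_assertion(make_client_data("https://login-contoso.example", ch),
                               make_auth_data("login-contoso.example"), ch, 0)
    # Same key, but a response captured for an older challenge.
    replayed = verify_assertion(make_client_data("https://login.contoso.example", new_challenge()),
                                make_auth_data(RP_ID), ch, 0)
    return genuine, phished, replayed


if __name__ == "__main__":
    for label, result in zip(("genuine", "phished", "replayed"), demo()):
        print(f"{label}: {result}")
```

The point of the two failing cases: the user can be fooled into touching the key on a lookalike page, but the browser records the lookalike origin and the authenticator hashes the lookalike RP ID into the response, so the real site rejects it without any user judgement involved.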

99
Q

Describe Azure external identities

A

An external identity is a person, device, service, etc. that is outside your organization. Azure AD External Identities refers to all the ways you can securely interact with users outside of your organization.

100
Q

Describe Azure conditional access

A

Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from

101
Q

When can I use Conditional Access?

A

Require multifactor authentication (MFA) to access an application depending on the requester’s role, location, or network. For example, you could require MFA for administrators but not regular users or for people connecting from outside your corporate network.
Require access to services only through approved client applications. For example, you could limit which email applications are able to connect to your email service.
Require users to access your application only from managed devices. A managed device is a device that meets your standards for security and compliance.
Block access from untrusted sources, such as access from unknown or unexpected locations.
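The four policy patterns above, run against sample sign-in signals, as an added example of my own (not code from the flashcards or from Microsoft). The `Policy` and `SignIn` fields are a simplification of the real Conditional Access conditions and controls, and the users, apps, and countries are made up. It shows the evaluation rule that matters in practice: every policy whose conditions match is applied, a block from any of them wins, and otherwise the sign-in must satisfy all of the grant controls together.

```python
# Added example (not from the flashcards or from Microsoft): a toy evaluator that
# applies Conditional Access-style policies to the signals of a sign-in. Policy
# fields and signal names are my own simplification of the real feature.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset            # directory roles held by the user
    app: str                    # cloud app being requested
    client_app: str             # e.g. "outlook" or "legacy-imap"
    country: str                # resolved from the source IP
    on_corp_network: bool       # source IP is in a named trusted location
    device_managed: bool        # device is managed and compliant


@dataclass(frozen=True)
class Policy:
    name: str
    # Conditions. None means "applies to any".
    roles: Optional[frozenset] = None
    apps: Optional[frozenset] = None
    off_corp_network: bool = False                  # only when not on the corp network
    outside_countries: Optional[frozenset] = None   # only when country is not in this set
    # Access controls.
    block: bool = False
    require_mfa: bool = False
    require_managed_device: bool = False
    approved_client_apps: Optional[frozenset] = None

    def applies_to(self, s: SignIn) -> bool:
        if self.roles is not None and not (self.roles & s.roles):
            return False
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.off_corp_network and s.on_corp_network:
            return False
        if self.outside_countries is not None and s.country in self.outside_countries:
            return False
        return True


def evaluate(policies, s: SignIn) -> dict:
    """All matching policies apply: a block from any policy wins, a required control
    that the sign-in can't meet (unmanaged device, unapproved client) blocks too,
    otherwise the user is granted access subject to the union of the controls."""
    hit = [p for p in policies if p.applies_to(s)]
    for p in hit:
        if p.block:
            return {"decision": "block", "reason": p.name}
        if p.require_managed_device and not s.device_managed:
            return {"decision": "block", "reason": f"{p.name}: unmanaged device"}
        if p.approved_client_apps is not None and s.client_app not in p.approved_client_apps:
            return {"decision": "block", "reason": f"{p.name}: client app not approved"}
    controls = ["mfa"] if any(p.require_mfa for p in hit) else []
    return {"decision": "grant", "controls": controls, "policies": [p.name for p in hit]}


# One policy per bullet of the flashcard, with made-up apps and countries.
POLICIES = (
    Policy("MFA for administrators", roles=frozenset({"Global Administrator"}), require_mfa=True),
    Policy("MFA off the corporate network", off_corp_network=True, require_mfa=True),
    Policy("Approved mail clients only", apps=frozenset({"Exchange Online"}),
           approved_client_apps=frozenset({"outlook"})),
    Policy("Managed devices for HR app", apps=frozenset({"HR Portal"}), require_managed_device=True),
    Policy("Block unexpected countries", outside_countries=frozenset({"US", "CA"}), block=True),
)


def demo():
    base = dict(roles=frozenset(), app="Exchange Online", client_app="outlook",
                country="US", on_corp_network=True, device_managed=True)
    cases = {
        "admin_on_site": SignIn("alice", **{**base, "roles": frozenset({"Global Administrator"})}),
        "user_on_site": SignIn("bob", **base),
        "user_at_home": SignIn("bob", **{**base, "on_corp_network": False}),
        "legacy_imap": SignIn("bob", **{**base, "client_app": "legacy-imap"}),
        "hr_from_byod": SignIn("bob", **{**base, "app": "HR Portal", "device_managed": False}),
        "unexpected_country": SignIn("bob", **{**base, "country": "RU", "on_corp_network": False}),
    }
    return {name: evaluate(POLICIES, s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```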

102
Q

Describe Azure role-based access control

A

Azure role-based access control (Azure RBAC) grants access by assigning roles, at a chosen scope, to security principals such as users and groups, rather than handing out permissions to individuals one at a time. For example, if you hire a new engineer and add them to the Azure RBAC group for engineers, they automatically get the same access as the other engineers in that group. Similarly, if you add resources and point Azure RBAC at them, everyone in that group gets those permissions on the new resources as well as the existing ones.

103
Q

How is role-based access control applied to resources?

A

Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.

Roles and scopes fit together like this: a management group, subscription, or resource group admin might be given the Owner role, so they have increased control and authority. An observer, who isn’t expected to make any updates, might be given the Reader role for the same scope, enabling them to review or observe the management group, subscription, or resource group.

When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.
When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.

104
Q

How is Azure RBAC enforced?

A

Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn’t enforce access permissions at the application or data level. Application security must be handled by your application.

Azure RBAC uses an allow model. When you’re assigned a role, Azure RBAC allows you to perform actions within the scope of that role. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group. Role definitions can’t deny anything; the only exception is deny assignments, which Azure itself creates (for example through Azure Blueprints or managed applications) and which take precedence over role assignments.

105
Q

Describe zero trust model

A

Zero Trust is a security model that assumes the worst case scenario and protects resources with that expectation. Zero Trust assumes breach at the outset, and then verifies each request as though it originated from an uncontrolled network.

Today, organizations need a new security model that effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they’re located.

To address this new world of computing, Microsoft highly recommends the Zero Trust security model, which is based on these guiding principles:

Verify explicitly - Always authenticate and authorize based on all available data points.
Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach - Minimize blast radius and segment access. Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses.

106
Q

Describe defense-in-depth

A

The objective of defense-in-depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it.

A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.

107
Q

Layers of defense-in-depth

A

The physical security layer is the first line of defense to protect computing hardware in the datacenter.
The identity and access layer controls access to infrastructure and change control.
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
The network layer limits communication between resources through segmentation and access controls.
The compute layer secures access to virtual machines.
The application layer helps ensure that applications are secure and free of security vulnerabilities.
The data layer controls access to business and customer data that you need to protect.

108
Q

Physical security

A

Physically securing access to buildings and controlling access to computing hardware within the datacenter are the first line of defense.

With physical security, the intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can’t be bypassed, and loss or theft is handled appropriately. Microsoft uses various physical security mechanisms in its cloud datacenters.

109
Q

Identity and access Layer

A

The identity and access layer is all about ensuring that identities are secure, that access is granted only to what’s needed, and that sign-in events and changes are logged.

At this layer, it’s important to:

Control access to infrastructure and change control.
Use single sign-on (SSO) and multifactor authentication.
Audit events and changes.

110
Q

Network Perimeter

A

The network perimeter protects from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.

At this layer, it’s important to:

Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
Use perimeter firewalls to identify and alert on malicious attacks against your network.

111
Q

Network Layer

A

At this layer, the focus is on limiting the network connectivity across all your resources to allow only what’s required. By limiting this communication, you reduce the risk of an attack spreading to other systems in your network.

At this layer, it’s important to:

Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound access where appropriate.
Implement secure connectivity to on-premises networks.
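"Deny by default" and "limit communication between resources" are enforced in Azure with network security group (NSG) rules, so here is an added example of my own (not code from the flashcards or from Microsoft) that simulates how an NSG evaluates inbound traffic: rules are tried in ascending priority number, the first match wins, and the built-in default rules come last. The two custom rule sets (a weak one with SSH open to the internet, and a hardened one) and the 10.0.0.0/16 virtual network range are made up; the three default rules, their priorities, and the 168.63.129.16 load-balancer probe address are Azure's real values. One thing the example makes visible: the default AllowVnetInBound rule allows every port between resources in the same virtual network, so limiting east-west traffic needs an explicit deny with a lower priority number.

```python
# Added example (not from the flashcards or from Microsoft): simulates how an Azure
# network security group evaluates inbound rules (ascending priority number, first
# match wins, built-in default rules last). The custom rule sets and the 10.0.0.0/16
# VNet address space are made up; the default rules and 168.63.129.16 are Azure's.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules; lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR, "*" or a service tag
    dest_ports: tuple      # e.g. ("22",), ("80", "443"), ("1024-65535",), ("*",)


# Present in every NSG; they can't be deleted, only overridden by a lower-numbered rule.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", ("*",)),
)

# Assumed address space behind the service tags (Azure resolves these itself).
SERVICE_TAGS = {"VirtualNetwork": ("10.0.0.0/16",), "AzureLoadBalancer": ("168.63.129.16/32",)}


def _source_matches(rule: Rule, src_ip: str) -> bool:
    if rule.source == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    nets = SERVICE_TAGS.get(rule.source, (rule.source,))
    return any(ip in ipaddress.ip_network(n) for n in nets)


def _port_matches(ranges: tuple, port: int) -> bool:
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(rules, src_ip: str, protocol: str, dest_port: int):
    """Return (access, rule_name) of the first matching rule, lowest priority number first."""
    for r in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if _source_matches(r, src_ip) and _port_matches(r.dest_ports, dest_port):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Weak: a management port open to the whole internet.
WEAK = (
    Rule("AllowSSHFromAnywhere", 100, "Allow", "Tcp", "*", ("22",)),
    Rule("AllowHttpsFromInternet", 110, "Allow", "Tcp", "*", ("443",)),
)

# Hardened: SSH only from the management subnet, HTTPS from anywhere, and an explicit
# deny for RDP between VNet resources (otherwise AllowVnetInBound would allow it).
HARDENED = (
    Rule("AllowSSHFromBastionSubnet", 100, "Allow", "Tcp", "10.0.1.0/24", ("22",)),
    Rule("AllowHttpsFromInternet", 110, "Allow", "Tcp", "*", ("443",)),
    Rule("DenyRdpInsideVnet", 4000, "Deny", "Tcp", "VirtualNetwork", ("3389",)),
)


if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "internet->22:", evaluate_inbound(rules, "203.0.113.5", "Tcp", 22))
        print(label, "vnet->3389:  ", evaluate_inbound(rules, "10.0.2.4", "Tcp", 3389))
```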

112
Q

Compute Layer

A

Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues.

At this layer, it’s important to:

Secure access to virtual machines.
Implement endpoint protection on devices and keep systems patched and current.

113
Q

Application Layer

A

Integrating security into the application development lifecycle helps reduce the number of vulnerabilities introduced in code. Every development team should ensure that its applications are secure by default.

At this layer, it’s important to:

Ensure that applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application development.

114
Q

Data

A

Those who store and control access to data are responsible for ensuring that it’s properly secured. Often, regulatory requirements dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.

In almost all cases, attackers are after data:

Stored in a database.
Stored on disk inside virtual machines.
Stored in software as a service (SaaS) applications, such as Office 365.
Managed through cloud storage.

115
Q

Describe Microsoft Defender for Cloud

A

Defender for Cloud is a monitoring tool for security posture management and threat protection. It monitors your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications aimed at strengthening your security posture.

Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyber attacks, and streamline security management. Because it’s natively integrated with Azure, enabling it for Azure resources requires no deployment.

116
Q

Azure-native protections

A

Azure PaaS services – Detect threats targeting Azure services including Azure App Service, Azure SQL, Azure Storage Account, and more data services. You can also perform anomaly detection on your Azure activity logs using the native integration with Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
Azure data services – Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, and recommendations for how to mitigate them.
Networks – Defender for Cloud helps you limit exposure to brute force attacks. By reducing access to virtual machine ports, using the just-in-time VM access, you can harden your network by preventing unnecessary access. You can set secure access policies on selected ports, for only authorized users, allowed source IP address ranges or IP addresses, and for a limited amount of time.

117
Q

Assess, Secure, and Defend definitions

A

Continuously assess – Know your security posture. Identify and track vulnerabilities.
Secure – Harden resources and services with Azure Security Benchmark.
Defend – Detect and resolve threats to resources, workloads, and services.

118
Q

Which Azure Active Directory tool can vary the credentials needed to log in based on signals, such as where the user is located?

A

Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. Conditional Access might challenge you for a second authentication factor if your sign-in signals are unusual or from an unexpected location.

119
Q

Which security model assumes the worst-case security scenario, and protects resources accordingly?

A

Zero Trust is a security model that assumes the worst-case scenario and protects resources with that expectation.

120
Q

A user is simultaneously assigned multiple roles that use role-based access control. What are their actual permissions? The role permissions are: Role 1 - read || Role 2 - write || Role 3 - read and write.

A

Role-based access control, using an allow model, grants all of the permissions assigned in all of the assigned roles.

121
Q

Describe Azure storage accounts

A

A storage account provides a unique namespace for your Azure Storage data that’s accessible from anywhere in the world over HTTP or HTTPS. Data in this account is secure, highly available, durable, and massively scalable.

When you create your storage account, you’ll start by picking the storage account type. The type of account determines the storage services and redundancy options and has an impact on the use cases. Below is a list of redundancy options that will be covered later in this module:

Locally redundant storage (LRS)
Geo-redundant storage (GRS)
Read-access geo-redundant storage (RA-GRS)
Zone-redundant storage (ZRS)
Geo-zone-redundant storage (GZRS)
Read-access geo-zone-redundant storage (RA-GZRS)

122
Q

Standard general-purpose v2

A

Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.

123
Q

Premium block blobs

A

Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.

124
Q

Premium file shares

A

Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.

125
Q

Premium page blobs

A

Premium storage account type for page blobs only.

126
Q

Storage account endpoints

A

One of the benefits of using an Azure Storage Account is having a unique namespace in Azure for your data. In order to do this, every storage account in Azure must have a unique-in-Azure account name. The combination of the account name and the Azure Storage service endpoint forms the endpoints for your storage account.

When naming your storage account, keep these rules in mind:

Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
Your storage account name must be unique within Azure. No two storage accounts can have the same name. This supports the ability to have a unique, accessible namespace in Azure.

127
Q

Describe Azure storage redundancy

A

Azure Storage always stores multiple copies of your data so that it’s protected from planned and unplanned events such as transient hardware failures, network or power outages, and natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures.

When deciding which redundancy option is best for your scenario, consider the tradeoffs between lower costs and higher availability. The factors that help determine which redundancy option you should choose include:

How your data is replicated in the primary region.
Whether your data is replicated to a second region that is geographically distant to the primary region, to protect against regional disasters.
Whether your application requires read access to the replicated data in the secondary region if the primary region becomes unavailable.

128
Q

Redundancy in the primary region

A

Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region, locally redundant storage (LRS) and zone-redundant storage (ZRS).

129
Q

Locally redundant storage

A

Locally redundant storage (LRS) replicates your data three times within a single data center in the primary region. LRS provides at least 11 nines of durability (99.999999999%) of objects over a given year.

130
Q

LRS

A

LRS is the lowest-cost redundancy option and offers the least durability compared to other options. LRS protects your data against server rack and drive failures. However, if a disaster such as fire or flooding occurs within the data center, all replicas of a storage account using LRS may be lost or unrecoverable. To mitigate this risk, Microsoft recommends using zone-redundant storage (ZRS), geo-redundant storage (GRS), or geo-zone-redundant storage (GZRS).

131
Q

Zone-redundant storage

A

For availability zone-enabled regions, zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year.

132
Q

Redundancy in a secondary region

A

For applications requiring high durability, you can choose to additionally copy the data in your storage account to a secondary region that is hundreds of miles away from the primary region. If the data in your storage account is copied to a secondary region, then your data is durable even in the event of a catastrophic failure that prevents the data in the primary region from being recovered.

Because data is replicated to the secondary region asynchronously, a failure that affects the primary region may result in data loss if the primary region can’t be recovered. The interval between the most recent writes to the primary region and the last write to the secondary region is known as the recovery point objective (RPO). The RPO indicates the point in time to which data can be recovered. Azure Storage typically has an RPO of less than 15 minutes, although there’s currently no SLA on how long it takes to replicate data to the secondary region.

133
Q

Geo-redundant storage

A

GRS copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region (the region pair) using LRS. GRS offers durability for Azure Storage data objects of at least 16 nines (99.99999999999999%) over a given year.

134
Q

Geo-zone-redundant storage

A

GZRS combines the high availability provided by redundancy across availability zones with protection from regional outages provided by geo-replication. Data in a GZRS storage account is copied across three Azure availability zones in the primary region (similar to ZRS) and is also replicated to a secondary geographic region, using LRS, for protection from regional disasters. Microsoft recommends using GZRS for applications requiring maximum consistency, durability, and availability, excellent performance, and resilience for disaster recovery.

135
Q

Describe Azure storage services

A

Azure Blobs: A massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.
Azure Files: Managed file shares for cloud or on-premises deployments.
Azure Queues: A messaging store for reliable messaging between application components.
Azure Disks: Block-level storage volumes for Azure VMs.

136
Q

Benefits of Azure Storage

A

Durable and highly available. Redundancy ensures that your data is safe if transient hardware failures occur. You can also opt to replicate data across data centers or geographical regions for additional protection from local catastrophes or natural disasters. Data replicated in this way remains highly available if an unexpected outage occurs.
Secure. All data written to an Azure storage account is encrypted by the service. Azure Storage provides you with fine-grained control over who has access to your data.
Scalable. Azure Storage is designed to be massively scalable to meet the data storage and performance needs of today’s applications.
Managed. Azure handles hardware maintenance, updates, and critical issues for you.
Accessible. Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS. Microsoft provides client libraries for Azure Storage in a variety of languages, including .NET, Java, Node.js, Python, PHP, Ruby, Go, and others, as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.

137
Q

Blob storage

A

Azure Blob Storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.

Blobs aren’t limited to common file formats. A blob could contain gigabytes of binary data streamed from a scientific instrument, an encrypted message for another application, or data in a custom format for an app you’re developing. One advantage of blob storage over disk storage is that it doesn’t require developers to think about or manage disks. Data is uploaded as blobs, and Azure takes care of the physical storage needs.

Blob storage is ideal for:

Serving images or documents directly to a browser.
Storing files for distributed access.
Streaming video and audio.
Storing data for backup and restore, disaster recovery, and archiving.
Storing data for analysis by an on-premises or Azure-hosted service.

138
Q

Accessing blob storage

A

Objects in Blob storage can be accessed from anywhere in the world via HTTP or HTTPS. Users or client applications can access blobs via URLs, the Azure Storage REST API, Azure PowerShell, Azure CLI, or an Azure Storage client library. The storage client libraries are available for multiple languages, including .NET, Java, Node.js, Python, PHP, and Ruby.

139
Q

Blob storage tiers

A

Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).

The following considerations apply to the different access tiers:

Only the hot and cool access tiers can be set at the account level. The archive access tier isn’t available at the account level.
Hot, cool, and archive tiers can be set at the blob level, during or after upload.
Data in the cool access tier can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data. For cool data, a slightly lower availability service-level agreement (SLA) and higher access costs compared to hot data are acceptable trade-offs for lower storage costs.
Archive storage stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data.

140
Q

Azure Files

A

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) or Network File System (NFS) protocols. Azure Files file shares can be mounted concurrently by cloud or on-premises deployments. SMB Azure file shares are accessible from Windows, Linux, and macOS clients. NFS Azure file shares are accessible from Linux or macOS clients. Additionally, SMB Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

141
Q

Azure Files key benefits

A

Shared access: Azure file shares support the industry standard SMB and NFS protocols, meaning you can seamlessly replace your on-premises file shares with Azure file shares without worrying about application compatibility.
Fully managed: Azure file shares can be created without the need to manage hardware or an OS. This means you don’t have to deal with patching the server OS with critical security upgrades or replacing faulty hard disks.
Scripting and tooling: PowerShell cmdlets and Azure CLI can be used to create, mount, and manage Azure file shares as part of the administration of Azure applications. You can create and manage Azure file shares using Azure portal and Azure Storage Explorer.
Resiliency: Azure Files has been built from the ground up to always be available. Replacing on-premises file shares with Azure Files means you don’t have to wake up in the middle of the night to deal with local power outages or network issues.
Familiar programmability: Applications running in Azure can access data in the share via file system I/O APIs. Developers can therefore leverage their existing code and skills to migrate existing applications. In addition to System IO APIs, you can use Azure Storage Client Libraries or the Azure Storage REST API.

142
Q

Azure Queue storage

A

Azure Queue Storage is a service for storing large numbers of messages. Once stored, you can access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue can contain as many messages as your storage account has room for (potentially millions). Each individual message can be up to 64 KB in size. Queues are commonly used to create a backlog of work to process asynchronously.

Queue storage can be combined with compute functions like Azure Functions to take an action when a message is received. For example, suppose you want to perform an action after a customer uploads a form to your website. You could have the submit button on the website trigger a message to the Queue storage. Then, you could use Azure Functions to trigger an action once the message was received.

143
Q

Disk storage

A

Disk storage, or Azure managed disks, are block-level storage volumes managed by Azure for use with Azure VMs. Conceptually, they’re the same as a physical disk, but they’re virtualized – offering greater resiliency and availability than a physical disk. With managed disks, all you have to do is provision the disk, and Azure will take care of the rest.

144
Q

Azure Migrate

A

Azure Migrate is a service that helps you migrate from an on-premises environment to the cloud. Azure Migrate functions as a hub to help you manage the assessment and migration of your on-premises datacenter to Azure. It provides the following:

Unified migration platform: A single portal to start, run, and track your migration to Azure.
Range of tools: A range of tools for assessment and migration. Azure Migrate tools include Azure Migrate: Discovery and assessment and Azure Migrate: Server Migration. Azure Migrate also integrates with other Azure services and tools, and with independent software vendor (ISV) offerings.
Assessment and migration: In the Azure Migrate hub, you can assess and migrate your on-premises infrastructure to Azure.

145
Q

Integrated tools

A

Azure Migrate: Discovery and assessment. Discover and assess on-premises servers running on VMware, Hyper-V, and physical servers in preparation for migration to Azure.
Azure Migrate: Server Migration. Migrate VMware VMs, Hyper-V VMs, physical servers, other virtualized servers, and public cloud VMs to Azure.
Data Migration Assistant. Data Migration Assistant is a stand-alone tool to assess SQL Servers. It helps pinpoint potential problems blocking migration. It identifies unsupported features, new features that can benefit you after migration, and the right path for database migration.
Azure Database Migration Service. Migrate on-premises databases to Azure VMs running SQL Server, Azure SQL Database, or SQL Managed Instances.
Web app migration assistant. Azure App Service Migration Assistant is a standalone tool to assess on-premises websites for migration to Azure App Service. Use Migration Assistant to migrate .NET and PHP web apps to Azure.
Azure Data Box. Use Azure Data Box products to move large amounts of offline data to Azure.

146
Q

Azure Data Box

A

Azure Data Box is a physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box storage device that has a maximum usable storage capacity of 80 terabytes. The Data Box is transported to and from your datacenter via a regional carrier. A rugged case protects and secures the Data Box from damage during transit.

You can order the Data Box device via the Azure portal to import or export data from Azure. Once the device is received, you can quickly set it up using the local web UI and connect it to your network. Once you’re finished transferring the data (either into or out of Azure), simply return the Data Box. If you’re transferring data into Azure, the data is automatically uploaded once Microsoft receives the Data Box back. The entire process is tracked end-to-end by the Data Box service in the Azure portal.

147
Q

use case list

A

Data Box is ideally suited to transfer data sizes larger than 40 TB in scenarios with no or limited network connectivity. The data movement can be one-time, periodic, or an initial bulk data transfer followed by periodic transfers.

Here are the various scenarios where Data Box can be used to import data to Azure.

One-time migration - when a large amount of on-premises data is moved to Azure.
Moving a media library from offline tapes into Azure to create an online media library.
Migrating your VM farm, SQL server, and applications to Azure.
Moving historical data to Azure for in-depth analysis and reporting using HDInsight.
Initial bulk transfer - when an initial bulk transfer is done using Data Box (seed) followed by incremental transfers over the network.
Periodic uploads - when a large amount of data is generated periodically and needs to be moved to Azure.

148
Q

AzCopy

A

AzCopy is a command-line utility that you can use to copy blobs or files to or from your storage account. With AzCopy, you can upload files, download files, copy files between storage accounts, and even synchronize files. AzCopy can even be configured to work with other cloud providers to help move files back and forth between clouds.

Important

Synchronizing blobs or files with AzCopy is one-directional synchronization. When you synchronize, you designate the source and destination, and AzCopy copies files or blobs in that direction. It doesn’t synchronize bi-directionally based on timestamps or other metadata.

149
Q

Azure Storage Explorer

A

Azure Storage Explorer is a standalone app that provides a graphical interface to manage files and blobs in your Azure Storage Account. It works on Windows, macOS, and Linux operating systems and uses AzCopy on the backend to perform all of the file and blob management tasks. With Storage Explorer, you can upload to Azure, download from Azure, or move between storage accounts.

150
Q

Azure File Sync

A

Azure File Sync is a tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance, and compatibility of a Windows file server. It’s almost like turning your Windows file server into a miniature content delivery network. Once you install Azure File Sync on your local Windows server, it will automatically stay bi-directionally synced with your files in Azure.

With Azure File Sync, you can:

Use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS.
Have as many caches as you need across the world.
Replace a failed local server by installing Azure File Sync on a new server in the same datacenter.
Configure cloud tiering so the most frequently accessed files are replicated locally, while infrequently accessed files are kept in the cloud until requested.

151
Q

Which tool automatically keeps files between an on-premises Windows server and an Azure cloud environment updated?

A

Azure File Sync maintains a bidirectional synchronization of files between your on-premises and cloud Windows servers.

152
Q

Which storage redundancy option provides the highest degree of durability, with 16 nines of durability?

A

Geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS) both provide 16 nines of durability.

153
Q

Which Azure Storage service supports big data analytics, as well as handling text and binary data types?

A

Azure Blobs is a massively scalable object store for text and binary data. Azure Blobs also includes support for big data analytics through Data Lake Storage Gen2.

154
Q

Describe the purpose of Azure Advisor

A

Azure Advisor evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs. Azure Advisor is designed to help you save time on cloud optimization. The recommendation service includes suggested actions you can take right away, postpone, or dismiss.

The recommendations are available via the Azure portal and the API, and you can set up notifications to alert you to new recommendations.

When you’re in the Azure portal, the Advisor dashboard displays personalized recommendations for all your subscriptions. You can use filters to select recommendations for specific subscriptions, resource groups, or services. The recommendations are divided into five categories:

Reliability is used to ensure and improve the continuity of your business-critical applications.
Security is used to detect threats and vulnerabilities that might lead to security breaches.
Performance is used to improve the speed of your applications.
Operational Excellence is used to help you achieve process and workflow efficiency, resource manageability, and deployment best practices.
Cost is used to optimize and reduce your overall Azure spending.

155
Q

Describe Azure Service Health

A

Azure Service Health helps you keep track of Azure resources, both your specifically deployed resources and the overall status of Azure. Azure Service Health does this by combining three different Azure services:

Azure Status is a broad picture of the status of Azure globally. Azure status informs you of service outages in Azure on the Azure Status page. The page is a global view of the health of all Azure services across all Azure regions. It’s a good reference for incidents with widespread impact.
Service Health provides a narrower view of Azure services and regions. It focuses on the Azure services and regions you’re using. This is the best place to look for service impacting communications about outages, planned maintenance activities, and other health advisories because the authenticated Service Health experience knows which services and resources you currently use. You can even set up Service Health alerts to notify you when service issues, planned maintenance, or other changes may affect the Azure services and regions you use.
Resource Health is a tailored view of your actual Azure resources. It provides information about the health of your individual cloud resources, such as a specific virtual machine instance. Using Azure Monitor, you can also configure alerts to notify you of availability changes to your cloud resources.

156
Q

Describe Azure Monitor

A

Azure Monitor is a platform for collecting data on your resources, analyzing that data, visualizing the information, and even acting on the results. Azure Monitor can monitor Azure resources, your on-premises resources, and even multi-cloud resources like virtual machines hosted with a different cloud provider.

157
Q

Azure Log Analytics

A

Azure Log Analytics is the tool in the Azure portal where you’ll write and run log queries on the data gathered by Azure Monitor. Log Analytics is a robust tool that supports both simple and complex queries, as well as data analysis. You can write a simple query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze the records. You can write an advanced query to perform statistical analysis and visualize the results in a chart to identify a particular trend. Whether you work with the results of your queries interactively or use them with other Azure Monitor features such as log query alerts or workbooks, Log Analytics is the tool that you’re going to use to write and test those queries.

158
Q

Azure Monitor Alerts

A

Azure Monitor Alerts are an automated way to stay informed when Azure Monitor detects a threshold being crossed. You set the alert conditions and the notification actions, and then Azure Monitor Alerts notifies you when an alert is triggered. Depending on your configuration, Azure Monitor Alerts can also attempt corrective action.

159
Q

Application Insights

A

Application Insights, an Azure Monitor feature, monitors your web applications. Application Insights is capable of monitoring applications that are running in Azure, on-premises, or in a different cloud environment.

There are two ways to configure Application Insights to help monitor your application. You can either install an SDK in your application, or you can use the Application Insights agent. The Application Insights agent is supported in C#.NET, VB.NET, Java, JavaScript, Node.js, and Python.

Once Application Insights is up and running, you can use it to monitor a broad array of information, such as:

Request rates, response times, and failure rates
Dependency rates, response times, and failure rates, to show whether external services are slowing down performance
Page views and load performance reported by users’ browsers
AJAX calls from web pages, including rates, response times, and failure rates
User and session counts
Performance counters from Windows or Linux server machines, such as CPU, memory, and network usage

160
Q

Which is not one of the recommendation categories for Azure Advisor?

A

The five recommendation categories for Azure Advisor are: Reliability, Security, Performance, Operational Excellence, and Cost.

161
Q

You receive an email notification that virtual machines (VMs) in an Azure region where you have VMs deployed is experiencing an outage. Which component of Azure Service Health will let you know if your application is impacted?

A

Resource Health is a tailored view of your actual Azure resources. It provides information about the health of your individual cloud resources.

162
Q

Describe the purpose of tags

A

Resource management: Tags enable you to locate and act on resources that are associated with specific workloads, environments, business units, and owners.
Cost management and optimization: Tags enable you to group resources so that you can report on costs, allocate internal cost centers, track budgets, and forecast estimated cost.
Operations management: Tags enable you to group resources according to how critical their availability is to your business. This grouping helps you formulate service-level agreements (SLAs). An SLA is an uptime or performance guarantee between you and your users.
Security: Tags enable you to classify data by its security level, such as public or confidential.
Governance and regulatory compliance: Tags enable you to identify resources that align with governance or regulatory compliance requirements, such as ISO 27001. Tags can also be part of your standards enforcement efforts. For example, you might require that all resources be tagged with an owner or department name.
Workload optimization and automation: Tags can help you visualize all of the resources that participate in complex deployments. For example, you might tag a resource with its associated workload or application name and use software such as Azure DevOps to perform automated tasks on those resources.

163
Q

How do I manage resource tags?

A

You can add, modify, or delete resource tags through Windows PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.

You can use Azure Policy to enforce tagging rules and conventions. For example, you can require that certain tags be added to new resources as they’re provisioned. You can also define rules that reapply tags that have been removed. Resources don’t inherit tags from subscriptions and resource groups, meaning that you can apply tags at one level and not have those tags automatically show up at a different level, allowing you to create custom tagging schemas that change depending on the level (resource, resource group, subscription, and so on).

164
Q

What Azure feature can help stay organized and track usage based on metadata associated with resources?

A

Tags allow you to associate metadata with a resource to help keep track of resource management, costs and optimization, security, and so on.

165
Q

What’s the best method to estimate the cost of migrating to the cloud while incurring minimal costs?

A

The Total Cost of Ownership calculator lets you input your current infrastructure and requirements and provides you an estimate for running in the cloud.

166
Q

Describe the purpose of Azure Blueprints

A

Azure Blueprints lets you standardize cloud subscription or environment deployments. Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define repeatable settings and policies that are applied as new subscriptions are created. Need a new test/dev environment? Azure Blueprints lets you deploy a new Test/Dev environment with security and compliance settings already configured. In this way, development teams can rapidly build and deploy new environments with the knowledge that they’re building within organizational requirements.

167
Q

What are artifacts?

A

Each component in the blueprint definition is known as an artifact.

It is possible for artifacts to have no additional parameters (configurations). An example is the Deploy threat detection on SQL servers policy, which requires no additional configuration.

Artifacts can also contain one or more parameters that you can configure. The following screenshot shows the Allowed locations policy. This policy includes a parameter that specifies the allowed locations.

168
Q

Describe the purpose of Azure Policy

A

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across your resource configurations so that those configurations stay compliant with corporate standards.

169
Q

What are Azure Policy initiatives?

A

An Azure Policy initiative is a way of grouping related policies together. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.

For example, Azure Policy includes an initiative named Enable Monitoring in Azure Security Center. Its goal is to monitor all available security recommendations for all Azure resource types in Azure Security Center.

Under this initiative, the following policy definitions are included:

Monitor unencrypted SQL Database in Security Center: This policy monitors for unencrypted SQL databases and servers.
Monitor OS vulnerabilities in Security Center: This policy monitors servers that don’t satisfy the configured OS vulnerability baseline.
Monitor missing Endpoint Protection in Security Center: This policy monitors for servers that don’t have an installed endpoint protection agent.

In fact, the Enable Monitoring in Azure Security Center initiative contains over 100 separate policy definitions.

170
Q

Describe the purpose of the Service Trust portal

A

The Microsoft Service Trust Portal is a portal that provides access to various content, tools, and other resources about Microsoft security, privacy, and compliance practices.

The Service Trust Portal contains details about Microsoft’s implementation of controls and processes that protect our cloud services and the customer data therein. To access some of the resources on the Service Trust Portal, you must sign in as an authenticated user with your Microsoft cloud services account (Azure Active Directory organization account). You’ll need to review and accept the Microsoft non-disclosure agreement for compliance materials.

171
Q

How many parameters does an Azure Blueprint Artifact need to be valid?

A

It is possible for artifacts to have no additional parameters. An example is the Deploy threat detection on SQL servers policy, which requires no additional configuration.

172
Q

How can you prevent non-compliant resources from being created, without having to manually evaluate each resource as it’s created?

A

Azure Policy lets you create policies and initiatives (groups of policies) that prevent non-compliant resources from being created.

173
Q

A company can extend a private cloud by adding its own physical servers to the public cloud.

A

no

174
Q

To build a hybrid cloud, you must deploy resources to the public cloud.

A

yes

175
Q

A private cloud must be disconnected from the internet.

A

no

176
Q

spending money upfront and then deducting that expense over time

A

Capital expenditure

177
Q

Which cloud model provides the greatest degree of flexibility?

A

The hybrid cloud model provides the greatest degree of flexibility, as you have the option to choose either public or private depending on your requirements.

178
Q

ARM templates

A

Infrastructure as code is a concept where you manage your infrastructure as lines of code. Leveraging Azure Cloud Shell, Azure PowerShell, or the Azure CLI are some examples of using code to deploy cloud infrastructure. ARM templates are another example of infrastructure as code at work.

By using ARM templates, you can describe the resources you want to use in a declarative JSON format. With an ARM template, the deployment code is verified before any code is run. This ensures that the resources will be created and connected correctly. The template then orchestrates the creation of those resources in parallel. That is, if you need 50 instances of the same resource, all 50 instances are created at the same time.

Ultimately, the developer, DevOps professional, or IT professional needs only to define the desired state and configuration of each resource in the ARM template, and the template does the rest. Templates can even execute PowerShell and Bash scripts before or after the resource has been set up.

179
Q

What service helps you manage your Azure, on-premises, and multi-cloud environments?

A

Azure Arc, working with Azure Resource Manager, lets you extend your Azure compliance and monitoring to your hybrid and multi-cloud configurations.

180
Q

What two components could you use to implement an “infrastructure as code” deployment?

A

Azure Blueprints applies policies in an automated fashion and ARM Templates allow you to deploy your resource as code. Using the two together helps ensure that you’re deploying consistent, compliant resources.

181
Q

What is Azure?

A

Azure is a continually expanding set of cloud services that help your organization meet your current and future business challenges. Azure gives you the freedom to build, manage, and deploy applications on a massive global network using your favorite tools and frameworks.

182
Q

What does Azure offer?

A

With help from Azure, you have everything you need to build your next great solution. The following table lists several of the benefits that Azure provides, so you can easily invent with purpose.

183
Q

Azure Virtual Machines

A

Windows or Linux virtual machines (VMs) hosted in Azure. One of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a virtual machine when you need more control over the computing environment than the other choices offer.

184
Q

Azure Virtual Machine Scale Sets

A

Scaling for Windows or Linux VMs hosted in Azure.

185
Q

Azure Kubernetes Service

A

Cluster management for VMs that run containerized services.

186
Q

Azure Service Fabric

A

Distributed systems platform that runs in Azure or on-premises.

187
Q

Azure Batch

A

Managed service for parallel and high-performance computing applications.

188
Q

Azure Container Instances

A

Containerized apps run on Azure without provisioning servers or VMs.

189
Q

Azure Functions

A

An event-driven, serverless compute service.

190
Q

Azure Virtual Network

A

Connects VMs to incoming virtual private network (VPN) connections.

191
Q

Azure Load Balancer

A

Balances inbound and outbound connections to applications or service endpoints.

192
Q

Azure Application Gateway

A

Optimizes app server farm delivery while increasing application security.

193
Q

Azure VPN Gateway

A

Accesses Azure Virtual Networks through high-performance VPN gateways.

194
Q

Azure DNS

A

Provides ultra-fast DNS responses and ultra-high domain availability.

195
Q

Azure Content Delivery Network

A

Delivers high-bandwidth content to customers globally.

196
Q

Azure DDoS Protection

A

Protects Azure-hosted applications from distributed denial of service (DDoS) attacks.

197
Q

Azure Traffic Manager

A

Distributes network traffic across Azure regions worldwide.

198
Q

Azure ExpressRoute

A

Connects to Azure over high-bandwidth dedicated secure connections.

199
Q

Azure Network Watcher

A

Monitors and diagnoses network issues by using scenario-based analysis.

200
Q

Azure Firewall

A

Implements high-security, high-availability firewall with unlimited scalability.

201
Q

Azure Virtual WAN

A

Creates a unified wide area network (WAN) that connects local and remote sites.

202
Q

Azure Blob storage

A

Storage service for very large objects, such as video files or bitmaps.

203
Q

Azure File storage

A

File shares that can be accessed and managed like a file server.

204
Q

Azure Queue storage

A

A data store for queuing and reliably delivering messages between applications.

205
Q

Azure Table storage

A

Table storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design.

206
Q

Azure Cosmos DB

A

Globally distributed database that supports NoSQL options.

207
Q

Azure SQL Database

A

Fully managed relational database with auto-scale, integral intelligence, and robust security.

208
Q

Azure Database for MySQL

A

Fully managed and scalable MySQL relational database with high availability and security.

209
Q

Azure Database for PostgreSQL

A

Fully managed and scalable PostgreSQL relational database with high availability and security.

210
Q

SQL Server on Azure Virtual Machines

A

Service that hosts enterprise SQL Server apps in the cloud.

211
Q

Azure Synapse Analytics

A

Fully managed data warehouse with integral security at every level of scale at no extra cost.

212
Q

Azure Database Migration Service

A

Service that migrates databases to the cloud with no application code changes.

213
Q

Azure Cache for Redis

A

Fully managed service that caches frequently used and static data to reduce data and application latency.

214
Q

Azure Database for MariaDB

A

Fully managed and scalable MariaDB relational database with high availability and security.

215
Q

Used to analyze data on end user devices.

A

Because it moves cloud analytics and custom business logic to devices so that your organization can focus on business insights instead of data management. Scale out your IoT solution by packaging your business logic into standard containers; you can then deploy those containers to any of your devices and monitor it all from the cloud. Analytics drives business value in IoT solutions, but not all analytics needs to be in the cloud. If you want to respond to emergencies as quickly as possible, you can run anomaly detection workloads at the edge. If you want to reduce bandwidth costs and avoid transferring terabytes of raw data, you can clean and aggregate the data locally, then only send the insights to the cloud for analysis.

216
Q

Monitor and control billions of Internet of Things (IoT) assets

A

Because an IoT Hub is a managed service, hosted in the cloud, that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloud-hosted solution back end. You can connect virtually any device to IoT Hub.

217
Q

Provides a fully managed SaaS (software-as-a-service) solution that makes it easy to connect, monitor and manage IoT assets at scale

A

IoT Central is an app platform that reduces the burden and cost associated with developing, managing, and maintaining enterprise-grade IoT solutions. Choosing to build with Azure IoT Central gives you the opportunity to focus your time, money, and energy on transforming your business with IoT data, rather than just maintaining and updating a complex and continually evolving IoT infrastructure.

218
Q

Azure Key Vault

A

A secure store for storing various types of sensitive information, including passwords and certificates.
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.

219
Q

Azure Activity Log

A

You would use the Azure Activity Log, not Azure Monitor, to view which user turned off a specific virtual machine during the last 14 days.
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more than 90 days in the past.
In this question, we would create a filter to display shutdown operations on the virtual machine in the last 14 days.

220
Q

what can be used to manage governance across multiple Azure subscriptions?

A

Management groups facilitate the hierarchical ordering of Azure resources into collections, at a level of scope above subscriptions. Distinct governance conditions can be applied to each management group, along with Azure Policy and Azure role-based access controls, to manage Azure subscriptions effectively. The resources and subscriptions assigned to a management group automatically inherit the conditions applied to the management group.

221
Q

What is a logical unit of Azure services that links to an Azure account?

A

An Azure subscription is a logical unit of Azure services that links to an Azure account. An Azure subscription is an object that represents a container that you can put resources in. Subscriptions are tied to tenants, so one tenant can have many subscriptions, but not vice versa.

222
Q

Azure Cosmos DB

A

Microsoft’s globally distributed, multi-model database service. With a click of a button, Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure regions worldwide.
Azure Cosmos DB is a great way to store unstructured and JSON data. Combined with Azure Functions, Cosmos DB makes storing data quick and easy with much less code than required for storing data in a relational database.

223
Q

Azure Databricks

A

Apache Spark-based analytics platform. The platform consists of several components, including MLlib. MLlib is a machine learning library consisting of common learning algorithms and utilities, including classification, regression, clustering, collaborative filtering, and dimensionality reduction, as well as underlying optimization primitives.

224
Q

Read-only geo-redundant storage

A

Allows you to have higher read availability for your storage account by providing “read only” access to the data replicated to the secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not available in the primary region. This is an “opt-in” feature which requires that the storage account be geo-replicated.

225
Q

Geo-redundant storage

A

replicates your data to another physical location in the secondary region to protect against regional outages. However, that data is available to be read only if the customer or Microsoft initiates a failover from the primary to secondary region. When you enable read access to the secondary region, your data is available to be read at all times, including in a situation where the primary region becomes unavailable. For read access to the secondary region, enable read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).

226
Q

Network Security Group

A

Allows you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

227
Q

Azure Key Vault

A

is a centralized cloud service for storing your applications’ secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.

228
Q

Service Trust Portal

A

Service Trust Portal is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.

229
Q

Azure Traffic Manager

A

enables you to control the distribution of traffic across your application endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure. Traffic Manager provides two key benefits: Distribution of traffic according to one of several traffic-routing methods.

230
Q

Azure Content Delivery Network

A

is a distributed network of servers that can efficiently deliver web content to users.

231
Q

What is Azure Information Protection?

A

AIP is a cloud-based solution that helps organizations classify and (optionally) protect their documents and emails by applying labels. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).

232
Q

IoT Central

A

a ready-made UX and API surface for connecting and managing devices at scale, delivering reliable data for business insights. It preassembles platform as a service (PaaS) offerings, bringing together each service beneath it for an easy-to-configure, comprehensive, and secure IoT offering.

233
Q

IoT Hub

A

acts as the communication hub where all your devices can connect and send data back to your central data hub.

234
Q

IoT Edge

A

Analyze data on end user devices

235
Q

Azure Time Series Insights

A

fully managed analytics, storage, and visualization service that makes it simple to explore and analyze billions of IoT events simultaneously. It gives you a global view of your data, which lets you quickly validate your IoT solution and avoid costly downtime to mission-critical devices.

236
Q

LOB application

A

usually large programs that contain a number of integrated capabilities and tie into databases and database management systems. Alternatively, in some large enterprise cultures, the term line of business or LOB is used as a synonym for corporate division.

237
Q

provides a common platform for deploying objects to a cloud infrastructure and for implementing consistency across the Azure environment.

A

Azure Resource Manager templates

238
Q

a comprehensive monitoring solution for collecting, analyzing, and responding to monitoring data from your cloud and on-premises environments. You can use to maximize the availability and performance of your applications and services.

A

Azure Monitor

239
Q

gives specific advice and walks you through the best practices for optimising Azure resources. Azure Advisor analyses the resource setup and technique and provides recommendations to help us improve the availability, performance, security, and cost-effectiveness of Azure resources.

A

Azure Advisor

240
Q

A built-in platform monitoring capability that gives a single pipeline for monitoring and diagnostics data across all Azure resource types, enabling us to easily monitor, diagnose, alert on, and report problems in the cloud infrastructure.

A

Azure Monitor

241
Q

provides information about your overall costs and utilization across all Azure services and Azure Marketplace products.

A

Azure Cost Management

242
Q

allows you to estimate and configure according to your specific requirements. You will then receive a consolidated estimated price and a detailed breakdown of the costs associated with each resource you added to your solution.

A

Azure pricing calculator

243
Q

a tool provided by Microsoft that helps users to estimate the costs of running their workloads on Azure, compared to running them on-premises or in another cloud platform.

A

Total Cost of Ownership Calculator

244
Q

Used to expose Azure services to a virtual network, providing communication between the two. ExpressRoute is used to connect an on-premises network to Azure. NSGs allow you to configure inbound and outbound rules for virtual networks and virtual machines. Peering allows you to connect virtual networks together.

A

Service endpoints

245
Q

You’re charged for only what you use. This model is also known as the pay-as-you-go rate.

A

Azure consumption-based model

246
Q

offers fully managed file shares in the cloud with shares that are accessible by using Server Message Block (SMB) protocol.

A

Azure Files

247
Q

connections and Azure VPN Gateway are two services that you can use to connect an on-premises network to Azure. Bastion provides a web interface to remotely administer Azure virtual machines by using SSH/RDP. Azure Firewall is a stateful firewall service used to protect virtual networks.

A

ExpressRoute

248
Q

allows you to create and manage cost and usage budgets by monitoring resource demand trends, consumption rates, and cost patterns. It also allows you to use historical data to generate reports and forecast future usage and expenditures.

A

Azure Cost Management

249
Q

are primarily for virtual machines, managed disks, load balancers, and SQL databases.

A

Availability zones

250
Q

Which Azure compute service can you use to deploy and manage a set of identical virtual machines?

A

Virtual Machine Scale Sets

251
Q

used to expose Azure services to a virtual network, providing communication between the two.

A

Service endpoints

252
Q

a tool that Azure AD uses to allow or deny access to resources based on identity signals, such as the device being used.

A

Conditional Access