test 2 Flashcards
(50 cards)
You are securing your virtual network in Azure. Which of the following practices would be effective for establishing secure communication paths within your virtual network and controlling inbound and outbound traffic? (Choose two)
Associate an NSG with the subnet.
Implement Azure Bastion for every virtual machine in the network.
Set up security rules in NSGs to define source, destination, and allowed traffic.
Assign a public IP address to each resource for direct access.
Associate an NSG with the subnet.
Set up security rules in NSGs to define source, destination, and allowed traffic.
To analyze system updates across multiple virtual machines, which feature of Azure Monitor should you utilize?
Metrics
Insights
Log Analytics
Alerts
Log Analytics
Explanation
Log Analytics in Azure Monitor allows you to collect, analyze, and visualize log and performance data from multiple sources, including virtual machines. By utilizing Log Analytics, you can track system updates, identify trends, and troubleshoot issues across multiple virtual machines effectively.
Which of the following statements are true regarding managing licenses in Microsoft Entra ID?
Licenses can be assigned to individual users.
Licenses are automatically provisioned when a new user is created.
Licenses can be assigned to groups.
Each user can have only one license.
Licenses can be assigned to individual users.
Explanation
Licenses can indeed be assigned to individual users in Microsoft Entra ID, allowing organizations to control access to specific features and services based on user roles and responsibilities.
Licenses can be assigned to groups.
Explanation
In Microsoft Entra ID, licenses can be assigned to groups as well, enabling organizations to manage licenses more efficiently by assigning them to groups of users with similar needs or roles.
In Azure, Role-Based Access Control (RBAC) can be assigned at various levels.
Which of the following scopes are valid levels for assigning roles in Azure?
Resource Group
Management Group
Subscription
Virtual Network
Resource Group
Explanation
Assigning roles at the Resource Group level in Azure allows for granular control over permissions for a specific set of resources that are grouped together. This level of scope is beneficial for managing access to resources that are related to a particular project or team, ensuring that only authorized users have the necessary permissions.
Management Group
Explanation
Management Groups in Azure serve as containers for organizing and managing resources, subscriptions, and policies. By assigning roles at the Management Group level, you can establish consistent access controls and governance practices across multiple subscriptions within the same hierarchy, making it a valid level for role assignment in Azure.
Subscription
Explanation
At the Subscription level in Azure, Role-Based Access Control (RBAC) enables administrators to define who has access to resources and what actions they can perform within a specific subscription. Assigning roles at this level ensures that permissions are managed effectively across all resources and services within the subscription.
Virtual Network
Explanation
While Virtual Networks in Azure play a crucial role in network connectivity and isolation, they are also valid levels for assigning roles in Role-Based Access Control (RBAC). The resource level is the most granular scope, referring to an individual resource like a virtual machine, storage account, or database. Assigning a role at the resource level means the role assignment applies only to that specific resource.
Which of the following statements are true regarding Azure resource management?
Tags can be used to organize resources and manage costs.
Resource groups are logical containers for resources deployed on Azure.
Every resource can be in only one resource group.
Policies can be used to enforce tags on resources.
All options are correct.
When configuring an Azure Storage account, which of the following redundancy options are available?
Local Redundancy Storage (LRS)
(Read-Access) Geo-Zone-Redundant Storage ((RA)-GZRS)
Object-Level Redundancy (OLR)
(Read-Access) Geo-Redundant Storage ((RA)-GRS)
Local Redundancy Storage (LRS)
(Read-Access) Geo-Zone-Redundant Storage ((RA)-GZRS)
(Read-Access) Geo-Redundant Storage ((RA)-GRS)
When examining an Azure Resource Manager (ARM) template, which of the following elements can be commonly found?
Resources
Outputs
Dependencies
Extensions
Variables
Resources
Outputs
Variables
You have successfully deployed resources using an ARM template. Now, you want to use the Bicep language to manage these resources in the future.
What command do you use to transition from ARM to Bicep?
bicep build
bicep compile
bicep version
bicep decompile
bicep decompile
Your organization follows strict security policies, and you are required to generate a SAS token for a container in a storage account. You also need to ensure that if the security requirements change, the SAS token permissions can be altered without regenerating the token.
What should you use?
Generate an account-level SAS without any stored access policy.
Generate a service-level SAS linked to a stored access policy.
Generate an account-level SAS and link it to a role-based access control (RBAC) policy.
Use managed identity to access the container.
Generate a service-level SAS linked to a stored access policy.
You are managing data between two storage accounts. You have just set up object replication between these accounts. Using AzCopy, you noticed that some blobs that existed before enabling replication haven’t been replicated.
What steps should you consider next? (Choose two)
Disabling and Re-enabling Replication
Use Azure Storage Explorer to manually copy the missing blobs.
Use AzCopy to copy the pre-existing blobs between the source and destination.
Changing Blob Types
Use Azure Storage Explorer to manually copy the missing blobs.
Use AzCopy to copy the pre-existing blobs between the source and destination.
A company wishes to optimize its costs related to Blob Storage. They have a mix of frequently accessed data, data that’s accessed occasionally, and archives. They also want data that hasn’t been accessed for 180 days to be deleted automatically.
Which actions should the company take? (Choose three)
Set infrequently accessed blobs to the “Cool” access tier.
Set archives to “Premium” access tier.
Configure a lifecycle management policy to delete blobs that haven’t been accessed in 180 days.
Use the “Hot” access tier for frequently accessed data.
Only use the Hot Access tier.
Set infrequently accessed blobs to the “Cool” access tier.
Configure a lifecycle management policy to delete blobs that haven’t been accessed in 180 days.
Use the “Hot” access tier for frequently accessed data.
Your organization has recently decided to adopt Bicep as the primary language for infrastructure as code on Azure.
Which of the following actions can you perform with Bicep?
Directly convert an ARM template JSON file to a Bicep file using Azure CLI.
Deploy resources to Azure using a Bicep file without any pre-compilation.
Translate a Bicep file into an equivalent ARM template JSON file.
Validate a Bicep file using Azure PowerShell without deploying it.
Directly convert an ARM template JSON file to a Bicep file using Azure CLI.
Deploy resources to Azure using a Bicep file without any pre-compilation.
Translate a Bicep file into an equivalent ARM template JSON file.
Validate a Bicep file using Azure PowerShell without deploying it.
You are tasked with ensuring the confidentiality and security of data at rest within your Azure virtual machines.
Which of the following actions will help you achieve this? (Choose two).
Encrypt VM OS and data disks using Azure Disk Encryption.
Convert unmanaged disks to managed disks.
Enable Defender for the virtual machines.
Store VM disks in Azure Blob Storage with a private access level.
Encrypt VM OS and data disks using Azure Disk Encryption.
Convert unmanaged disks to managed disks.
You are responsible for developing a containerized application workflow for your organization. You decide to use Azure to streamline deployment and scaling.
Which of the following actions are critical to successfully deploy and scale a containerized application in Azure?
Create an Azure Container Registry and store the Docker images.
Deploy the container using Azure Container Services for orchestration.
Provision the application using Azure Container Instances for rapid elasticity.
Enable auto-scaling and customize scaling rules in Azure Container Apps.
Create an Azure Container Registry and store the Docker images.
Enable auto-scaling and customize scaling rules in Azure Container Apps.
You are setting up a highly available e-commerce web application in Azure. You decide to use Azure App Service for hosting the application.
Which of the following configurations will ensure that the application remains operational during regional outages and maintenance?
Deploy the app to multiple regions and use Azure Front Door for load balancing
Deploy the App Service in a single region and enable Geo-Redundant backups.
Deploy the App Service in a single region with multiple deployment slots.
Use an Azure CDN in front of the App Service.
Deploy the app to multiple regions and use Azure Front Door for load balancing
You have been tasked to optimize a mission-critical Azure App Service for security, continuity, and agility.
Which of the following actions should you take?
Map a custom domain to the App Service and configure a managed certificate for Transport Layer Security (TLS).
Configure daily backups of the App Service with a retention period of 30 days.
Set up deployment slots for staging and testing new features before production deployment.
Disable the public endpoint and enable Azure Private Link for secure access to the App Service.
Map a custom domain to the App Service and configure a managed certificate for Transport Layer Security (TLS).
Configure daily backups of the App Service with a retention period of 30 days.
Set up deployment slots for staging and testing new features before production deployment.
Disable the public endpoint and enable Azure Private Link for secure access to the App Service.
You’ve been assigned to ensure that traffic from the Internet to your Azure virtual machine (VM) is restricted only to HTTP and HTTPS. However, internal traffic within your VNet should flow freely.
Which of the following configurations would best suit this requirement?
Implement an NSG with inbound security rules that allow HTTP and HTTPS traffic and associate it with the subnet of your VM.
Implement an NSG with inbound security rules that allow HTTP and HTTPS traffic and associate it with the VM’s network interface.
Implement an application security group and associate it with the VM. Allow only HTTP and HTTPS traffic.
Remove all security groups and use Azure Firewall for these rules.
Implement an NSG with inbound security rules that allow HTTP and HTTPS traffic and associate it with the VM’s network interface.
Explanation
Implementing an NSG with inbound security rules that allow only HTTP and HTTPS traffic and associating it with the VM’s network interface would ensure that only HTTP and HTTPS traffic from the Internet reaches the VM while allowing internal VNet traffic to flow freely. This configuration meets the requirement of restricting Internet traffic to HTTP and HTTPS.
You are architecting a secure Azure environment. You want to ensure that your VMs are accessible only from within the Azure portal and your Azure SQL Database is only accessible from a specific VNet.
Which of the following should you consider implementing?
Deploy Azure Bastion in the VNet where your VMs are located.
Implement Azure Private Link for your Azure SQL Database.
Configure a service endpoint on the VNet for Azure SQL Database.
Use Azure Front Door to secure VM access.
Deploy Azure Bastion in the VNet where your VMs are located.
Configure a service endpoint on the VNet for Azure SQL Database.
You are setting up a custom domain for your Azure Web App and plan to use Azure DNS. What type of record should you establish in Azure DNS to point to the hostname of your Azure Web App?
A Record
CNAME Record
MX Record
TXT Record
CNAME Record
Explanation
A CNAME Record, also known as Canonical Name Record, is used to alias one domain name to another. In the context of setting up a custom domain for an Azure Web App, a CNAME Record is the appropriate choice to point to the hostname of the Web App.
You have an Azure environment that uses a standard load balancer to distribute traffic across several VMs. Lately, some users report they cannot access the application. You suspect a load-balancing issue.
Which of the following steps should you take to troubleshoot the problem?
Check the backend health of the load balancer.
Verify the NSG rules associated with the subnet or NIC of the VMs to ensure traffic is allowed.
Ensure the VMs have a static public IP address.
Confirm that the health probes of the load balancer are correctly configured.
Check the backend health of the load balancer.
Verify the NSG rules associated with the subnet or NIC of the VMs to ensure traffic is allowed.
Ensure the VMs have a static public IP address.
Confirm that the health probes of the load balancer are correctly configured.
You are configuring Azure Backup and Azure Site Recovery for a production workload.
Which of the following statements is true?
Azure Backup Vault and Recovery Services Vault are the same.
Azure Backup only supports the backup of virtual machines.
Recovery Services vault supports Azure VM backup, Azure Site Recovery, and Azure Backup for SQL Server in Azure VM.
Azure Site Recovery can be used to automate the recovery of services when a site-wide outage happens.
Recovery Services vault supports Azure VM backup, Azure Site Recovery, and Azure Backup for SQL Server in Azure VM.
You have configured a backup policy for your Azure virtual machines.
Which of the following default retention duration options is NOT available when configuring an enhanced daily backup policy for an Azure VM?
60 days
180 days
12 weeks
60 months
10 years
60 days
Explanation
The default retention duration option of 60 days is not available when configuring an enhanced daily backup policy for an Azure VM. This option is not part of the standard retention durations provided for daily backups in Azure.
Your organization uses Microsoft Entra ID for managing licenses. You are tasked with ensuring an external partner can access certain company resources without consuming a license and that an internal user gets an appropriate license.
Which of the following actions should you take? (Choose two)
Invite an external user.
Add the external partner as a member in Entra ID.
Provide the internal user with a (direct) license assignment.
Assign an Azure Blob Storage permission to the internal user.
The correct two actions are:
Invite an external user
Provide the internal user with a (direct) license assignment
Here’s why these are correct:
For External Partner:
“Invite an external user” is correct because:
External users are managed as guest accounts in Entra ID
Guest users don’t consume licenses
It maintains proper security boundaries
It’s the recommended way to grant external partners access
Provides controlled access to specific resources
Easier to manage and revoke access when needed
For Internal User:
“Provide the internal user with a (direct) license assignment” is correct because:
Internal users need proper licenses to access Microsoft services
Direct license assignment ensures the user has consistent access
It’s the standard way to manage internal user permissions
Provides clear license tracking and management
Ensures compliance with licensing requirements
Why the other options are incorrect:
“Add the external partner as a member” is incorrect because:
This would consume a license
It’s not the recommended security practice for external users
Makes it harder to manage external access
“Assign an Azure Blob Storage permission” is incorrect because:
This is just a resource-specific permission
Doesn’t address the licensing requirement
Storage permissions are separate from Entra ID licensing
Best Practice Implementation:
For external partner:
Use the guest invitation process
Configure specific resource access
Monitor guest user access
For internal user:
Assign appropriate license directly
Configure any additional role-based access
Monitor license usage
An employee reports they are unable to use the Self-Service Password Reset (SSPR) feature.
Which of the following could be the potential reason?
Their account is flagged as a high-risk user.
SSPR is not enabled for their user group.
They are using Azure DevOps.
They have not accessed any Azure resources in the last 30 days.
SSPR is not enabled for their user group.