Microsoft Microsoft Certifications AZ-305 Questions & Answers

• Question 291:

  You plan to migrate App1 to Azure. The solution must meet the authentication and authorization requirements. Which type of endpoint should App1 use to obtain an access token?

  A. Azure Instance Metadata Service (IMDS)

  B. Azure AD

  C. Azure Service Management

  D. Microsoft identity platform

  Correct Answer: D

  Scenario: To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app.

  Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azureresources/overview

• Question 292:

  You migrate App1 to Azure.

  You need to ensure that the data storage for App1 meets the security and compliance requirements.

  What should you do?

  A. Create Azure RBAC assignments.

  B. Create an access policy for the blob service.

  C. Modify the access level of the blob service.

  D. Implement Azure resource locks.

  Correct Answer: B

• Question 293:

  HOTSPOT

  You have the Azure subscriptions shown in the following table.

  

  Contoso.onmicrosft.com contains a user named User1.

  You need to deploy a solution to protect against ransomware attacks. The solution must meet the following requirements:

  1.

  Ensure that all the resources in Sub1 are backed up by using Azure Backup.

  2.

  Require that User1 first be assigned a role for Sub2 before the user can make major changes to the backup configuration.

  What should you create in each subscription? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: A Recovery Services vault

  Ensure that all the resources in Sub1 are backed up by using Azure Backup.

  A Recovery Services vault is an entity that stores the backups and recovery points created over time. The Recovery Services vault also contains the backup policies that are associated with the protected virtual machines.

  Azure Backup automatically handles storage for the vault.

  Box 2: A Resource Guard

  Require that User1 first be assigned a role for Sub2 before the user can make major changes to the backup configuration.

  A Resource Guard is an Azure resource that can be created in the same subscription, a different subscription in the same Azure AD tenant, or even a subscription in a different Azure AD tenant! When associated to an RSV (Recovery Service

  Vault), a user looking to make risky modifications to it (such as removing soft delete) must have permissions on BOTH the Resource Guard and the RSV. This means it can support separate authorization boundaries at the subscription level or

  even completely separate identity and authentication boundaries at the tenant.

  Reference:

  https://learn.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview

  https://journeyofthegeek.com/2022/10/18/protecting-azure-backups-with-resource-guard-part-1/

• Question 294:

  HOTSPOT

  You have 10 on-premises servers that run Windows Server.

  You need to perform daily backups of the servers to a Recovery Services vault. The solution must meet the following requirements:

  1.

  Back up all the files and folders on the servers.

  2.

  Maintain three copies of the backups in Azure.

  3.

  Minimize costs.

  What should you configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: The Microsoft Azure Recovery Services (MARS) agent

  You can use the Azure Backup service to back up on-premises machines and apps and to back up Azure virtual machines (VMs).

  The MARS agent

  Azure Backup uses the MARS agent to back up data from on-premises machines and Azure VMs to a backup Recovery Services vault in Azure. The MARS agent can:

  Run on on-premises Windows machines so that they can back up directly to a backup Recovery Services vault in Azure.

  Run on Windows VMs so that they can back up directly to a vault.

  Run on Microsoft Azure Backup Server (MABS) or a System Center Data Protection Manager (DPM) server. In this scenario, machines and workloads back up to MABS or to the DPM server. The MARS agent then backs up this server to a

  vault in Azure.

  Incorrect:

  *

  The Azure Site Recovery Mobility service

  About the Mobility service for VMware VMs and physical servers

  When you set up disaster recovery for VMware virtual machines (VM) and physical servers using Azure Site Recovery, you install the Site Recovery Mobility service on each on-premises VMware VM and physical server. The Mobility service

  captures data, writes on the machine, and forwards them to the Site Recovery process server.

  *

  Volume Shadow Copy Service (VSS)

  The Volume Shadow Copy Service (VSS) captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide.

  Box 2: Locally Redundant Storage (LRS)

  Locally Redundant Storage (LRS) is the least expensive solution.

  How does Azure Backup follow the 3-2-1 rule?

  3

• Question 295:

  HOTSPOT

  You plan to deploy a containerized web-app that will be hosted in five Azure Kubernetes Service (AKS) clusters. Each cluster will be hosted in a different Azure region.

  You need to provide access to the app from the internet. The solution must meet the following requirements:

  1.

  Incoming HTTPS requests must be routed to the cluster that has the lowest network latency.

  2.

  HTTPS traffic to individual pods must be routed via an ingress controller.

  3.

  In the event of an AKS cluster outage, failover time must be minimized.

  What should you include in the solution? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview

  https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq

• Question 296:

  HOTSPOT

  You have an Azure subscription.

  You create a storage account that will store documents.

  You need to configure the storage account to meet the following requirements:

  1.

  Ensure that retention policies are standardized across the subscription.

  2.

  Ensure that data can be purged if the data is copied to an unauthorized location.

  Which two settings should you enable? To answer, select the appropriate settings in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Enable soft delete for containers

  Ensure that retention policies are standardized across the subscription.

  Container soft delete protects your data from being accidentally or erroneously modified or deleted. When container soft delete is enabled for a storage account, a container and its contents may be recovered after it has been deleted, within a

  retention period that you specify.

  Box 2: Enable permanent delete for soft deleted items

  Ensure that data can be purged if the data is copied to an unauthorized location.

  Incorrect:

  *

  Enable versioning for blobs You can enable Blob storage versioning to automatically maintain previous versions of a blob when it is modified or deleted. When blob versioning is enabled, then you can restore an earlier version of a blob to recover your data if it is erroneously modified or deleted.

  *

  Enable version-level immutability support Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data can't be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes. Immutability policies include time-based retention policies and legal holds.

  Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable

• Question 297:

  HOTSPOT

  You have two Azure AD tenants named contoso.com and fabrikam.com. Each tenant is linked to 50 Azure subscriptions. Contoso.com contains two users named User1 and User2.

  You need to meet the following requirements:

  Ensure that User1 can change the Azure AD tenant linked to specific Azure subscriptions.

  If an azure subscription is liked to a new Azure AD tenant, and no available Azure AD accounts have full subscription-level permissions to the subscription, elevate the access of User2 to the subscription.

  The solution must use the principle of least privilege.

  Which role should you assign to each user? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 298:

  HOTSPOT

  You company has offices in New York City, Sydney, Paris, and Johannesburg.

  The company has an Azure subscription.

  You plan to deploy a new Azure networking solution that meets the following requirements:

  1.

  Connects to ExpressRoute circuits in the Azure regions of East US, Southeast Asia, North Europe, and South Africa

  2.

  Minimizes latency by supporting connection in three regions

  3.

  Supports Site-to-site VPN connections

  4.

  Minimizes costs

  You need to identify the minimum number of Azure Virtual WAN hubs that you must deploy, and which virtual WAN SKU to use.

  What should you identify? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: 3

  Need one Virtual WAN hub for each of the three regions in a hub-and-spoke topology.

  Note 1: The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. It

  enables a global transit network architecture, where the cloud hosted network 'hub' enables transitive connectivity between endpoints that may be distributed across different types of 'spokes'.

  Azure regions serve as hubs that you can choose to connect to. All hubs are connected in full mesh in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) connectivity.

  Note 2: You company has offices in New York City, Sydney, Paris, and Johannesburg

  Connects to ExpressRoute circuits in the Azure regions of East US, Southeast Asia, North Europe, and South Africa

  Minimizes latency by supporting connection in three regions

  Box 2: Standard

  Need Standard to support ExpressRoute.

  Note: Virtual WAN types

  There are two types of virtual WANs: Basic and Standard. The following table shows the available configurations for each type.

  * Basic Site-to-site VPN only

  Standard ExpressRoute User VPN (P2S) VPN (site-to-site) Inter-hub and VNet-to-VNet transiting through the virtual hub Azure Firewall NVA in a virtual WAN

  Reference: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

• Question 299:

  HOTSPOT

  You are developing a multi-tier app named App1 that will be hosted on Azure virtual machines. The peak utilization periods for App1 will be from 8 AM to 9 AM and 4 PM to 5 PM on weekdays.

  You need to deploy the infrastructure for App1. The solution must meet the following requirements:

  1.

  Support virtual machines deployed to four availability zones across two Azure regions.

  2.

  Minimize costs by accumulating CPU credits during periods of low utilization.

  What is the minimum number of virtual networks you should deploy, and which virtual machine size should you use? To answer, select the appropriate options in the answer area.

  Hot Area:

  

  Correct Answer:

  

  Box 1: 2

  Support virtual machines deployed to four availability zones across two Azure regions.

  One virtual network in each region.

  Note:

  Regions

  All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource. You can however, connect virtual networks that exist in

  different subscriptions and regions.

  Do you require resiliency across Azure Availability Zones within the same Azure region for the resources you deploy? You can deploy resources, such as virtual machines (VM) to different availability zones within the same virtual network.

  Box 2: B-Series

  Minimize costs by accumulating CPU credits during periods of low utilization.

  Understanding the Azure B Series and CPU credits

  If you have applications that remain idle for a long time and burst occasionally, then the B-series might be the perfect fit for you. To understand why, we first need to understand how the pricing for a VM works in the cloud. When you deploy a

  VM in the cloud, you’re paying the same regardless of the % of CPU used. Therefore, anytime your VM is not using 100% CPU, you are leaving computing cycles on the table that you are paying for. Typically, users will solve this problem by

  deploying a VM size with smaller number of cores and lesser RAM. However, sometimes the application demands more computing power. This is a classic vertical scalability problem. As the physics of semiconductors limits the number of

  cores, CPU clock speeds and RAM you can add to a single node, users have solved this problem by developing applications that can scale horizontally to more nodes.

  But, if you have an application that is small enough for a single node and only needs to use 100% of the CPU for a small time, burstable sizes will provide you the most cost-effective way to run it.

  Reference:

  https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm

  https://singhkays.medium.com/understanding-the-azure-b-series-and-cpu-credits-cd6ad1c46094

• Question 300:

  HOTSPOT

  You have an Azure App Service web app named Webapp1 that connects to an Azure SQL database named DB1. Webapp1 and DB1 are deployed to the East US Azure region.

  You need to ensure that all the traffic between Webapp1 and DB1 is sent via a private connection.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview