AZ-303 Exam - Microsoft Azure Architect Technologies (beta)

NEW QUESTION 1

You have an Azure subscription that contains the Azure SQL servers shown in the following table.

The subscription contains the elastic pool shown in the following table.

The subscription contains the Azure SQL databases shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Note: You cannot add databases from different servers into the same pool Box 1: Yes
Pool2 contains DB2 but DB1 and DB2 are on Sql1. DB1 can thus be added to Pool2. Box 2: Yes
Pool3 is empty. Box 3: Yes
Pool1 contains DB1 but DB3 and DB1 are on Sql1. DB3 can thus be added to Pool1. References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-pool

NEW QUESTION 2

You create a new Azure subscription. You create a resource group named RG1. In RG1. you create the resources shown in the following table.

You need to configure an encrypted tunnel between your on-premises network and VNET1.
Which two additional resources should you create in Azure? Each correct answer presents part of the solution.

• A. a point-to-site configuration
• B. a local network gateway
• C. a VNet-to-VNet connection
• D. a VPN gateway
• E. a site-to-site connection

Answer: DE

Explanation:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a local network gateway, located on-premises that has an externally facing public IP address assigned to it.
Finally, create a Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

NEW QUESTION 3

You create the Azure resources shown in the following table.

You attempt to add a role assignment to a resource group as shown in the following exhibit.


What should you do to ensure that you can assign VM2 the Reader role for the resource group?

• A. Modify the Reader role at the subscription level.
• B. Configure just in time (JIT) VM access on VM2.
• C. Configure Access control (IAM) on VM2.
• D. Assign a managed identity to VM2.

Answer: D

NEW QUESTION 4

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2019. Server1 is a container host. You are creating a Dockerfile to build a container image.
You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container image. Solution: You add the following line to the Dockerfile.
XCOPY File1.txt C:\Folder1\
You then build the container image. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Copy is the correct command to copy a file to the container image. Furthermore, the root directory is specified as '/' and not as 'C:/'.
References:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy https://docs.docker.com/engine/reference/builder/

NEW QUESTION 5

You create a container image named Image1 on a developer workstation.
You plan to create an Azure Web App for Containers named WebAppContainer that will use Image1. You need to upload Image1 to Azure. The solution must ensure that WebAppContainer can use Image1. To which storage type should you upload Image1?

• A. Azure Container Registry
• B. an Azure Storage account that contains a blob container
• C. an Azure Storage account that contains a file share
• D. Azure Container Instances

Answer: A

Explanation:
Configure registry credentials in web app.
App Service needs information about your registry and image to pull the private image. In the Azure portal, go to Container settings from the web app and update the Image source, Registry and save.
References:
https://docs.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux

NEW QUESTION 6

You have an Azure subscription.
You plan to deploy an app that has a web front end and an application tier.
You need to recommend a load balancing solution that meets the following requirements:
Internet to web tier:
- Provides URL-based routing
- Supports connection draining
- Prevents SQL injection attacks
Web tier to application tier:
- Provides port forwarding
- Supports HTTPS health probes
- Supports an availability set as a backend pool
Which load balancing solution should you recommend for each tier? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: An Azure Application Gateway that has a web application firewall (WAF)
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.
Application Gateway operates as an application delivery controller (ADC). It offers Secure Sockets Layer (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing, ability to host multiple websites, and security enhancements.
Box 2: An internal Azure Standard Load Balancer
The internet to web tier is the public interface, while the web tier to application tier should be internal. Note: When using load-balancing rules with Azure Load Balancer, you need to specify a health probes to
allow Load Balancer to detect the backend endpoint status.
Health probes support the TCP, HTTP, HTTPS protocols. References:
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

NEW QUESTION 7

You have an Azure logic app named App1 and an Azure Service Bus queue named Queue1.
You need to ensure that App1 can read messages from Queue1. App1 must authenticate by using Azure Active Directory (Azure AD).
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
On App1: Turn on the managed identity
To use Service Bus with managed identities, you need to assign the identity the role and the appropriate scope. The procedure in this section uses a simple application that runs under a managed identity and accesses Service Bus resources.
Once the application is created, follow these steps:
Go to Settings and select Identity.
Select the Status to be On.
Select Save to save the setting.
On Queue1: Configure Access Control (IAM)
Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Service Bus defines a set of built-in RBAC roles that encompass common sets of permissions used to access Service Bus entities and you can also define custom roles for accessing the data.
Assign RBAC roles using the Azure portal
In the Azure portal, navigate to your Service Bus namespace. Select Access Control (IAM) on the left menu to display access control settings for the namespace. If you need to create a Service Bus namespace.
Select the Role assignments tab to see the list of role assignments. Select the Add button on the toolbar and then select Add role assignment.
Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/authenticate-application https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity

NEW QUESTION 8

A company runs multiple Windows virtual machines (VMs) in Azure.
The IT operations department wants to apply the same policies as they have for on-premises VMs to the VMs running in Azure, including domain administrator permissions and schema extensions.
You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required. What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Join the VMs to a new domain controller VM in Azure
Azure provides two solutions for implementing directory and identity services in Azure:
(Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
Box 2: Set up VPN connectivity.
This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

NEW QUESTION 9

You create the following Azure role definition.

You need to create Role1 by using the role definition.
Which two values should you modify before you create Role1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. AssignableScopes
• B. Description
• C. DataActions
• D. IsCustom
• E. Id

Answer: AD

Explanation:
Part of example: "IsCustom": true,
"AssignableScopes": [ "/subscriptions/{subscriptionId1}", "/subscriptions/{subscriptionId2}",
"/subscriptions/{subscriptionId3}"
The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.", "Actions": [
"Microsoft.Storage/*/read", "Microsoft.Network/*/read", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Authorization/*/read", "Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*", "Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [], "NotDataActions": [], "AssignableScopes": [ "/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}", "/subscriptions/{subscriptionId3}"
]
}
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

NEW QUESTION 10

You need to move the blueprint files to Azure. What should you do?

• A. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
• B. Use the Azure Import/Export service.
• C. Generate an access ke
• D. Map a drive, and then copy the files by using File Explorer.
• E. Use Azure Storage Explorer to copy the files.

Answer: D

Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage. Technical Requirements include: Copy the blueprint files to Azure over the Internet. References:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-us

NEW QUESTION 11

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Create a VPN gateway that uses the VpnGw1 SKU.
• B. Create a connection.
• C. Create a local site VPN gateway.
• D. Create a gateway subnet.
• E. Create a VPN gateway that uses the Basic SKU.

Answer: ABC

Explanation:
References:
https://docs.microsoft.com/en-za/archive/blogs/canitpro/step-by-step-configuring-a-site-to-site-vpn-gateway-bet

NEW QUESTION 12

You are developing an Azure Web App. You configure TLS mutual authentication for the web app.
You need to validate the client certificate in the web app. To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 13

You have resources in three Azure regions. Each region contains two virtual machines. Each virtual machine has a public IP address assigned to its network interface and a locally installed application named App1.
You plan to implement Azure Front Door-based load balancing across all the virtual machines.
You need to ensure that App1 on the virtual machines will only accept traffic routed from Azure Front Door. What should you implement?

• A. Azure Private Link
• B. service endpoints
• C. network security groups (NSGs) with service tags
• D. network security groups (NSGs) with application security groups

Answer: C

Explanation:
Configure IP ACLing for your backends to accept traffic from Azure Front Door's backend IP address space and Azure's infrastructure services only. Refer the IP details below for ACLing your backend:
Refer AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's IPv4 backend IP address range or you can also use the service tag AzureFrontDoor.Backend in your network security groups.
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq

NEW QUESTION 14

You have an Azure Container Registry and an Azure container instance.
You pull an image from the registry, and then update the local copy of the image.
You need to ensure that the updated image can be deployed to the container instance. The solution must ensure that you can deploy the updated image or the previous version of the image.
What should you do?

• A. Run the docker image push command and specify the tag parameter.
• B. Run the az image copy command and specify the tag paramete
• C. Run the az aks update command and specify the attach-acr parameter.
• D. Run the kubect1 apply command and specify the dry-run parameter.

Answer: B

NEW QUESTION 15

You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

• A. Short Message Service (SMS) messages
• B. Authentication app
• C. Email addresses
• D. Security questions
• E. App passwords

Answer: AB

Explanation:
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

NEW QUESTION 16

You need to recommend a solution for App1. The solution must meet the technical requirements. What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: 3
One virtual network for every tier Box 2: 1
Only one subnet for each tier, to minimize the number of open ports.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers: A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only. Technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.

NEW QUESTION 17

You create an Azure virtual machine named VM1 in a resource group named RG1. You discover that VM1 performs slower than expected.
You need to capture a network trace on VM1. What should you do?

• A. From Diagnostic settings for VM1. configure the performance counters to include network counters.
• B. From the VM1 blade, configure Connection troubleshoot.
• C. From the VM1 blade, install performance diagnostics and run advanced performance analysis
• D. From Diagnostic settings for VM1, configure the log level of the diagnostic agent.

Answer: C

Explanation:
The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.
Advanced performance analysis, included in the performance diagnostics tool, includes all checks in the performance analysis, and collects one or more of the traces, as listed in the following sections. Use this scenario to troubleshoot complex issues that require additional traces. Running this scenario for longer periods will increase the overall size of diagnostics output, depending on the size of the VM and the trace options that are selected.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics

NEW QUESTION 18

You have an Azure SQL database named Db1 that runs on an Azure SQL server named SQLserver1. You need to ensure that you can use the query editor on the Azure portal to query Db1.
What should you do?

• A. Modify the Advanced Data Security settings of Db1
• B. Configure the Firewalls and virtual networks settings for SQLserver1
• C. Copy the ADO.NET connection string of Db1 and paste the string to the query editor
• D. Approve private endpoint connections for SQLserver1

Answer: B

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-connect-query-portal

NEW QUESTION 19

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company is deploying an on-premises application named Appl. Users will access App1 by using a URL of https://app1.contoso.com. You register App1 in Azure Active Directory (Azure AD) and publish Appl by using the Azure AD Application Proxy. You need to ensure that Appl appears in the My Apps portal for all the users.
Solution: You create an offer for App1 and publish the offer to Azure Marketplace.

• A. Yes
• B. No

Answer: A

NEW QUESTION 20
......