
Microsoft - AZ-303: Microsoft Azure Architect Technologies

Sample Questions

Question: 184
Measured Skill: Implement solutions for apps (10-15%)

You have an Azure subscription that contains the resources shown in the following table.



You need to deploy a load-balancing solution for two Azure web apps named App1 and App2 to meet the following requirements:
  • App1 must support command injection protection.
  • App2 must be able to use a static IP address.
  • App2 must have a Service Level Agreement (SLA) of 99.99 percent.
Which resource should you use as the load-balancing solution for each app?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A App1: ILB1
App2: ILB1
B App1: ELB1
App2: AGW2
C App1: ELB1
App2: AGW1
D App1: AGW1
App2: ELB1
E App1: AGW1
App2: AGW2
F App1: AGW2
App2: ELB1

Correct answer: D

Explanation:

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

These are the core benefits that WAF on Application Gateway provides.

  • Protect your web applications from web vulnerabilities and attacks without modification to back-end code.
  • Protect multiple web applications at the same time. An instance of Application Gateway can host up to 40 websites that are protected by a web application firewall.
  • Create custom WAF policies for different sites behind the same WAF.
  • Protect your web applications from malicious bots with the IP Reputation ruleset (preview).

Microsoft guarantees that a Load Balanced Endpoint using Azure Standard Load Balancer, serving two or more Healthy Virtual Machine Instances, will be available 99.99% of the time. Basic Load Balancer is excluded from this SLA. 

Static IP addresses can be added to the back-end pool of an external standard load balancer. Static IP addresses cannot be added to the back-end pool of an internal basic load balancer.

What is Command Injection?
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code.

References:

What is Azure Web Application Firewall on Azure Application Gateway?

SLA summary for Azure services



Question: 185
Measured Skill: Implement and monitor an Azure infrastructure (50-55%)

You have the following Azure Active Directory (Azure AD) tenants:
  • contoso.onmicrosoft.com: Linked to a Microsoft Office 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization.
  • contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1.
You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1.

What should you do?

A Configure contoso.onmicrosoft.com to use pass-through authentication.
B Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.
C Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com.
D Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.

Correct answer: B

Explanation:

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources.

Note: There's a 1:1 relationship between an Azure AD Connect sync server and an Azure AD tenant. Having multiple Azure AD Connect sync servers connected to the same or different Azure AD tenant within a single Active Directory forest is not supported, except for a staging server.

References:

What is guest user access in Azure Active Directory B2B?

Topologies for Azure AD Connect

Question: 186
Measured Skill: Implement management and security solutions (25-30%)

You have an Azure key vault named KV1.

You need to implement a process that will digitally sign the blobs stored in Azure Storage.

What is required in KV1 to sign the blobs?

A A key
B A secret
C A certificate
D An automation task

Correct answer: A

Explanation:

We can use both a secret and a key to encrypt blobs. When using a secret, however, additional requirements (key length and encoding) must be fulfilled which are automatically met when using a key. Using a key therefore seems like the better choice.

Reference: Tutorial - Encrypt and decrypt blobs using Azure Key Vault

Question: 187
Measured Skill: Implement management and security solutions (25-30%)

You set the multi-factor authentication status for a user named admin1@contoso.com to Enabled.

Admin1 accesses the Azure portal by using a web browser.

Which additional security verifications can Admin1 use when accessing the Azure portal?

A A phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app.
B An app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app.
C An app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app.
D A phone call, an email message that contains a verification code, and a text message that contains an app password.

Correct answer: A

Explanation:

When choosing authentication methods for Azure Multi-Factor Authentication and self-service password reset (SSPR), administrators are advised to require users to register multiple authentication methods. When an authentication method is not available for a user, they can choose to authenticate with another method.

Administrators can define in policy which authentication methods are available to users of SSPR and MFA. Some authentication methods may not be available to all features.

Microsoft highly recommends that administrators enable users to select more than the minimum required number of authentication methods in case they do not have access to one.



A password is only supported as a primary authentication method, not as an additional authentication method.



Reference: What are authentication methods?

Question: 188
Measured Skill: Implement solutions for apps (10-15%)

You deploy an Azure virtual machine scale set named VSS1 that contains 30 virtual machine instances across three zones in the same Azure region. The instances host an application named App1 that must be accessible by using HTTP and HTTPS traffic. Currently, VSS1 is inaccessible from the internet.

You need to use Azure Load Balancer to provide access to App1 across all the instances from the internet by using a single IP address.

What should you configure?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Minimum number of network security groups (NSGs) to create: 1
Objects to assign to the network security groups (NSGs): 3 subnets
Minimum number of Azure Standard Load Balancer rules to create: 1
B Minimum number of network security groups (NSGs) to create: 1
Objects to assign to the network security groups (NSGs): 1 subnet
Minimum number of Azure Standard Load Balancer rules to create: 2
C Minimum number of network security groups (NSGs) to create: 3
Objects to assign to the network security groups (NSGs): 30 network interfaces
Minimum number of Azure Standard Load Balancer rules to create: 2
D Minimum number of network security groups (NSGs) to create: 3
Objects to assign to the network security groups (NSGs): 3 subnets
Minimum number of Azure Standard Load Balancer rules to create: 6
E Minimum number of network security groups (NSGs) to create: 30
Objects to assign to the network security groups (NSGs): 30 network interfaces
Minimum number of Azure Standard Load Balancer rules to create: 4
F Minimum number of network security groups (NSGs) to create: 30
Objects to assign to the network security groups (NSGs): 1 subnet
Minimum number of Azure Standard Load Balancer rules to create: 1

Correct answer: B

Explanation:

We can use the virtual machine scale set in the back-end pool of the load balancer.

A Network Security Group (NSG) can be applied directly to a scale set by referencing it in the networkInterfaceConfigurations section of the network profile. A single NSG is therefore sufficient.

Availability Zones are located inside an Azure region, and each one has its own independent power source, network, and cooling. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions. Virtual Network subnets span across these zones in a region.

A load balancing rule distributes incoming traffic that is sent to a selected IP address and port combination across a group of backend pool instances. A single rule can handle a single IP address and port combination only. Therefore we need two rules.

References:

Add rules for Azure Load Balancer with virtual machine scale sets

Azure virtual machine scale sets FAQs

Azure Availability Zones



 
 
 

© Copyright 2014 - 2021 by cert2brain.com