
Microsoft - AZ-305: Designing Microsoft Azure Infrastructure Solutions

Sample Questions

Question: 190
Measured Skill: Design identity, governance, and monitoring solutions (25-30%)

You have five .NET Core applications that run on 10 Azure virtual machines in the same subscription.

You need to recommend a solution to ensure that the applications can authenticate by using the same Azure Active Directory (Azure AD) identity. The solution must meet the following requirements:
  • Ensure that the applications can authenticate only when running on the 10 virtual machines.
  • Minimize administrative effort.
What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A To provision the Azure AD identity: Create a system-assigned Managed Service Identity
To authenticate request a token by using: An Azure AD v2.0 endpoint
B To provision the Azure AD identity: Create a system-assigned Managed Service Identity
To authenticate request a token by using: An Azure AD v1.0 endpoint
C To provision the Azure AD identity: Create a user-assigned Managed Service Identity
To authenticate request a token by using: An OAuth2 endpoint
D To provision the Azure AD identity: Create a user-assigned Managed Service Identity
To authenticate request a token by using: An Azure AD v2.0 endpoint
E To provision the Azure AD identity: Register each application in Azure AD
To authenticate request a token by using: An OAuth2 endpoint
F To provision the Azure AD identity: Register each application in Azure AD
To authenticate request a token by using: An Azure Instance Metadata Service Identity

Correct answer: C

Explanation:

Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.

The managed identity and the resource to which the identity is assigned do not have to be in the same region or in the same resource group.

A user-assigned managed identity can be assigned to one or more instances of an Azure service, while a system-assigned managed identity is tied to a single Azure service instance.

To authenticate an app to another Azure resource using its user-assigned managed identity, we use an OAuth2 token.
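The token request described above, sketched as an added example (not code from the original page): an app on one of the VMs asks the Azure Instance Metadata Service for an OAuth2 token issued to the user-assigned identity. The function names, the all-zero client ID used by callers and the sample reply are assumptions made for illustration; the injectable `send` parameter exists only so the flow can be exercised off-VM.

```python
import json
import time
import urllib.parse
import urllib.request

# Link-local IMDS address: only reachable from inside an Azure VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

# Constructed sample reply for offline runs (not a real token).
SAMPLE_REPLY = json.dumps({
    "access_token": "eyJ0eXAi.constructed.sample",
    "expires_on": "4102444800",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})

def build_token_request(resource, client_id):
    """Build the IMDS request for a user-assigned identity's token."""
    query = urllib.parse.urlencode({
        "api-version": "2018-02-01",
        "resource": resource,
        "client_id": client_id,  # selects which user-assigned identity to use
    })
    # IMDS rejects requests that lack the Metadata header.
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}",
                                  headers={"Metadata": "true"})

def parse_token_response(body, expected_resource, now=None):
    """Validate the JSON reply and return (bearer_token, seconds_left)."""
    doc = json.loads(body)
    if doc.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if doc.get("resource") != expected_resource:
        raise ValueError("token issued for a different resource")
    now = time.time() if now is None else now
    seconds_left = int(doc["expires_on"]) - int(now)
    if seconds_left <= 0:
        raise ValueError("token already expired")
    return doc["access_token"], seconds_left

def get_token(resource, client_id, send=None):
    """Fetch a token; `send` is injectable so the flow can run offline."""
    send = send or (lambda req: urllib.request.urlopen(req, timeout=5).read())
    body = send(build_token_request(resource, client_id))
    return parse_token_response(body, resource)
```

No secret appears in the request: the call succeeds only on a VM to which the identity has been assigned, which is what satisfies the "only when running on the 10 virtual machines" requirement.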

References:

What are managed identities for Azure resources?

Get an access token

Question: 191
Measured Skill: Design infrastructure solutions (25-30%)

You plan to deploy a network-intensive application to several Azure virtual machines. You need to recommend a solution that meets the following requirements:
  • Minimizes the use of the virtual machine processors to transfer data.
  • Minimizes network latency.
Which virtual machine size and feature should you use?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Virtual machine size: Compute optimized Standard_F8s
Feature: Single root I/O virtualization (SR-IOV)
B Virtual machine size: General purpose Standard_B8ms
Feature: Receive Side Scaling (RSS)
C Virtual machine size: General purpose Standard_B8ms
Feature: Virtual Machine Multi-Queue (VMMQ)
D Virtual machine size: High Performance compute Standard_H16r
Feature: Remote Direct Memory Access (RDMA)
E Virtual machine size: Memory optimized Standard_E16s_v3
Feature: Receive Side Scaling (RSS)
F Virtual machine size: Memory optimized Standard_E16s_v3
Feature: Remote Direct Memory Access (RDMA)

Correct answer: D

Explanation:

Azure H-series virtual machines (VMs) are designed to deliver leadership-class performance, scalability, and cost efficiency for various real-world HPC workloads.

H-series VMs are optimized for applications driven by high CPU frequencies or large memory per core requirements. H-series VMs feature 8 or 16 Intel Xeon E5 2667 v3 processor cores, 7 or 14 GB of RAM per CPU core, and no hyperthreading. H-series features 56 Gb/sec Mellanox FDR InfiniBand in a non-blocking fat tree configuration for consistent RDMA performance. H-series VMs support Intel MPI 5.x and MS-MPI.

Most of the HPC VM sizes feature a network interface for remote direct memory access (RDMA) connectivity. Selected N-series sizes designated with 'r' are also RDMA-capable. This interface is in addition to the standard Azure Ethernet network interface available in the other VM sizes.

This secondary interface allows the RDMA-capable instances to communicate over an InfiniBand (IB) network, operating at HDR rates for HBv3, HBv2, EDR rates for HB, HC, NDv2, and FDR rates for H16r, H16mr, and other RDMA-capable N-series virtual machines. These RDMA capabilities can boost the scalability and performance of Message Passing Interface (MPI) based applications.

Remote Direct Memory Access (RDMA) is a technology that allows computers in a network to exchange data in main memory without involving the processor, cache or operating system of either computer. Like locally based Direct Memory Access (DMA), RDMA improves throughput and performance because it frees up resources. RDMA also facilitates a faster data transfer rate and low-latency networking. It can be implemented for networking and storage applications.

RDMA enables more direct data movement in and out of a server by implementing a transport protocol in the network interface card (NIC) hardware. The technology supports a feature called zero-copy networking that makes it possible to read data directly from the main memory of one computer and write that data directly to the main memory of another computer.

If both the sending and receiving devices support RDMA, then the conversation between the two will complete much quicker than comparable non-RDMA network systems.

Reference: High performance computing VM sizes



Question: 192
Measured Skill: Design identity, governance, and monitoring solutions (25-30%)

You have an Azure Active Directory (Azure AD) tenant.

You plan to use Azure Monitor to monitor user sign-ins and generate alerts based on specific user sign-in events.

You need to recommend a solution to trigger the alerts based on the events.

What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Send Azure AD logs to: An Azure Event Hub
Signal type to use for triggering the alerts: Metric
B Send Azure AD logs to: An Azure Event Hub
Signal type to use for triggering the alerts: Activity Log
C Send Azure AD logs to: An Azure Log Analytics workspace
Signal type to use for triggering the alerts: Log
D Send Azure AD logs to: An Azure Log Analytics workspace
Signal type to use for triggering the alerts: Activity Log
E Send Azure AD logs to: An Azure storage account
Signal type to use for triggering the alerts: Log
F Send Azure AD logs to: An Azure storage account
Signal type to use for triggering the alerts: Metric

Correct answer: C

Explanation:

We have to configure the diagnostic settings of the Azure AD tenant to send the SignInLogs to an Azure Log Analytics workspace.

A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but may combine data from multiple services.

After we have made the Azure AD SignInLogs available to Azure Monitor, we can create an alert rule in Azure Monitor that queries the SigninLogs table, as shown in the following example:

SigninLogs
| where UserPrincipalName contains "user1@contoso.com"

References:

Log Analytics workspace overview

Create Azure Monitor log alert rules and manage alert instances

Terence Luk: Monitoring, Alerting, Reporting Azure AD logins and login failures with Log Analytics and Logic Apps



Question: 193
Measured Skill: Design data storage solutions (25-30%)

You plan to develop a new app that will store business critical data. The app must meet the following requirements:
  • Prevent new data from being modified for one year.
  • Minimize read latency.
  • Maximize data resiliency.
You need to recommend a storage solution for the app.

What should you recommend?

(To answer, select the appropriate objects in the answer area. Each correct selection is worth one point.)

A Azure Storage account kind: StorageV2
Replication: Read-access geo-redundant storage (RA-GRS)
B Azure Storage account kind: StorageV2
Replication: Zone-redundant storage (ZRS)
C Azure Storage account kind: Storage
Replication: Locally redundant storage (LRS)
D Azure Storage account kind: Storage
Replication: Read-access geo-redundant storage (RA-GRS)
E Azure Storage account kind: BlobStorage
Replication: Zone-redundant storage (ZRS)
F Azure Storage account kind: BlobStorage
Replication: Locally redundant storage (LRS)

Correct answer: A

Explanation:

We should use a StorageV2 account and enable a time-based retention policy on a blob container to prevent data from being modified for one year.



To maximize data resiliency and minimize read latency, we should choose geo-redundant storage. GRS replicates data to a secondary geographical region, while ZRS replicates data across zones within the same geographical region.

Only general-purpose v2 storage accounts support GZRS and RA-GZRS.

References:

Store business-critical blob data with immutable storage

Azure Storage redundancy

Question: 194
Measured Skill: Design identity, governance, and monitoring solutions (25-30%)
Note: This question is based on a case study. The case study is not shown in this demo.

You need to implement the Azure RBAC role assignments for the Network Contributor role. The solution must meet the authentication and authorization requirements.

How many assignments should you configure for the Network Contributor role and for Role1?

(To answer, select the appropriate options from each list in the answer area. Each correct selection is worth one point.)

A Network Contributor: 1
Role1: 1
B Network Contributor: 1
Role1: 2
C Network Contributor: 2
Role1: 15
D Network Contributor: 2
Role1: 2
E Network Contributor: 15
Role1: 1
F Network Contributor: 15
Role1: 15

Correct answer: D

Explanation:

The Authentication and Authorization Requirements section contains the following:

  • The Network Contributor built-in RBAC role must be used to grant permissions to the network administrators for all the virtual networks in all the Azure subscriptions.
  • Role1 must be used to assign permissions to the storage accounts of all the Azure subscriptions.
  • RBAC roles must be applied at the highest level possible.

From the scenario we know that Litware has two Azure tenants: one tenant with 10 subscriptions and one tenant with five subscriptions. We can organize the subscriptions of each tenant in a management group and assign users to the Network Contributor role and to Role1 at the management group level.





 
 
 

© Copyright 2014 - 2022 by cert2brain.com