
Microsoft - AZ-305: Designing Microsoft Azure Infrastructure Solutions

Sample Questions

Question: 338
Measured Skill: Design infrastructure solutions (25-30%)

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1. Server1 contains an app named App1 that uses AD DS authentication. Remote users access App1 by using a VPN connection to the on-premises network.

You have a Microsoft Entra ID tenant that syncs with the AD DS domain by using Microsoft Entra Connect.

You need to ensure that the remote users can access App1 without using a VPN. The solution must meet the following requirements:
  • Ensure that the users authenticate by using Microsoft Entra Multi-Factor Authentication (MFA).
  • Minimize administrative effort.
What should you include in the solution?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A In Microsoft Entra ID: A managed identity
On-premises: A server that runs Windows Server and has the Web Application Proxy role service installed
B In Microsoft Entra ID: An access package
On-premises: A server that runs Windows Server and has the on-premises data gateway (standard mode) installed
C In Microsoft Entra ID: An access package
On-premises: A server that runs Windows Server and has the Microsoft Entra Application Proxy connector installed
D In Microsoft Entra ID: An app registration
On-premises: A server that runs Windows Server and has the Web Application Proxy role service installed
E In Microsoft Entra ID: An app registration
On-premises: A server that runs Windows Server and has the on-premises data gateway (standard mode) installed
F In Microsoft Entra ID: An enterprise application
On-premises: A server that runs Windows Server and has the Microsoft Entra Application Proxy connector installed

Correct answer: F

Explanation:

Application Proxy is a feature of Microsoft Entra ID that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service, which runs in the cloud, and the Application Proxy connector, which runs on an on-premises server. Microsoft Entra ID, the Application Proxy service, and the Application Proxy connector work together to securely pass the user sign-on token from Microsoft Entra ID to the web application.

Application Proxy works with:

  • Web applications that use Integrated Windows authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Microsoft Authentication Library (MSAL)

Application Proxy is recommended for giving remote users access to internal resources. Application Proxy replaces the need for a VPN or reverse proxy. It is not intended for internal users on the corporate network. Internal users who unnecessarily use Application Proxy can introduce unexpected and undesirable performance issues.

Application Proxy requires the on-premises app to be registered as an enterprise app in Entra ID.

References:

Remote access to on-premises applications through Microsoft Entra application proxy

Using Microsoft Entra application proxy to publish on-premises apps for remote users



Question: 339
Measured Skill: Design infrastructure solutions (25-30%)

You need to recommend a solution to integrate Azure Cosmos DB and Azure Synapse. The solution must meet the following requirements:
  • Traffic from an Azure Synapse workspace to the Azure Cosmos DB account must be sent via the Microsoft backbone network.
  • Traffic from the Azure Synapse workspace to the Azure Cosmos DB account must NOT be routed over the internet.
  • Implementation effort must be minimized.
What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A When provisioning the Azure Synapse workspace: Configure a dedicated managed virtual network.
When configuring the Azure Cosmos DB account, enable: Service endpoint policies
B When provisioning the Azure Synapse workspace: Configure a dedicated managed virtual network.
When configuring the Azure Cosmos DB account, enable: Managed private endpoints
C When provisioning the Azure Synapse workspace: Disable public network access to the workspace endpoints.
When configuring the Azure Cosmos DB account, enable: Server-level firewall rules
D When provisioning the Azure Synapse workspace: Disable public network access to the workspace endpoints.
When configuring the Azure Cosmos DB account, enable: Service endpoint policies
E When provisioning the Azure Synapse workspace: Enable the use of Microsoft Entra authentication.
When configuring the Azure Cosmos DB account, enable: Managed private endpoints
F When provisioning the Azure Synapse workspace: Enable the use of Microsoft Entra authentication.
When configuring the Azure Cosmos DB account, enable: Server-level firewall rules

Correct answer: B

Explanation:

Using managed private endpoints, you can restrict network access to your Azure Cosmos DB analytical store to a Managed Virtual Network associated with your Azure Synapse workspace. Managed private endpoints establish a private link to your analytical store.

Reference: Configure Azure Private Link for Azure Cosmos DB analytical store



Question: 340
Measured Skill: Design business continuity solutions (10-15%)

You have the Azure subscriptions shown in the following table.



Contoso.onmicrosoft.com contains a user named User1.

You need to deploy a solution to protect against ransomware attacks. The solution must meet the following requirements:
  • Ensure that all the resources in Sub1 are backed up by using Azure Backup.
  • Require that User1 first be assigned a role for Sub2 before the user can make major changes to the backup configuration.
What should you create in each subscription?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Sub1: A Recovery Services vault
Sub2: A Resource Guard
B Sub1: A Resource Guard
Sub2: Microsoft Azure Backup Server (MABS)
C Sub1: An Azure Site Recovery job
Sub2: A Recovery Services vault
D Sub1: Microsoft Azure Backup Server (MABS)
Sub2: Microsoft Azure Recovery Services (MARS) agent
E Sub1: Microsoft Azure Recovery Services (MARS) agent
Sub2: An Azure Site Recovery job

Correct answer: A

Explanation:

First, we create a Recovery Services vault in Sub1 and use the vault to back up the resources in Sub1.

Then we deploy a Resource Guard in Sub2 and link the vault from Sub1 to the Resource Guard in Sub2. The Resource Guard provides an additional layer of protection for critical operations on your Recovery Services vaults.

The Backup admin (User1) needs to have a Contributor role on the Resource Guard to perform critical operations that are in the Resource Guard scope. One of the ways to allow just-in-time access for such operations is through the use of Microsoft Entra Privileged Identity Management.

Reference: Configure Multi-user authorization using Resource Guard in Azure Backup



Question: 341
Measured Skill: Design business continuity solutions (10-15%)

You have 10 on-premises servers that run Windows Server.

You need to perform daily backups of the servers to a Recovery Services vault. The solution must meet the following requirements:
  • Back up all the files and folders on the servers.
  • Maintain three copies of the backups in Azure.
  • Minimize costs.
What should you configure?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A On the servers: The Azure Site Recovery Mobility service
For the storage: Geo-redundant storage (GRS)
B On the servers: The Azure Site Recovery Mobility service
For the storage: Zone-redundant storage (ZRS)
C On the servers: The Microsoft Azure Recovery Services (MARS) agent
For the storage: Geo-redundant storage (GRS)
D On the servers: The Microsoft Azure Recovery Services (MARS) agent
For the storage: Locally-redundant storage (LRS)
E On the servers: Volume Shadow Copy Service (VSS)
For the storage: Zone-redundant storage (ZRS)
F On the servers: Volume Shadow Copy Service (VSS)
For the storage: Locally-redundant storage (LRS)

Correct answer: D

Explanation:

Azure Backup uses the MARS agent to back up files, folders, and system state from on-premises machines and Azure VMs. Those backups are stored in a Recovery Services vault in Azure. You can run the agent:

  • Directly on on-premises Windows machines. These machines can back up directly to a Recovery Services vault in Azure.
  • On Azure VMs that run Windows side by side with the Azure VM backup extension. The agent backs up specific files and folders on the VM.
  • On a Microsoft Azure Backup Server (MABS) instance or a System Center Data Protection Manager (DPM) server. In this scenario, machines and workloads back up to MABS or Data Protection Manager. Then MABS or Data Protection Manager uses the MARS agent to back up to a vault in Azure.

Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option.

References:

Install the Azure Backup MARS agent

Azure Storage redundancy



Question: 342
Measured Skill: Design infrastructure solutions (25-30%)

You plan to deploy an infrastructure solution that will contain the following configurations:
  • External users will access the infrastructure by using Azure Front Door.
  • External user access to the backend APIs hosted in Azure Kubernetes Service (AKS) will be controlled by using Azure API Management.
  • External users will be authenticated by an Entra ID B2C tenant that uses OpenID Connect-based federation with a third-party identity provider.
Which function does each service provide?

(To answer, drag the appropriate functions to the correct services. Each function may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)


A Front Door: Protection against Open Web Application Security Project (OWASP) vulnerabilities
API Management: IP filtering on a per API level
API Management: Validation of Azure B2C JSON Web Tokens (JWTs)
B Front Door: Validation of Azure B2C JSON Web Tokens (JWTs)
API Management: Protection against Open Web Application Security Project (OWASP) vulnerabilities
API Management: IP filtering on a per API level
C Front Door: IP filtering on a per API level
API Management: IP filtering on a per API level
API Management: Protection against Open Web Application Security Project (OWASP) vulnerabilities
D Front Door: IP filtering on a per API level
API Management: Protection against Open Web Application Security Project (OWASP) vulnerabilities
API Management: Validation of Azure B2C JSON Web Tokens (JWTs)

Correct answer: A

Explanation:

The Azure Web Application Firewall (WAF) seamlessly integrates with Azure Front Door, offering centralized protection for your web applications. It actively monitors and filters incoming requests using a set of rules you define. These rules allow or block requests based on criteria like IP address, HTTP header, query string, or request body. Additionally, Azure WAF is equipped with advanced capabilities to detect and prevent common attacks such as SQL injection, cross-site scripting (XSS), CVE, and OWASP Top 10 threats.

The ip-filter policy in Azure API Management filters (allows/denies) calls from specific IP addresses and/or address ranges.

The validate-jwt policy in Azure API Management enforces existence and validity of a supported JSON web token (JWT) extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value.

References:

Azure Web Application Firewall on Azure Front Door

How to Use Azure Front Door's Web Application Firewall (WAF) to Protect Your Web Apps

Restrict caller IPs

Validate JWT





 
 
 

© Copyright 2014 - 2024 by cert2brain.com