FREE Microsoft Azure Architect Design Questions and Answers

Question 1

Your business offers customer support for various Azure subscriptions as well as outside hosting companies. You are creating a system for central monitoring. The following needs to be addressed by the solution:
‥ Collect log and diagnostic data from all the third-party hosting providers into a centralized repository.
‥ Collect log and diagnostic data from all the subscriptions into a centralized repository.
‥ Automatically analyze log data and detect threats.
‥ Provide automatic responses to known events.
What Azure service ought to be incorporated into the solution?

Accepted Answer

Azure Monitor

Answer

Azure Monitor is a comprehensive monitoring solution that collects telemetry from Azure resources, on-premises environments, and even other cloud providers. It can ingest logs and metrics, provide insights, and integrate with other services like Azure Sentinel for threat detection and Azure Logic Apps for automated responses. This makes it the foundational service for a centralized monitoring system with the specified requirements, including collecting data, detecting threats, and providing automatic responses.

Question 2

You are creating an Azure resource deployment using templates from Azure Resource Manager. Secrets will be kept in Azure Key Vault during deployment.
You must suggest a solution that satisfies the following criteria:
‥ Prevent the IT personnel handling the deployment from immediately obtaining the secrets from Key Vault.
‥ Apply the least privilege principle.
Which two steps would you suggest? Each right response offers a piece of the answer.

Accepted Answer

From Access policies in Key Vault, enable access to the Azure Resource Manager for template deployment. Most Voted

Answer

Enabling 'Azure Resource Manager for template deployment' in Key Vault access policies allows Azure Resource Manager to retrieve secrets from the Key Vault during the deployment process. This is crucial because it enables the ARM template to access the secrets needed for resource configuration without directly exposing those secrets to the IT personnel initiating the deployment, thus preventing them from immediately obtaining the secrets. This mechanism adheres to the principle of least privilege by granting access only to the deployment service, not the individual.

Question 3

You have three Azure regions' worth of web apps in your Azure subscription.
The following requirements must be fulfilled by the implementation of Azure Key Vault:
‥ All keys must be readable in the case of a local outage.
‥ Key Vault access is required for any subscription-based web apps.
‥ The least amount of Key Vault resources need to be deployed and managed.
How many Key Vault instances should you set up?

Accepted Answer

1

Answer

Azure Key Vault is a global service, meaning its data is replicated across multiple Azure regions within a geographical area. This inherent redundancy ensures high availability and resilience, so even if one region experiences an outage, the Key Vault remains accessible. Therefore, a single Key Vault instance is sufficient to meet the requirements of web apps across three regions, ensuring keys are readable during a local outage and minimizing administrative overhead.

Question 4

Your Azure Active Directory (Azure AD) tenancy already exists.
Using Azure Storage, you want to give users access to shared files. Depending on their user account or group membership, the users will receive varying degrees of access to various Azure file shares.
Which additional Azure services should be leveraged to support the proposed rollout must be suggested.
What should the recommendation contain?

Accepted Answer

an Azure AD Domain Services (Azure AD DS) instance

Answer

To provide file share access to Azure Storage based on Azure AD user and group identities, and leverage traditional Windows ACLs for varying access levels, Azure AD Domain Services (Azure AD DS) is required. Azure AD DS provides managed domain services, including domain join, group policy, and LDAP, enabling Azure file shares to be joined to a domain and support identity-based authentication for SMB access using Azure AD credentials.

Question 5

You want to set up five Azure virtual machines for the App1 application, which will be deployed. To run App1, more virtual machines will be introduced later.
You must suggest a method to satisfy each of the conditions for the virtual machines that will run App1:
‥ Check that the virtual machines can access an Azure key vault, instances of Azure Logic Apps, and an Azure SQL database by authenticating to Azure Active Directory (Azure AD).
‥ When you deploy more virtual machines, avoid giving them new roles and permissions for Azure services.
‥ Prevent keeping certificates and secrets on the virtual machines.
‥ Reduce the administrative work required to manage identities.
Which identification type ought to be mentioned in the recommendation?

Accepted Answer

a user-assigned managed identity

Answer

A user-assigned managed identity is the ideal solution here because it is a standalone Azure resource that can be assigned to multiple Azure VMs. This allows you to grant permissions to the identity once, and any VM assigned that identity will inherit those permissions, eliminating the need to configure new roles or store secrets on each VM. This approach significantly reduces administrative overhead and adheres to security best practices for identity management across multiple instances.

AZ-304 - Microsoft Azure Architect Design Practice Test

AZ-304 - Microsoft Azure Architect Design Practice Test

FREE Microsoft Azure Architect Design Questions and Answers