AZ-304: Microsoft Azure Architect Design Quiz Questions and Answers

Answer :
  • A custom role

Explanation :

Role-based access control (RBAC) focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group.

Incorrect Answers:

A: If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.

B: There are a few key differences between Azure Policy and role-based access control (RBAC). Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.

D: Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements.

Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Answer :
  • The self-hosted integration runtime in Azure

Explanation :

The integration runtime (IR) is the compute infrastructure that Azure Data Factory uses to provide data-integration capabilities across different network environments. For details about IR, see Integration runtime overview. A self-hosted integration runtime can run copy activities between a cloud data store and a data store in a private network. It also can dispatch transform activities against compute resources in an on-premises network or an Azure virtual network. The installation of a self-hosted integration runtime needs an on-premises machine or a virtual machine inside a private network.

Reference: https://docs.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime
Answer :
  • An Azure virtual machine that runs Windows Server 2016 and is joined to the contoso-add.com domain

Explanation :

You join the Windows Server virtual machine to the Azure AD DS-managed domain, here named contoso-aad.com.

Note: Azure Files supports identity-based authentication over SMB (Server Message Block) (preview) through Azure Active Directory (Azure AD) Domain Services. Your domain-joined Windows virtual machines (VMs) can access Azure file shares using Azure AD credentials.

Incorrect Answers:

B, C: Azure AD authentication over SMB is not supported for Linux VMs for the preview release. Only Windows Server VMs are supported.

References: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-enable#mount-a-file-share-from-a-domain-joined-vm
Answer :
  • Create an access review

Explanation :

In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users. When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed.

References: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
Answer :
  • Azure Batch

Explanation :

Azure Batch works well with intrinsically parallel (also known as "embarrassingly parallel") workloads. Intrinsically parallel workloads are those where the applications can run independently, and each instance completes part of the work. When the applications are executing, they might access some common data, but they do not communicate with other instances of the application. Intrinsically parallel workloads can therefore run at a large scale, determined by the amount of compute resources available to run applications simultaneously.

References: https://docs.microsoft.com/en-us/azure/batch/batch-technical-overview
Answer :
  • Yes

Explanation :

We use the Azure Premium Key Vault with Hardware Security Module (HSM)-backed keys. The Key Vault has to be in the same region as the VM that will be encrypted.

Note: If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM.

References: https://www.ciraltos.com/azure-disk-encryption-v2/ https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites-aad
Answer :
  • Configure a CNAME DNS record for the Azure Content Delivery Network (CDN) domain
  • Place the static content in Azure Blob storage and enable Content Delivery Network (CDN) on the account

Explanation :

D: Add Azure Content Delivery Network (CDN) to a web app in Azure App Service.

B: When you use a CDN endpoint to deliver content, a custom domain is necessary if you would like your own domain name to be visible in your CDN URL. Having a visible domain name can be convenient for your customers and useful for branding purposes. Create a CNAME DNS record, and associate the custom domain with your CDN endpoint.

Reference: https://docs.microsoft.com/en-us/azure/cdn/cdn-map-content-to-custom-domain https://docs.microsoft.com/en-us/azure/cdn/cdn-add-to-web-app
Answer :
  • Azure VM Diagnostics Extension

Explanation :

The Azure Diagnostics VM extension enables you to collect monitoring data, such as performance counters and event logs, from your Windows VM. You can granularly specify what data you want to collect and where you want the data to go, such as an Azure Storage account or an Azure Event Hub.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-diagnostics
Answer :
  • An Azure key vault in the same Azure region as the storage account

Explanation :

An Azure Key Vault admin grants permissions to encryption keys to a managed identity. The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account.

Reference: https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#about-customer-managed-keys