Practice Free AZ-305 Exam Online Questions
What should you recommend to meet the monitoring requirements for App2?
- A . Microsoft Sentinel
- B . Azure Application Insights
- C . Container insights
- D . VM insights
HOTSPOT
You need to recommend a solution to ensure that App1 can access the third-party credentials and access strings. The solution must meet the security requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation:
Scenario: Security Requirement
All secrets used by Azure services must be stored in Azure Key Vault.
Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be shared between services.
Box 1: A service principal
A service principal is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal’s object ID is known as its client ID and acts like its username. The service principal’s client secret acts like its password.
Note: Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is responsible for authenticating the identity of any given security principal.
A security principal is an object that represents a user, group, service, or application that’s requesting access to Azure resources. Azure assigns a unique object ID to every security principal.
Box 2: A role assignment
You can provide access to Key Vault keys, certificates, and secrets with Azure role-based access control (Azure RBAC).
Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/authentication
You need to recommend a solution that meets the application development requirements.
What should you include in the recommendation?
- A . the Azure App Configuration service
- B . Continuous Integration/Continuous Deployment (CI/CD) sources
- C . deployment slots
- D . an Azure Container Registry instance
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied from the Azure virtual machines to the on-premises virtual machines.
Solution: Use Azure Advisor.
Does this meet the goal?
- A . Yes
- B . No
DRAG DROP
You plan to deploy an infrastructure solution that will contain the following configurations:
• External users will access the infrastructure by using Azure Front Door.
• External user access to the backend APIs hosted in Azure Kubernetes Service (AKS) will be controlled by using Azure API Management.
• External users will be authenticated by an Azure AD B2C tenant that uses OpenID Connect-based federation with a third-party identity provider.
Which function does each service provide? To answer, drag the appropriate functions to the correct services. Each function may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Explanation:
Front Door: Protection against Open Web Application Security Project (OWASP) vulnerabilities [1]
API Management: IP filtering on a per-API level [2] and validation of Azure B2C JSON Web Tokens (JWTs) [3]
Reference:
[1] Azure Front Door – Web Application Firewall
[2] Azure API Management policy reference – ip-filter
[3] How to validate an Azure B2C JWT token in a web API?
You have an on-premises Microsoft SQL Server 2016 database named DB1.
You have an Azure subscription.
You need to migrate DB1 to an Azure SQL database by using the Azure SQL Migration extension for Azure Data Studio.
What should you do first?
- A . Configure a Site-to-Site (S2S) VPN connection.
- B . Define the schema for the Azure SQL database.
- C . Create a user-assigned managed identity.
- D . Upgrade DB1.
A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.
Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), and Azure AD Connect.
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.
A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.
You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.
What should you recommend?
- A . Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.
- B . Configure an organization relationship between the Office 365 tenants of Fabrikam and Contoso.
- C . In the Azure AD tenant of Contoso, use MIM to create guest accounts for the Fabrikam developers.
- D . Configure an AD FS relying party trust between the Fabrikam and Contoso AD FS infrastructures.
A
Explanation:
Trust configurations – Configure trust from managed forest(s) or domain(s) to the administrative forest
A one-way trust is required from production environment to the admin forest.
Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate production hosts.
Reference: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to deploy resources to host a stateless web app in an Azure subscription.
The solution must meet the following requirements:
✑ Provide access to the full .NET framework.
✑ Provide redundancy if an Azure region fails.
✑ Grant administrators access to the operating system to install custom application dependencies.
Solution: You deploy two Azure virtual machines to two Azure regions, and you create a Traffic Manager profile.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
You plan to store data in Azure Blob storage for many years. The stored data will be accessed rarely.
You need to ensure that the data in Blob storage is always available for immediate access. The solution must minimize storage costs.
Which storage tier should you use?
- A . Cool
- B . Archive
- C . Hot
A
Explanation:
The Azure cool tier is equivalent to the Amazon S3 Infrequent Access (S3-IA) storage in AWS, which provides low-cost, high-performance storage for infrequently accessed data.
Note: Azure’s cool storage tier, also known as Azure cool Blob storage, is for infrequently-accessed data that needs to be stored for a minimum of 30 days. Typical use cases include backing up data before tiering to archival systems, legal data, media files, system audit information, datasets used for big data analysis and more.
The storage cost for this Azure cold storage tier is lower than that of the hot storage tier. Since it is expected that the data stored in this tier will be accessed less frequently, the data access charges are high when compared to the hot tier. There are no additional changes required in your applications, as these tiers can be accessed using APIs in the same manner that you access Azure storage.
Reference: https://cloud.netapp.com/blog/low-cost-storage-options-on-azure
You plan to move a web application named App1 from an on-premises data center to Azure.
App1 depends on a custom COM component that is installed on the host server.
You need to recommend a solution to host App1 in Azure.
The solution must meet the following requirements:
✑ App1 must be available to users if an Azure data center becomes unavailable.
✑ Costs must be minimized.
What should you include in the recommendation?
- A . In two Azure regions, deploy a load balancer and a virtual machine scale set.
- B . In two Azure regions, deploy a Traffic Manager profile and a web app.
- C . In two Azure regions, deploy a load balancer and a web app.
- D . Deploy a load balancer and a virtual machine scale set across two availability zones.
D
Explanation:
(https://docs.microsoft.com/en-us/dotnet/azure/migration/app-service#com-and-com-components)
Azure App Service does not allow the registration of COM components on the platform. If your app makes use of any COM components, these need to be rewritten in managed code and deployed with the site or application. https://docs.microsoft.com/en-us/dotnet/azure/migration/app-service
"Azure App Service with Windows Containers: If your app cannot be migrated directly to App Service, consider App Service using Windows Containers, which enables usage of the GAC, COM components, MSIs, full access to .NET FX APIs, DirectX, and more."