Question 1:
You plan to create a Netflix-like streaming service and would like to serve video content
to users worldwide. Which of the following would help you deliver the best possible
service with the least latency?
A content delivery network (CDN)
An Azure ExpressRoute circuit
An Azure Load Balancer
An Azure Virtual Network NAT
Explanation
The question states that users are located worldwide and need the least possible latency. The
video playback experience would be improved if they can download the video from servers in
the same region as the users. We can achieve this by using a Content Delivery Network.
A content delivery network (CDN) is a distributed network of servers that can efficiently
deliver web content to users. CDNs store cached content on edge servers in point-of-presence
(POP) locations that are close to end users, to minimize latency.
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly
delivering high-bandwidth content to users by caching their content at strategically placed
physical nodes across the world. Azure CDN can also accelerate dynamic content, which
cannot be cached, by leveraging various network optimizations using CDN POPs. For
example, route optimization to bypass Border Gateway Protocol (BGP).
-> Better performance and improved user experience for end users, especially when using
applications in which multiple round-trips are required to load content.
-> Large scaling to better handle instantaneous high loads, such as the start of a product
launch event.
-> Distribution of user requests and serving of content directly from edge servers so that less
traffic is sent to the origin server.
References: https://docs.microsoft.com/en-us/azure/cdn/cdn-overview
Question 2: Correct
How does the defense-in-depth model enhance cybersecurity compared to relying solely
on perimeter security?
It provides protection against both external and internal threats.
It reduces the need for user authentication.
It eliminates the need for regular security updates.
It isolates the network from the internet entirely.
Explanation
The defense-in-depth model focuses on multiple layers of security, including internal
defenses. This strategy provides safeguards against both external threats (outside attackers)
and internal threats (compromised insiders).
The remaining options do not strengthen security; they weaken the security configuration.
Reference: https://azure.microsoft.com/en-us/blog/microsoft-azures-defense-in-depth-approach-to-cloud-vulnerabilities/
Question 3: Correct
Which of the following can you use to implement strict governance and ensure that the
right people have access to the right resources, and only when they need it?
Azure Bastion
Azure Active Directory
Microsoft Defender for Cloud
Microsoft Sentinel
Explanation
From the official docs:
Azure Active Directory (Azure AD), part of Microsoft Entra, is an enterprise identity
service that provides single sign-on, multifactor authentication, and conditional access to
guard against 99.9 percent of cybersecurity attacks.
Microsoft Defender for Cloud - is a solution for cloud security posture management
(CSPM) and cloud workload protection (CWP) that finds weak spots across cloud
configurations, helps strengthen the overall security posture of environments, and can protect
workloads across multicloud and hybrid environments from evolving threats.
Azure Bastion - is a fully managed service that provides more secure and seamless Remote
Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs)
without any exposure through public IP addresses.
Microsoft Sentinel - is a bird's-eye view across the enterprise. It puts the cloud and
large-scale intelligence from decades of Microsoft security experience to work. Make your threat
detection and response smarter and faster with artificial intelligence (AI).
Reference: https://azure.microsoft.com/en-ca/services/active-directory/#features
Question 4:
What Azure service provides recommendations to optimize your cloud spending based
on your usage patterns?
Azure Policy
Azure Cost Management and Billing
Azure Monitor
Azure Advisor
Explanation
Azure Cost Management and Billing is the correct answer and provides recommendations to
optimize your cloud spending based on your usage patterns. The service provides insights and
cost management tools to help you monitor, allocate, and optimize your cloud costs.
Other options:
Reference: https://learn.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview
Question 5: Correct
Your organization has an on-premises infrastructure. The requirement from senior
management is to migrate everything to the cloud.
As an advisor, what would you recommend to deal with an unexpected Azure outage in a
Data Center / Availability Zone?
In the event of a failure, the Azure infrastructure (the Fabric Controller) reacts immediately
to restore services and infrastructure. For example, if a virtual machine (VM) fails due to a
hardware failure on the physical host, the Fabric Controller moves that VM to another
physical node based on the same hard disk stored in Azure storage. Azure is similarly capable
of coordinating upgrades and updates in such a way as to avoid service downtime.
For computing resources (such as cloud services, traditional IaaS VMs, VM scale sets), the
most important and fundamental concepts for enabling high availability are fault domains and
upgrade domains. These have been part of Azure since its inception.
Reference: https://azure.microsoft.com/en-us/blog/introducing-azure-availability-zones-for-resiliency-and-high-availability/
Question 6:
One of the teams in your company is looking for a solution for collecting, analyzing, and
potentially taking action based on the metric and logging data from your entire Azure
and on-premises environment.
Azure Logs
Azure Insights
Azure Monitor
Azure Advisor
Explanation
From the Official Azure Documentation:
Azure Monitor is a platform for collecting, analyzing, visualizing, and potentially taking
action based on the metric and logging data from your entire Azure and on-premises
environment.
The following diagram illustrates just how comprehensive Azure Monitor is.
On the left is a list of the sources of logging and metric data that can be collected at
every layer in your application architecture, from application to operating system and
network.
In the center, you can see how the logging and metric data is stored in central
repositories.
On the right, the data is used in a number of ways. You can view real-time and
historical performance across each layer of your architecture, or aggregated and
detailed information. The data is displayed at different levels for different audiences.
You can view high-level reports on the Azure Monitor Dashboard or create custom
views by using Power BI and Kusto queries.
Additionally, you can use the data to help you react to critical events in real time, through
alerts delivered to teams via SMS, email, and so on. Or you can use thresholds to trigger
autoscaling functionality to scale up or down to meet the demand.
Reference: https://docs.microsoft.com/en-ca/learn/modules/monitoring-fundamentals/2-identify-product-options
Question 7:
How does Defender for Cloud contribute to the security of Azure-native services?
By enforcing access controls on physical hardware.
By focusing solely on Azure App Service protection.
By natively integrating with Azure services to provide monitoring and
protection.
By automatically deploying Log Analytics agents to Azure machines.
Explanation
Defender for Cloud, being an Azure-native service, natively integrates with Azure services,
monitoring and protecting them without requiring additional deployment. This integration
enhances the security posture of Azure resources.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/9-describe-microsoft-defender-for-cloud
Question 8: Correct
Yes or No:
If you assign permissions to a resource group, all the resources inside it inherit these
permissions.
Yes
No
Explanation
Yes, it is true that if you assign certain permissions to a resource group, then all the resources
inside it inherit those permissions.
Generally, we add resources that share the same lifecycle to the same resource group so
you can easily deploy, update, and delete them as a group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resourcemanager/management/overview#resource-groups
Question 9:
Which of the following statements is accurate?
If you want to migrate a website that is hosted On-Prem presently to Azure, one of the clear
benefits is the Pay-As-You-Go Pricing that comes with Azure.
Azure Websites is offered in four tiers: Free, Shared (Preview), Basic and Standard.
Websites Shared (Preview): The price for the Shared tier during preview
is $0.013 per hour per website instance (~$10/month). This price reflects a 33%
preview discount.
Websites Basic and Standard: The Basic and Standard tiers offer multiple instance
sizes as well as scaling to meet changing capacity needs starting from $56 for a Basic
(Single Small instance) and $75 for a Standard (Single Small instance).
Answers:
Question 10:
Suppose the lead architect in your company has asked your team to implement a PaaS
based solution in Azure for a quick Proof-of-Concept (POC) to senior management.
One of your colleagues goes ahead and creates an Azure Logic App and an Azure Data
Factory instance.
Yes
No
Explanation
Azure Logic App and Azure Data Factory both fall under the PaaS (Platform as a Service)
category.
References:
https://azure.microsoft.com/en-us/overview/what-is-iaas/
https://azure.microsoft.com/en-us/overview/what-is-paas/
Question 11:
Is an internet connection necessary for using cloud computing?
Yes
No
Explanation
The answer is no. Cloud computing services can be used over the internet, but they can also
be used through private networks or dedicated connections, such as Azure ExpressRoute,
which provides a dedicated, private network connection between on-premises infrastructure
and Azure data centers. Some cloud services can also be accessed offline or through local
networks.
For example, Azure Stack is a hybrid cloud solution that allows you to use Azure services
on-premises, without an internet connection. This can be useful for organizations that have
limited or unreliable internet connectivity but still want to take advantage of the benefits of
cloud computing.
Similarly, some cloud providers offer edge computing solutions that allow you to run cloud
workloads on devices located at the edge of the network, such as in a factory or remote
location, without needing a constant internet connection.
In general, however, most cloud services do require an internet connection to access and use
them. This is because the underlying infrastructure and resources that support these services
are typically hosted in data centers that are connected to the internet.
Reference: https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-overview?view=azs-2206
Question 12:
Which of the following Azure storage solutions meets ALL the following requirements:
Explanation
From the official documentation:
Today's applications are required to be highly responsive and always online. To achieve low
latency and high availability, instances of these applications need to be deployed in
datacenters that are close to their users. Applications need to respond in real time to large
changes in usage at peak hours, store ever increasing volumes of data, and make this data
available to users in milliseconds.
Azure Cosmos DB is a great way to store unstructured and JSON data. Combined with Azure
Functions, Cosmos DB makes storing data quick and easy with much less code than required
for storing data in a relational database.
References:
https://docs.microsoft.com/en-us/azure/cosmos-db/introduction
https://docs.microsoft.com/en-us/azure/azure-functions/functions-integrate-store-unstructured-data-cosmosdb?tabs=csharp
Question 13:
How can you determine the estimated monthly cost of an Azure service or resource?
By using the Azure Pricing Calculator
By checking the current Azure Marketplace pricing
By contacting Microsoft customer support
By analyzing the usage data of the resource
Explanation
The Azure Pricing Calculator is a free tool that can be used to estimate the monthly cost of
Azure services and resources based on factors such as region, usage, and quantity. It allows
users to select specific Azure services and configurations and provides an estimated monthly
cost based on the chosen parameters.
Other options:
By contacting Microsoft customer support: This is because contacting Microsoft
customer support is not a reliable method to determine the estimated monthly cost of an
Azure service or resource.
By analyzing the usage data of the resource: This is because analyzing the usage data of a
resource can help in optimizing costs but it does not provide an estimated monthly cost.
By checking the current Azure Marketplace pricing: This is because checking the current
Azure Marketplace pricing does not necessarily provide the estimated monthly cost of a
particular service or resource.
Reference: https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/plan-manage-costs
Question 14:
Which of the following Azure Support Plans grants access to:
Professional Direct
Standard
Basic
Developer
Explanation
Look at the table below. Clearly, Professional Direct is the correct option.
It is the only option (last column) that fulfills all mentioned requirements.
Reference: https://azure.microsoft.com/en-us/support/plans/
Azure Cosmos DB
Azure App Service
Azure Functions
Azure Kubernetes
Explanation
From the official Azure docs:
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and
mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java,
Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows
and Linux-based environments.
It is also possible to scale apps on an enterprise grade platform:
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview
Question 16:
Which of the following affect costs in Azure? (Choose 2)
Location
Instance size
Availability Zone
Knowledge center usage
Explanation
According to the official docs:
The instance size and the location (e.g., US or Europe) affect the prices. The knowledge
center is completely free to use, and you aren't charged for an Availability Zone.
Reference: https://azure.microsoft.com/en-us/pricing/
Question 17:
One of the primary benefits of using an Azure Key Vault is ____________.
To see and stop threats before they cause harm
Key Management
Enforcing organizational standards and to assess compliance at-scale
Automatically masking sensitive information
Explanation
Enforcing organizational standards and to assess compliance at-scale - This is
done by Azure Policy.
To see and stop threats before they cause harm - This is done by Azure Sentinel.
Key Management - Azure Key Vault can be used as a Key Management solution. Azure
Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
Reference: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
The recommendations are available via the Azure portal and the API, and you can set up
notifications to alert you to new recommendations.
When you're in the Azure portal, the Advisor dashboard displays personalized
recommendations for all your subscriptions, and you can use filters to select
recommendations for specific subscriptions, resource groups, or services.
Reference: https://docs.microsoft.com/en-ca/learn/modules/monitoring-fundamentals/2-identify-product-options
Question 19:
What is the primary goal of the defense-in-depth model in cybersecurity?
To establish multiple layers of security controls to mitigate risks.
To create a single layer of security controls to prevent all threats.
To focus solely on physical security measures for data centers.
To outsource security responsibilities to third-party providers.
Explanation
The defense-in-depth model involves implementing a series of security layers, each providing
a different type of protection against threats. This approach minimizes the impact of a single
security breach by adding multiple lines of defense.
Reference: https://azure.microsoft.com/en-us/blog/microsoft-azures-defense-in-depth-approach-to-cloud-vulnerabilities/
Question 20:
What is the primary purpose of Microsoft Purview in Azure?
To provide a cloud-based development platform for building and deploying
applications.
To enable real-time analytics and monitoring for Azure resources.
To offer a suite of security services for protecting virtual machines.
To manage and govern data across on-premises, multi-cloud, and SaaS
environments.
Explanation
Microsoft Purview is designed to help organizations manage, discover, classify, and govern
data across a variety of sources, including on-premises, multi-cloud, and
software-as-a-service (SaaS) environments. It provides a unified data governance solution to ensure data
security, compliance, and data-driven insights.
Reference: https://azure.microsoft.com/en-ca/products/purview
Question 21:
Azure virtual machines (VMs) are classified as which of the following offerings?
Software-as-a-service (SaaS)
Platform-as-a-service (PaaS)
Infrastructure-as-a-service (IaaS)
Database-as-a-service (DaaS)
Explanation
According to the official Azure website, Azure VMs are classified as IaaS since you are
renting physical hardware. Refer to this image:
Question 22:
When should you scale out your deployment?
When you need a stronger CPU to make your application run faster
When you want to reduce the unused capacity of your system
When you need to reduce your cost of operation
When you need additional Virtual Machines / computers to speed up your
application
Explanation
Scale Out
A scale out operation is the equivalent of creating multiple copies of your web site and
adding a load balancer to distribute the demand between them. When you scale out a web site
in Azure, there is no need to configure load balancing separately since this is already
provided by the platform.
References: https://www.azurebarry.com/how-to-autoscale-azure-app-services-cloud-services/
Question 23:
Yes or No:
No
Yes
Explanation
Azure Storage always stores multiple copies of your data so that it is protected from planned
and unplanned events, including transient hardware failures, network or power outages, and
massive natural disasters. Redundancy ensures that your storage account meets the
Service-Level Agreement (SLA) for Azure Storage even in the face of failures.
See below:
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
Question 24:
You have managed an app that you developed and deployed On-Prem for a long time,
but would now like to move it to Azure and be relieved of all the manual administration
and maintenance. Which of the following buckets would be most suitable for your use
case?
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Database as a Service (DaaS)
Software as a Service (SaaS)
Explanation
Platform as a service (PaaS) is a complete development and deployment environment in the
cloud, with resources that enable you to deliver everything from simple cloud-based apps to
sophisticated, cloud-enabled enterprise applications. You purchase the resources you need
from a cloud service provider on a pay-as-you-go basis and access them over a secure
Internet connection.
PaaS allows you to avoid the expense and complexity of buying and managing software
licenses, the underlying application infrastructure and middleware, container
orchestrators such as Kubernetes, or the development tools and other resources. You
manage the applications and services you develop, and the cloud service provider
typically manages everything else.
References: https://docs.microsoft.com/en-us/azure/security/fundamentals/paas-applications-using-app-services
Question 25:
Which of the following services can help you:
Assign time-bound access to resources using start and end dates
Enforce multi-factor authentication to activate any role
Explanation
(IMPORTANT QUESTION)
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that
enables you to manage, control, and monitor access to important resources in your
organization. These resources include resources in Azure AD, Azure, and other Microsoft
Online Services like Office 365 or Microsoft Intune.
Reasons to use:
Organizations want to minimize the number of people who have access to secure information
or resources, because that reduces the chance of a malicious actor getting that access, or an
authorized user inadvertently impacting a sensitive resource. However, users still need to
carry out privileged operations in Azure AD, Azure, Office 365, or SaaS apps. Organizations
can give users just-in-time (JIT) privileged access to Azure resources and Azure AD. There
is a need for oversight for what those users are doing with their administrator privileges.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Reference: https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/6-describe-azure-management-infrastructure
The requirement is that only Platform as a Service (PaaS) solutions must be used in Azure.
Solution: To begin, you create an Azure App Service and Azure SQL databases.
Yes
No
Explanation
Please always remember - Azure App Service and Azure SQL Databases are both PaaS
services!
Azure App Service - Allows us to quickly build, deploy, and scale web apps created with
popular frameworks such as .NET, .NET Core, Node.js, Java, PHP, Ruby, or Python, in
containers or running on any operating system. It offers rigorous, enterprise-grade
performance, security, and compliance requirements by using the fully managed platform for
your operational and monitoring tasks.
Reference: https://azure.microsoft.com/en-in/services/app-service/
Azure SQL Database - Microsoft Azure SQL Database is a managed cloud database
provided as a part of Microsoft Azure. A cloud database is a database that runs on a cloud
computing platform, and access to it is provided as a service. Managed database services take
care of scalability, backup, and high availability of the database.
Reference: https://azure.microsoft.com/en-in/services/sql-database/
Please refer to the image below, and make sure you remember it properly. A lot of the
questions in the exam can be answered using this image alone:
Question 28: Correct
What is the primary purpose of Microsoft Defender for Cloud?
To provide network segmentation for virtual machines.
To provide a physical security layer for computing hardware.
To monitor security posture and protect against threats in cloud, on-premises,
hybrid, and multi-cloud environments.
To automate the deployment of virtual machines in the cloud.
Explanation
From the official Microsoft documentation:
Defender for Cloud is a monitoring tool for security posture management and threat
protection. It monitors your cloud, on-premises, hybrid, and multi-cloud environments to
provide guidance and notifications aimed at strengthening your security posture.
Defender for Cloud provides the tools needed to harden your resources, track your security
posture, protect against cyber attacks, and streamline security management. Deployment of
Defender for Cloud is easy, it’s already natively integrated to Azure.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/9-describe-microsoft-defender-for-cloud
Question 29:
________________ is the mission-critical cloud, delivering breakthrough innovation to
US government customers and their partners. Only US federal, state, local, and tribal
governments and their partners have access to this dedicated instance, with operations
controlled by screened US citizens.
Azure Nation
Azure US
Azure Government
Azure United States
Explanation
From the official docs:
Reference: https:///en-us/global-infrastructure/government/get-started/
Question 30:
You want to restrict access to certain Azure resources based on departmental
requirements within your organization. Which Azure feature would you use?
Management groups
Azure Active Directory
Resource groups
Subscriptions
Explanation
In this scenario, you would use subscriptions to restrict access to certain Azure resources
based on departmental requirements. Subscriptions can be used to apply different
access-management policies, reflecting different organizational structures. Azure applies
access-management policies at the subscription level, which allows you to manage and control
access to the resources that users provision within specific subscriptions.
Other options -
Resource groups: Resource groups are primarily used to organize resources that are
related to the same project or have the same lifecycle. They are not specifically
designed for access control based on departmental requirements.
Management groups: Management groups are used to efficiently manage access,
policies, and compliance for multiple subscriptions, providing a level of scope above
subscriptions. They are more suitable for large-scale governance rather than
restricting access based on departmental requirements.
Azure Active Directory: While Azure Active Directory (Azure AD) is responsible
for handling authentication and authorization, it alone cannot restrict access to certain
Azure resources based on departmental requirements. Instead, Azure AD is used in
conjunction with other features like subscriptions to control access.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/6-describe-azure-management-infrastructure
Other Options:
Azure SQL Database is a database service and not suitable for sharing files among
multiple virtual machines.
Azure Virtual Network is a networking service and not suitable for file sharing.
Azure App Service is a platform for hosting web applications and not suitable for file
sharing.
Reference: https://azure.microsoft.com/en-us/products/storage/files/
Question 32:
Yes or No:
We get total control of the underlying Operating System when working with Platform
As a Service (PaaS) solutions.
Yes
No
Explanation
From the official Azure documentation:
PaaS allows you to avoid the expense and complexity of buying and managing software
licenses, the underlying application infrastructure and middleware, container orchestrators
such as Kubernetes, or the development tools and other resources. You manage the
applications and services you develop, and the cloud service provider typically manages
everything else.
Reference: https://azure.microsoft.com/en-us/overview/what-is-paas/
Question 33:
Which of the following is a serverless solution that allows you to write less code,
maintain less infrastructure, and save on costs?
Azure App Service
Azure DevOps
Azure Logic Apps
Azure Functions
Explanation
Azure Functions allows you to run small pieces of code (called "functions") without
worrying about application infrastructure. With Azure Functions, the cloud infrastructure
provides all the up-to-date servers you need to keep your application running at scale.
Reference: https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview
Question 34:
When assigning Azure role-based access control (Azure RBAC) at the management
group level, which of the following occurs?
Permissions are assigned individually for each subscription under the
management group.
Permissions apply only to the resources within the management group.
Permissions are inherited by all sub-management groups, subscriptions,
resource groups, and resources under the management group.
Permissions are restricted to the management group level only.
Explanation
Permissions are inherited by all sub-management groups, subscriptions, resource groups, and
resources under the management group.
When you assign Azure role-based access control (Azure RBAC) at the management group
level, the permissions are inherited by all sub-management groups, subscriptions, resource
groups, and resources under the management group. This approach simplifies access
management and helps maintain consistency across the organization.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/6-describe-azure-management-infrastructure
Solution: You deploy the virtual machines to two or more Availability Zones.
Yes
No
Explanation
Absolutely! The answer is in the question itself. If one data center goes down, we can make
sure our VM is still running in another data center! This is the entire concept of fault
tolerance - Make sure you have enough backups to prevent downtime.
Availability Zones -
An Availability Zone is a high-availability offering that protects your applications and data
from datacenter failures. Availability Zones are unique physical locations within an Azure
region. Each zone is made up of one or more datacenters equipped with independent power,
cooling, and networking (VERY IMPORTANT PLEASE NOTE).
To ensure resiliency, there's a minimum of three separate zones in all enabled regions. The
physical separation of Availability Zones within a region protects applications and data from
datacenter failures. Zone-redundant services replicate your applications and data across
Availability Zones to protect from single-points-of-failure. With Availability Zones, Azure
offers industry best 99.99% VM uptime SLA.
Azure services that support Availability Zones fall into two categories:
1) Zonal services – where a resource is pinned to a specific zone (for example, virtual
machines, managed disks, Standard IP addresses), or
Reference: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
No
Yes
Explanation
From the official documentation:
Resources from multiple different regions can be placed in a resource group. The resource
group only contains metadata about the resources it contains.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview
Question 37:
Which of the following is an accurate description of Azure ExpressRoute?
A service that provides dedicated, private network connectivity between your
on-premises infrastructure and Azure datacenters.
A service that allows you to connect your on-premises infrastructure to Azure
over the public internet.
A service that enables you to manage and monitor Azure resources from a single,
unified dashboard.
A service that provides backup and disaster recovery solutions for Azure
resources.
Explanation
Azure ExpressRoute is a service that provides dedicated, private network connectivity
between your on-premises infrastructure and Azure datacenters. This allows you to extend
your on-premises network into Azure, providing a more secure and reliable connection than
the public internet.
A service that allows you to connect your on-premises infrastructure to Azure
over the public internet: This is incorrect because Azure ExpressRoute does not use the
public internet for connectivity. Instead, it provides a private, dedicated connection.
A service that provides backup and disaster recovery solutions for Azure
resources: This is incorrect because Azure ExpressRoute is not specifically designed for
backup and disaster recovery. While it can be used in conjunction with these
solutions, it is primarily used for private connectivity.
A service that enables you to manage and monitor Azure resources from a single,
unified dashboard: This is incorrect because Azure ExpressRoute is not a management or
monitoring tool for Azure resources. It is a connectivity service that enables you to
extend your on-premises network into Azure.
Reference: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction
When you create a resource group, you need to provide a location for that resource
group.
Yes
No
Explanation
From the official Azure docs:
When you create a resource group, you need to provide a location for that resource
group.
You may be wondering, "Why does a resource group need a location? And, if the resources
can have different locations than the resource group, why does the resource group location
matter at all?"
The resource group stores metadata about the resources. When you specify a location for the
resource group, you're specifying where that metadata is stored. For compliance reasons, you
may need to ensure that your data is stored in a particular region.
Question 39:
When you as a consumer are implementing a Software as a Service (SaaS) solution, you are
responsible for configuring high availability.
Review the bolded text. If the statement is already correct, select "No change is needed". If
the statement is incorrect, choose the option below that would make the statement correct.
No change is needed
Creating a resource group
Installing the SaaS solution
Configuring the SaaS solution
Explanation
Software as a service (SaaS) allows users to connect to and use cloud-based apps over the
Internet. Common examples are email, calendaring, and office tools (such as Microsoft
Office 365).
SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from
a cloud service provider. You rent the use of an app for your organization, and your users
connect to it over the Internet, usually with a web browser. All of the underlying
infrastructure, middleware, app software, and app data are located in the service provider’s
data center. The service provider manages the hardware and software, and with the
appropriate service agreement, will ensure the availability and the security of the app and
your data as well. SaaS allows your organization to get quickly up and running with an app at
minimal upfront cost.
If you’ve used a web-based email service such as Outlook, Hotmail, or Yahoo! Mail, then
you’ve already used a form of SaaS. With these services, you log into your account over the
Internet, often from a web browser. The email software is located on the service provider’s
network, and your messages are stored there as well. You can access your email and stored
messages from a web browser on any computer or Internet-connected device.
The previous examples are free services for personal use. For organizational use, you can rent
productivity apps, such as email, collaboration, and calendaring; and sophisticated business
applications such as customer relationship management (CRM), enterprise resource planning
(ERP), and document management. You pay for the use of these apps by subscription or
according to the level of use.
Reference : https://azure.microsoft.com/en-us/overview/what-is-saas/
Question 40:
Yes or No:
No
Yes
Explanation
It is important to note that data inbound (ingress) is FREE, but data outbound (egress)
is NOT FREE.
Look at the following details from the official documentation:
Reference: https://azure.microsoft.com/en-us/pricing/details/bandwidth/
Question 41:
Which of the following services allows you to send events generated from Azure
resources to applications?
Azure Event Hub
Azure Cognitive Services
Azure App Service
Azure Event Grid
Explanation
A summary from the official Azure documentation:
Reference : https://docs.microsoft.com/en-us/azure/event-grid/overview
Question 42:
You can significantly reduce costs (up to 72%) as compared to pay-as-you-go pricing
by _______________.
Using Reserved Instances
Using the free tier
Provisioning a lot of resources
Not using a lot of resources
Explanation
You can significantly reduce costs, up to 72 percent compared to pay-as-you-go prices, with
one-year or three-year terms on Windows and Linux virtual machines (VMs). When you
combine the cost savings gained from Azure RIs (reserved instances) with the added value
of the Azure Hybrid Benefit, you can save up to 80 percent.
It is possible to lower your total cost of ownership by combining Azure Reserved Instances
with pay-as-you-go prices to manage costs across predictable and variable workloads. In
many cases, you can further reduce your costs with reserved instance size flexibility.
Reference : https://azure.microsoft.com/en-us/pricing/reserved-vm-instances/
Question 43:
Yes or No: Permissions are by default inherited by all resources residing in a resource
group.
No
Yes
Explanation
From the official docs:
A resource group can be used to scope access control for administrative actions. By default,
permissions set at the resource level are inherited by the resources in the resource group.
More info about resources :
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview
Question 44:
Power BI can access infrequently used data from which of the following?
Azure DataLake
Azure PostgreSQL
Azure SQL Data Warehouse
Azure Cosmos DB
Explanation
Azure DataLake and Azure SQL Data Warehouse are the correct options:
Reference: https://powerbi.microsoft.com/fr-fr/blog/power-bi-dataflows-and-azure-data-lake-storage-gen2-integration-preview/
Question 45:
What is the present maximum capacity for storage accounts?
750 TiB
2 PiB
400 TB
5 PiB
Explanation
Referring to the official Azure docs again:
*These might change with time so if you feel it has changed, inform me through message or
in the Q/A section, I'll highly appreciate it :)
Reference: https://docs.microsoft.com/en-us/azure/storage/common/scalability-targets-standard-account
Question 46:
When computing and processing demand increases beyond an on-premises datacenter’s
capabilities, businesses can easily use the ___________ cloud to instantly scale capacity
up or down to handle excess capacity.
Public
Private
Explanation
From the official docs:
Reference: https://azure.microsoft.com/en-gb/overview/what-is-hybrid-cloud-computing/
Question 47:
You have dozens of Virtual Machines (VM) hosted in Azure. The lead architect has
asked for your suggestions to migrate all the VMs to an Azure pay-as-you-go
subscription. Which expenditure model would apply to the stated requirement?
Operational
Scalable
Fault Tolerant
Capital
Explanation
Fault Tolerant and Scalable are wrong answers because such payment models don't exist.
Capital expenditure is also incorrect since we aren't going to be paying anything up front.
Operational makes the most sense since it means 'pay as you go', i.e. paying only for what
you consume and nothing else.
Pay-As-You-Go
This offer is billed at the standard Pay-As-You-Go rates, except as otherwise specified.
You will be notified through email at least 30 days in advance of any changes to the Pay-As-
You-Go rates. New services may be added periodically to the Azure platform. Azure will
notify you in advance of these new services and any fees that might be charged for using
them. However, you would only be charged if you elect to use the new services.
Any taxes which may result from receiving services at no charge are the sole responsibility of
the recipient.
Reference : https://azure.microsoft.com/en-us/offers/ms-azr-0003p/
Question 48:
Which of the following services can automatically sign users in when they are on their
corporate devices & connected to your corporate network?
Azure Sentinel
Password Auth
Multi-Factor Authentication (MFA)
Single-Sign-On (SSO)
Explanation
From the official documentation: Azure Active Directory Seamless Single Sign-On (Azure
AD Seamless SSO) automatically signs users in when they are on their corporate devices
connected to your corporate network. When enabled, users don't need to type in their
passwords to sign in to Azure AD, and usually, even type in their usernames. This feature
provides your users easy access to your cloud-based applications without needing any
additional on-premises components.
With single sign-on, users sign in once with one account to access domain-joined devices,
company resources, software as a service (SaaS) applications, and web applications. After
signing in, the user can launch applications from the Office 365 portal or the Azure AD
MyApps access panel. Administrators can centralize user account management, and
automatically add or remove user access to applications based on group membership.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
Question 49:
A hacker group recently attacked your video streaming website and all your resources
were exhausted and unavailable to your users. What can you do to prevent this type of
attack in the future?
Use Azure DDoS protection
Use Azure Virtual Networks
Use an Azure Firewall
Use a Network Security Group
Explanation
Azure has two DDoS service offerings that provide protection from network attacks (Layer 3
and 4): DDoS Protection Basic and DDoS Protection Standard.
Basic protection is integrated into Azure by default at no additional cost. The scale and
capacity of the globally deployed Azure network provides defense against common network-
layer attacks through always-on traffic monitoring and real-time mitigation. DDoS Protection
Basic requires no user configuration or application changes. DDoS Protection Basic helps
protect all Azure services, including PaaS services like Azure DNS.
Basic DDoS protection in Azure consists of both software and hardware components. A
software control plane decides when, where, and what type of traffic should be steered
through hardware appliances that analyze and remove attack traffic. The control plane makes
this decision based on an infrastructure-wide DDoS Protection policy. This policy is statically
set and universally applied to all Azure customers.
For example, the DDoS Protection policy specifies at what traffic volume the protection
should be triggered. (That is, the tenant’s traffic should be routed through scrubbing
appliances.) The policy then specifies how the scrubbing appliances should mitigate the
attack.
The Azure DDoS Protection Basic service is targeted at protection of the infrastructure and
protection of the Azure platform. It mitigates traffic when it exceeds a rate that is so
significant that it might affect multiple customers in a multitenant environment. It doesn’t
provide alerting or per-customer customized policies.
Standard protection provides enhanced DDoS mitigation features. It's automatically tuned to
help protect your specific Azure resources in a virtual network. Protection is simple to enable
on any new or existing virtual network, and it requires no application or resource changes. It
has several advantages over the basic service, including logging, alerting, and telemetry. The
following sections outline the key features of the Azure DDoS Protection Standard service.
Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices
Question 50:
True or False: Resources don't inherit the tags you apply to a resource group or a
subscription.
True
False
Explanation
From the official docs :
Yes, this is true. Resources don't inherit the tags you apply to a resource group or a
subscription. To apply tags from a subscription or resource group to the resources, see Azure
Policies - tags.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#tag-resource-groups
Question 51:
Yes or no?
No
Yes
Explanation
No, according to the official documentation, Tags CANNOT be applied to all resource types.
See below:
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate
tasks, business processes, and workflows when you need to integrate apps, data, systems, and
services across enterprises or organizations. Logic Apps simplifies how you design and build
scalable solutions for app integration, data integration, system integration, enterprise
application integration (EAI), and business-to-business (B2B) communication, whether in the
cloud, on premises, or both.
For example, here are just a few workloads you can automate with logic apps:
-> Process and route orders across on-premises systems and cloud services.
-> Send email notifications with Office 365 when events happen in various systems, apps,
and services.
-> Move uploaded files from an SFTP or FTP server to Azure Storage.
-> Monitor tweets for a specific subject, analyze the sentiment, and create alerts or tasks for
items that need review.
An example of a flow:
References: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview
Question 53:
Yes or No:
Your company has explored some of the services in Azure Public preview. One of the
architects working in your team has advised to deploy mission critical
services/applications to these services. Are they correct?
No
Yes
Explanation
According to the official documentation, it is important to note that the services offered in
public preview are excluded from the Service Level Agreements (SLAs). It is therefore
not a good idea to deploy production environments on resources/services that are in
preview (public or private).
Reference : https://azure.microsoft.com/en-ca/support/legal/preview-supplemental-terms/
One of the definitions of the Hybrid cloud model is to use multiple Public Clouds in
conjunction with a Private Cloud.
Yes
No
Explanation
From the official docs:
Reference: https://azure.microsoft.com/en-gb/overview/what-is-hybrid-cloud-computing/
Question 55:
Which of the following is a distributed network of servers that can efficiently deliver
web content to users?
Azure Virtual Network
Azure Logic Apps
Azure Application Gateway
Azure Content Delivery Network
Explanation
According to the official docs, a Content Delivery Network (CDN) is a distributed
network of servers that can efficiently deliver web content to users. CDNs store cached
content on edge servers in point-of-presence (POP) locations that are close to end users, to
minimize latency.
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly
delivering high-bandwidth content to users by caching their content at strategically placed
physical nodes across the world. Azure CDN can also accelerate dynamic content, which
cannot be cached, by leveraging various network optimizations using CDN POPs. For
example, route optimization to bypass Border Gateway Protocol (BGP).
Reference : https://docs.microsoft.com/en-us/azure/cdn/cdn-overview
No
Yes
Explanation
No! 1 resource = 1 resource group (very simple logic)
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups
Question 57:
What is the maximum number of management groups that can be supported in a single
directory?
10,000
20,000
5,000
1,000
Explanation
The maximum number of management groups that can be supported in a single directory
is 10,000. This allows for efficient management of access, policies, and compliance for a
large number of subscriptions in an organization.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/6-describe-azure-management-infrastructure
Question 58:
Which of the following factors can affect the availability of an Azure service under the
SLA?
Natural disasters
Network disruptions outside of Azure
Hardware or software failures within Azure
Planned maintenance activities
Explanation
The Service Level Agreement (SLA) for Azure services guarantees a certain level of
availability, which is expressed as a percentage of uptime over a specific period of time.
However, certain factors can affect the availability of an Azure service, even if it is covered
under the SLA.
Network disruptions outside of Azure, such as issues with your own internet service
provider (ISP), can impact your ability to connect to Azure services and can affect their
availability. However, these types of disruptions are outside of Microsoft's control, so they
are NOT considered in the Azure SLA.
Planned maintenance activities, which are performed to update or maintain Azure services,
can cause temporary downtime. However, Microsoft typically schedules maintenance
activities during off-peak hours to minimize their impact on availability.
Hardware or software failures within Azure can cause disruptions to service availability.
Microsoft implements measures to minimize the impact of these failures, such as redundancy
and failover mechanisms, but they can still occur.
Natural disasters, such as earthquakes or hurricanes, can also impact the availability of
Azure services, but this is outside of Microsoft's control.
Reference: https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?
Question 59:
What is the significance of implementing security controls at the "data" layer in the
defense-in-depth model?
It ensures the physical security of data storage.
It reduces the impact of denial of service (DoS) attacks.
It prevents network-based attacks against resources.
It protects sensitive data and ensures confidentiality, integrity, and availability.
Explanation
The "data" layer in the defense-in-depth model is responsible for controlling access to
business and customer data. It ensures that sensitive data is properly secured and complies
with regulatory requirements, ensuring its confidentiality, integrity, and availability.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/8-describe-defense-depth
Question 60:
Can you apply a read-only lock to an Azure resource that already has a delete lock
applied to it?
Yes, but only by the owner of the subscription
No, a delete lock overrides all other locks and prevents any modifications or
deletions
No, but a read-only lock can be temporarily disabled to make modifications
Explanation
As an administrator, you can lock an Azure subscription, resource group, or resource to
protect them from accidental user deletions and modifications. The lock overrides any user
permissions.
You can set locks that prevent either deletions or modifications. In the portal, these locks are
called Delete and Read-only. In the command line, these locks are
called CanNotDelete and ReadOnly.
CanNotDelete means authorized users can read and modify a resource, but they can't
delete it.
ReadOnly means authorized users can read a resource, but they can't delete or update
it. Applying this lock is similar to restricting all authorized users to the permissions
that the Reader role provides.
Try this out in the Azure portal: you should be able to add a read-only lock to a resource
that already has a CanNotDelete lock!
Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
Question 61:
In the defense-in-depth model, what is the role of the "network" layer?
It limits communication between resources and enforces access controls.
It focuses on securing access to applications.
It ensures the physical security of computing hardware.
It secures access to virtual machines.
Explanation
The "network" layer in the defense-in-depth model is responsible for limiting communication
between resources, which helps prevent the spread of attacks. It enforces access controls to
ensure that only necessary communication occurs and reduces the risk of an attack affecting
other systems.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/8-describe-defense-depth
Question 62:
You've been asked by senior management to prepare a presentation describing not only
the benefits, but also the estimated cost savings you can realize by migrating your
workloads to Azure. As the lead architect, which service would you use for these
calculations?
Azure Advisor
Azure Monitor
Azure Cost Management
Azure TCO calculator
Explanation
For users wishing to adopt cloud services, Azure provides a web-based TCO Calculator. You
can use this calculator to estimate the costs of migrating your data and applications to
Azure and predict potential savings.
Reference: https://azure.microsoft.com/en-in/pricing/tco/calculator/
Question 63:
During live telecasts of football matches, streaming platforms sometimes experience
massive spikes in viewership and users visiting their websites when a goal is scored.
Which of the following would be beneficial to deal with such expected demand of
resources?
Virtual Machines
Containers
Kubernetes
Serverless Computing
Explanation
Serverless computing enables developers to build applications faster by eliminating the need
for them to manage infrastructure. With serverless applications, the cloud service provider
automatically provisions, scales, and manages the infrastructure required to run the code.
While understanding the definition of serverless computing, it’s important to note that servers
are still running the code. The serverless name comes from the fact that the tasks associated
with infrastructure provisioning and management are invisible to the developer. This
approach enables developers to increase their focus on the business logic and deliver more
value to the core of the business (IMPORTANT). Serverless computing helps teams
increase their productivity and bring products to market faster, and it allows organizations to
better optimize resources and stay focused on innovation.
Reference : https://azure.microsoft.com/en-us/overview/serverless-computing/
Question 64: Correct
Which of the following services provides a personalized view of the health of the Azure
services, regions, and resources you rely on?
Azure Resource Health
Azure Service Health
Azure Advisor
Azure Monitor
Explanation
From the Official Azure Documentation:
Azure Service Health provides a personalized view of the health of the Azure services,
regions, and resources you rely on. The status.azure.com website, which displays only major
issues that broadly affect Azure customers, doesn't provide the full picture. But Azure Service
Health displays both major and smaller, localized issues that affect you. Service issues are
rare, but it's important to be prepared for the unexpected. You can set up alerts that help you
triage outages and planned maintenance. After an outage, Service Health provides official
incident reports, called root cause analyses (RCAs), which you can share with stakeholders.
Reference: https://docs.microsoft.com/en-ca/learn/modules/monitoring-fundamentals/2-identify-product-options
https://docs.microsoft.com/en-us/office365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings
Question 66:
Which of the following can be used to manage your Azure Resources from an iPhone?
Windows PowerShell
Azure Mobile App
Azure CLI
Azure Cloud Shell
Azure Portal
Explanation
The Azure portal is the web-based portal for managing Azure. Being web-based, you can
use the Azure portal on an iPhone.
Azure Cloud Shell is a web-based command line for managing Azure. You access the Azure
Cloud Shell from the Azure portal. Being web-based, you can use the Azure Cloud Shell on
an iPhone.
Answers:
A: Azure CLI can be installed on macOS, but it cannot be installed on an iPhone.
References: http://www.deployazure.com/management/managing-azure-from-ipad/
Question 67:
Which of the following actions can help you reduce your Azure costs?
Reducing the amount of data transferred between Azure regions
Keeping all virtual machines running 24/7
Enabling automatic scaling for all virtual machines
Increasing the number of virtual machines deployed
Explanation
Reducing the amount of data transferred between Azure regions can help reduce costs by
minimizing data egress charges.
Other options:
Deploying more virtual machines: This can actually increase costs if they are not
utilized efficiently.
Enabling automatic scaling: This can help optimize resource usage and reduce costs,
but it depends on the specific workload and usage patterns.
Keeping virtual machines running 24/7: This can result in unnecessary costs,
especially if they are not utilized all the time. It is recommended to use automation to
start and stop VMs based on usage patterns.
Reference: https://learn.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview
Which of the following is an advantage of the Public Cloud that you'll realize thanks to
the migration?
Answers:
Resources are not shared with others, so higher levels of control and privacy are
possible - This is a characteristic of a Private Cloud.
Your organization can customize its cloud environment to meet specific business needs
- This is also a characteristic of a Private Cloud.
Peace of mind that Azure will send over hardware for you to store in your warehouse
- Azure stores all infrastructure on their end. You'd be storing hardware that you purchased
and incur CapEx in a Private cloud setup.
Reference: https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-are-private-public-hybrid-clouds/#overview
Question 69:
_________________ offers fully managed file shares in the cloud that are accessible via
the industry standard Server Message Block (SMB) protocol or Network File System
(NFS) protocol. This means it can be used to completely replace or supplement
traditional on-premises file servers or NAS devices.
Azure Files
Azure SQL Database
Azure Blob Storage
Azure Data Lake Storage
Explanation
From the official docs:
Azure Files is Microsoft's easy-to-use cloud file system. Azure file shares can be seamlessly
used in Windows and Windows Server. To use an Azure file share with Windows, you must
either mount it, which means assigning it a drive letter or mount point path, or access it via its
UNC path.
Unlike other SMB shares you may have interacted with, such as those hosted on a Windows
Server, Linux Samba server, or NAS device, Azure file shares do not currently support
Kerberos authentication with your Active Directory (AD) or Azure Active Directory (AAD)
identity.
Instead, you must access your Azure file share with the storage account key for the storage
account containing your Azure file share. A storage account key is an administrator key for a
storage account, including administrator permissions to all files and folders within the file
share you're accessing, and for all file shares and other storage resources (blobs, queues,
tables, etc) contained within your storage account.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
Question 70:
Which of the following services provides information about Azure service incidents,
planned maintenance and can notify you of issues via Email, SMS and push
notifications?
Azure Monitor
Azure Service Health
Azure Trust Portal
Azure Initiatives
Explanation
According to the official Azure docs:
Azure Service Health notifies you about Azure service incidents and planned maintenance
so you can take action to mitigate downtime. We can configure customizable cloud
alerts and use your personalized dashboard to analyze health issues, monitor the impact to
your cloud resources, get guidance and support, and share details and updates.
Reference : https://azure.microsoft.com/en-us/features/service-health/#features
Yes
No
Explanation
An Azure App Service is a PaaS (Platform as a Service) example so this is not an issue.
However, Azure Virtual machines fall under the category of IaaS (Infrastructure as a
Service) service since you're renting infrastructure. Therefore, we would disagree with this
decision.
References:
https://azure.microsoft.com/en-us/overview/what-is-paas/
https://azure.microsoft.com/en-us/overview/what-is-iaas/
Question 72: Correct
For industries that work with highly sensitive data, such as banking, finance,
government, and healthcare, ___________ cloud may be their best cloud option.
Public
Hybrid
Private
Explanation
From the official docs:
For industries that work with highly sensitive data, such as banking, finance, government,
and healthcare, hybrid may be their best cloud option. For example, some regulated industries
require certain types of data to be stored on-premises while allowing less sensitive data to be
stored on the cloud. In this kind of hybrid cloud architecture, organizations gain the flexibility
of the public cloud for less regulated computing tasks, while still meeting their industry
requirements.
Reference: https://azure.microsoft.com/en-gb/overview/what-is-hybrid-cloud-computing/
Question 73:
The ___________________ is a regulation in EU law on data protection and privacy in
the European Union and the European Economic Area.
American National Standards Institute (ANSI)
Center for Internet Security (CIS)
General Data Protection Regulation (GDPR)
International Organization for Standardization (ISO)
Explanation
The General Data Protection Regulation (GDPR) is a regulation in EU law on data
protection and privacy in the European Union and the European Economic Area. The GDPR
is an important component of EU privacy law and of human rights law, in particular Article 8
of the Charter of Fundamental Rights of the European Union.
Reference: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
You can set locks that prevent either deletions or modifications. In the portal, these locks are
called Delete and Read-only. In the command line, these locks are
called CanNotDelete and ReadOnly.
CanNotDelete means authorized users can read and modify a resource, but they can't
delete it.
ReadOnly means authorized users can read a resource, but they can't delete or update
it. Applying this lock is similar to restricting all authorized users to the permissions
that the Reader role provides.
Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
Yes
No
Explanation
From the Azure official docs:
Deleting the resource group will remove the resource group as well as all the resources in
that resource group. This can be useful for the management of resources. For example, a
virtual machine has several components (the VM itself, virtual disks, network adapter etc.).
By placing the VM in its own resource group, you can delete the VM along with all its
associated components by deleting the resource group.
Another example is when creating a test environment. You could place the entire test
environment (Network components, virtual machines etc.) in one resource group. You can
then delete the entire test environment by deleting the resource group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal
Question 76:
Yes or No:
It is possible to deploy Azure resources through a Tablet by using Bash in the Azure
Cloud Shell.
No
Yes
Explanation
From the official docs:
With the public cloud, you get pay-as-you-go pricing and you pay only for what you use, no
CapEx costs are involved.
With the public cloud, you have self-service management. You are responsible for the
deployment and configuration of the cloud resources such as virtual machines or web sites.
The underlying hardware that hosts the cloud resources is managed by the cloud provider.
Answers:
Hardware must be purchased for start-up and maintenance - You don't have to purchase
any hardware on the public cloud. The underlying hardware is shared so you could have
multiple customers using cloud resources hosted on the same physical hardware. Moreover,
this is a characteristic of the private cloud.
References: https://docs.microsoft.com/en-gb/learn/modules/principles-cloud-computing/4-cloud-deployment-models
Question 78:
Which of the following services would help you achieve the following:
2) Provide high availability and application resiliency by distributing VMs across availability
zones
For all Virtual Machines that have two or more instances deployed across two or more
Availability Zones in the same Azure region, we guarantee you will have Virtual
Machine Connectivity to at least one instance at least 99.99% of the time.
For all Virtual Machines that have two or more instances deployed in the same
Availability Set or in the same Dedicated Host Group, we guarantee you will have
Virtual Machine Connectivity to at least one instance at least 99.95% of the time.
For any Single Instance Virtual Machine using Premium SSD or Ultra Disk for all
Operating System Disks and Data Disks, we guarantee you will have Virtual Machine
Connectivity of at least 99.9%.
For any Single Instance Virtual Machine using Standard SSD Managed Disks for
Operating System Disk and Data Disks, we guarantee you will have Virtual Machine
Connectivity of at least 99.5%.
For any Single Instance Virtual Machine using Standard HDD Managed Disks for
Operating System Disks and Data Disks, we guarantee you will have Virtual Machine
Connectivity of at least 95%.
Reference: https://www.azure.cn/en-us/support/sla/virtual-machines/
Question 80:
Which of the following factors influence the cost of Azure resources? (Select all that
apply)
Consumption
Geography
Maintenance
Resource type
Explanation
The correct answers are - Resource type, Consumption, and Geography. These factors
influence the cost of Azure resources. Maintenance, on the other hand, is an important aspect
of managing resources to control costs but does not directly influence the cost of the
resources themselves.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure
Question 8: Incorrect
For industries that work with highly sensitive data, such as banking, finance,
government, and healthcare, ___________ cloud may be their best cloud option.
Public
Hybrid
Private
Explanation
From the official docs:
For industries that work with highly sensitive data, such as banking, finance, government,
and healthcare, hybrid may be their best cloud option. For example, some regulated industries
require certain types of data to be stored on-premises while allowing less sensitive data to be
stored on the cloud. In this kind of hybrid cloud architecture, organizations gain the flexibility
of the public cloud for less regulated computing tasks, while still meeting their industry
requirements.
Reference: https://azure.microsoft.com/en-gb/overview/what-is-hybrid-cloud-computing/
Question 49: Incorrect
_________________ offers fully managed file shares in the cloud that are accessible via
the industry standard Server Message Block (SMB) protocol or Network File System
(NFS) protocol. This means it can be used to completely replace or supplement
traditional on-premises file servers or NAS devices.
Azure Data Lake Storage
Azure Blob Storage
Azure Files
Azure SQL Database
Explanation
From the official docs:
Azure Files is Microsoft's easy-to-use cloud file system. Azure file shares can be seamlessly
used in Windows and Windows Server. To use an Azure file share with Windows, you must
either mount it, which means assigning it a drive letter or mount point path, or access it via its
UNC path.
Unlike other SMB shares you may have interacted with, such as those hosted on a Windows
Server, Linux Samba server, or NAS device, Azure file shares do not currently support
Kerberos authentication with your Active Directory (AD) or Azure Active Directory (AAD)
identity.
Instead, you must access your Azure file share with the storage account key for the storage
account containing your Azure file share. A storage account key is an administrator key for a
storage account, including administrator permissions to all files and folders within the file
share you're accessing, and for all file shares and other storage resources (blobs, queues,
tables, etc) contained within your storage account.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
Practice Test 2
Question 1: Correct
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy
Question 2:
Skipped
If you want to raise the limit or quota above the default limit, _____________________
define a blueprint in Azure Blueprint to implement this change
Upgrade your support plan
create an Azure policy defining this increase but it will be charged.
open an online customer support request at no charge.
Explanation
If you want to raise the limit or quota above the default limit, you can open an online
customer support request at no charge.
Reference: https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits
Question 3: Correct
To compare the costs of running on-premises and Azure Cloud infrastructure - This
option is incorrect because this function is performed by the Total Cost of Ownership (TCO)
Calculator, not the Pricing Calculator.
To provision resources in Azure - This option is incorrect because the Pricing Calculator
does not provision resources; it only provides cost estimates for resources. To provision
resources, you would use the Azure Portal or other management tools.
To manage the billing of your Azure account - This option is incorrect because the Pricing
Calculator does not manage billing. It only provides cost estimates for resources. To manage
billing, you would use the Azure Cost Management and Billing tools.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators
Question 4:
True or False:
An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A
subscription trusts Azure AD to authenticate users, services, and devices.
Multiple subscriptions can trust the same Azure AD directory. Each subscription can
only trust a single directory.
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Question 5:
True or False:
A Platform as a Service (PaaS) solution that has already been deployed cannot be scaled
up or out without re-deploying it.
True
False
Explanation
You can always scale your PaaS solution up (increase the memory) or out (add more
instances) without re-deployment.
The very beauty of PaaS is that it allows you to avoid the expense and complexity of buying
and managing software licences, the underlying application infrastructure and middleware,
container orchestrators such as Kubernetes or the development tools and other resources. You
manage the applications and services that you develop, and the cloud service provider
typically manages everything else.
Reference: https://azure.microsoft.com/en-gb/overview/what-is-paas/
Question 6: Correct
The Azure ________ is a fully managed Platform as a Service (PaaS) that provides a
runtime environment for hosting, deploying, and scaling applications.
Azure Advisor
Azure App Service
Azure Logic Apps
Azure Front Door
Explanation
The Azure App Service is the correct answer and is a fully managed Platform as a Service
(PaaS) that provides a runtime environment for hosting, deploying, and scaling applications.
Azure App Service supports a variety of programming languages, including .NET, Java,
Node.js, Python, and PHP, among others. It also provides built-in support for popular content
management systems like WordPress and Drupal, and integrates with Azure DevOps for
streamlined deployment and continuous integration/continuous deployment (CI/CD).
Other Options:
Azure Logic Apps is designed more for workflow automation and integration, and
does not provide a runtime environment for hosting and deploying applications. While
it is possible to use Azure Logic Apps to trigger actions in response to events in Azure
App Service (for example, deploying a new version of an application), it is not a
direct replacement for Azure App Service.
While Azure Advisor is a valuable tool for optimizing Azure resources, it is not a fully
managed Platform as a Service (PaaS) like Azure App Service. Azure Advisor does
not provide a runtime environment for hosting, deploying, and scaling applications,
and it does not support a variety of programming languages.
While Azure Front Door is a useful service for load balancing and routing traffic, it is not a
fully managed Platform as a Service (PaaS) like Azure App Service. Azure Front
Door does not provide a runtime environment for hosting, deploying, and scaling
applications, and it does not support a variety of programming languages.
Reference: https://learn.microsoft.com/en-us/azure/app-service/overview
Question 7: Incorrect
Suppose the lead architect in your company has asked your team to implement a PaaS
based solution in Azure for a quick Proof-of-Concept (POC) to senior management.
One of your colleagues goes ahead and creates an Azure SQL Database and an Azure
Load Balancer.
Yes
No
Explanation
Tricky question!
References: https://azure.microsoft.com/en-us/overview/what-is-paas/
https://docs.microsoft.com/en-us/answers/questions/221143/azure-storage-account-is-iaas-or-paas.html
Question 8: Correct
Which of the following requires the greatest security effort on your part?
Software as a service (SaaS)
Database as a service (DaaS)
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Explanation
IaaS (Infrastructure as a Service) is, in effect, where a cloud provider hosts the
infrastructure components traditionally present in an on-premises data center including
servers (operating systems), storage and networking hardware as well as the virtualization or
hypervisor layer.
From a security perspective, this offering is probably the closest to traditional in-house IT
infrastructure (indeed, many companies will effectively move existing server payloads to
IaaS either partially or completely, resulting in a hybrid solution), and it will require many of
the same security tools as a result.
Reference: https://www.tripwire.com/state-of-security/security-data-protection/cloud/secure-configuration-cloud-iaas-paas-saas/
Question 9: Correct
Your compliance team has contacted you and stated that a certain VM running a
mission critical database (with confidential data) should not be able to connect to other
applications and VMs. How would you accomplish this?
No need to do anything as a VM cannot communicate with other services.
Deploy the VM to a certain subnet and restrict traffic using a Network Security
Group (NSG).
Deploy the VM to a brand new resource group
Use an Azure Load Balancer
Explanation
Azure Virtual Network (VNet) is the fundamental building block for your private network
in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines
(VM), to securely communicate with each other, the internet, and on-premises networks.
VNet is similar to a traditional network that you'd operate in your own data center, but brings
with it additional benefits of Azure's infrastructure such as scale, availability, and isolation.
Subnets: Subnets enable you to segment the virtual network into one or more sub-networks
and allocate a portion of the virtual network's address space to each subnet. You can then
deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow
you to segment your VNet address space into segments that are appropriate for the
organization's internal network. This also improves address allocation efficiency. You can
secure resources within subnets using Network Security Groups. For more information,
see Security groups.
You can filter network traffic between subnets using either or both of the following options:
1) Security groups: Network security groups and application security groups can contain
multiple inbound and outbound security rules that enable you to filter traffic to and from
resources by source and destination IP address, port, and protocol. To learn more,
see Network security groups or Application security groups.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Question 10: Incorrect
Yes or No:
Azure HDInsight is an example of a Software as a Service (SaaS) offering.
No
Yes
Explanation
No, Azure HDInsight is a PaaS offering.
Run popular open-source frameworks—including Apache Hadoop, Spark, Hive, Kafka, and
more—using Azure HDInsight, a customizable, enterprise-grade service for open-source
analytics. Effortlessly process massive amounts of data and get all the benefits of the broad
open-source project ecosystem with the global scale of Azure. Easily migrate your big data
workloads and processing to the cloud.
References: https://azure.microsoft.com/en-us/services/hdinsight/#features
Question 11: Correct
In which of the following scenarios would an IaaS deployment make the most sense?
For finance and expense tracking
For analytics or business intelligence
For a lift-and-shift migration
For setting a development framework
Explanation
From the official docs: Infrastructure as a service (IaaS) is the most flexible category of
cloud services, as it provides you the maximum amount of control for your cloud resources.
In an IaaS model, the cloud provider is responsible for maintaining the hardware, network
connectivity (to the internet), and physical security. You’re responsible for everything else:
operating system installation, configuration, and maintenance; network configuration;
database and storage configuration; and so on. With IaaS, you’re essentially renting the
hardware in a cloud datacenter, but what you do with that hardware is up to you.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/2-describe-infrastructure-service
Question 12: Correct
Other options -
By the number of users: While the number of users may affect the overall amount of
network traffic, the cost is not directly determined by the number of users. Instead, it is
determined by the amount of data transferred and the geographical zones involved.
By resource type: The cost of network traffic is related to the amount of data transferred and
the zones involved, not the specific Azure resources being used. While the type of resources
may have an impact on the amount of data transferred, the cost of network traffic itself is not
directly influenced by the resource type.
By the type of subscription: The type of subscription may affect the overall cost of Azure
services, including usage allowances, but it doesn't directly determine the cost of network
traffic. Network traffic costs are determined by the amount of data transferred and the
geographical zones involved.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure
Question 13: Incorrect
Which of the following can you use to filter traffic to and from an Azure Virtual
Network?
Azure DDoS Protection
Azure Firewall
Azure Network Security Group
Azure Advanced Threat Protection (ATP)
Explanation
You can use an Azure network security group to filter network traffic to and from Azure
resources in an Azure virtual network. A network security group contains security rules that
allow or deny inbound network traffic to, or outbound network traffic from, several types of
Azure resources.
For each rule, you can specify source and destination, port, and protocol. This article
describes properties of a network security group rule, the default security rules that are
applied, and the rule properties that you can modify to create an augmented security rule.
Reference : https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Question 14: Correct
True or False:
Azure Active Directory can restrict access attempts to only those coming from known
devices.
True
False
Explanation
From the Official Azure Documentation:
Azure AD provides services such as:
Authentication
This includes verifying identity to access applications and resources. It also includes
providing functionality such as self-service password reset, multifactor authentication,
a custom list of banned passwords, and smart lockout services.
Single sign-on
SSO enables you to remember only one username and one password to access
multiple applications. A single identity is tied to a user, which simplifies the security
model. As users change roles or leave an organization, access modifications are tied
to that identity, which greatly reduces the effort needed to change or disable accounts.
Application management
You can manage your cloud and on-premises apps by using Azure AD. Features like
Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and
single sign-on provide a better user experience.
Device management
Along with accounts for individual people, Azure AD supports the registration of
devices. Registration enables devices to be managed through tools like Microsoft
Intune. It also allows for device-based Conditional Access policies to restrict access
attempts to only those coming from known devices, regardless of the requesting user
account.
Reference: https://docs.microsoft.com/en-ca/learn/modules/secure-access-azure-identity-services/3-what-is-azure-active-directory
A startup has deployed a set of Virtual Machines which are critical for their day-to-day
operations. They need to ensure their availability even if a single data center goes down.
One of their interns has suggested that deploying the VMs through a Scale Set would
solve the problem. Do you agree?
Yes
No
Explanation
This answer does not specify that the scale set will be configured across multiple data centers
so this solution does not meet the goal.
Azure virtual machine scale sets let you create and manage a group of load balanced VMs.
The number of VM instances can automatically increase or decrease in response to demand
or a defined schedule. Scale sets provide high availability to your applications, and allow you
to centrally manage, configure, and update many VMs.
Virtual machines in a scale set can be deployed across multiple update domains and fault
domains to maximize availability and resilience to outages due to data center outages, and
planned or unplanned maintenance events.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/availability
Question 16: Incorrect
Which of the following would you use if you want to keep track of the performance or
issues related to your specific VM or container instances, databases, your applications?
Azure Service Health
Azure Advisor
Azure Monitor
Azure Sentinel
Explanation
From the Official Azure Documentation:
If you want to keep track of the performance or issues related to your specific VM or
container instances, databases, your applications, and so on, you want to visit Azure Monitor
and create reports and notifications to help you understand how your services are performing
or diagnose issues related to your Azure usage.
Reference: https://docs.microsoft.com/en-ca/learn/modules/monitoring-fundamentals/3-analyze-decision-criteria
Question 17: Correct
A startup has deployed a set of Virtual Machines which are critical for their day-to-day
operations. They need to ensure their availability even if a single data center goes down.
One of their interns has suggested that deploying these VMs to multiple resource groups
would solve the problem. Do you agree?
No
Yes
Explanation
A resource group is a logical container for Azure resources. When you create a resource
group, you specify which location to create the resource group in.
However, when you create a virtual machine and place it in the resource group, the virtual
machine can still be in a different location (different datacenter).
Therefore, creating multiple resource groups, even if they are in separate datacenters, does not
ensure that the services running on the virtual machines are available if a single data center
fails. What you really need is high availability and deploying the VM to multiple Regions and
AZs.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups
Question 18: Incorrect
Yes or No:
Explanation
No. Private is a phase when Azure invites a few customers to take part in early access to new
concepts and features. This phase does not include formal support. It is also not available to
the general public.
Reference: https://azure.microsoft.com/en-ca/support/legal/preview-supplemental-terms/
Your manager has asked you to recommend an Azure Service that can be used to
securely manage and store certificates for your team's services. Which of the following
would you recommend?
Azure Bastion
Azure Key Vault
Azure Confidential Ledger
Azure Active Directory
Explanation
Secure key management is essential to protect data in the cloud. Azure Key Vault encrypts
keys and small secrets like passwords that use keys stored in hardware security modules
(HSMs).
For more assurance, it is possible to import or generate keys in HSMs, and Microsoft
processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With
Key Vault, Microsoft doesn’t see or extract your keys.
You can monitor and audit your key use with Azure logging—pipe logs into Azure
HDInsight or your security information and event management (SIEM) solution for more
analysis and threat detection.
By using Key Vault, you don’t need to provision, configure, patch, and maintain HSMs and
key management software. Provision new vaults and keys (or import keys from your own
HSMs) in minutes and centrally manage keys, secrets, and policies. You keep control over
your keys—simply grant permission for your own and partner applications to use them as
needed. Applications never have direct access to keys. Developers manage keys used for
Dev/Test and seamlessly migrate to production the keys that are managed by security
operations.
Reference : https://azure.microsoft.com/en-us/services/key-vault/
Question 20: Correct
date of activation.
Reference: https://azure.microsoft.com/en-in/free/
Question 21: Correct
Select the valid types of storage tiers for Azure Blob Storage.
Deep Sleep Tier
Infrequently Accessed Tier
Hot Tier
Cold Tier
Archive Storage Tier
Explanation
Azure storage offers different access tiers, which allow you to store blob object data in the
most cost-effective manner. The available access tiers include:
Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal
Question 22: Correct
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal
Question 23: Incorrect
Yes or No:
An Azure subscription can trust multiple Azure Active Directory (Azure AD) tenants
Yes
No
Explanation
From the official Azure docs:
An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A
subscription trusts Azure AD to authenticate users, services, and devices.
Please Note :
Multiple subscriptions can trust the same Azure AD directory. Each subscription can
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Question 24: Incorrect
True or False:
In a Private Preview, Azure invites all customers to take part in early access to new
concepts and features.
False
True
Explanation
From the official documentation:
Private Preview - During this phase we invite a few customers to take part in early access to
new concepts and features. This phase DOES NOT include formal support.
Reference: https://azure.microsoft.com/en-ca/support/legal/preview-supplemental-terms/
Question 25: Correct
It should be noted that the free and shared tiers of many services DO NOT come with an
SLA. (Imp.)
Reference: https://cloudacademy.com/course/understanding-azure-pricing-and-support/service-level-agreements/
Question 26: Correct
CDN is a service for delivering static content (such as images, videos, and other files) from a
distributed network of servers. It is not designed for running and deploying containerized
applications.
On the other hand, Azure Kubernetes Service (AKS), Azure Container Instances (ACI), and
Azure Virtual Machines (VMs) can all be used to deploy containerized applications.
Azure Container Instances (ACI) is a serverless service that allows you to run
containers on demand without having to manage the underlying infrastructure.
Azure Virtual Machines (VMs) provide a more flexible option for running
containers by allowing you to choose the operating system and configure the
environment to your specific needs.
Reference: https://learn.microsoft.com/en-us/azure/frontdoor/
Question 27: Incorrect
You have managed an App that you developed and deployed On-Prem for a long time,
but would now like to move it to Azure and be relieved of all the manual administration
and maintenance. Which of the following buckets would be most suitable for your use
case?
Software as a service (SaaS)
Database as a Service (DaaS)
Platform as a service (PaaS)
Infrastructure as a Service (IaaS)
Explanation
Platform as a service (PaaS) is a complete development and deployment environment in the
cloud, with resources that enable you to deliver everything from simple cloud-based apps to
sophisticated, cloud-enabled enterprise applications. You purchase the resources you need
from a cloud service provider on a pay-as-you-go basis and access them over a secure
Internet connection.
PaaS allows you to avoid the expense and complexity of buying and managing software
licenses, the underlying application infrastructure and middleware, container orchestrators
such as Kubernetes, or the development tools and other resources. You manage the
applications and services you develop, and the cloud service provider typically manages
everything else.
Since we need to reduce the overhead effort of managing everything, and create our
own solution, PaaS is the best option!
References : https://azure.microsoft.com/en-us/overview/what-is-paas/
Question 28: Correct
Yes or No:
You want to set up a VPN connection between two Azure virtual networks that are in
different regions. Which of the following VPN connection types would be best suited for
this scenario?
Site-to-Site (IPsec)
VNet-to-VNet (IPsec)
Point-to-Site (VPN over SSL)
ExpressRoute
Explanation
The correct answer is Site-to-Site (IPsec).
Site-to-Site (IPsec) VPN connection type is used to connect two or more virtual networks that
are in different regions, data centers, or even different cloud providers. It allows you to
connect an on-premises network or a branch office network to an Azure virtual network, or to
connect two Azure virtual networks that are in different regions. Site-to-Site VPN
connections use a VPN gateway to provide a secure connection over the Internet. IPsec is the
protocol used to secure the VPN connection.
Other options:
VNet-to-VNet (IPsec): This is not the best choice for this scenario because it is designed to
connect two virtual networks within the same region. It creates an IPsec tunnel between the
two virtual networks, allowing resources to communicate securely and privately over the
Microsoft backbone network. Since the two virtual networks in this scenario are in different
regions, VNet-to-VNet (IPsec) would not be the most efficient or cost-effective option.
Point-to-Site (VPN over SSL): This is used to connect individual devices to an Azure virtual
network over a VPN connection. It is not suitable for connecting virtual networks in different
regions.
Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Question 30: Correct
An organization is planning to migrate large amounts of data from their On-Prem storage to
Azure. However, they are worried about incurring huge costs for this transfer and have halted
their plans for now.
Reference: https://azure.microsoft.com/en-us/pricing/details/bandwidth/
Question 31: Incorrect
Which of the following services can help you decouple components and provide asynchronous
message storage for communication between application components, whether they are
running in the cloud, on the desktop, on-premises, or on mobile devices?
Azure Asynchronous Communicator
Azure Queue Storage
Azure Data Box
Azure File Sync
Explanation
From the official Azure documentation:
You can use Azure Queue Storage to build flexible applications and separate functions for
better durability across large workloads. When you design applications for scale, application
components can be decoupled, so that they can scale independently. Queue storage gives you
asynchronous message queueing for communication between application components,
whether they are running in the cloud, on the desktop, on-premises, or on mobile devices.
A single queue message can be up to 64 KB in size, and a queue can contain millions of
messages, up to the total capacity limit of a storage account. Queue storage is often used to
create a backlog of work to process asynchronously.
Reference : https://azure.microsoft.com/en-us/services/storage/queues/#overview
Question 32: Correct
Azure Machine Learning, Azure Event Hubs, and Azure HDInsight are all examples of Platform
as a Service (PaaS).
References:
https://azure.microsoft.com/en-gb/overview/what-is-iaas/
https://azure.microsoft.com/en-gb/overview/what-is-paas/
https://techcommunity.microsoft.com/t5/educator-developer-blog/getting-started-with-windows-azure-series-1-overview/ba-p/378385
Question 33: Correct
Reference: https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/ise/how-to-write-and-run-scripts-in-the-windows-powershell-ise?view=powershell-7.1&viewFallbackFrom=powershell-6
Question 34: Correct
Availability for all Azure services is calculated over a ____________ billing cycle.
weekly
monthly
yearly
quarterly
Explanation
From the official Azure docs:
Availability for all Azure services is calculated over a monthly billing cycle.
Reference : https://azure.microsoft.com/en-us/support/legal/sla/summary/
Question 35: Correct
Yes or No:
A SaaS solution allows access to the underlying Operating System of the application.
No
Yes
Explanation
A SaaS solution does not provide access to the operating system. In fact, with a SaaS we
have the least maintenance effort but also the least degree of control.
Reference: https://azure.microsoft.com/en-gb/overview/what-is-saas/
Question 36: Incorrect
Explanation
The Total Cost of Ownership (TCO) calculator is designed to help you compare the costs
of running an on-premises infrastructure with those of an Azure Cloud infrastructure. It takes
into account your current infrastructure configuration, power costs, IT labor costs, and other
factors to provide an estimate of the cost difference between the two environments.
Other options -
Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators
Question 37: Correct
The Azure ________ service allows you to create and manage private networks in the
cloud and connect them to on-premises networks using a VPN gateway.
Azure Security Center
Azure Virtual Network
Azure Traffic Manager
Azure DNS
Explanation
The correct answer is Azure Virtual Network. The Azure Virtual Network service allows
you to create and manage private networks in the cloud and connect them to on-premises
networks using a VPN gateway.
Azure Virtual Network is a networking service that allows you to create and manage virtual
networks in the cloud, and connect them securely to your on-premises infrastructure. With
Azure Virtual Network, you can create subnets, assign IP addresses, and control traffic flow
between virtual machines and other resources.
The VPN gateway in Azure Virtual Network provides a secure, encrypted connection
between your virtual network in Azure and your on-premises network. This allows you to
extend your on-premises infrastructure to the cloud, and access resources in Azure as if they
were located on your local network.
Other Options -
Azure DNS: While Azure DNS provides a scalable and reliable domain name system
(DNS) service that can be used to resolve domain names to IP addresses, it is not
directly related to creating and managing private networks or connecting them to on-
premises networks using a VPN gateway.
Azure Traffic Manager: While Azure Traffic Manager is a global DNS-based traffic
load balancer that can be used to distribute traffic across multiple endpoints, it is not
directly related to creating and managing private networks or connecting them to on-
premises networks using a VPN gateway.
Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Question 38: Correct
Yes or No:
Azure Advisor has the ability to provide recommendations for Azure ExpressRoute.
No
Yes
Explanation
From the official Azure documentation:
Advisor is a personalized cloud consultant that helps you follow best practices to optimize
your Azure deployments. It analyzes your resource configuration and usage telemetry and
then recommends solutions that can help you improve the cost effectiveness, performance,
Reliability (formerly called High availability), and security of your Azure resources.
You can set locks that prevent either deletions or modifications. In the portal, these locks are
called Delete and Read-only. In the command line, these locks are
called CanNotDelete and ReadOnly. In the left navigation panel, the subscription lock
feature's name is Resource locks, while the resource group lock feature's name is Locks.
CanNotDelete means authorized users can read and modify a resource, but they can't
delete it.
ReadOnly means authorized users can read a resource, but they can't delete or update
it. Applying this lock is similar to restricting all authorized users to the permissions
that the Reader role provides.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Question 41: Correct
Yes or No:
It's possible to deploy an Azure VM from an Ubuntu system by using PowerShell in the
Cloud Shell.
No
Yes
Explanation
Tip: Most questions that mention operating systems (Ubuntu, Linux, Windows, macOS) are
meant to create confusion. If you can open a browser, you can access the Cloud Shell, which
gives you access to Bash or PowerShell.
Which of the following services would you use to embed the ability to see, hear, speak,
search, understand, and accelerate decision-making into your apps without having any
machine-learning expertise?
Azure Machine Learning Studio
Azure App Service
Azure Event Hubs
Azure Cognitive Services
Explanation
Cognitive Services bring AI within reach of every developer—without requiring machine-
learning expertise. All it takes is an API call to embed the ability to see, hear, speak, search,
understand, and accelerate decision-making into your apps.
Reference : https://azure.microsoft.com/en-us/services/cognitive-services/#features
Question 43: Correct
Which Azure Service allows you to create, assign and manage policies to enforce
different rules and stay compliant with your Service Level Agreements (SLAs)?
Azure Security Center
Azure Policy
Azure Trust Portal
Azure Blueprints
Explanation
Azure Policy helps to enforce organizational standards and to assess compliance at-scale.
Through its compliance dashboard, it provides an aggregated view to evaluate the overall
state of the environment, with the ability to drill-down to the per-resource, per-policy
granularity. It also helps to bring your resources to compliance through bulk remediation for
existing resources and automatic remediation for new resources.
Common use cases for Azure Policy include implementing governance for resource
consistency, regulatory compliance, security, cost, and management. Policy definitions for
these common use cases are already available in your Azure environment as built-ins to help
you get started.
References : https://docs.microsoft.com/en-us/azure/governance/policy/overview
Question 44: Correct
Yes or No:
When a subscription expires, the trusted instance of the Azure AD service remains, but the
security principals still maintain access to Azure resources.
Yes
No
Explanation
From the official Azure docs:
An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A
subscription trusts Azure AD to authenticate users, services, and devices.
Multiple subscriptions can trust the same Azure AD directory. Each subscription can only
trust a single directory.
One or more Azure subscriptions can establish a trust relationship with an instance of Azure
Active Directory (Azure AD) in order to authenticate and authorize security principals and
devices against Azure services. When a subscription expires, the trusted instance of the
Azure AD service remains, but the security principals LOSE access to Azure resources.
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Question 45: Correct
Where can you obtain up-to-date details about the personal data Microsoft processes,
how it processes it and for what purposes?
Compliance Manager
Azure Knowledge Center
Microsoft Privacy Statement
Azure Trust Center
Explanation
This privacy statement explains the personal data Microsoft processes, how Microsoft
processes it, and for what purposes.
Microsoft offers a wide range of products, including server products used to help operate
enterprises worldwide, devices you use in your home, software that students use at school,
and services developers use to create and host what’s next. References to Microsoft products
in this statement include Microsoft services, websites, apps, software, servers, and devices.
Please read the product-specific details in this privacy statement, which provide additional
relevant information. This statement applies to the interactions Microsoft has with you and
the Microsoft products listed below, as well as other Microsoft products that display this
statement.
Reference: https://privacy.microsoft.com/en-ca/privacystatement
Question 46: Correct
Which of the following services can facilitate the deployment and scaling of containers?
Azure Active Directory
Azure Kubernetes
Azure Logic Apps
Azure Cognitive Services
Explanation
From the official Azure documentation:
Azure Kubernetes Service (AKS) offers the quickest way to start developing and deploying
cloud-native apps, with built-in code-to-cloud pipelines and guardrails. Get unified
management and governance for on-premises, edge, and multicloud Kubernetes clusters.
Interoperate with Azure security, identity, cost management, and migration services.
Reference : https://azure.microsoft.com/en-us/services/kubernetes-service/
Question 47: Correct
A lot of people confuse Azure Databricks with Azure HDInsight.
Azure HDInsight is primarily a managed Apache Hadoop service that lets you run Apache
Spark, Apache Hive, Apache Kafka, Apache HBase, and more in the cloud.
Azure Databricks is a premium Spark offering that is ideal for customers who want their
data scientists to collaborate easily and run their Spark-based workloads efficiently and at
industry-leading performance.
It is essentially an Apache Spark-based analytics platform optimized for the Microsoft Azure
cloud services platform.
References:
https://docs.microsoft.com/en-us/answers/questions/26097/can-anyone-please-post-the-differences-between-azu.html
https://docs.microsoft.com/en-us/azure/databricks/
https://docs.microsoft.com/en-us/azure/hdinsight/
Question 48: Correct
You are designing a solution to improve the resiliency of your application in Azure.
Which of the following would you choose to ensure your application remains available
during planned maintenance events?
Scale Sets
Availability Sets
Availability Zones
Azure Container Registry
Explanation
Availability Zones are a high-availability offering from Microsoft Azure that provide a fault-
tolerant architecture for applications. Availability Zones are physically separate data centers
within an Azure region, each with their own power, cooling, and networking infrastructure.
By deploying virtual machines and other resources across multiple Availability Zones, you
can ensure that your application remains available even in the event of a data center outage or
other disruption. Availability Zones provide redundancy and isolation, which helps protect
your application from both planned and unplanned downtime.
Other options -
Availability Sets are a feature of Microsoft Azure that help ensure that virtual
machines are distributed across multiple fault domains and update domains within a
single data center or region. This helps protect against hardware failures and other
disruptions by ensuring that virtual machines are not all located in the same physical
rack or power source. However, Availability Sets do not provide any inherent
protection against data center-wide outages, which can occur due to issues such as
network outages, power failures, or natural disasters. In such cases, all virtual
machines in the affected data center or region may become unavailable.
Scale Sets is not necessarily the best choice for ensuring availability during planned
maintenance events because it only provides horizontal scalability by adding or
removing virtual machines based on demand, but does not inherently provide any
availability benefits beyond what is provided by the underlying infrastructure.
Scale Sets are a feature of Microsoft Azure that provide automatic scaling of a set of
virtual machines based on demand. This helps ensure that the application can handle
varying levels of traffic and usage, but does not necessarily provide inherent
resiliency against planned maintenance events or other types of disruptions.
Azure Container Registry is a managed private Docker registry service that enables
you to store and manage container images in Azure. While it provides benefits such as
secure storage, authentication, and geo-replication of container images, it is not
directly related to ensuring availability during planned maintenance events.
Reference: https://learn.microsoft.com/en-us/azure/reliability/availability-zones-overview
Question 49: Incorrect
Yes or No:
When you cancel an Azure Subscription, your resources are immediately deleted
permanently to free up space.
Yes
No
Explanation
From the official Azure Docs:
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Question 50: Incorrect
A startup is planning to run a few simulations and needs to deploy pre-configured Virtual
Machines in a lab-like environment using ARM templates. These VMs will be used to test
app versions and scale up load testing by creating multiple test agents and environments.
As the principal consultant, which of the following services would you recommend?
Azure Reserved Virtual Machine (VM) Instances
Azure Virtual Machine Scale Sets
Azure DevTest Labs
Microsoft Managed Desktop
Explanation
From the official documentation :
Azure DevTest Labs is a service for easily creating, using, and managing infrastructure-as-a-
service (IaaS) virtual machines (VMs) and platform-as-a-service (PaaS) environments in labs.
Labs offer preconfigured bases and artifacts for creating VMs, and Azure Resource Manager
(ARM) templates for creating environments like Azure Web Apps or SharePoint farms.
Lab owners can create preconfigured VMs that have tools and software lab users need. Lab
users can claim preconfigured VMs, or create and configure their own VMs and
environments. Lab policies and other methods track and control lab usage and costs.
Reference: https://docs.microsoft.com/en-us/azure/lab-services/devtest-lab-overview
Question 51: Incorrect
_______________ enables a user to log in one time and use that credential to access
multiple resources and applications from different providers.
Domain Name Service (DNS)
Multi-factor Authentication (MFA)
SSO enables you to remember only one username and one password to access multiple
applications. A single identity is tied to a user, which simplifies the security model. As users
change roles or leave an organization, access modifications are tied to that identity, which
greatly reduces the effort needed to change or disable accounts.
Reference: https://docs.microsoft.com/en-ca/learn/modules/secure-access-azure-identity-services/3-what-is-azure-active-directory
Question 52: Correct
Which of the following would you need to set up alerts for outages or when autoscaling
is about to deploy new instances?
Azure Service Health
Azure Advisor
Azure Monitor
Azure Bastion
Explanation
You can use Azure Monitor to set up alerts for key events that are related to your specific
resources.
Reference: https://docs.microsoft.com/en-ca/learn/modules/monitoring-fundamentals/3-analyze-decision-criteria
Question 53: Correct
Yes or No:
Azure guarantees 99.99% availability for the Free version of the Azure Active Directory
(AAD).
Yes
No
Explanation
From the official documentation:
Note from the above image that NO SLA is provided for the FREE tier of the Azure Active
Directory!
Reference : https://azure.microsoft.com/en-us/support/legal/sla/active-directory/v1_1/
Question 54: Correct
Suppose the lead architect in your company has asked your team to implement a PaaS-based
solution in Azure for a quick Proof-of-Concept (POC) to senior management.
One of your colleagues goes ahead and creates an Azure Event Hubs and Azure
Blob Storage.
No
Yes
Explanation
Yes, both of these services fall under the PaaS category, and therefore meet our requirements!
Question 55: Incorrect
What information can you input into the TCO calculator to estimate the cost difference
between your current datacenter and Azure? (Select all that apply)
Current infrastructure configuration
Power costs
Subscription type
IT labor costs
Explanation
Current infrastructure configuration - Correct, the TCO calculator allows you to
input your current infrastructure configuration, including servers, databases, storage,
and outbound network traffic.
Power costs - Correct, the TCO calculator lets you add assumptions about power
costs in your current environment to estimate the cost difference between on-premises
and Azure.
IT labor costs - Correct, the TCO calculator allows you to include assumptions about
IT labor costs to help estimate the cost difference between your current environment
and Azure.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators
Question 56: Correct
If you set up a free Azure account, does the Standard support plan come along with
this free account?
No
Yes
Explanation
The BASIC Support plan is associated with all accounts but a STANDARD plan needs to be
purchased and costs $100/month.
Reference: https://azure.microsoft.com/en-in/support/plans/
Question 57: Incorrect
Which of the following services can be used to store unstructured data in Azure?
Azure Blob Storage
Azure File Storage
Azure Table Storage
Azure Queue Storage
Explanation
The Azure services that can be used to store unstructured data are: Azure Blob Storage,
Azure Table Storage and Azure File Storage.
Azure Table Storage can also be used to store unstructured data in Azure. Azure Table
Storage is a NoSQL key-value store that can be used to store structured and semi-structured
data, as well as unstructured data such as large text and binary data. Azure Table Storage
allows you to store large amounts of data in a flexible schema that can evolve over time,
making it a good choice for storing unstructured data that does not fit well into a fixed
schema.
Azure File Storage can also be used to store unstructured data in Azure. Azure File Storage
is a fully managed file share service that can be used to store and share unstructured data,
such as documents, media files, and logs. Azure File Storage provides the standard SMB
(Server Message Block) file share protocol, which allows you to easily mount file shares
from multiple VMs in the same region or across regions. This makes it a good choice for
scenarios where you need to share unstructured data between multiple VMs or applications.
Azure Blob Storage is a massively scalable object storage service that allows you to store
and access large amounts of unstructured data, such as text and binary data, images, and
videos. It's commonly used for data storage, backup and recovery, and data archiving.
Incorrect -
Azure Queue Storage, on the other hand, is not suitable for storing unstructured data. It is
designed for reliably queuing and processing messages between different components of a
distributed application, rather than for storing large amounts of unstructured data.
Reference: https://learn.microsoft.com/en-us/azure/storage/common/storage-introduction
Question 58: Correct
Yes or No:
You can run popular open-source frameworks—including Apache Hadoop, Spark, Hive, Kafka,
and more—using Azure HDInsight, a customizable, enterprise-grade service for open-source
analytics. You can also effortlessly process massive amounts of data and get all the benefits
of the broad open-source project ecosystem with the global scale of Azure. Easily migrate
your big data workloads and processing to the cloud.
Reference: https://azure.microsoft.com/en-gb/services/hdinsight/#documentation
Question 59: Correct
Yes or No:
In the case of Resource groups, the most restrictive lock in the inheritance takes
precedence.
Yes
No
Explanation
From the official Azure docs:
When you apply a lock at a parent scope, all resources within that scope inherit the same
lock. Even resources you add later inherit the same parent lock. The most restrictive lock in
the inheritance takes precedence.
If you have a Delete lock on a resource and attempt to delete its resource group, the feature
blocks the whole delete operation. Even if the resource group or other resources in the
resource group are unlocked, the deletion doesn't happen. You never have a partial deletion.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
Question 60: Incorrect
Yes or No:
The composite SLA for an application relying on multiple services would be higher
than the individual SLAs of the particular services.
No
Yes
Explanation
From the official Azure documentation:
Composite SLAs involve multiple services supporting an application, each with differing
levels of availability.
For example, consider an App Service web app that writes to Azure SQL Database. At the
time of this writing, these Azure services have the following SLAs:
You can improve the composite SLA by creating independent fallback paths. For example, if
SQL Database is unavailable, put transactions into a queue to be processed later.
With this design, the application is still available even if it can't connect to the database.
However, it fails if the database and the queue both fail at the same time. The expected
percentage of time for a simultaneous failure is 0.0001 × 0.001, so the composite SLA for
this combined path is:
There are tradeoffs to this approach. The application logic is more complex, you are paying
for the queue, and you need to consider data consistency issues.
Reference: https://docs.microsoft.com/en-us/azure/architecture/framework/resiliency/business-metrics
Question 61: Incorrect
Your organization is using Azure for disaster recovery purposes. You have set up
replication of virtual machines to an Azure region different from the primary region.
Which of the following factors could affect the cost of this setup?
The types of virtual machines being replicated.
The amount of data being replicated
The number of virtual machines being replicated
The network bandwidth between the primary and secondary regions
Explanation
All of the options could potentially affect the cost of this setup.
The number of virtual machines being replicated - The more virtual machines
being replicated, the higher the cost will be, as each VM will require resources to be
replicated to the secondary region.
The amount of data being replicated - The amount of data being replicated can have
a significant impact on the cost, as data transfer between regions incurs charges.
The network bandwidth between the primary and secondary regions - The
network bandwidth between the primary and secondary regions can also impact the
cost, as higher bandwidth requirements will result in higher charges.
The types of virtual machines being replicated - The types of virtual machines
being replicated could also impact the cost, as certain VM sizes are more expensive
than others.
Reference: https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview
Question 62: Incorrect
_______ is capable of sending encrypted traffic between an Azure virtual network and
an on-premises location over the public Internet.
A Firewall
Network Security Group (NSG)
An Application Gateway
A VPN Gateway
Explanation
From the official documentation:
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted
traffic between an Azure virtual network and an on-premises location over the public
Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual
networks over the Microsoft network. Each virtual network can have only one VPN gateway.
However, you can create multiple connections to the same VPN gateway. When you create
multiple connections to the same VPN gateway, all VPN tunnels share the available gateway
bandwidth.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
Question 63: Correct
With Azure ___________, you can scale your applications and create highly available
services.
Load Balancer
Information Protection
Bastion
Kubernetes
Explanation
From the official documentation:
Load balancing refers to evenly distributing load (incoming network traffic) across a group
of backend resources or servers.
With Azure Load Balancer, you can scale your applications and create highly available
services. Load balancer supports both inbound and outbound scenarios. Load balancer
provides low latency and high throughput, and scales up to millions of flows for all TCP and
UDP applications.
Reference : https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
Question 64: Correct
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy
Question 65: Correct
While it's recommended that resources in a resource group be located in the same region for
optimal performance, it's not a strict requirement. Resources in a resource group can span
different regions, and this can be useful for achieving high availability and disaster recovery
scenarios, as well as for optimizing data access for users in different geographic locations.
Other options:
Resource group can contain resources located in different regions: This is a valid
Azure resource group constraint. As mentioned above, resources in a resource group
can span different regions.
Resource group can be used to apply consistent policies to resources: This is also
a valid Azure resource group constraint. Azure Policy can be used to apply
governance policies to all resources in a resource group, ensuring consistent
compliance across resources.
Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
Question 66: Correct
You have configured a VPN connection between an on-premises network and an Azure
virtual network using Site-to-Site VPN (IPsec). However, you are experiencing
connectivity issues and suspect that there is an issue with the VPN gateway. Which
Azure service can you use to diagnose connectivity issues for your VPN gateway?
Azure Traffic Manager
Azure Application Gateway
Azure Network Watcher
Azure ExpressRoute
Explanation
The correct answer is Azure Network Watcher.
Azure Network Watcher is a monitoring and diagnostic service that provides tools to
diagnose network issues in Azure. It includes a VPN diagnostics tool that can be used to
diagnose connectivity issues with VPN gateways, including Site-to-Site VPN (IPsec)
gateways. The tool can help identify configuration issues, routing issues, and other common
problems that can cause connectivity issues.
Other Options:
Azure Traffic Manager: This is a global DNS load balancer that can be used to
distribute incoming traffic across multiple Azure regions. It is not designed for
diagnosing network connectivity issues.
Azure Application Gateway: This is a web traffic load balancer that can be used to
manage and route HTTP and HTTPS traffic. It is not designed for diagnosing network
connectivity issues.
Reference: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Question 67: Correct
Yes or No:
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups
Question 68: Incorrect
In the context of Azure subscriptions, what does an Azure free trial subscription
provide? (Select all that apply)
Credit to spend within the first 30 days of sign-up
Unlimited access to all Azure services
Access to more than 25 products that are always free
Access to a number of Azure products free for 12 months
Explanation
Access to a number of Azure products free for 12 months - This is correct because an
Azure free trial subscription provides access to several Azure products for free during the
first 12 months.
Credit to spend within the first 30 days of sign-up - This is correct as the Azure free trial
subscription offers credit to spend within the first 30 days after sign-up, which allows users to
explore and use various Azure services during that period.
Unlimited access to all Azure services - This is incorrect because the Azure free trial
subscription does not provide unlimited access to all Azure services. It offers a limited set of
free services, usage allowances, and credits to spend within a specified timeframe.
Access to more than 25 products that are always free - This is correct because, in addition
to the free services available during the trial period, the Azure free trial subscription provides
access to more than 25 products that are always free, based on resource and region
availability. These products can be used without any additional costs even after the trial
period is over.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure
Question 69: Correct
Azure _____________ are unique physical buildings—located all over the globe—that house
a group of networked computer servers.
Datacenters
Geographies
Regions
Availability Zones
Explanation
From the official Azure docs:
Azure datacentres are unique physical buildings—located all over the globe—that house a
group of networked computer servers.
References: https://azure.microsoft.com/en-gb/global-infrastructure/regions/
Question 70: Correct
Load balancing refers to evenly distributing load (incoming network traffic) across a group
of backend resources or servers.
Azure Load Balancer operates at layer 4 of the Open Systems Interconnection (OSI) model.
It's the single point of contact for clients. Load balancer distributes inbound flows that arrive
at the load balancer's front end to backend pool instances. These flows are according to
configured load-balancing rules and health probes. The backend pool instances can be Azure
Virtual Machines or instances in a virtual machine scale set.
A public load balancer can provide outbound connections for virtual machines (VMs) inside
your virtual network. These connections are accomplished by translating their private IP
addresses to public IP addresses. Public Load Balancers are used to load balance internet
traffic to your VMs.
An internal (or private) load balancer is used where private IPs are needed at the frontend
only. Internal load balancers are used to load balance traffic inside a virtual network. A load
balancer frontend can be accessed from an on-premises network in a hybrid scenario.
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
Question 71: Correct
Yes or No:
Reference: https://azure.microsoft.com/en-us/global-infrastructure/geographies/#overview
Question 72: Correct
Which of the following is a great place to start when examining the security of your
Azure-based solutions and provides threat protection across all of your services both in
Azure, and on-premises?
Azure Trust Center
Azure Security Center
Azure Compliance Manager
Azure Advanced Threat Protection
Explanation
A great place to start when examining the security of your Azure-based solutions is Azure
Security Center. Security Center is a monitoring service that provides threat protection
across all of your services both in Azure, and on-premises. Security Center can:
2) Monitor security settings across on-premises and cloud workloads, and automatically
apply
3) Continuously monitor all your services, and perform automatic security assessments to
4) Use machine learning to detect and block malware from being installed on your virtual
machines and services. You can also define a list of allowed applications to ensure that only
5) Analyze and identify potential inbound attacks, and help to investigate threats and any
post-
Yes or No:
In order to move a VM from one region to another, one must be prepared for a brief
downtime.
No
Yes
Explanation
From the official documentation:
For VMs, replica VMs are created in the target region. The source VM is shut down, and
some downtime occurs (usually minutes).
Reference: https://learn.microsoft.com/en-us/azure/resource-mover/tutorial-move-region-virtual-machines
Question 74: Correct
References: https://azure.microsoft.com/en-us/global-infrastructure/regions/
https://azure.microsoft.com/en-us/pricing/details/bandwidth/
Question 75: Correct
What are the two options for replicating data within the primary region in Azure
Storage?
Geo-zone-redundant storage and locally redundant storage.
Geo-redundant storage and zone-redundant storage.
Locally redundant storage and zone-redundant storage.
Geo-redundant storage and geo-zone-redundant storage.
Explanation
Data in an Azure Storage account is always replicated three times in the primary region.
Azure Storage offers two options for how your data is replicated in the primary region,
locally redundant storage (LRS) and zone-redundant storage (ZRS).
Also, Azure Storage offers locally redundant storage (LRS) and zone-redundant storage
(ZRS) as options for replicating data within the primary region.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy
Question 76: Incorrect
A company has approached you to help them plan an architecture that would be
capable of capturing data from millions of connected devices and securely storing it
for analysis. Which of the following two services would you include in the project
proposal?
Azure Data Lake
Azure ExpressRoute
Azure Notification Hubs
Azure IoT Hubs
Explanation
From the official Azure documentation:
Azure IoT Hub is a managed service hosted in the cloud that acts as a central message hub for
communication between an IoT application and its attached devices. You can connect
millions of devices and their backend solutions reliably and securely. Almost any device can
be connected to an IoT hub.
IoT Hub scales to millions of simultaneously connected devices and millions of events per
second to support your IoT workloads. For more information about scaling your IoT Hub,
see IoT Hub scaling. To learn more about the tiers of service offered by IoT Hub, check out
the pricing page.
IoT Hub can further route messages to Azure Data Lake Storage.
Reference 1 (IoT Hub) - https://azure.microsoft.com/en-in/services/iot-hub/
Reference 2 (Data Lake) - https://azure.microsoft.com/en-in/solutions/data-lake/
Question 77: Correct
Your organization has deployed a Virtual Machine in Azure with the Standard_D2s_v3
VM size. The Virtual Machine is running a resource-intensive workload, and you want
to optimize costs. Which of the following could be an effective way to achieve this?
Use a different Azure region with lower VM pricing.
Use a larger VM size to improve performance
Use a smaller VM size to reduce costs
Enable automatic scaling to adjust VM size based on workload
Explanation
The correct answer is 'Enable automatic scaling to adjust VM size based on workload' as
it could be an effective way to optimize costs for the Virtual Machine in Azure. Automatic
scaling allows you to automatically adjust the number of Virtual Machine instances and the
size of the instances based on demand, which can help you save costs by avoiding
overprovisioning.
Using a larger VM size: This would increase costs, as it's more expensive to use a larger
VM size.
Using a smaller VM size: This could reduce performance and may not be suitable for a
resource-intensive workload.
Using a different Azure region with lower VM pricing: This may not be a practical
solution if the workload requires a specific region for compliance or latency reasons.
Question 78: Correct
Yes or No:
If you have a Delete lock on a resource and attempt to delete its resource group, all resources
inside the resource group still get deleted.
Yes
No
Explanation
From the official docs:
When you apply a lock at a parent scope, all resources within that scope inherit the same
lock. Even resources you add later inherit the same parent lock. The most restrictive lock in
the inheritance takes precedence.
If you have a Delete lock on a resource and attempt to delete its resource group, the
feature blocks the whole delete operation. Even if the resource group or other resources in the
resource group are unlocked, the deletion doesn't happen. You never have a partial deletion.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Question 79: Incorrect
Which of the following statements BEST describes the Modern Lifecycle Policy for
Azure products and services?
For products governed by the Modern Lifecycle Policy, Microsoft will provide a
minimum of 6 months' notification prior to ending support if no successor
product or service is offered—excluding free services or preview releases.
For products governed by the Modern Lifecycle Policy, Microsoft will provide a
minimum of 12 months' notification prior to ending support if no successor
product or service is offered—excluding free services or preview releases.
For products and services governed by the Modern Lifecycle Policy, unless
otherwise noted, Microsoft's policy is to provide a minimum 90 days' notification
when customers are required to take action in order to avoid significant
degradation to the normal use of the product or service.
For products and services governed by the Modern Lifecycle Policy, unless
otherwise noted, Microsoft's policy is to provide a minimum 120
days' notification when customers are required to take action in order to avoid
significant degradation to the normal use of the product or service.
Explanation
The Modern Lifecycle Policy covers products and services that are serviced and supported
continuously. Under this policy, the product or service remains in support if the following
criteria are met:
Customers must stay current as per the servicing and system requirements published for the
product or service.
What is the key advantage of using zone-redundant storage (ZRS) in the primary
region?
It guarantees data replication to a secondary region.
It allows data to be accessible even if a zone becomes unavailable.
It offers the highest level of durability compared to other options.
It provides read access to replicated data in the secondary region.
Explanation
From the official documentation:
For Availability Zone-enabled Regions, zone-redundant storage (ZRS) replicates your Azure
Storage data synchronously across three Azure availability zones in the primary region. ZRS
offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a
given year.
With ZRS, your data is still accessible for both read and write operations even if a zone
becomes unavailable.
Reference: https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/3-redundancy