Microsoft AZ-303 Microsoft Azure Architect Technologies Exam Practice Test

Scenario: WebApp1 running on the AKS cluster must be able to retrieve secrets from KV1.

KV1 is an Azure Key Vault

Managed Identities are assigned to Azure resources which needs access to Azure Key Vault. This is the recommended approach as Azure automatically rotates the identity and app/service doesn’t have to manage the secret.

Azure Active Directory (Azure AD) pod-managed identities use Kubernetes primitives to associate managed identities for Azure resources and identities in Azure AD with pods.

Table Description automatically generated

Box 1: resources

Scenario: You must be able to configure deny permissions for RG1 and for the resources in Resource Group RG1.

Box 2: New-AzManagementGroupDeployment

Scenario: Litware has Azure ResourceManager (ARM) templates that deploy Azure Policy definitions and assignments to a management group.

The New-AzManagementGroupDeployment cmdlet adds a deployment at a management group.

To add a deployment at a management group, specify the management group, location and a template. The location tells Azure Resource Manager where to store the deployment data. The template is a JSON string that contains individual resources to be deployed. The template includes parameter placeholders for required resources and configurable property values, such as names and sizes.

Text Description automatically generated

The Litware and Fabrikam datacenters are not connected.

Azure AD Connect Cloud Sync provides support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment.

Graphical user interface, text, application Description automatically generated

Graphical user interface, text, application Description automatically generated

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

Scenario:

Planned Changes include: move the existing product blueprint files to Azure Blob storage.

Technical Requirements include: Copy the blueprint files to Azure over the Internet.

References: https://docs.microsoft.com/en-us/azure/machine-learning/te am-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies

Table1 references Table4. Therefore Table4 must be created before Table1.

Table2 references Table1 and Table3. Therefore Table1 and Table3 must be created before Table2.

Note: FOREIGN KEY REFERENCES is a constraint that provides referential integrity for the data in the column or columns. FOREIGN KEY constraints require that each value in the column exists in the corresponding referenced column or columns in the referenced table. FOREIGN KEY constraints can reference only columns that are PRIMARY KEY or UNIQUE constraints in the referenced table or columns referenced in a UNIQUE INDEX on the referenced table.

Graphical user interface, text, application, email Description automatically generated

Box 1: A stored access policy and a service shared access signature (SAS)

A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the serverside. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy.

The following storage resources support stored access policies:

• Blob containers
• File shares
• Queues
• Tables

Box 2: Modify the stored access signature (SAS)

You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.

Instead use Azure Storage Sync service and configure Azure File.

Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share.

Box 1: 10.0.0.0/16 Address prefix destination-> Vnet 1 (Address space of Vnet1)

Box 2: Virtual appliance Next hop type VM1 ->Virtual Appliance. You can specify IP address of VM 1 when configuring next hop as Virtual appliance.

Box 3: Gateway Subnet Assigned to This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from Rout Table -> subnet ->Associate.

Windows virtual machines (VMs) can use a managed identity to access Azure Key Vault.

A user-assigned managed identity can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.

The managed identity used by the virtual machine needs to be granted access to the Key Vault. Use an access policy

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type ofconnection requires a VPN device, a local network gateway, located on-premises that has an externally facing public IP address assigned to it.

Finally, create a Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

References:

https://docs.microsoft.com/en-us/azure/vpn-gatew ay/vpn-gateway-howto-site-to-site-resource-manager-portal

The "Microsoft.Support/*" operation will allow the user to createsupport tickets.

References:

https://docs.microsoft .com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

One for the Windows VMs, and for each type of Linux VM.

Typically, you use Conditional Access to control access to your cloud apps. You can also set uppolicies to control access to Azure management.

The policy you create applies to all Azure management endpoints, including the following:

• Azure portal
• Azure Resource Manager provider
• Classic Service Management APIs
• Azure PowerShell
• Visual Studio subscriptions administrator portal
• Azure DevOps
• Azure Data Factory portal

To create a policy for Azure management, you select Microsoft Azure Management under Cloud apps when choosing the app to which to apply the policy.