AZ-900 Exam: Microsoft Azure Fundamentals

Over the past few weeks I have been taking the AZ-900 course, and it was also recommended that I take the online course available on Docs. This post contains my notes on each of the parts and their respective modules. So far I don't have the certification, but I am certainly one step closer!

Below is a brief introduction to what the AZ-900 is and what the course covers.

The Azure Fundamentals exam is an opportunity to prove knowledge of cloud concepts, services, workloads, security and privacy in Azure, as well as Azure pricing and support. Candidates should be familiar with general technology concepts, including networking, storage, compute, application support, and application development concepts.

The Azure Fundamentals course can be used to prepare candidates for other role-based or specialty Azure certifications, but it is not a prerequisite for any of them.

Azure Fundamentals part 1: Describe core Azure concepts

Module 1: Introduction to Azure fundamentals

  • Describe the basic concepts of cloud computing.
  • Determine whether Azure is the right solution for your business needs.
  • Differentiate between the different methods of creating an Azure subscription.

(1) True or false: You need to purchase an Azure account before you can use any Azure resources.

(a) True
(b) False

You can use a free Azure account or a Microsoft Learn sandbox to create resources.

(2) What is meant by cloud computing?

(a) Delivery of computing services over the internet.
(b) Setting up your own datacenter.
(c) Using the internet

Cloud computing is the delivery of computing services over the internet, which is otherwise known as the cloud.

(3) What is not a reason to move to the cloud?

(a) Faster innovation
(b) A limited pool of services
(c) Speech recognition and other cognitive services

The cloud offers a nearly limitless pool of raw compute, storage, and networking components to help you deliver innovative and novel user experiences quickly.

Module 2: Discuss Azure fundamental concepts

In this module, you learned how Tailwind Traders can take advantage of several cloud computing features, which will help the company reduce its overall computing costs. You examined several of the benefits that cloud computing provides, such as high availability, scalability, and geographic distribution. You compared the differences between capital expenses and operating expenses in a cloud computing scenario. Lastly, you learned about the different categories (IaaS, PaaS, SaaS) and types (public, private, and hybrid) of cloud computing. Armed with this new knowledge, you can help Tailwind Traders migrate successfully to Azure.

(1) Which of the following choices isn’t a cloud computing category?

(a) Networking-as-a-Service (NaaS)
(b) Platform-as-a-Service (PaaS)
(c) Infrastructure-as-a-Service (IaaS)
(d) Software-as-a-Service (SaaS)

NaaS isn’t a cloud computing category.

(2) Which of the following statements is true?

(a) With Operating Expenses (OpEx), you are responsible for purchasing and maintaining your computing resources.
(b) With Operating Expenses (OpEx), you are only responsible for the computing resources that you use.
(c) With Capital Expenses (CapEx), you are only responsible for the computing resources that you use.

With Operating Expenses (OpEx), you are only responsible for the computing resources that you use.

(3) Which of the following options isn’t a type of cloud computing?

(a) Distributed cloud
(b) Hybrid cloud
(c) Private cloud
(d) Public cloud

A distributed cloud isn’t a valid type of cloud computing.

(4) Which of the following choices isn’t a benefit of using cloud services?

(a) Scalability
(b) Disaster recovery
(c) High availability
(d) Geographic isolation

You can choose to create resources in a single region; however, one of the primary advantages to cloud computing is geographic distribution.

Module 3: Describe core Azure architectural components

In this module, you learned the concepts and terminology for several of the core Azure architecture components. Now you have the basic level of understanding for Azure architecture that you’ll need to make Tailwind Traders successful as it migrates to the cloud.

  • Azure subscriptions and management groups.
  • Azure resources, resource groups, and Azure Resource Manager.
  • Azure regions, region pairs, and availability zones.

(1) Which of the following can be used to manage governance across multiple Azure subscriptions?

(a) Azure initiatives
(b) Management groups
(c) Resource groups

Management groups facilitate the hierarchical ordering of Azure resources into collections, at a level of scope above subscriptions. Distinct governance conditions can be applied to each management group, with Azure Policy and Azure role-based access controls, to manage Azure subscriptions effectively. The resources and subscriptions assigned to a management group automatically inherit the conditions applied to the management group.

(2) Which of the following is a logical unit of Azure services that links to an Azure account?

(a) Azure subscription
(b) Management group
(c) Resource group
(d) Public cloud

An Azure subscription is a logical unit of Azure services that links to an Azure account.

(3) Which of the following features doesn’t apply to resource groups?

(a) Resources can be in only one resource group.
(b) Role-based access control can be applied to the resource group.
(c) Resource groups can be nested.

It does not apply, as resource groups can’t be nested.

(4) Which of the following statements is a valid statement about an Azure subscription?

(a) Using Azure doesn’t require a subscription.
(b) An Azure subscription is a logical unit of Azure services.

A subscription is a set of Azure services bundled together for tracking and billing purposes (You can’t have more than one subscription).

Azure Fundamentals part 2: Describe core Azure services

Module 1: Explore Azure Compute Services

In this module, you learned how you can help Tailwind Traders resolve its application demand challenges through the use of Azure virtualization services like Azure Virtual Machines, Azure Container Instances, and Azure Kubernetes Service. You also learned how you can use:

  • Azure App Service to create your website front-ends.
  • Azure Functions to create event-driven application logic that only runs when you need it.
  • Windows Virtual Desktop to quickly provide a customized operating system and software environment for your remote workers.

(1) Which Azure compute resource can be deployed to manage a set of identical virtual machines?

(a) Virtual machine scale sets
(b) Virtual machine availability sets
(c) Virtual machine availability zones

Virtual machine scale sets let you deploy and manage a set of identical virtual machines.

(2) Which of the following services should be used when the primary concern is to perform work in response to an event (often via a REST command) that needs a response in a few seconds?

(a) Azure Functions
(b) Azure App Service
(c) Azure Container Instances

Azure Functions is used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.

(3) Your company has a team of remote workers that need to use Windows-based software to develop your company’s applications, but your team members are using various operating systems like macOS, Linux, and Windows. Which Azure compute service would help resolve this scenario?

(a) Azure App Service
(b) Windows Virtual Desktop
(c) Azure Container Instances

Windows Virtual Desktop enables your team members to run Windows in the cloud, with access to the required applications for your company’s needs.

Module 2: Explore Azure networking services

In this module, you used the Tailwind Traders scenario to learn about the core networking resources that are available in Azure. You learned about the benefits and usage of Azure Virtual Network, Azure VPN Gateway, and Azure ExpressRoute.

You can now apply this information to help your business use Azure’s networking resources to configure its network infrastructure.

(1) Tailwind Traders wants to create a secure communication tunnel between its branch offices. Which of the following technologies can’t be used?

(a) Point-to-site virtual private network
(b) Implicit FTP over SSL
(c) Azure ExpressRoute
(d) Site-to-site virtual private network

FTP over SSL can’t be used to create a secure communication tunnel.

(2) Tailwind Traders wants to use Azure ExpressRoute to connect its on-premises network to the Microsoft cloud. Which of the following choices isn’t an ExpressRoute model that Tailwind Traders can use?

(a) Any-to-any connection
(b) Site-to-site virtual private network
(c) Point-to-point Ethernet connection
(d) CloudExchange colocation

A site-to-site virtual private network isn’t an ExpressRoute model.

(3) Which of the following options can you use to link virtual networks?

(a) Network address translation
(b) Multi-chassis link aggregation
(c) Dynamic Host Configuration Protocol
(d) Virtual network peering

Virtual network peering can be used to link virtual networks.

(4) Which of the following options isn’t a benefit of ExpressRoute?

(a) Redundant connectivity
(b) Consistent network throughput
(c) Encrypted network communication
(d) Access to Microsoft cloud services

ExpressRoute does provide private connectivity, but it isn’t encrypted.

Module 3: Explore Azure Storage services

In this module, you discovered how Azure Storage can provide your company with a variety of options for storing your data. For example, you learned that your first step when using Azure Storage is to create a storage account. After you’ve done so, Azure provides you with several options for storing your data:

  • Azure Blob Storage
  • Azure Disk Storage
  • Azure Files Storage

In addition, Azure provides several access tiers that you can use to balance your storage costs with your business needs.

(1) What is the first step that you would take in order to share an image file as a blob in Azure Storage?

(a) Create an Azure Storage container to store the image.
(b) Create an Azure Storage account.
(c) Upload the image file and create a container.
(d) Use a Shared Access Signature (SAS) token to restrict access to the image.

You must create an Azure Storage account before you can use any Azure Storage features.

(2) Which Azure Storage option is better for storing data for backup and restore, disaster recovery, and archiving?

(a) Azure Files Storage
(b) Azure Disk Storage
(c) Azure Blob Storage

Azure Blob Storage is your best option for storing disaster recovery files and archives.

Module 4: Explore Azure database and analytics services

In this module, you learned how to help Tailwind Traders migrate its database workloads to Microsoft Azure. You saw how Azure SQL Database, Azure Database for MySQL, and Azure Database for PostgreSQL will enable your company to migrate its existing SQL Server, MySQL, and PostgreSQL databases to the cloud. You can do this even while preserving your company’s development and database administration strengths.

In addition, you saw how Azure Cosmos DB works with a variety of popular APIs, including SQL, MongoDB, Cassandra, Tables, and Gremlin. You can use these to migrate your data to the cloud and retain or enhance your developers’ skillsets. You also learned how you can use big data and analysis services like Azure Synapse Analytics, Azure HDInsight, Azure Databricks, and Azure Data Lake Analytics to analyze large volumes of data.

(1) Your development team is interested in writing Graph-based applications that take advantage of the Gremlin API. Which option would be ideal for that scenario?

(a) Azure Cosmos DB
(b) Azure SQL Database
(c) Azure Databricks
(d) Azure Database for PostgreSQL

Azure Cosmos DB supports SQL, MongoDB, Cassandra, Tables, and Gremlin APIs.

(2) Tailwind Traders uses the LAMP stack for several of its websites. Which option would be ideal for migration?

(a) Azure Cosmos DB
(b) Azure Database for MySQL
(c) Azure Database for PostgreSQL

Azure Database for MySQL is the logical choice for existing LAMP stack applications.

(3) Tailwind Traders has millions of log entries that it wants to analyze. Which option would be ideal for analysis?

(a) Azure Cosmos DB
(b) Azure SQL Database
(c) Azure Database for PostgreSQL
(d) Azure Synapse Analytics

Azure Synapse Analytics is the logical choice for analyzing large volumes of data.

Azure Fundamentals part 3: Describe core solutions and management tools on Azure

  • Choose the correct Azure Artificial Intelligence service to address different kinds of business challenges.
  • Choose the best software development process tools and services for a given business scenario.
  • Choose the correct cloud monitoring service to address different kinds of business challenges.
  • Choose the correct Azure management tool to address different kinds of technical needs and challenges.
  • Choose the right serverless computing technology for your business scenario.
  • Choose the best Azure IoT service for a given business scenario.

Module 1: Choose the best Azure IoT service for your application

Our goal in this module was to help Tailwind Traders explore various IoT services from Azure and choose the best service for the company’s business scenarios.

Tailwind Traders was able to capture telemetry data from appliances, combine it with some machine learning to predict future maintenance, and create a significant value-added service for customers by using Azure IoT Hub. The company was able to implement a complete real-time logistics system to track deliveries and vehicles by using Azure IoT Central and the Connected Logistics starter template. And, finally, it was able to design and build a secure, modern, point-of-sale self-checkout terminal by using Azure Sphere.

Without Azure IoT services, receiving messages from devices might still be possible, but it would likely be much less secure and require custom development to implement a dashboard for reporting and management. It would also be more difficult to push software or firmware updates to each device.

IoT is an exciting evolution in computing that bridges the physical and digital worlds. Azure IoT services provide a significant amount of functionality for organizations that want to build device-driven and sensor-driven solutions.

(1) A company wants to build a new voting kiosk for sales to governments around the world. Which IoT technologies should the company choose to ensure the highest degree of security?

(a) IoT Hub
(b) IoT Central
(c) Azure Sphere

Azure Sphere provides the highest degree of security to ensure the device has not been tampered with.

(2) A company wants to quickly manage its individual IoT devices by using a web-based user interface. Which IoT technology should it choose?

(a) IoT Hub
(b) IoT Central
(c) Azure Sphere

IoT Central quickly creates a web-based management portal to enable reporting and communication with IoT devices.

(3) You want to send messages from the IoT device to the cloud and vice versa. Which IoT technology can send and receive messages?

(a) IoT Hub
(b) IoT Central
(c) Azure Sphere

An IoT hub communicates to IoT devices by sending and receiving messages.

Module 2: Choose the best AI service for your needs

Our goal in this module was to help Tailwind Traders explore several AI service offerings from Azure that it can apply to various business opportunities.

You identified a few product options and their capabilities, including Azure Bot Service, Azure Cognitive Services, and Azure Machine Learning. You analyzed certain decision criteria to help yourself choose one option over another depending on the scenario. Then you applied those decision criteria to three Tailwind Traders initiatives, helping the company find the best service option for each scenario.

Without AI services, Tailwind Traders would spend more time and effort on manual tasks, respond to customers less quickly, offer weak product recommendations, and be unable to fully support customers who speak languages other than English.

AI is one focus that could transform every area of a business. Such transformation is limited only by the creativity and imagination of the organization.

(1) You need to predict future behavior based on previous actions. Which product option should you select as a candidate?

(a) Azure Machine Learning
(b) Azure Bot Service
(c) Azure Cognitive Services

Azure Machine Learning enables you to build models to predict the likelihood of a future result. It should not be eliminated as a candidate.

(2) You need to create a human-computer interface that uses natural language to answer customer questions. Which product option should you select as a candidate?

(a) Azure Machine Learning
(b) Azure Bot Service
(c) Azure Cognitive Services

Azure Bot Service creates virtual agent solutions that utilize natural language. It should not be eliminated as a candidate.

(3) You need to identify the content of product images to automatically create alt tags for images formatted properly. Which product option is the best candidate?

(a) Azure Machine Learning
(b) Azure Bot Service
(c) Azure Cognitive Services

Azure Cognitive Services includes Vision services that can identify the content of an image. Azure Cognitive Services is the best candidate.

Module 3: Choose the best Azure serverless technology for your business scenario

In this module, we wanted to help Tailwind Traders choose the right serverless computing technology for its business scenarios.

When the company needed to build a solution that pulls code logic from an existing C# Windows service, we helped it choose Azure Functions.

When the company needed to orchestrate a workflow to improve customer retention after a negative shopping experience, we helped it choose Azure Logic Apps.

In both cases, we noted how choosing the other serverless computing service would be possible. However, we tried to help the company consider the decision criteria we outlined and choose the right service for the scenario.

Without serverless computing, Tailwind Traders would be forced to set up and manage its own computing infrastructure for these business scenarios. The team would have needed to closely monitor the services to determine whether it needed to scale the service. And it likely would have wasted money in the process, with either too many or too few computing resources dedicated to the solution.

Additionally, it might have had to design, write, test, and maintain custom code to get similar results.

By helping Tailwind Traders select the right serverless computing solutions, we were able to deploy new functionality to help the company improve customer satisfaction with its e-commerce platform.

(1) You need to process messages from a queue, parse them by using some existing imperative logic written in Java, and then send them to a third-party API. Which serverless option should you choose?

(a) Azure Functions
(b) Azure Logic Apps

Azure Functions is the correct choice because you can use existing Java code with minimal modification.

(2) You want to orchestrate a workflow by using APIs from several well-known services. Which is the best option for this scenario?

(a) Azure Functions
(b) Azure Logic Apps

Azure Logic Apps makes it easy to create a workflow across well-known services with less effort than writing code and manually orchestrating all the steps yourself.

(3) Your team has limited experience with writing custom code, but it sees tremendous value in automating several important business processes. Which of the following options is your team’s best option?

(a) Azure Functions
(b) Azure Logic Apps

Azure Logic Apps is best suited for users who are more comfortable in a visual environment that allows them to automate their business processes. Logic Apps is the best option in this scenario.

Module 4: Choose the best tools to help organizations build better solutions

The goal in this module was to help Tailwind Traders choose the best DevOps solution for a set of requirements across various software development and testing needs.

We identified various product options and capabilities, including Azure DevOps Services, GitHub (including GitHub Actions), and Azure DevTest Labs. We analyzed the criteria for choosing one option over another for each scenario. Then we applied those criteria to three separate challenges at Tailwind Traders, helping the team determine the best service option for the scenarios.

Without software development services and tools from Microsoft, the Tailwind Traders team might have difficulty in realizing the benefits of such DevOps practices as continuous integration and continuous delivery (CI/CD), source-code management, and work-item management.

DevOps practices and processes have changed the software development landscape, helping to accelerate software development and improve the deployability and quality of software systems. Microsoft offers a wealth of tools that can help organizations implement DevOps practices, experience better collaboration among technical teams, and achieve more consistent results from those teams.

(1) Which of the following choices would not be used to automate a CI/CD process?

(a) Azure Pipelines
(b) GitHub Actions
(c) Azure Boards

Azure Boards is an agile project-management tool. It would not be used to automate a CI/CD process.

(2) Which service could help you manage the VMs that your developers and testers need to ensure that your new app works across various operating systems?

(a) Azure DevTest Labs
(b) Azure Test Labs
(c) Azure Repos

Azure DevTest Labs is used to manage VMs for testing, including configuration, provisioning, and automatic de-provisioning.

(3) Which service lacks features to assign individual developers tasks to work on?

(a) Azure Boards
(b) GitHub
(c) Azure Pipelines

Azure Pipelines is a CI/CD tool for building an automated toolchain. It lacks features to assign tasks for individual developers to work on. However, it can automate other tools to assign tasks to users.

Module 5: Choose the best tools for managing and configuring your Azure environment

Our goal in this module was to help Tailwind Traders choose the right cloud management tools from Microsoft for its various technical needs.

We identified a variety of product options and their capabilities, including the Azure portal, the Azure mobile app, Azure PowerShell, the Azure CLI, and Azure Resource Manager templates (ARM templates).

We analyzed decision criteria for choosing one option over another in specific scenarios.

We then applied those decision criteria to three different Tailwind Traders initiatives, helping the company find the best service option for each scenario.

Without a full suite of management tools, the company would be severely limited in how it interacts with Azure. Fortunately, Azure provides a powerful mix of visual management tools, imperative scripting tools, and declarative infrastructure-as-code tools.

(1) As an administrator, you need to retrieve the IP address from a particular VM by using Bash. Which of the following tools should you use?

(a) ARM templates
(b) Azure PowerShell
(c) The Azure portal
(d) The Azure CLI

The Azure CLI enables you to use Bash to run one-off tasks on Azure.

(2) You’re a developer who needs to set up your first VM to host a process that runs nightly. Which of the following tools is your best choice?

(a) ARM templates
(b) Azure PowerShell
(c) The Azure portal
(d) The Azure CLI

The Azure portal is a great place for newcomers to learn about Azure and set up their first resources.

(3) What is the best infrastructure-as-code option for quickly and reliably setting up your entire cloud infrastructure declaratively?

(a) ARM templates
(b) Azure PowerShell
(c) The Azure portal
(d) The Azure CLI

ARM templates are the best infrastructure-as-code option for quickly and reliably setting up your entire cloud infrastructure declaratively.

Module 6: Choose the best monitoring service for visibility, insight, and outage mitigation

Our goal in this module was to help Tailwind Traders explore several monitoring service offerings from Azure to apply to a variety of business scenarios.

We identified three product options and their capabilities: Azure Advisor, Azure Monitor, and Azure Service Health. We analyzed decision criteria for choosing one option over another for certain scenarios. Then we applied those decision criteria to three different challenges faced by Tailwind Traders, helping them find the best service option for the scenario.

Without monitoring services, Tailwind Traders would spend more money on its cloud environment, be unsure about its cloud security posture, have difficulty pinpointing issues in its application logic, and be unable to plan ahead for outages or supply formal outage reports to stakeholders.

Azure monitoring services provide a comprehensive array of features to help improve your cloud operations.

(1) You want to be alerted when new recommendations to improve your cloud environment are available. Which service will do this?

(a) Azure Advisor
(b) Azure Monitor
(c) Azure Service Health

Azure Advisor can alert you when new recommendations are available.

(2) Which service provides official outage root cause analyses (RCAs) for Azure incidents?

(a) Azure Advisor
(b) Azure Monitor
(c) Azure Service Health

Azure Service Health provides incident history and RCAs to share with your stakeholders.

(3) Which service is a platform that powers Application Insights, monitoring for VMs, containers, and Kubernetes?

(a) Azure Advisor
(b) Azure Monitor
(c) Azure Service Health

Azure Monitor is the platform used by Application Insights.

Azure Fundamentals part 4: Describe general security and network security features

Module 1: Protect against security threats on Azure

Tailwind Traders faces a number of security challenges. In today’s digital world, its needs aren’t unique.

Azure provides tools and services that can help you detect and act on important security events. It also provides ways to help keep your data safe, which can prevent security incidents from happening to begin with.

In this module, you learned about Azure services that relate to security. Here’s a brief summary:

  • Azure Security Center provides visibility of your security posture across all of your services, both on Azure and on-premises.
  • Azure Sentinel aggregates security data from many different sources, and provides additional capabilities for threat detection and response.
  • Azure Key Vault stores your applications’ secrets, such as passwords, encryption keys, and certificates, in a single, central location.
  • Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.

Consider the following scenario. Then choose the best response for each question that follows.

Tailwind Traders is moving its online payment system from its datacenter to the cloud. The payment system consists of virtual machines (VMs) and SQL Server databases.
Here are a few security requirements that the company identifies as it plans the migration:

  • It wants to ensure a good security posture across all of its systems, both on Azure and on-premises.
  • In the datacenter, access to VMs requires a TLS certificate. The company needs a place to safely store and manage its certificates.

Here are some additional requirements that relate to regulatory compliance:

  • Tailwind Traders must store certain customer data on-premises, in its datacenter.
  • For certain workloads, the company must be the only customer running VMs on the physical hardware.
  • The company must only run approved business applications on each VM.

See the following diagram that shows the proposed architecture.

A diagram showing the proposed architecture. Virtual machines run both on Azure and in the datacenter.

On Azure, Tailwind Traders will use both standard VMs and VMs that run on dedicated physical hardware. In the datacenter, the company will run VMs that can connect to databases within its internal network.

(1) How can Tailwind Traders enforce having only certain applications run on its VMs?

(a) Connect your VMs to Azure Sentinel.
(b) Create an application control rule in Azure Security Center.
(c) Periodically run a script that lists the running processes on each VM. The IT manager can then shut down any applications that shouldn’t be running.

With Azure Security Center, you can define a list of allowed applications to ensure that only applications you allow can run. Azure Security Center can also detect and block malware from being installed on your VMs.

(2) What’s the easiest way for Tailwind Traders to combine security data from all of its monitoring tools into a single report that it can take action on?

(a) Collect security data in Azure Sentinel.
(b) Build a custom tool that collects security data, and displays a report through a web application.
(c) Look through each security log daily and email a summary to your team.

Azure Sentinel is Microsoft’s cloud-based SIEM. A SIEM aggregates security data from many different sources to provide additional capabilities for threat detection and responding to threats.

(3) Which is the best way for Tailwind Traders to safely store its certificates so that they’re accessible to cloud VMs?

(a) Place the certificates on a network share.
(b) Store them on a VM that’s protected by a password.
(c) Store the certificates in Azure Key Vault.

Azure Key Vault enables you to store your secrets in a single, central location. Key Vault also makes it easier to enroll and renew certificates from public certificate authorities (CAs).

(4) How can Tailwind Traders ensure that certain VM workloads are physically isolated from workloads being run by other Azure customers?

(a) Configure the network to ensure that VMs on the same physical host are isolated.
(b) This is not possible. These workloads need to be run on-premises.
(c) Run the VMs on Azure Dedicated Host.

Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.

Module 2: Secure network connectivity on Azure

In this module, you learned about some of the ways you can secure network traffic both on Azure and in your on-premises datacenter.

Defense in depth is the overriding theme. Think about security as a multiple-layer, multiple-vector concern. Threats come from places we don’t expect, and they can come with surprising strength.

Tailwind Traders now has a few tools and services that it can use to secure its networks. Here’s a brief summary:

  • Azure Firewall is a managed, cloud-based network security service that helps protect resources in Azure virtual networks.
  • An Azure virtual network is similar to a traditional network that you’d operate in your own datacenter. It enables virtual machines and other compute resources to securely communicate with each other, the internet, and on-premises networks.
  • A network security group (NSG) enables you to filter network traffic to and from Azure resources within a virtual network.
  • Azure DDoS Protection helps protect Azure resources from DDoS attacks.

Consider the following scenario. Then choose the best response for each question that follows.

Tailwind Traders is moving its online payment system to Azure. The processing of online orders begins through a website, which Tailwind Traders manages through Azure App Service. (App Service is a way to host web applications on Azure.)
The web application that runs the website passes order information to virtual machines (VMs), which further process each order. These VMs exist on an Azure virtual network, but they need to access the internet to retrieve software packages and system updates.
Here’s a diagram that shows the basic architecture of the company’s payment system:

An architecture diagram that shows network traffic flowing into Azure. Azure App Service receives public network traffic and passes it to virtual machines running on a virtual network.

The security team wants to ensure that only valid network traffic reaches the company’s Azure resources. As an extra layer of defense, the team also wants to ensure that the VMs can reach only trusted hosts on specific ports.

(1) An attacker can bring down your website by sending a large volume of network traffic to your servers. Which Azure service can help Tailwind Traders protect its App Service instance from this kind of attack?

(a) Azure Firewall
(b) Network security groups
(c) Azure DDoS Protection

DDoS Protection helps protect your Azure resources from DDoS attacks. A DDoS attack attempts to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users.

(2) What’s the best way for Tailwind Traders to limit all outbound traffic from VMs to known hosts?

(a) Configure Azure DDoS Protection to limit network access to trusted ports and hosts.
(b) Create application rules in Azure Firewall.
(c) Ensure that all running applications communicate with only trusted ports and hosts.

Azure Firewall enables you to limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs).

(3) How can Tailwind Traders most easily implement a deny by default policy so that VMs can’t connect to each other?

(a) Allocate each VM on its own virtual network.
(b) Create a network security group rule that prevents access from another VM on the same network.
(c) Configure Azure DDoS Protection to limit network access within the virtual network.

A network security group rule enables you to filter traffic to and from resources by source and destination IP address, port, and protocol.

Azure Fundamentals part 5: Describe identity, governance, privacy, and compliance features

Module 1: Secure access to your applications by using Azure identity services

Tailwind Traders needs to ensure that only its workforce can access its growing set of cloud applications, both from any location and from any device.

In building out its plan, Tailwind Traders learns that:

  • Authentication (AuthN) establishes the user’s identity.
  • Authorization (AuthZ) establishes the level of access that an authenticated user has.
  • Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple resources and applications.
  • Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables an organization to control access to apps and resources based on its business requirements.
  • Azure AD Multi-Factor Authentication provides additional security for identities by requiring two or more elements to fully authenticate. In general, multifactor authentication can include something the user knows, something the user has, and something the user is.
  • Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity signals such as the user’s location.

With these ideas in place, the software development and IT administrator teams can begin to replace their existing authentication systems with ones that use multiple factors and allow access to multiple applications.

Consider the following scenario. Then choose the best response for each question that follows.

At Tailwind Traders, recall that retail employees are issued tablet devices from which they can track orders and plan their work schedules.
Tailwind Traders also allows delivery drivers to use their own mobile devices to access scheduling and logistics applications.
A stolen password might allow unauthorized access to company and customer data. Tailwind Traders wants to extend its investments in Active Directory to secure all of its applications, when accessed both from the intranet and from public networks.
The company is looking into how Azure Active Directory (Azure AD), single sign-on (SSO), multifactor authentication, and Conditional Access can help it achieve those goals.

(1) How can the IT department ensure that employees at the company’s retail stores can access company applications only from approved tablet devices?

(a) SSO
(b) Conditional Access
(c) Multifactor authentication

Conditional Access enables you to require users to access your applications only from approved, or managed, devices.

(2) How can the IT department use biometric properties, such as facial recognition, to enable delivery drivers to prove their identities?

(a) SSO
(b) Conditional Access
(c) Multifactor authentication

Authenticating through multifactor authentication can include something the user knows, something the user has, and something the user is.

(3) How can the IT department reduce the number of times users must authenticate to access multiple applications?

(a) SSO
(b) Conditional Access
(c) Multifactor authentication

SSO enables a user to remember only one ID and one password to access multiple applications.

Module 2: Build a cloud governance strategy on Azure

You’ve been tasked with defining and implementing the governance strategy for Tailwind Traders.

Cloud governance requires good analysis and requirement gathering. Luckily, the Cloud Adoption Framework for Azure can help you define and implement your governance strategy. There are several services and features in Azure to support these efforts:

  • Azure role-based access control (Azure RBAC) enables you to create roles that define access permissions.
  • Resource locks prevent resources from being accidentally deleted or changed.
  • Resource tags provide extra information, or metadata, about your resources.
  • Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources.
  • Azure Blueprints enables you to define a repeatable set of governance tools and standard Azure resources that your organization requires.

With these points in mind, you’re ready to take the next step toward building a good cloud governance strategy.

Consider the following scenario. Then choose the best response for each question that follows.

Tailwind Traders has created environments for development and testing for its e-commerce system.
Here’s a diagram that shows the basic compute, database, and networking components found in each environment.

A diagram of the development and test environments. Each environment contains virtual machines, a database, and a virtual network. The development environment includes three virtual machines. The test environment contains six virtual machines.

These environments provide a way for the team to build and test new application features. If you’ve gone through the Plan and manage your Azure costs module, then you’ve already seen this layout.
Although the development and test teams report to different departments, both environments exist under the same Azure subscription.
The IT manager wants to implement governance controls to help ensure that only authorized users can access these systems. Having these controls in place will also help them track and manage operating costs.

(1) How can Tailwind Traders allow some users to control the virtual machines in each environment but prevent them from modifying networking and other resources in the same resource group or Azure subscription?

(a) Create a role assignment through Azure role-based access control (Azure RBAC).
(b) Create a policy in Azure Policy that audits resource usage.
(c) Split the environment into separate resource groups.

Azure RBAC enables you to create roles that define access permissions. You might create one role that limits access only to virtual machines and a second role that provides administrators with access to everything.

(2) Which is the best way for Tailwind Traders to ensure that the team deploys only cost-effective virtual machine SKU sizes?

(a) Create a policy in Azure Policy that specifies the allowed SKU sizes.
(b) Periodically inspect the deployment manually to see which SKU sizes are used.
(c) Create an Azure RBAC role that defines the allowed virtual machine SKU sizes.

After you enable this policy, that policy is applied when you create new virtual machines or resize existing ones. Azure Policy also evaluates any current virtual machines in your environment.

(3) Which is likely the best way for Tailwind Traders to identify which billing department each Azure resource belongs to?

(a) Track resource usage in a spreadsheet.
(b) Split the deployment into separate Azure subscriptions, where each subscription belongs to its own billing department.
(c) Apply a tag to each resource that includes the associated billing department.

Tags provide extra information, or metadata, about your resources. The team might create a tag that’s named BillingDept whose value would be the name of the billing department. You can use Azure Policy to ensure that the proper tags are assigned when resources are provisioned.

Module 3: Examine privacy, compliance, and data protection standards on Azure

In this module, you learned about Microsoft’s approach to privacy, security, and compliance. You explored resources specific to online services, including Azure, and how governments can use Azure to meet their specific security and compliance needs.

The security team at Tailwind Traders now has a better understanding of what resources are available to help it protect its data in the cloud and stay compliant:

  • The Microsoft Privacy Statement provides trust in how Microsoft collects, protects, and uses customer data.
  • The Trust Center provides you with documentation about compliance standards and how Azure can support your business.
  • The Azure compliance documentation includes detailed information about legal and regulatory standards and compliance on Azure.

Keep in mind that compliance status for Azure products and services doesn’t automatically translate to compliance for the service or application you build or host on Azure. You’re responsible for ensuring that you achieve compliance with the legal and regulatory standards that you must follow.

Most services are the same on both Azure Government and global Azure. But there are some differences that you should be aware of. To learn more, compare Azure Government and global Azure.

Consider the following scenario. Then choose the best response for each question that follows.

At Tailwind Traders, the legal and IT departments want to better understand how Microsoft handles personal data. They also want to better understand how Azure services can help them meet their compliance goals.
Their needs go beyond just Azure. For example, applications in their retail stores use Cortana to help store employees quickly locate items.

(1) Where can the team access details about the personal data Microsoft processes and how the company processes it, including for Cortana?

(a) Microsoft Privacy Statement
(b) The Azure compliance documentation
(c) Microsoft compliance offerings

The Microsoft Privacy Statement provides information that’s relevant to specific services, including Cortana.

(2) Where can the legal team access information around how the Microsoft cloud helps them secure sensitive data and comply with applicable laws and regulations?

(a) Microsoft Privacy Statement
(b) Trust Center
(c) Online Services Terms

The Trust Center is a great resource for people in your organization who might play a role in security, privacy, and compliance.

(3) Where can the IT department find reference blueprints that it can apply directly to its Azure subscriptions?

(a) Online Services Terms
(b) Azure compliance documentation
(c) Microsoft Privacy Statement

The compliance documentation provides reference blueprints, or policy definitions, for common standards that you can apply to your Azure subscription.

Azure Fundamentals part 6: Describe Azure cost management and service level agreements

Module 1: Plan and manage your Azure costs

Tailwind Traders is taking a methodical approach toward cloud migration. While proof-of-concept projects can help demonstrate technical feasibility, having a clear picture of the total cost of running in the cloud will further help the team validate its approach.

To start, the Tailwind Traders team used the Total Cost of Ownership Calculator to estimate the cost savings of operating its solution on Azure instead of in its on-premises datacenter.

From there, the team used the Pricing calculator to get a more detailed estimate for running a typical workload on Azure each month.

The team also created a checklist of cost-saving measures that it can use to help keep down costs. This list includes:

  • Perform cost analysis before you deploy.
  • Use Azure Advisor to monitor your usage.
  • Use spending limits to prevent accidental spending.
  • Use Azure Reservations to prepay.
  • Choose low-cost locations and regions.
  • Research available cost-saving offers.
  • Apply tags to identify cost owners.

With these measures in place, the Tailwind Traders team is ready to take the next steps toward cloud migration.

Consider the following scenario. Then choose the best response for each question that follows.

Before they migrate their existing e-commerce system from their datacenter to production environments on Azure, the Tailwind Traders team wants to first set up environments for development and testing.
Here’s a diagram that shows the basic compute, database, and networking components found in each environment:

A diagram of the development and test environments. Each environment contains virtual machines, a database, and a virtual network. The development environment includes three virtual machines. The test environment contains six virtual machines.

An e-commerce system might require a website, the products database, a payment system, and so on. Because developers can’t always run the entire service from their local development environment, the Dev environment is the first place where everything the app needs comes together.
After the development team verifies changes to the Dev environment, they promote changes to the Test environment. The Test environment is where the testing team verifies new app features and also verifies that no regressions, or breaks to existing features, happen as new features are added.
The team will map each component in their existing infrastructure to the appropriate Azure service.

(1) Which is the best first step the team should take to compare the cost of running these environments on Azure versus in their datacenter?

(a) They’re just test environments. Spin them up and check the bill at the end of the month.
(b) Assume that running in the cloud costs about the same as running in the datacenter.
(c) Run the Total Cost of Ownership Calculator.

Running the Total Cost of Ownership Calculator is a great first step because it can provide an accurate comparison of running workloads in the datacenter versus on Azure, certified by an independent research company.

(2) What’s the best way to ensure that the development team doesn’t provision too many virtual machines at the same time?

(a) Do nothing. Let the development team use what they need.
(b) Apply spending limits to the development team’s Azure subscription.
(c) Verbally give the development lead a budget and hold them accountable for overages.

If you exceed your spending limit, active resources are deallocated. You can then decide whether to increase your limit or provision fewer resources.

(3) Which is the most efficient way for the testing team to save costs on virtual machines on weekends, when testers are not at work?

(a) Delete the virtual machines before the weekend and create a new set the following week.
(b) Deallocate virtual machines when they’re not in use.
(c) Just let everything run. Azure bills you only for the CPU time that you use.

When you deallocate virtual machines, the associated hard disks and data are still kept in Azure. But you don’t pay for CPU or network consumption, which can help save costs.

(4) Resources in the Dev and Test environments are each paid for by different departments. What’s the best way to categorize costs by department?

(a) Apply a tag to each virtual machine that identifies the appropriate billing department.
(b) Split the cost evenly between departments.
(c) Keep a spreadsheet that lists each team’s resources.

You can apply tags to groups of Azure resources to organize billing data.

Module 2: Choose the right Azure services by examining SLAs and service lifecycle

A service-level agreement (SLA) is the formal agreement between a service company and the customer. For Azure, this agreement defines the performance standards that Microsoft commits to for its customers.

The Tailwind Traders team is working on quite a variety of projects! In addition to its main website, the team is adding a mapping feature to its Special Orders application so that it can calculate routes between suppliers and retail stores. The team is also exploring how severe weather tracking can improve its drone guidance system.

As requirements evolve, it’s important for the team to understand how the SLA for each service it chooses affects the overall performance guarantees of its applications.

For example, the main website must be available as close to 100 percent of the time as possible. To accomplish that, Tailwind Traders might deploy extra instances of the same virtual machine across different availability zones in the same Azure region. Doing so helps ensure that if one zone is affected, virtual machine instances in the other zone can pick up the load.

The Special Orders application might have more flexible tolerances. As long as retail employees don’t lose data and can quickly regain network access, the Special Orders application might have a lower SLA. Here, the team can choose to include less redundancy in its design.

When defining your SLA requirements, be sure to consider both your business needs and the time it takes to restore a component after a failure. Also consider how the use of preview services and preview features might affect your systems in production.

Consider the following scenario. Then choose the best response for each question that follows.

Recall that the Tailwind Traders’ Special Orders application includes two virtual machines, Azure Load Balancer, and Azure SQL Database:

A diagram showing two virtual machines connected to Azure Load Balancer and Azure SQL Database.

Here’s the service-level agreement (SLA) for each service:

Service | SLA
Azure Virtual Machines | 99.9 percent
Azure SQL Database | 99.99 percent
Azure Load Balancer | 99.99 percent

To compute the composite SLA for a set of services, you multiply the SLA of each individual service. Recall that the existing composite SLA is:

99.9% × 99.9% × 99.99% × 99.99% = 99.78%

The team wants to add a mapping feature so that it can calculate routes between nearby suppliers and each retail store. For that, the team will use Azure Maps.
The team also needs more processing power to keep up with demand. For that, it will add a third virtual machine to the pool.
Here’s a diagram that shows their proposed plan:

A diagram showing three virtual machines connected to Azure Load Balancer, Azure SQL Database, and Azure Maps.

Recall that you can access SLAs from Service Level Agreements.
Tailwind Traders is also considering using an augmented reality service in the Special Orders app to help customers visualize their customizations. This Azure service is currently in the public preview phase.

(1) What’s the SLA for Azure Maps in terms of guaranteed uptime?

(a) 99 percent
(b) 99.9 percent
(c) 99.99 percent

The SLA for Azure Maps states its guaranteed uptime.

(2) What’s the new composite SLA? Remember, the new SLA includes a third virtual machine and Azure Maps.

(a) 99.58 percent
(b) 99.78 percent
(c) 99.99 percent

To compute the composite SLA for a set of services, you multiply the SLA of each individual service.

(3) Adding a third virtual machine reduces the composite SLA. How can Tailwind Traders offset this reduction?

(a) Increase the size of each virtual machine.
(b) Deploy extra instances of the same virtual machines across the different availability zones in the same Azure region.
(c) Do nothing. Using Azure Load Balancer increases the SLA for virtual machines.

If one availability zone is affected, your virtual machine instance in the other availability zone should be unaffected.

(4) What approach might the company take in adding the augmented reality (AR) preview service to its architecture?

(a) The Special Orders app is already in production. The company shouldn’t look into the AR service until the service reaches general availability (GA).
(b) The Special Orders app is mainly for use by retail employees. The company can integrate the AR service now because potential downtime or failures aren’t an important factor.
(c) The development team can create a prototype version of the app that includes the AR service that it tests out with select retail employees.

After the AR service reaches general availability (GA), the team can roll it out to production.

Quiz

1 A software and hardware solution that provides communication and security features for IoT devices

(a) AZ Sphere
(b) IoT Central
(c) IoT Hub

2 Which AZ service should you use to collect events from multiple resources into a centralized repository?

(a) AZ Event Hubs
(b) AZ Analysis Services
(c) AZ Monitor
(d) AZ Stream Analytics

3 Your company plans to migrate all its data and resources to AZ. The company ACME’s migration plan states that only Platform as a Service (PaaS) solutions must be used in AZ. You need to deploy an AZ environment that meets the company migration plan. Solution: You create an AZ App Service and AZ virtual machines that have MS SQL Server installed. Does this meet the goal?

(a) Yes
(b) No

4 Your company plans to migrate to AZ. The company has several departments. All the AZ resources used by each department will be managed by a department administrator. What are two possible techniques to segment AZ for the departments? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

(a) multiple Azure Active Directory (Azure AD) directories
(b) multiple subscriptions
(c) multiple regions
(d) multiple resource groups

5 You have an on-premises application that sends email notifications automatically based on a rule. You plan to migrate the application to AZ. You need to recommend a serverless computing solution for the application. What should you include in the recommendation?

(a) a web app
(b) a server image in AZ Marketplace
(c) a logic app
(d) an API app

6 A fully managed software as a service (SaaS) solution to connect, monitor and manage IoT devices at scale

(a) AZ Sphere
(b) IoT Central
(c) IoT Hub

7 To complete the sentence, select the appropriate option in the answer area. When planning to migrate a public web site to AZ you must plan to _____________

(a) deploy a VPN.
(b) pay monthly usage costs.
(c) pay to transfer all the website data to AZ.
(d) reduce the number of the connections to the website.

8 Your company plans to migrate all its data and resources to AZ. The company ACME’s migration plan states that only Platform as a Service (PaaS) solutions must be used in AZ. You need to deploy an AZ environment that meets the company migration plan. Solution: You create an AZ App Service and AZ SQL databases. Does this meet the goal?

(a) Yes
(b) No

9 You plan to store 20 TB of data in AZ. The data will be accessed infrequently and visualized by using MS Power BI. You need to recommend a storage solution for the data. Which two solutions should you recommend? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

(a) AZ Data Lake
(b) AZ Cosmos DB
(c) AZ Synapse Analytics
(d) AZ SQL Database
(e) AZ Database for PostgreSQL

10 Select only the TRUE sentences below. More than one choice is possible.

(a) You can create a resource group inside another resource group
(b) An AZ VM can be in multiple resource groups
(c) A resource group can contain resources from multiple AZ regions

11 Select only the TRUE sentences below. More than one choice is possible.

(a) You can use Availability Zones in AZ to protect AZ VMs from a datacenter failure
(b) You can use Availability Zones in AZ to protect AZ VMs from a region failure
(c) You can use Availability Zones in AZ to protect AZ Managed Disks from a datacenter failure

12 You plan to deploy a website to AZ. The website will be accessed by users worldwide and will host large video files. You need to recommend which AZ feature must be used to provide the best video playback experience. What should you recommend?

(a) an application gateway
(b) an AZ ExpressRoute circuit
(c) a content delivery network
(d) an AZ Traffic Manager profile

13 What are two characteristics of the public cloud? Each correct answer presents a complete solution.

(a) dedicated hardware
(b) unsecured connections
(c) limited storage
(d) metered pricing
(e) self-service management

14 A managed service that provides bidirectional communication between IoT devices and AZ

(a) AZ Sphere
(b) IoT Central
(c) IoT Hub

15 You plan to migrate several servers from an on-premises network to AZ. What is an advantage of using a public cloud service for the servers over an on-premises network?

(a) The public cloud is owned by the public, NOT a private corporation
(b) The public cloud is a crowd-sourcing solution that provides corporations with the ability to enhance the cloud
(c) All public cloud resources can be freely accessed by every member of the public
(d) The public cloud is a shared entity whereby multiple corporations each use a portion of the resources in the cloud

16 Which service provides serverless computing in AZ?

(a) AZ Virtual Machines
(b) AZ Functions
(c) AZ storage account
(d) AZ dedicated hosts

17 Your company hosts an accounting application named ACMEapp that is used by all the customers of the company. ACMEapp has low usage during the first three weeks of each month and very high usage during the last week of each month. Which benefit of AZ Cloud Services supports cost management for this type of usage pattern?

(a) high availability
(b) high latency
(c) elasticity
(d) load balancing

18 You have an on-premises network that contains several servers. You plan to migrate all the servers to AZ. You need to recommend a solution to ensure that some of the servers are available if a single AZ data center goes offline for an extended period. What should you include in the recommendation?

(a) fault tolerance
(b) elasticity
(c) scalability
(d) low latency

19 To complete the sentence, select the appropriate option in the answer area. When you are implementing a Software as a Service (SaaS) solution, you are responsible for ________________

(a) configuring high availability.
(b) defining scalability rules.
(c) installing the SaaS Solution.
(d) configuring the SaaS solution.

20 You need to be notified when MS plans to perform maintenance that can affect the resources deployed to an AZ subscription. What should you use?

(a) AZ Monitor
(b) AZ Service Health
(c) AZ Advisor
(d) MS Trust Center
