
AZ-303 Microsoft Azure Architect Technologies Exam Questions and Answers – Page 2

The latest Microsoft AZ-303 Microsoft Azure Architect Technologies certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-303 Microsoft Azure Architect Technologies exam and earn Microsoft AZ-303 Microsoft Azure Architect Technologies certification.

AZ-303 Microsoft Azure Architect Technologies Exam Questions and Answers

Exam Question 121

You are implementing the virtual network for a new application. The application uses two Azure Virtual Machines (VMs):

  • webserver: an Azure VM that only accepts network connections from the internet using ports 80 and 443 directly from a static public IP
  • database: an Azure VM running MySQL server that accepts connections only from the webserver’s private IP address on port 3306

You need to evaluate the minimum number of network interface cards (NICs) and network security groups (NSGs) you need to provision.
How many resources should you provision? To answer, select the appropriate options from the drop-down menus.

Network Interface Cards:

  • 0
  • 1
  • 2
  • 3

Network Security Groups:

  • 0
  • 1
  • 2
  • 3

Correct Answer:
Network Interface Cards: 2
Network Security Groups: 2
Answer Description:
You should provision at least two NICs. You need to associate one NIC for each Azure VM, and for the webserver, you should associate a static public IP address on the same NIC. You have a required private IP address that is defined by the virtual network and an optional public IP address per NIC.
You should provision at least two NSGs. One NSG should be associated with the webserver’s NIC to allow network traffic on ports 80 and 443 from the internet. Another NSG should be associated with the database NIC to allow network traffic on port 3306 from the webserver’s private IP address.
References:
Microsoft Docs > Associate a public IP address to a virtual machine
Microsoft Docs > Add, change, or remove IP addresses for an Azure network interface
Microsoft Docs > Create, change, or delete a network security group
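
The two NSGs described above can be checked with a small model of how Azure evaluates inbound rules: lowest priority number first, first match wins, with the built-in default rules evaluated last. This is an added example, not part of the original answer; the VNet range and IP addresses are assumed, and the service tags are simplified. It shows that an allow rule on the database NSG does not by itself limit port 3306 to the webserver, because the default AllowVnetInBound rule still admits every other host in the virtual network.

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed VNet address space
WEB_IP = "10.0.0.4"                         # assumed webserver private IP
OTHER_IP = "10.0.0.50"                      # assumed unrelated VM in the same VNet
INTERNET_IP = "203.0.113.7"                 # constructed external client address


@dataclass(frozen=True)
class Rule:
    priority: int
    source: str   # CIDR, "*", "VirtualNetwork" or "Internet"
    port: str     # single port or "*"
    action: str   # "Allow" or "Deny"
    name: str = ""


# Built-in inbound rules present in every NSG.
# (AllowAzureLoadBalancerInBound, priority 65001, is left out of this model.)
DEFAULT_RULES = [
    Rule(65000, "VirtualNetwork", "*", "Allow", "AllowVnetInBound"),
    Rule(65500, "*", "*", "Deny", "DenyAllInBound"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":  # simplified: the VNet's own address space only
        return ip in VNET
    if rule_source == "Internet":        # simplified: anything outside the VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(rule_source)


def evaluate(custom_rules, src_ip: str, port: int):
    """Return (action, rule name) of the first matching rule, lowest priority number first."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in ("*", str(port)):
            return rule.action, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# NSG on the webserver NIC: HTTP and HTTPS from the internet.
WEB_NSG = [
    Rule(100, "Internet", "80", "Allow", "allow-http"),
    Rule(110, "Internet", "443", "Allow", "allow-https"),
]

# NSG on the database NIC with only the allow rule from the answer.
DB_NSG_ALLOW_ONLY = [
    Rule(100, f"{WEB_IP}/32", "3306", "Allow", "allow-mysql-from-web"),
]

# Same NSG plus an explicit deny that shadows the default AllowVnetInBound rule.
DB_NSG_HARDENED = DB_NSG_ALLOW_ONLY + [
    Rule(4096, "VirtualNetwork", "*", "Deny", "deny-other-vnet"),
]

if __name__ == "__main__":
    for label, nsg in (("allow-only", DB_NSG_ALLOW_ONLY), ("hardened", DB_NSG_HARDENED)):
        for src in (WEB_IP, OTHER_IP, INTERNET_IP):
            print(label, src, "-> 3306:", evaluate(nsg, src, 3306))
```
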

Exam Question 122

You are managing your company’s virtual networks in Azure.
Your company has Azure Virtual Machines (VMs) across three virtual networks.

  • vnet1 has the address space 10.0.0.0/16.
  • vnet2 has the address space 10.1.0.0/16.
  • vnet3 has the address space 10.2.0.0/16.

You configure virtual network peering on the following networks:

  • vnet1 network peering allows virtual network access to vnet2.
  • vnet2 network peering allows virtual network access to vnet3.
  • vnet3 network peering allows virtual network access to vnet2.

You need to determine if Azure VMs in a specific virtual network can communicate with Azure VMs in other virtual networks.
How can Azure VMs communicate with each other? To answer, select the appropriate options from the drop-down menus.

Azure VMs on vnet1 can connect to Azure VMs in:

  • vnet2 and vnet3
  • vnet2 only
  • vnet3 only

Azure VMs on vnet2 can connect to Azure VMs in:

  • vnet1 only
  • vnet1 and vnet3
  • vnet3 only

Azure VMs on vnet3 can connect to Azure VMs in:

  • vnet1 only
  • vnet1 and vnet2
  • vnet2 only

Correct Answer:
Azure VMs on vnet1 can connect to Azure VMs in: vnet2 only
Azure VMs on vnet2 can connect to Azure VMs in: vnet3 only
Azure VMs on vnet3 can connect to Azure VMs in: vnet2 only
Answer Description:
Azure VMs on vnet1 can connect to Azure VMs on vnet2 only. You configured a virtual network peering in vnet1 to vnet2, allowing resources from vnet1 to connect with resources in vnet2.
Azure VMs on vnet2 can connect to Azure VMs on vnet3 only and vice versa. You configured a virtual network peering on vnet2 to vnet3, and also a peering on vnet3 to vnet2, allowing resources from vnet2 and vnet3 to connect with each other.
Azure VMs on vnet1 cannot connect to Azure VMs on vnet3 and vice versa. A virtual network peering is established between two virtual networks only, and it is not transitive. If you want to connect resources on vnet1 with resources on vnet3, you need to configure a network peering between vnet1 and vnet3.
Azure VMs on vnet2 cannot connect to Azure VMs on vnet1. You configured a virtual network peering in vnet1 to vnet2 only. A virtual network peering does not work in both directions. To allow connections to resources from vnet2 to vnet1, you need to configure a network peering from vnet2 to vnet1.
References:
Microsoft Docs > Virtual network peering
Microsoft Docs > Create, change, or delete a virtual network peering

Exam Question 123

You manage your company’s Azure virtual network. You have a virtual network named vnet1 with the address space 10.0.0.0/16 that contains three subnets:

  • public: subnet with the address space 10.0.1.0/24
  • private: subnet with the address space 10.0.2.0/24
  • dmz: subnet with the address space 10.0.3.0/24

You create a new network virtual appliance named nvm1 in the dmz subnet with the private IP address 10.0.3.11.
You need to configure a custom route in the private subnet to route the traffic to nvm1.
How should you configure the custom route? To answer, select the appropriate options from the drop-down menus.

Address prefix:

  • 10.0.1.0/24
  • 10.0.2.0/24
  • 10.0.3.0/24

Next hop type:

  • Internet
  • Virtual appliance
  • Virtual network

Next hop address:

  • 0.0.0.0/0
  • 10.0.3.11
  • 10.0.1.0/24

Correct Answer:
Address prefix: 10.0.2.0/24
Next hop type: Virtual appliance
Next hop address: 10.0.3.11
Answer Description:
You should configure the address prefix as 10.0.2.0/24. You can use the address prefix to configure where the traffic is coming from, which is from the private subnet.
Next, you should configure the next hop type as Virtual appliance. This option configures the type of destination where traffic is routed, which is the nvm1 network virtual appliance.
Finally, you should configure the next hop address as 10.0.3.11. You can use this option to configure the routing destination, which is the nvm1 private IP address.
You should not configure the address prefix as 10.0.1.0/24 or 10.0.3.0/24. These address prefixes refer to the public and dmz subnets, respectively. You need to route traffic from the private subnet.
You should not configure the next hop type as Internet or Virtual network. You should configure these next hop types to route traffic to the internet or to a virtual network, respectively.
You should not configure the next hop address as 0.0.0.0/0 or 10.0.1.0/24. These addresses could be used to route traffic to the internet or the public subnet, respectively. You need to configure the next hop type as Internet or Virtual network with these addresses.
References:
Microsoft Docs > Virtual network traffic routing
Microsoft Docs > Tutorial: Route network traffic with a route table using the Azure portal

Exam Question 124

You are implementing network connectivity between your on-premises network and two Azure virtual networks.
You configure your network with the address spaces below:

  • on-premises network: 10.0.1.0/16
  • vnet1 (Azure): 10.0.11.0/16
  • vnet2 (Azure): 10.0.12.0/16

You decide to implement a hub-spoke network topology to optimize the cost. You create a new virtual network named hub with the address space 10.0.10.0/16 and implement virtual network peering between vnet1 and hub, and vnet2 and the hub virtual network.
You need to complete the hub-spoke network topology configuration.
Which three actions should you perform?

A. 1. Implement a VPN gateway on the hub virtual network. 2. Configure the peering connection on the hub virtual network to allow gateway transit. 3. Configure the peering connection on vnet1 and vnet2 to use remote gateways.
B. 1. Implement a VPN gateway on the hub virtual network. 2. Configure the peering connection on the hub virtual network to allow gateway transit. 3. Configure all peering connections to use remote gateways.
C. 1. Implement a VPN gateway on the hub virtual network. 2. Configure the peering connection on the hub virtual network to allow gateway transit. 3. Implement a VPN gateway on the vnet1, vnet2, and hub virtual network.
D. 1. Implement a VPN gateway on the hub virtual network. 2. Configure the peering connection on vnet1 and vnet2 to use remote gateways. 3. Configure the peering connection on the hub virtual network to allow gateway transit.
Correct Answer:
A. 1. Implement a VPN gateway on the hub virtual network. 2. Configure the peering connection on the hub virtual network to allow gateway transit. 3. Configure the peering connection on vnet1 and vnet2 to use remote gateways.
Answer Description:
You should perform the following actions:

  1. Implement a VPN gateway on the hub virtual network.
  2. Configure the peering connection on the hub virtual network to allow gateway transit.
  3. Configure the peering connection on vnet1 and vnet2 to use remote gateways.

You should implement a VPN gateway on the hub virtual network. The hub virtual network centralizes connectivity to your on-premises network. You should implement a VPN gateway only on this virtual network. The spoke networks connect to on-premises through this hub network.
You should also configure the peering connection on the hub virtual network to allow gateway transit. This allows the on-premises network to access vnet1 and vnet2 virtual networks.
Finally, you should also configure the peering connections on vnet1 and vnet2 to use remote gateways. This allows the spoke networks to connect back with the on-premises network.
You should not implement a VPN gateway on the vnet1, vnet2, and hub virtual networks. You can configure network peering between Azure virtual networks by using a VPN gateway. However, you already configured virtual network peering between the virtual networks and the hub network. Implementing a VPN gateway in all virtual networks results in a more expensive solution.
You should not configure all peering connections to use remote gateways. You need to use remote gateways only in the spoke networks in a hub-spoke network topology, which, in this case, is vnet1 and vnet2.
References:
Microsoft Docs > Hub-spoke network topology in Azure
Microsoft Docs > Configure VPN gateway transit for virtual network peering
Microsoft Docs > Virtual network peering

Exam Question 125

You create a new, empty virtual network named vnet1 as shown in the exhibit.

You have another virtual network named vnet2 in a different Azure subscription. vnet2 is provisioned in the Azure Central US region with the address space 10.2.0.0/16.
You need to create a virtual network peering between vnet1 and vnet2.
What should you do first?

A. Move vnet2 to the same subscription.
B. Create a gateway subnet in vnet2.
C. Move vnet1 to the Central US region.
D. Modify the address space of vnet1.
Correct Answer:
D. Modify the address space of vnet1.
Answer Description:
You should modify the address space of vnet1. To create a virtual network peering, both networks must have non-overlapping IP address spaces. Since vnet1 and vnet2 use the same address space, you need to use a different address space for vnet1, like 10.1.0.0/16 for example, before you create the virtual network peering.
You should not move vnet2 to the same subscription. You can create a virtual network peering between virtual networks in different subscriptions. If the subscriptions belong to different Azure Active Directory (AD) tenants, you should use the Azure Command-line interface (CLI), or the PowerShell Az Module to create the virtual network peering instead of the Azure portal.
You should not move vnet1 to the Central US region. You can create a virtual network peering between virtual networks in different regions. This is also called global virtual network peering.
You should not create a gateway subnet in vnet2. You should create a gateway subnet if you plan to deploy a virtual network gateway in vnet2. You do not need this to create a virtual network peering.
References:
Microsoft Docs > Create, change, or delete a virtual network peering
Microsoft Docs > What is VPN Gateway?
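
The non-overlap requirement described above can be checked before a peering is requested. This is an added example, not part of the original answer: it reports which prefixes of two virtual networks overlap and picks the first free replacement range from a pool. The value 10.2.0.0/16 for vnet1 is inferred from the answer description (the exhibit is not on the page), and the pool and extra prefixes are constructed.

```python
import ipaddress


def parse(prefixes):
    # strict=False normalises prefixes written with host bits set (e.g. 10.2.5.1/24).
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def peering_conflicts(local_prefixes, remote_prefixes):
    """Return every (local, remote) pair of prefixes that overlap."""
    return [
        (str(a), str(b))
        for a in parse(local_prefixes)
        for b in parse(remote_prefixes)
        if a.overlaps(b)
    ]


def first_free_prefix(pool, new_prefixlen, in_use):
    """Return the first subnet of `pool` with the given length that overlaps nothing in use."""
    used = parse(in_use)
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=new_prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None  # the pool is exhausted


if __name__ == "__main__":
    vnet1 = ["10.2.0.0/16"]  # inferred: same address space as vnet2
    vnet2 = ["10.2.0.0/16"]  # from the question
    print("conflicts:", peering_conflicts(vnet1, vnet2))

    # Constructed pool and an extra in-use range; picks a replacement for vnet1.
    replacement = first_free_prefix("10.0.0.0/8", 16, vnet2 + ["10.0.0.0/16"])
    print("replacement for vnet1:", replacement)
    print("conflicts after change:", peering_conflicts([replacement], vnet2))
```
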

Exam Question 126

Your company has on-premises Domain Name System (DNS) servers that are authoritative for its domain. You create a directory in Azure Active Directory (Azure AD). You want to create a custom domain for this directory that matches your company’s domain.
You need to configure the environment so that you can have Azure verify the custom domain.
What should you do?

A. Add a CNAME record at your company’s domain registrar.
B. Add a TXT record at your company’s domain registrar.
C. Add a TXT record to your company’s DNS servers.
D. Add a CNAME record to your company’s DNS servers.
Correct Answer:
C. Add a TXT record to your company’s DNS servers.
Answer Description:
You should add a TXT record to your company’s DNS servers. When you ask Azure to verify a custom domain, it issues DNS queries for TXT records. Because your company has on-premises DNS servers that are authoritative for its domain, Azure sends the DNS queries to your company’s DNS servers. If the TXT entry in Azure matches the TXT entry in your company’s DNS servers, verification is successful.
You should not add a TXT record to your company’s domain registrar. You should do this only if the registrar is authoritative for the domain.
You should not add CNAME records. CNAME records are alias records that allow you to forward requests from a domain name to another domain name or server.
References:
Microsoft Docs > Add your custom domain name using the Azure Active Directory portal
Microsoft Docs > Configuring a custom domain name for an Azure cloud service

Exam Question 127

You plan to enable Azure Active Directory (AD) Identity Protection for your company. The configuration must include the following:

  • A role that allows full access to Identity Protection but without resetting passwords for users
  • A policy that will analyze user sign-in and learn typical user behavior

Which role and policy will meet these requirements?

Role:

  • Global Administrator
  • Security Administrator
  • Security Reader

Policy:

  • MFA registration policy
  • Sign-in risk policy
  • User risk policy

Correct Answer:
Role: Security Administrator
Policy: User risk policy
Answer Description:
You should recommend the Security administrator role. This role provides full access to Identity Protection but cannot reset user passwords.
You should not recommend the Global administrator role. This role has full access to Identity Protection but can reset user passwords.
You should not recommend the Security reader role. This role has read-only access to Identity Protection and cannot configure policies or reset passwords.
You should recommend a user risk policy. With this type of policy, Azure AD analyzes each user’s sign-in so it can detect suspicious actions (risk events) related to the sign-in. After a particular learning period, the system can learn typical user behavior.
You should not recommend an MFA registration policy. This type of policy provides a second layer of security to user sign-ins and transactions, but it does not analyze user sign-ins and learn typical user behavior.
You should not recommend a sign-in policy. This type of policy is used to define a response for a specific sign-in risk level. It does not analyze user sign-in or learn typical user behavior.
References:
Microsoft Docs > Azure AD Identity Protection documentation
Microsoft Docs > How To: Configure and enable risk policies

Exam Question 128

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.
Existing Infrastructure: The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.
Business Requirements: The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.
Technical Requirements: The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.
You create two Windows 10 virtual machines for the lawyer and legal assistant. You must ensure that the lawyer and legal assistant can connect to their desktop computers from any location and from any device.
What should you do?

A. Add an inbound port rule to each VM.
B. Place the two VMs in the same availability set.
C. Move each VM into its own subnet.
D. Assign a static public IP address to each VM.
Correct Answer:
D. Assign a static public IP address to each VM.
Answer Description:
You should add an inbound port rule to each VM. An inbound port rule specifies the port that must be open for the VM. In this scenario, you can open a Remote Desktop Protocol (RDP) port to allow the lawyer and legal assistant to remotely connect to the VMs.
You should not place the two VMs in the same availability set. An availability set allows one VM to be responsive when another VM is down for maintenance or some unexpected event. It does not allow users to connect to a VM remotely.
You should not move each VM into its own subnet. This increases resource management. Both VMs can be part of the same subnet.
You should not assign a static public IP address to each VM. This is not necessary, and it will add to the monthly cost. You can continue to use the dynamic public IP address that is assigned to each VM by default.
References:
Microsoft Docs > Create a virtual machine with a static public IP address using the Azure portal
Microsoft Docs > Manage the availability of Windows virtual machines in Azure
Microsoft Docs > How to open ports to a virtual machine with the Azure portal
Microsoft Docs > Virtual networks and virtual machines in Azure

Exam Question 129

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.
Existing Infrastructure: The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.
Business Requirements: The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.
Technical Requirements: The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.
You need to meet the availability demands for the Windows computers.
What should you do?

A. Implement horizontal auto-scaling.
B. Create one availability set for both VMs.
C. Implement vertical auto-scaling.
D. Create one availability set for each VM.
Correct Answer:
D. Create one availability set for each VM.
Answer Description:
You should create one availability set for each VM. An availability set allows you to group VMs for availability. For example, the first availability set can contain the Windows 10 computer for the assistant, with additional VM instances for failover support. The second availability set can contain the Windows 10 computer for the lawyer, with additional VM instances for failover support.
You should not create one availability set for both VMs. This would cause the lawyer’s VM to be used when the assistant’s VM is being upgraded, and vice versa.
You should not implement horizontal auto-scaling. Horizontal auto-scaling allows more VMs to be created as load on a particular VM increases. It does not provide failover support.
You should not implement vertical auto-scaling. Vertical auto-scaling allows more resources to be added to a VM as load on a particular VM increases. It does not provide failover support.
References:
Microsoft Docs > Manage the availability of Windows virtual machines in Azure
Microsoft Docs > Overview of autoscale with Azure virtual machine scale sets
Microsoft Docs > Automatically scale a virtual machine scale set in the Azure portal

Exam Question 130

You are the IT administrator for a small law firm. The company has one lawyer and one legal assistant. The company has two Windows 10 Professional desktop computers and a Linux server that hosts a web-based case management system.
Existing Infrastructure: The two desktop computers and the Linux server are connected by a network hub. The hub itself is connected to a router, which connects directly to the Internet via cable. No inbound ports are open on the router. The desktop computers host client applications that connect to the case management system at IP address 10.10.10.10 over TCP port 24000.
Business Requirements: The owner of the firm wants it to transition to a virtual firm. The lawyer and the assistant must be able to work from home by connecting to the Windows 10 desktop computers from any device. The owner wants you to move the existing infrastructure to Azure and make the system work as if it were in the physical office. However, the owner wants to use the minimum amount of resources and the least expensive options.
Technical Requirements: The two computers and server should be imported into Azure as virtual machines (VMs). The VMs for the lawyer and assistant should be always available, even during periods of upgrades or maintenance. As more cases are imported into the case management system, the disk attached to the Linux VM should automatically resize to ensure that it always has 20 percent of free space.
You need to ensure that the Linux virtual machine (VM) automatically expands its disk size when it is running low on space.
Which two actions should you perform? Each correct answer presents part of the solution.

A. Configure Azure Monitor with an alert rule.
B. Run an Azure CLI command from the VM.
C. Create an Azure Function that uses an HTTP trigger.
D. Create an Azure Function that uses a Queue trigger.
E. Run an Azure PowerShell command from the VM.
Correct Answer:
A. Configure Azure Monitor with an alert rule.
C. Create an Azure Function that uses an HTTP trigger.
Answer Description:
You should configure Azure Monitor with an alert rule. Azure Monitor can monitor a VM for free disk space and an alert rule can trigger an alert. This alert can run actions in response, such as sending an email or SMS, or invoking an Automation Runbook or an Azure Function.
You should also create an Azure Function that uses an HTTP trigger. When the trigger is invoked by the alert, it should stop the VM, expand the disk, and then restart the VM.
You should not create an Azure Function that uses a Queue trigger. To invoke an Azure Function from an alert rule, you should call an existing Azure Function that uses an HTTP trigger.
You should not run an Azure PowerShell or Azure CLI command from the VM. Although both types of commands can be used to expand a disk, they should be run from a separate computer or VM instance.
References:
Microsoft Docs > Create and manage action groups in the Azure portal
Microsoft Docs > Expand virtual hard disks on a Linux VM with the Azure CLI
Microsoft Docs > How to monitor virtual machines in Azure
Microsoft Docs > Azure Monitor data platform
Microsoft Docs > Create a Web Hook or API Azure Function
Microsoft Docs > Azure Functions HTTP triggers and bindings overview