The latest Microsoft AZ-303 Microsoft Azure Architect Technologies certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-303 Microsoft Azure Architect Technologies exam and earn Microsoft AZ-303 Microsoft Azure Architect Technologies certification.
Exam Question 141
You are deploying two new applications in your Azure subscription.
The applications have the following requirements:
- application1: a global multi-region application that needs to redirect user traffic automatically to the closest region using a single domain
- application2: a secure application that requires Transport Layer Security (TLS) termination at the edge
You need to implement the appropriate network service for each application.
Which services should you implement?
application1:
- Application Gateway or Front Door
- Application Gateway or Traffic Manager
- Application Gateway, Front Door, or Traffic Manager
- Front Door or Traffic Manager
application2:
- Application Gateway or Front Door
- Application Gateway or Traffic Manager
- Application Gateway, Front Door, or Traffic Manager
- Front Door or Traffic Manager
Correct Answer:
application1: Front Door or Traffic Manager
application2: Application Gateway or Front Door
Answer Description:
You should implement Front Door or Traffic Manager for application1. Azure Front Door works as a global HTTP/HTTPS layer load balancer, and it is integrated with Microsoft Content Delivery Network (CDN) and DNS-based global routing. Azure Front Door supports a range of traffic-routing methods for DNS-based routing, such as latency-based traffic routing that routes web traffic to the closest region. You can also implement Azure Traffic Manager to define DNS-based global routing for a multi-region application by using the performance traffic-routing method.
You should implement Application Gateway or Front Door for application2. Azure Application Gateway works as an HTTP/HTTPS layer load balancer to route web traffic for one or multiple applications. You can use Application Gateway or Azure Front Door to provide TLS termination at the edge for application2, offloading TLS encryption from the application servers.
You should not implement Application Gateway for application1. Azure Application Gateway does not support routing the web traffic to the closest region. You need to implement a service that supports DNS-based load balancing, such as Azure Traffic Manager or Azure Front Door.
You should not implement Traffic Manager for application2. You can use Azure Traffic Manager to define DNS-based global routing for your applications. You need to implement a service that supports TLS termination on the edge, such as Azure Application Gateway or Azure Front Door.
References:
Microsoft Docs > What is Azure Front Door?
Microsoft Docs > What is Traffic Manager?
Microsoft Docs > What is Azure Application Gateway?
Exam Question 142
You have an Azure Virtual Machine (VM) named vm1 running Windows Server 2019.
vm1 should not have a public IP address attached to it.
You need to access vm1 using a Remote Desktop Protocol (RDP) session.
What should you use?
A. Azure Bastion
B. Virtual network peering
C. Azure Firewall
D. Azure Front Door
Correct Answer:
A. Azure Bastion
Answer Description:
You should use Azure Bastion. Azure Bastion is a service that you can provision in your virtual network to provide RDP and SSH connectivity to your Azure VMs without needing to attach a public IP address to your VMs. It creates a secure connection to access your VMs without having to manage network security groups to allow RDP connection to your VMs.
You should not use Azure Firewall. Azure Firewall is a managed service that centralizes network security for a virtual network. You can use Azure Firewall to create network filtering rules without needing to deploy and manage a network virtual appliance.
You should not use virtual network peering. You can use virtual network peering to integrate two virtual networks, in the same or different Azure regions, using the Microsoft private network. You cannot use only virtual network peering to connect to a private Azure VM and start an RDP session.
You should not use Azure Front Door. Azure Front Door works as a global HTTP/HTTPS layer load balancer. It is integrated with Microsoft Content Delivery Network (CDN) and DNS-based global routing. Azure Front Door supports a range of traffic routing methods for DNS-based routing, such as a latency-based traffic routing that routes the web traffic to the closest region.
References:
Microsoft Docs > What is Azure Bastion?
Microsoft Docs > What is Azure Firewall?
Microsoft Docs > Virtual network peering
Microsoft Docs > What is Azure Front Door?
Exam Question 143
You manage a virtual network named vnet1 that contains a subnet named subnet1.
You deploy 30 Azure Virtual Machines (VMs) in subnet1. Five of these Azure VMs are used for a distributed database, 20 VMs are used by a batch application, and the other VMs host a web application. The private IP address for all Azure VMs changes frequently.
The distributed database VMs should be accessed by the batch application VMs only.
You need to restrict network access in subnet1.
Which two services or features should you use? Each correct answer presents part of the solution.
A. Network rule
B. Azure Firewall
C. Network Security Groups (NSG)
D. Service tags
E. Application Security Groups (ASGs)
Correct Answer:
C. Network Security Groups (NSG)
E. Application Security Groups (ASGs)
Answer Description:
You should use ASGs. You can use an ASG to group the network interface cards (NICs) used by the distributed database VMs and another ASG to group the batch application VM NICs. You can use these groups to configure NSG rules later.
You should also use NSGs. You can create an NSG with rules to allow network connectivity between the NICs from the batch application group with the distributed database and deny network connectivity for the other VMs. You should attach this NSG to all VMs in subnet1.
You should not use Azure Firewall. Azure Firewall is a managed network security service from Azure that protects the Azure virtual network. You can use Azure Firewall to centralize network connectivity policies by using application (fully qualified domain name, FQDN) rules and network traffic filtering rules. You should not use Azure Firewall to identify which network traffic comes from a batch application VM to the distributed database VMs, because the private IP address of every Azure VM changes frequently.
You should not use a Network rule. This is a type of rule used by Azure Firewall to define the source address, protocol, destination port, and destination address. A network rule is similar to an NSG rule.
You should not use Service tags. A Service tag represents a group of IP address prefixes from a given Azure service. You can use a service tag to make it easier to configure NSG rules or Azure Firewall network rules for Azure services, like ApiManagement or AzureCosmosDB.
References:
Microsoft Docs > Application security groups
Microsoft Docs > Network security groups
Microsoft Docs > Azure Firewall features
Microsoft Docs > Virtual network service tags
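The NSG-plus-ASG design in the answer above can be checked with a small simulator of inbound rule evaluation. This is an added example, not part of the exam dump or any Microsoft sample: the NIC names, ASG names and the database port 5432 are constructed for illustration, and the rule set includes only the two NSG default rules that matter here (AllowVnetInBound and DenyAllInBound). The point it makes explicit is that membership is tied to a NIC rather than an IP address, so the rules keep working when the VMs' private addresses change, and that an explicit Deny is needed because the default AllowVnetInBound rule would otherwise let every VM in the VNet reach the database.

```python
"""Added example (not from the exam dump): inbound NSG rule evaluation where
source and destination selectors are Application Security Groups.
NIC names, ASG names and port 5432 are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first; first match wins
    name: str
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # ASG name, the "VirtualNetwork" tag, or "*"
    destination: str   # ASG name, the "VirtualNetwork" tag, or "*"
    dest_ports: str    # "*" or a comma-separated list of ports


# Constructed membership table: NIC -> ASGs. A NIC keeps its ASG membership
# whatever private IP address DHCP hands it, so IPs never appear in the rules.
ASG_MEMBERSHIP = {
    "db-nic-1": {"asg-database"},
    "db-nic-2": {"asg-database"},
    "batch-nic-1": {"asg-batch"},
    "web-nic-1": {"asg-web"},
}
VNET_NICS = set(ASG_MEMBERSHIP)  # every NIC above sits in subnet1 of vnet1

# Custom rules plus the two default rules that matter here. Because the default
# AllowVnetInBound (65000) permits all intra-VNet traffic, an explicit Deny at a
# lower priority number is required to keep the web VMs away from the database.
NSG_INBOUND = [
    Rule(100, "allow-batch-to-db", "Allow", "Tcp", "asg-batch", "asg-database", "5432"),
    Rule(200, "deny-others-to-db", "Deny", "*", "VirtualNetwork", "asg-database", "*"),
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*"),
]


def _selector_matches(selector: str, nic: str) -> bool:
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return nic in VNET_NICS
    return selector in ASG_MEMBERSHIP.get(nic, set())


def _port_matches(spec: str, port: int) -> bool:
    return spec == "*" or str(port) in {p.strip() for p in spec.split(",")}


def evaluate_inbound(src_nic: str, dst_nic: str, protocol: str, dst_port: int) -> str:
    """Return the access ("Allow"/"Deny") of the first rule, by priority, that matches the flow."""
    for rule in sorted(NSG_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not (_selector_matches(rule.source, src_nic)
                and _selector_matches(rule.destination, dst_nic)):
            continue
        if not _port_matches(rule.dest_ports, dst_port):
            continue
        return rule.access
    return "Deny"  # not reached while DenyAllInBound is present; safe default


if __name__ == "__main__":
    flows = [("batch-nic-1", "db-nic-1", 5432),
             ("web-nic-1", "db-nic-1", 5432),
             ("batch-nic-1", "web-nic-1", 80)]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port} = {evaluate_inbound(src, dst, 'Tcp', port)}")
```

Running the block shows the batch-to-database flow allowed, the web-to-database flow denied by the explicit rule at priority 200, and batch-to-web traffic still allowed by the default VNet rule, which is what the answer description asks for.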
Exam Question 144
You must create a custom role that allows the following operations:
- Read data from a blob, but not write data to the blob
- Display a list of containers
To define the role, you must assign permissions to these operations.
What permissions should you use?
Read data from a blob:
- NotDataActions
- DataActions
- Actions
- NotActions
Exclude write data to a blob:
- NotDataActions
- DataActions
- Actions
- NotActions
Display a list of containers:
- NotDataActions
- DataActions
- Actions
- NotActions
Correct Answer:
Read data from a blob: DataActions
Exclude write data to a blob: NotDataActions
Display a list of containers: Actions
Answer Description:
You should use the DataActions permission element to allow reading data from a blob because this is a data-related operation. The DataActions permission specifies the data operations that the role allows to be performed to the data within that object.
You should use the NotDataActions permission element to exclude writing data to the blob. The NotDataActions permission specifies the data operations that are excluded from the allowed DataActions. The access granted by the role is computed by subtracting the NotDataActions operations from the DataActions operations. The NotActions permission element is used for management operations. The NotActions permission specifies the management operations that are excluded from the allowed Actions. You should use the NotActions permission if the set of operations that you want to allow is more easily defined by excluding restricted operations. The access granted by a role is computed by subtracting the NotActions operations from the Actions operations.
You should use the Actions permission element to allow displaying a list of containers because this operation is related to management instead of data. The Actions permission specifies the management operations that the role allows to be performed. It is a collection of operation strings that identify securable operations of Azure resource providers.
References:
Microsoft Docs > Understand role definitions for Azure resources
Microsoft Docs > Azure built-in roles
Exam Question 145
A member of the development team needs to have the ability to create Azure resources. However, the developer should not be allowed to grant resource access to other users.
You need to assign the appropriate role to the developer.
Which role should you assign?
A. Reader
B. Contributor
C. User Access Administrator
D. Owner
Correct Answer:
B. Contributor
Answer Description:
You should assign the Contributor role to the developer. This role allows the developer to create all types of Azure resources, without the ability to grant resource access to other users.
You should not assign the Owner role to the developer. This role allows the developer to have full access to Azure, including granting resource access to other users.
You should not assign the Reader role to the developer. This role only allows the developer to view resources, not create them.
You should not assign the User Access Administrator role to the developer. This role allows the developer to grant resource access to other users.
References:
Microsoft Docs > What is role-based access control (RBAC) for Azure resources?
Exam Question 146
You have a custom role in a file named CustomRole.json.
You need to add this role to Azure by using Azure CLI.
Which command should you use?
A. az role create --role-definition CustomRole.json
B. az role definition create --role-definition CustomRole.json
C. az role definition create CustomRole.json
D. az role create CustomRole.json
Correct Answer:
B. az role definition create --role-definition CustomRole.json
Answer Description:
You should use the following command: az role definition create --role-definition CustomRole.json
The az role definition create command creates the role. The --role-definition parameter specifies the name of the role definition JSON file.
You should not use the following command: az role create --role-definition CustomRole.json
This command is missing the definition token.
You should not use the following command: az role definition create CustomRole.json
This command is missing the --role-definition parameter.
You should not use the following command: az role create CustomRole.json
This command is missing the definition token and the --role-definition parameter.
References:
Microsoft Docs > Create or update custom roles for Azure resources using Azure CLI
Exam Question 147
You want to add a security group named Development to the Website Contributor built-in role.
You need to use Azure CLI.
Which command should you use?
A. az role assignment create --resource-group "Development" --role "Website Contributor"
B. az role definition create --resource-group "Development" --role "Website Contributor"
C. az role assignment create --assignee "Development" --role "Website Contributor"
D. az role definition create --assignee "Development" --role "Website Contributor"
Correct Answer:
C. az role assignment create --assignee "Development" --role "Website Contributor"
Answer Description:
You should use the following command:
az role assignment create --assignee "Development" --role "Website Contributor"
This command adds the group Development to the role Website Contributor. The --assignee parameter specifies the user name or group. The --role parameter specifies the role.
You should not use the following command:
az role definition create --resource-group "Development" --role "Website Contributor"
This command creates a role, not a role assignment.
You should not use the following command:
az role definition create --assignee "Development" --role "Website Contributor"
This command creates a role, not a role assignment.
You should not use the following command:
az role assignment create --resource-group "Development" --role "Website Contributor"
The --resource-group parameter specifies the name of a resource group, not a security group.
References:
Microsoft Docs > az role assignment
Exam Question 148
You plan to perform an Azure Active Directory (Azure AD) Access Review because you have found a higher number of users than you expected in certain groups and roles.
You need to review the security group members, Azure AD roles, and Azure resource roles.
Where will you create reviews for the different groups?
Security group members:
- Azure AD Access Reviews
- Azure AD enterprise apps
- Azure AD PIM
Azure AD roles:
- Azure AD Access Reviews
- Azure AD enterprise apps
- Azure AD PIM
Azure resource roles:
- Azure AD Access Reviews
- Azure AD enterprise apps
- Azure AD PIM
Correct Answer:
Security group members: Azure AD Access Reviews
Azure AD roles: Azure AD PIM
Azure resource roles: Azure AD PIM
Answer Description:
The review for security group members should be created in Azure AD Access Reviews. This can be done from the access panel in Azure. To use access reviews, you need to have an Azure AD Premium P2 license and an Enterprise Mobility + Security E5 license.
The review for Azure AD roles and Azure resource roles should be created in Azure AD Privileged Identity Management (PIM). This can be done from the Azure portal. Azure PIM is a service that enables you to manage, control, and monitor access to important resources in your organization.
Azure AD enterprise apps is used for reviews of users assigned to connected apps.
References:
Microsoft Docs > What are Azure AD access reviews?
Microsoft Docs > What is Azure AD Privileged Identity Management?
Exam Question 149
You are reviewing role assignments in your company’s Azure Active Directory (Azure AD) tenant.
You have role assignments in a resource group named rg1. The role assignments are shown in the exhibit.
You need to determine which users can create a virtual network in rg1.
Which users can create a virtual network in rg1?
A. admin, userA, and userB
B. admin and userA only
C. admin only
D. userA and userB only
E. userA only
Correct Answer:
B. admin and userA only
Answer Description:
The users that can create a virtual network in rg1 are admin and userA only. The admin user is associated with the Owner built-in role and can create any resource in this subscription, including a virtual network. UserA can also create a virtual network because it is associated with the Network Contributor role, but only in this resource group.
UserB cannot create a virtual network in rg1. The Security Assessment Contributor role allows userB to push assessments to Security Center.
References:
Microsoft Docs > List Azure role assignments using the Azure portal
Microsoft Docs > Azure built-in roles
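The permission elements explained in Exam Question 144 and the assignment reasoning in Exam Question 149 follow one evaluation model: effective permissions are Actions minus NotActions (or DataActions minus NotDataActions), and an assignment applies to a resource when the assignment scope is the resource's scope or an ancestor of it. The block below, an added example that is not from the exam dump or from Microsoft, models that evaluation. The Microsoft.Storage and Microsoft.Network operation strings are the documented names; the built-in role contents (Owner, Network Contributor, Security Assessment Contributor) are abbreviated from memory and should be treated as an assumption, the subscription id is a placeholder, and the assignment table stands in for the exhibit the question refers to but the page does not include.

```python
"""Added example (not from the exam dump or Microsoft): how a role definition's
four permission elements and a set of role assignments resolve to allow/deny.
Built-in role contents are abbreviated assumptions; verify them with
`az role definition list --name "<role name>"` before relying on them."""
import fnmatch

# Custom role from Exam Question 144, in the JSON shape accepted by
# `az role definition create --role-definition CustomRole.json`.
CUSTOM_ROLE = {
    "Name": "Blob Reader and Container Lister",
    "IsCustom": True,
    "Description": "Read blob data and list containers; never write blob data.",
    # Management operation: listing containers goes through the resource provider.
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "NotActions": [],
    # Data operations: grant all blob operations, then carve out write.
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "NotDataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"],
    "AssignableScopes": ["/subscriptions/<subscription-id-placeholder>"],
}

# Built-in roles behind Exam Question 149, abbreviated to the relevant actions (assumption).
_EMPTY = {"NotActions": [], "DataActions": [], "NotDataActions": []}
OWNER = {"Actions": ["*"], **_EMPTY}
NETWORK_CONTRIBUTOR = {"Actions": ["Microsoft.Network/*", "Microsoft.Resources/deployments/*"], **_EMPTY}
SECURITY_ASSESSMENT_CONTRIBUTOR = {"Actions": ["Microsoft.Security/assessments/write"], **_EMPTY}


def _matches(patterns, operation):
    # Azure operation strings are case-insensitive and '*' spans '/' segments.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role, operation, data_action=False):
    """Effective permission = (Actions - NotActions) or (DataActions - NotDataActions)."""
    allow = role["DataActions"] if data_action else role["Actions"]
    exclude = role["NotDataActions"] if data_action else role["NotActions"]
    return _matches(allow, operation) and not _matches(exclude, operation)


def _scope_covers(assignment_scope, resource_scope):
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def principals_allowed(assignments, operation, resource_scope, data_action=False):
    """Principals holding at least one assignment that covers the scope and allows the operation."""
    return sorted({a["principal"] for a in assignments
                   if _scope_covers(a["scope"], resource_scope)
                   and role_allows(a["role"], operation, data_action)})


# Constructed stand-in for the exhibit of Exam Question 149.
SUB = "/subscriptions/<subscription-id-placeholder>"
RG1 = SUB + "/resourceGroups/rg1"
ASSIGNMENTS = [
    {"principal": "admin", "role": OWNER, "scope": SUB},                           # Owner at subscription
    {"principal": "userA", "role": NETWORK_CONTRIBUTOR, "scope": RG1},             # Network Contributor on rg1
    {"principal": "userB", "role": SECURITY_ASSESSMENT_CONTRIBUTOR, "scope": RG1}, # on rg1
]


def who_can_create_vnet_in_rg1():
    return principals_allowed(ASSIGNMENTS, "Microsoft.Network/virtualNetworks/write", RG1)


if __name__ == "__main__":
    blobs = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
    print("read blob:", role_allows(CUSTOM_ROLE, blobs + "read", data_action=True))
    print("write blob:", role_allows(CUSTOM_ROLE, blobs + "write", data_action=True))
    print("list containers:", role_allows(CUSTOM_ROLE,
          "Microsoft.Storage/storageAccounts/blobServices/containers/read"))
    print("can create vnet in rg1:", who_can_create_vnet_in_rg1())
```

Two details are worth noticing when reading the output: the NotDataActions entry removes blob write even though the DataActions wildcard would otherwise grant it, which is exactly the subtraction the answer description for Question 144 states, and the container listing is only found when checked as a management operation, because it lives in Actions rather than DataActions. For Question 149 the Owner assignment at subscription scope reaches rg1 through scope inheritance, while userB's role simply contains no Microsoft.Network operation.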
Exam Question 150
You plan to move an Azure virtual machine (VM) to another region by using Azure Site Recovery (ASR). You are not a subscription administrator.
You need permissions to create a VM in an Azure resource group and perform ASR operations.
Which roles provide the required permissions?
Create a VM in an Azure resource group:
- Virtual Machine Contributor
- Site Recovery Contributor
- Virtual Machine Administrator Login
- Virtual Machine User Login
- Site Recovery Operator
- Site Recovery Reader
Perform ASR operations:
- Virtual Machine Contributor
- Site Recovery Contributor
- Virtual Machine Administrator Login
- Virtual Machine User Login
- Site Recovery Operator
- Site Recovery Reader
Correct Answer:
Create a VM in an Azure resource group: Virtual Machine Contributor
Perform ASR operations: Site Recovery Contributor
Answer Description:
You should have the Virtual Machine Contributor role to create a VM in an Azure resource group. This role allows you to manage VMs. It does not allow access to the VM.
You should not use the Virtual Machine Administrator Login role to create a VM in an Azure resource group. This role allows you to view virtual machines in the portal and log in as administrator.
You should not use the Virtual Machine User Login role to create a VM in an Azure resource group. This role allows you to view VMs in the portal and log in as a regular user.
You should have the Site Recovery Contributor role to perform ASR operations. This role has all permissions required to manage ASR operations in a Recovery Services vault. This role is intended for disaster recovery administrators who can enable and manage disaster recovery for applications or entire organizations.
You should not use the Site Recovery Operator role to perform ASR operations. This role has permissions to execute and manage Failover and Failback operations. This role is intended for disaster recovery operators who can failover VMs or applications when instructed by application owners and IT administrators.
You should not use the Site Recovery Reader role to perform ASR operations. This role has permissions to view all Site Recovery management operations. It is intended for IT monitoring executives who can monitor the current state of protection and raise support tickets if required.
References:
Microsoft Docs > Move Azure VMs to another region
Microsoft Docs > Manage Site Recovery access with role-based access control (RBAC)
Microsoft Docs > Azure built-in roles