You plan to deploy a custom database solution that will have multiple instances as shown in the following table.
Client applications will access database servers by using db.contoso.com.
You need to recommend load balancing services for the planned deployment. The solution must meet the following requirements:
Access to at least one database server must be maintained in the event of a regional outage.
The virtual machines must not connect to the internet directly.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer is in the explanation below.
Reference / correct answer:
Box 1: Azure Traffic Manager
Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness. Because Traffic Manager is a DNS-based load-balancing service, it load balances only at the domain level. For that reason, it can't fail over as quickly as Front Door, because of common challenges around DNS caching and systems not honoring DNS TTLs.
Incorrect Answers:
Front Door is an application delivery network that provides global load balancing and site acceleration service for web applications.
Box 2: Azure Load Balancer
Azure Load Balancer is a high-performance, ultra low-latency Layer 4 load-balancing service (inbound and outbound) for all UDP and TCP protocols. It is built to handle millions of requests per second while ensuring your solution is highly available. Azure Load Balancer is zone-redundant, ensuring high availability across Availability Zones.
Incorrect Answers:
Front Door is an application delivery network that provides global load balancing and site acceleration service for web applications.
You have an on-premises Active Directory forest and an Azure Active Directory (Azure AD) tenant. All Azure AD users are assigned an Azure AD Premium P1 license.
You deploy Azure AD Connect.
Which two features are available in this environment that can reduce operational overhead for your company’s help desk? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
○ Azure AD Privileged Identity Management policies
○ access reviews
○ password writeback
○ Microsoft Cloud App Security Conditional Access App Control
○ self-service password reset
Reference / correct answer:
password writeback
self-service password reset
Question 6 (Mixed Questions)
You are designing an Azure resource deployment that will use Azure Resource Manager templates. The deployment will use Azure Key Vault to store secrets.
You need to recommend a solution to meet the following requirements:
Prevent the IT staff that will perform the deployment from retrieving the secrets directly from Key Vault.
Use the principle of least privilege.
Which two actions should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
○ Create a Key Vault access policy that allows all get key permissions, get secret permissions, and get certificate permissions.
○ From Access policies in Key Vault, enable access to the Azure Resource Manager for template deployment.
○ Create a Key Vault access policy that allows all list key permissions, list secret permissions, and list certificate permissions.
○ Assign the IT staff a custom role that includes the Microsoft.KeyVault/Vaults/Deploy/Action permission.
○ Assign the Key Vault Contributor role to the IT staff.
Reference / correct answer:
From Access policies in Key Vault, enable access to the Azure Resource Manager for template deployment.
Assign the IT staff a custom role that includes the Microsoft.KeyVault/Vaults/Deploy/Action permission.
B: To access a key vault during template deployment, set enabledForTemplateDeployment on the key vault to true.
D: The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault.
Incorrect Answers:
E: To grant a user access to manage key vaults, you assign the predefined Key Vault Contributor role to the user at a specific scope.
If a user has Contributor permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.