Microsoft Azure Fundamentals Practice Test (AZ-900)

Azure Private Endpoint maps the Azure service to a private IP address in your virtual network. Traffic between the VNet and the service stays on the Microsoft backbone, and you can disable the public endpoint, so no packets are exposed to the public internet. A Virtual Network service endpoint also keeps traffic on the Microsoft backbone but connects to the service's public IP address, meaning the resource can still be reached publicly if firewall rules allow. Azure VPN Gateway builds encrypted tunnels over the public internet between networks. Azure ExpressRoute provides a dedicated private circuit between on-premises networks and Azure but does not create private endpoints for PaaS resources inside a VNet.

Management groups in Azure allow you to organize multiple subscriptions into a hierarchy for unified policy and access management. This enables you to apply policies and role-based access controls at the management group level, which are inherited by all subscriptions within the group.

Resource groups organize resources within a single subscription.

Azure Active Directory manages identities.

Resource locks prevent accidental deletion or modification of resources.

Azure Monitor collects and analyzes telemetry data from a variety of resources in Azure, providing deep insights into the performance and health of applications, infrastructure, and networks. This includes collecting data such as metrics, logs, and events that enable developers and IT professionals to understand the state of their resources and diagnose potential issues. Azure Activity Log, on the other hand, is a log that provides insight into subscription-level events, which includes actions and changes. Azure Service Dashboard offers a view of the health of Azure services, and Azure Cost Management is a tool for analyzing and managing cloud spending. The primary function of Azure Monitor is to collect and analyze telemetry data to monitor the state of resources.

The hybrid cloud model is the most appropriate in this scenario. It combines private and public cloud environments, allowing the company to keep sensitive data on-premises to meet compliance requirements while leveraging the scalability of the public cloud to handle variable workloads. A public cloud doesn't provide the required data control, and a private cloud alone may not offer the necessary scalability for peak demands.

Conditional Access in Microsoft Entra ID enables organizations to create policies that control user access based on various signals like location, device compliance, and risk detection. By using Conditional Access, the company can ensure that access to resources is granted only when specific conditions are met.

Privileged Identity Management manages and monitors access to privileged roles but doesn't enforce access policies based on signals.

Azure Information Protection classifies and protects documents and emails, not user access.

Multi-Factor Authentication (MFA) adds an extra layer of security but doesn't provide dynamic access controls based on factors like location or device compliance.

The private cloud model is the best fit because it allows the organization to host cloud services on-premises within its own data center, providing exclusive access and greater control over data and infrastructure. This meets the requirement of keeping data and services within the organization's premises.

Public cloud services are hosted by third-party providers and do not reside within the organization's data center.

Hybrid cloud combines public and private clouds, so some data or services would be off-premises, which does not meet the requirement.

Multi-cloud involves using multiple cloud services from different providers, which may not ensure data stays within the organization's data center.

Azure Portal is a web-based graphical user interface that allows users to manage and monitor Azure resources through a web browser.

Azure PowerShell and Azure CLI are command-line tools used for scripting and automation.

Azure Resource Manager templates are used for deploying resources as code but do not provide a graphical interface.

When creating a new virtual machine in Azure, you must specify a virtual machine size, which determines the amount of CPU, memory, and temporary storage available to the VM. An Operating System disk is required to boot the virtual machine, and a Network Interface allows the VM to communicate within Azure and to the Internet. Additional data disks can be attached for storage purposes, but they are not a requirement for creating a virtual machine.

Infrastructure as a Service (IaaS) provides the greatest level of control over cloud resources. It allows users to manage virtual machines, storage, and network configurations according to their specific requirements. This flexibility is ideal for organizations that need to customize their infrastructure. Platform as a Service (PaaS) offers a managed platform where users can deploy applications without managing the underlying infrastructure, reducing control. Software as a Service (SaaS) delivers fully managed applications over the internet, offering minimal control over configuration.

Azure Advisor provides personalized recommendations to help you optimize your Azure resources for cost, security, reliability, and performance. In terms of cost, it identifies underutilized resources that can be reduced or eliminated to save money.

Azure Policy enables you to create, assign, and manage policies that enforce rules over your resources, ensuring they remain compliant with your organization's standards and service-level agreements (SLAs). It evaluates resources for compliance and can prevent non-compliant resources from being created.

Scalability in the cloud refers to the ability to increase or decrease IT resources as needed to meet changing demand. Since the application experiences unpredictable spikes in usage, cloud scalability allows the company to handle this fluctuation without manual intervention or over-provisioning resources, which provides cost savings and ensures performance.

Management Groups in Azure provide a way to organize multiple subscriptions into a hierarchy. This allows you to apply policies, access controls, and compliance settings at the management group level, which then flow down to all associated subscriptions. This simplifies management across large organizations with numerous subscriptions.

Resource Groups are used to organize resources within a single subscription, not across multiple subscriptions.

Azure Active Directory manages identities and access but does not organize subscriptions.

Resource Locks prevent accidental changes or deletion of resources but are not used for organizing subscriptions.

Data transfer between Azure regions incurs charges. When data moves between services located in different regions, Azure charges for the outbound data transfer. This can significantly increase costs when expanding services across multiple regions, especially with large data volumes. Data transfer within the same virtual network or the same availability zone is free of charge. Inbound data transfer from the internet is also free.

Scalability provides the ability for a cloud service to accommodate growth in workload by enabling the addition of resources, thus maintaining performance levels. Unlike elasticity, which is designed to quickly adjust to short-term fluctuations in demand, scalability ensures that the system's capacity can grow over time as needed. Cost efficiency and infrastructure resilience, while benefits of the cloud, do not directly describe a system's ability to handle long-term increased demand while maintaining performance.

The described model is Software as a Service (SaaS). In SaaS, the cloud provider hosts the application and all supporting infrastructure, applies updates, and handles security and backups. Customers access the application over the internet, typically via a web browser. Platform as a Service (PaaS) instead provides a development platform where customers build and deploy their own applications. Infrastructure as a Service (IaaS) offers virtualized computing resources that the customer must configure and manage. Serverless computing focuses on running code in response to events and is not a standalone application-delivery model.

The Zero Trust Model requires all users, devices, and network components to be authenticated, authorized, and continuously validated before accessing applications and data. This model assumes that no user or device is trusted by default, regardless of their location within or outside the network.

The Perimeter-based Security Model relies on securing the network boundary and assumes that everything inside is trusted, which is less effective against modern threats that can originate from within.

The Defense-in-depth Model is a layered approach to security but does not specifically require continuous verification of trust for all access attempts.

The Principle of Least Privilege ensures users have minimal necessary access rights but does not inherently mandate continuous authentication and validation processes.

Tags are key-value pairs that enable you to categorize resources according to your organizational needs. They are primarily used to organize resources for cost tracking, management, and billing purposes. By tagging resources, you can group them logically and generate consolidated billing reports based on those tags. Tags do not modify resource configurations, improve performance, or enforce security policies.

A hybrid cloud model combines on-premises infrastructure (private cloud) with public cloud services, allowing organizations to keep sensitive data on-premises while leveraging the scalability and flexibility of the public cloud for other operations. This approach satisfies their need for compliance with data regulations and the desire to utilize cloud services. The public cloud model does not provide on-premises infrastructure, so it cannot meet the requirement to keep sensitive data on-premises. The private cloud model keeps all resources on-premises or in a dedicated environment, but the organization would miss out on the scalability benefits of the public cloud.

Azure File Sync provides the capability to synchronize files between on-premises Windows Servers and Azure File Shares, allowing for continuous replication and bi-directional sync. This enables the on-premises servers to cache frequently accessed files while keeping data synchronized with Azure.

AzCopy is a command-line tool designed for one-time data transfer tasks, not continuous synchronization.

Azure Storage Explorer is a GUI tool for managing and transferring files but does not offer automatic synchronization.

Azure Data Box is a physical device used for offline data transfer to Azure, suitable for large datasets but not for continuous sync.