- (Exam Topic 5)
You plan to store data in Azure Blob storage for many years. The stored data will be accessed rarely.
You need to ensure that the data in Blob storage is always available for immediate access. The solution must minimize storage costs.
Which storage tier should you use?

1. A. Cool
2. B. Archive
3. C. Hot

Correct Answer: A
Azure cool tier is equivalent to the Amazon S3 Infrequent Access (S3-IA) storage in AWS that provides a low cost high performance storage for infrequently access data.
Note: Azure’s cool storage tier, also known as Azure cool Blob storage, is for infrequently-accessed data that needs to be stored for a minimum of 30 days. Typical use cases include backing up data before tiering to archival systems, legal data, media files, system audit information, datasets used for big data analysis and more.
The storage cost for this Azure cold storage tier is lower than that of hot storage tier. Since it is expected that the data stored in this tier will be accessed less frequently, the data access charges are high when compared to hot tier. There are no additional changes required in your applications as these tiers can be accessed using APIs in the same manner that you access Azure storage.
References:
https://cloud.netapp.com/blog/low-cost-storage-options-on-azure

- (Exam Topic 4)
A company has an on-premises file server cbflserver that runs Windows Server 2019. Windows Admin Center manages this server. The company owns an Azure subscription. You need to provide an Azure solution to prevent data loss if the file server fails.
Solution: You decide to create an Azure Recovery Services vault. You then decide to install the Azure Backup agent and then schedule the backup. Would this meet the requirement?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 5)
You plan to deploy an Azure SQL database that will store Personally Identifiable Information (Pll). You need to ensure that only privileged users can view the Pll.
What should you include in the solution?

1. A. Transparent Data Encryption (TDE)
2. B. Data Discovery & Classification
3. C. dynamic data masking
4. D. role-based access control (RBAC)

Correct Answer: C

- (Exam Topic 5)
You have an Azure AD tenant.
You plan to deploy Azure Cosmos DB databases that will use the SQL API.
You need to recommend a solution to provide specific Azure AD user accounts with read access to the Cosmos DB databases.
What should you include in the recommendation?

1. A. a resource token and an Access control (1AM) role assignment
2. B. certificates and Azure Key Vault
3. C. master keys and Azure Information Protection policies
4. D. shared access signatures (SAS) and Conditional Access policies

Correct Answer: A

- (Exam Topic 5)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.
Several VMs are exhibiting network connectivity issues.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs. Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic
Does the solution meet the goal?

1. A. Yes
2. B. No

Correct Answer: A
The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
Note:
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview