Case study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background –
Overview –
You are a developer for Contoso, Ltd. The company has a social networking website that is developed as a Single Page Application (SPA). The main web application for the social networking website loads user uploaded content from blob storage.
You are developing a solution to monitor uploaded data for inappropriate content. The following process occurs when users upload content by using the SPA:
- Messages are sent to ContentUploadService.
- Content is processed by ContentAnalysisService.
- After processing is complete, the content is posted to the social network or a rejection message is posted in its place.
The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named contosoimages.
The solution will use eight CPU cores.
Azure Active Directory –
Contoso, Ltd. uses Azure Active Directory (Azure AD) for both internal and guest accounts.
Requirements –
ContentAnalysisService –
The company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content. Any values over a specific threshold must be reviewed by an employee of Contoso, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.
Costs –
You must minimize costs for all Azure services.
Manual review –
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials. The website is built using React and all pages and API endpoints require authentication. In order to review content a user must be part of a ContentReviewer role. All completed reviews must include the reviewer’s email address for auditing purposes.
High availability –
All services must run in multiple regions. The failure of any service in a region must not impact overall application availability.
Monitoring –
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU cores.
Security –
You have the following security requirements:
- Any web service accessible over the Internet must be protected from cross site scripting attacks.
- All websites and services must use SSL from a valid root certificate authority.
- Azure Storage access keys must only be stored in memory and must be available only to the service.
- All Internal services must only be accessible from internal Virtual Networks (VNets).
- All parts of the system must support inbound and outbound traffic restrictions.
- All service calls must be authenticated by using Azure AD.
User agreements –
When a user submits content, they must agree to a user agreement. The agreement allows employees of Contoso, Ltd. to review content, store cookies on user devices, and track user’s IP addresses.
Information regarding agreements is used by multiple divisions within Contoso, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime. The volume of agreements is expected to be in the millions per hour.
Validation testing –
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.
Issues –
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.
Code –
ContentUploadService –
ApplicationManifest –
Question 1.
DRAG DROP –
You need to add markup at line AM04 to implement the ContentReview role.
How should you complete the markup? To answer, drag the appropriate json segments to the correct locations. Each json segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Box 1: allowedMemberTypes –
allowedMemberTypes specifies whether this app role definition can be assigned to users and groups by setting to “User”, or to other applications (that are accessing this application in daemon service scenarios) by setting to “Application”, or to both.
Note: The following example shows the appRoles that you can assign to users.
“appId”: “8763f1c4-f988-489c-a51e-158e9ef97d6a”,
“appRoles”: [
{
“allowedMemberTypes”: [
“User”
],
“displayName”: “Writer”,
“id”: “d1c2ade8-98f8-45fd-aa4a-6d06b947c66f”,
“isEnabled”: true,
“description”: “Writers Have the ability to create tasks.”,
“value”: “Writer”
}
],
“availableToOtherTenants”: false,
Box 2: User –
Scenario: In order to review content a user must be part of a ContentReviewer role.
Box 3: value –
value specifies the value which will be included in the roles claim in authentication and access tokens.
Reference: https://docs.microsoft.com/en-us/graph/api/resources/approle
Question 2.
HOTSPOT –
You need to add code at line AM09 to ensure that users can review content using ContentAnalysisService.
How should you complete the code? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: “oauth2AllowIdTokenImplicitFlow”:true
This value indicates whether the web app can request ID tokens of the implicit OAuth 2.0 flow. The default setting is “false”.
Box 2: “oauth2AllowImplicitFlow”:true
This value indicates whether the web app can request OAuth 2.0 implicit flow access tokens. The default setting is “false”.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-app-manifest#oauth2allowidtokenimplicitflow-attribute
https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-app-manifest#oauth2allowimplicitflow-attribute
Question 3.
HOTSPOT –
You need to ensure that network security policies are met.
How should you configure network security? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Valid root certificate –
Scenario: All websites and services must use SSL from a valid root certificate authority.
Box 2: Azure Application Gateway
Scenario:
✑ Any web service accessible over the Internet must be protected from cross site scripting attacks.
✑ All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.
Application Gateway supports autoscaling, SSL offloading, and end-to-end SSL, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, redirection, rewrite HTTP headers and other features.
Note: Both Nginx and Azure Application Gateway act as a reverse proxy with Layer 7 load-balancing features plus a WAF to ensure strong protection against common web vulnerabilities and exploits.
You can modify Nginx web server configuration/SSL for X-XSS protection. This helps to prevent cross-site scripting exploits by forcing the injection of HTTP headers with X-XSS protection.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
https://www.upguard.com/articles/10-tips-for-securing-your-nginx-deployment
Question 4:
DRAG DROP –
You need to add YAML markup at line CS17 to ensure that the ContentUploadService can access Azure Storage access keys.
How should you complete the YAML markup? To answer, drag the appropriate YAML segments to the correct locations. Each YAML segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Box 1: volumeMounts –
Example:
volumeMounts:
– mountPath: /mnt/secrets
name: secretvolume1
volumes:
– name: secretvolume1
secret:
mysecret1: TXkgZmlyc3Qgc2VjcmV0IEZPTwo=
Box 2: volumes –
Reference: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-secret
Question 5
HOTSPOT –
You need to add code at line AM10 of the application manifest to ensure that the requirement for manually reviewing content can be met.
How should you complete the code? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: sid –
Sid: Session ID, used for per-session user sign-out. Personal and Azure AD accounts.
Scenario: Manual review –
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials. The website is built using
React and all pages and API endpoints require authentication. In order to review content a user must be part of a ContentReviewer role.
Box 2: email –
Scenario: All completed reviews must include the reviewerג€™s email address for auditing purposes.
Question 6.
You need to monitor ContentUploadService according to the requirements.
Which command should you use?
A. az monitor metrics alert create -n alert -g \ – -scopes \ – -condition “avg Percentage CPU > 8”
B. az monitor metrics alert create -n alert -g \ – -scopes \ – -condition “avg Percentage CPU > 800”
C. az monitor metrics alert create -n alert -g \ – -scopes \ – -condition “CPU Usage > 800”
D. az monitor metrics alert create -n alert -g \ – -scopes \ – -condition “CPU Usage > 8”
Correct Answer: C
We are dealing with containers here not VM so “CPU usage” is a valid condition. Had it been VM then it should have been “Percentage CPU usage”. 800 is also correct since for containers its measured in millicores.
Reference : https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported#microsoftcontainerinstancecontainergroups
Question 7.
You need to investigate the http server log output to resolve the issue with the ContentUploadService.
Which command should you use first?
A. az webapp log
B. az ams live-output
C. az monitor activity-log
D. az container attach
Correct Answer: D
Question 9.
You need to deploy the CheckUserContent Azure Function. The solution must meet the security and cost requirements.
Which hosting model should you use?
A. Premium plan
B. App Service plan
C. Consumption plan
Correct Answer: B
Scenario:
You must minimize costs for all Azure services.
All Internal services must only be accessible from internal Virtual Networks (VNets).
Best for long-running scenarios where Durable Functions can’t be used. Consider an App Service plan in the following situations:
✑ You have existing, underutilized VMs that are already running other App Service instances.
✑ You want to provide a custom image on which to run your functions.
✑ Predictive scaling and costs are required.
Note: When you create a function app in Azure, you must choose a hosting plan for your app. There are three basic hosting plans available for Azure Functions:
Consumption plan, Premium plan, and Dedicated (App Service) plan.
Incorrect Answers:
A: A Premium plan would be more costly.
C: Need the VNET functionality.
Reference: https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale
Question 10.You need to configure the ContentUploadService deployment.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add the following markup to line CS23: type: Private
B. Add the following markup to line CS24: osType: Windows
C. Add the following markup to line CS24: osType: Linux
D. Add the following markup to line CS23: type: Public
Scenario: All Internal services must only be accessible from Internal Virtual Networks (VNets)
There are three Network Location types ג€” Private, Public and Domain
Question 11.
You need to store the user agreements.
Where should you store the agreement after it is completed?
A. Azure Storage queue
B. Azure Event Hub
C. Azure Service Bus topic
D. Azure Event Grid topic
Correct Answer: A
Question 12.
HOTSPOT –
You need to implement the bindings for the CheckUserContent function.
How should you complete the code segment? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: [BlobTrigger(..)]
Box 2: [Blob(..)]
Azure Blob storage output binding for Azure Functions. The output binding allows you to modify and delete blob storage data in an Azure Function.
The attribute’s constructor takes the path to the blob and a FileAccess parameter indicating read or write, as shown in the following example:
[FunctionName(“ResizeImage”)]
public static void Run(
[BlobTrigger(“sample-images/{name}”)] Stream image,
[Blob(“sample-images-md/{name}”, FileAccess.Write)] Stream imageSmall)
{
…
}
Scenario: You must create an Azure Function named CheckUserContent to perform the content checks.
The companyג€™s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content. Any values over a specific threshold must be reviewed by an employee of Contoso, Ltd.
