Case study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background –
You are a developer for Litware Inc., a SaaS company that provides a solution for managing employee expenses. The solution consists of an ASP.NET Core Web API project that is deployed as an Azure Web App.
Overall architecture –
Employees upload receipts for the system to process. When processing is complete, the employee receives a summary report email that details the processing results. Employees then use a web application to manage their receipts and perform any additional tasks needed for reimbursement.
Receipt processing –
Employees may upload receipts in two ways:
- Uploading using an Azure Files mounted folder
- Uploading using the web application
Data Storage –
Receipt and employee information is stored in an Azure SQL database.
Documentation –
Employees are provided with a getting started document when they first use the solution. The documentation includes details on supported operating systems for Azure File upload, and instructions on how to configure the mounted folder.
Solution details –
Users table –
Web Application –
You enable MSI for the Web App and configure the Web App to use the security principal name WebAppIdentity.
Processing –
Processing is performed by an Azure Function that uses version 2 of the Azure Function runtime. Once processing is completed, results are stored in Azure Blob
Storage and an Azure SQL database. Then, an email summary is sent to the user with a link to the processing report. The link to the report must remain valid if the email is forwarded to another user.
Logging –
Azure Application Insights is used for telemetry and logging in both the processor and the web application. The processor also has TraceWriter logging enabled.
Application Insights must always contain all log messages.
Requirements –
Receipt processing –
Concurrent processing of a receipt must be prevented.
Disaster recovery –
Regional outage must not impact application availability. All DR operations must not be dependent on application running and must ensure that data in the DR region is up to date.
Security –
User’s SecurityPin must be stored in such a way that access to the database does not allow the viewing of SecurityPins. The web application is the only system that should have access to SecurityPins.
All certificates and secrets used to secure data must be stored in Azure Key Vault.
You must adhere to the principle of least privilege and provide privileges which are essential to perform the intended function.
All access to Azure Storage and Azure SQL database must use the application’s Managed Service Identity (MSI).
Receipt data must always be encrypted at rest.
All data must be protected in transit.
User’s expense account number must be visible only to logged in users. All other views of the expense account number should include only the last segment, with the remaining parts obscured.
In the case of a security breach, access to all summary reports must be revoked without impacting other parts of the system.
Issues –
Upload format issue –
Employees occasionally report an issue with uploading a receipt using the web application. They report that when they upload a receipt using the Azure File Share, the receipt does not appear in their profile. When this occurs, they delete the file in the file share and use the web application, which returns a 500 Internal Server error page.
Capacity issue –
During busy periods, employees report long delays between the time they upload the receipt and when it appears in the web application.
Log capacity issue –
Developers report that the number of log messages in the trace output for the processor is too high, resulting in lost log messages.
Application code –
Processing.cs –
Database.cs –
ReceiptUploader.cs –
ConfigureSSE.ps1 –
HOTSPOT –
You need to add code at line PC26 of Processing.cs to ensure that security policies are met.
How should you complete the code that you will add at line PC26? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: var key = await Resolver.ResolveKeyAsyn(keyBundle,KeyIdentifier.CancellationToken.None);
Box 2: var x = new BlobEncryptionPolicy(key,resolver);
Example:
// We begin with cloudKey1, and a resolver capable of resolving and caching Key Vault secrets.
BlobEncryptionPolicy encryptionPolicy = new BlobEncryptionPolicy(cloudKey1, cachingResolver); client.DefaultRequestOptions.EncryptionPolicy = encryptionPolicy;
Box 3: cloudblobClient. DefaultRequestOptions.EncryptionPolicy = x;
Reference:
https://github.com/Azure/azure-storage-net/blob/master/Samples/GettingStarted/EncryptionSamples/KeyRotation/Program.cs
Question 2.
You need to ensure the security policies are met.
What code do you add at line CS07 of ConfigureSSE.ps1?
A. ג€”PermissionsToKeys create, encrypt, decrypt
B. ג€”PermissionsToCertificates create, encrypt, decrypt
C. ג€”PermissionsToCertificates wrapkey, unwrapkey, get
D. ג€”PermissionsToKeys wrapkey, unwrapkey, get
The policy should belong to a key. In the case study the code retrieve the key so the GET access policy is mandatory. The wrap/unwrap is used for symmetric encryption and in this case study the task is to encrypt the blobs.
PermissionsToKeys wrapkey, unwrapkey, get
https://docs.microsoft.com/en-us/powershell/module/az.storage/set-azstorageaccount?view=azps-5.8.0#example-5–set-encryption-keysource-to-keyvault
code example at line 7
Reference:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy
Question 3.
You need to ensure receipt processing occurs correctly.
What should you do?
A. Use blob properties to prevent concurrency problems
B. Use blob SnapshotTime to prevent concurrency problems
C. Use blob metadata to prevent concurrency problems
D. Use blob leases to prevent concurrency problems
Correct Answer: D
Use blob leases to prevent concurrency problems
Reference: https://docs.microsoft.com/en-us/rest/api/storageservices/lease-blob
Question 4.
You need to resolve the capacity issue.
What should you do?
A. Convert the trigger on the Azure Function to an Azure Blob storage trigger
B. Ensure that the consumption plan is configured correctly to allow scaling
C. Move the Azure Function to a dedicated App Service Plan
D. Update the loop starting on line PC09 to process items in parallel
Correct Answer: D
If you want to read the files in parallel, you cannot use forEach. Each of the async callback function calls does return a promise. You can await the array of promises that you’ll get with Promise.all.
Scenario: Capacity issue: During busy periods, employees report long delays between the time they upload the receipt and when it appears in the web application.
Question 5.
You need to resolve the log capacity issue.
What should you do?
A. Create an Application Insights Telemetry Filter
B. Change the minimum log level in the host.json file for the function
C. Implement Application Insights Sampling
D. Set a LogCategoryFilter during startup
Scenario, the log capacity issue: Developers report that the number of log message in the trace output for the processor is too high, resulting in lost log messages.
Sampling is a feature in Azure Application Insights. It is the recommended way to reduce telemetry traffic and storage, while preserving a statistically correct analysis of application data. The filter selects items that are related, so that you can navigate between items when you are doing diagnostic investigations. When metric counts are presented to you in the portal, they are renormalized to take account of the sampling, to minimize any effect on the statistics.
Sampling reduces traffic and data costs, and helps you avoid throttling.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/sampling
Question 6.
DRAG DROP –
You need to add code at line PC32 in Processing.cs to implement the GetCredentials method in the Processing class.
How should you complete the code? To answer, drag the appropriate code segments to the correct locations. Each code segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Box 1: AzureServiceTokenProvider()
Box 2: tp.GetAccessTokenAsync(“..”)
Acquiring an access token is then quite easy. Example code:
private async Task<string> GetAccessTokenAsync()
{
var tokenProvider = new AzureServiceTokenProvider();
return await tokenProvider.GetAccessTokenAsync(“https://storage.azure.com/”);
}
Reference: https://joonasw.net/view/azure-ad-authentication-with-azure-storage-and-managed-service-identity
Question 7
DRAG DROP –
You need to ensure disaster recovery requirements are met.
What code should you add at line PC16?
To answer, drag the appropriate code fragments to the correct locations. Each code fragment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Scenario: Disaster recovery. Regional outage must not impact application availability. All DR operations must not be dependent on application running and must ensure that data in the DR region is up to date.
Box 1: DirectoryTransferContext –
We transfer all files in the directory.
Note: The TransferContext object comes in two forms: SingleTransferContext and DirectoryTransferContext. The former is for transferring a single file and the latter is for transferring a directory of files.
Box 2: ShouldTransferCallbackAsync
The DirectoryTransferContext.ShouldTransferCallbackAsync delegate callback is invoked to tell whether a transfer should be done.
Box 3: False –
If you want to use the retry policy in Copy, and want the copy can be resume if break in the middle, you can use SyncCopy (isServiceCopy = false).
Note that if you choose to use service side copy (‘isServiceCopy’ set to true), Azure (currently) doesn’t provide SLA for that. Setting ‘isServiceCopy’ to false will download the source blob loca
