DP-203: Data Engineering on Microsoft Azure
You have an Azure Cosmos DB database that uses the SQL API.
You need to delete stale data from the database automatically.
What should you use?
soft delete
Low Latency Analytical Processing (LLAP)
schema on read
Time to Live (TTL)
Answer is Time to Live (TTL)
With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. By default, you can set time to live at the container level and override the value on a per-item basis. After you set the TTL at a container or at an item level, Azure Cosmos DB will automatically remove these items after the time period, since the time they were last modified.
References:
https://docs.microsoft.com/en-us/azure/cosmos-db/time-to-live
You develop data engineering solutions for a company. An application creates a database on Microsoft Azure. You have the following code:
Which database and authorization types are used?
A-A
A-B
A-C
B-B
B-C
C-C
D-A
D-B
Box 1: Azure Cosmos DB
The DocumentClient.CreateDatabaseAsync(Database, RequestOptions) method creates a database resource as an asychronous operation in the Azure Cosmos DB service.
Box 2: Master Key
Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources: Master Key, Resource Tokens
Master keys provide access to the all the administrative resources for the database account. Master keys:
- Provide access to accounts, databases, users, and permissions.
- Cannot be used to provide granular access to containers and documents.
- Are created during the creation of an account.
- Can be regenerated at any time.
Incorrect Answers:
Resource Token: Resource tokens provide access to the application resources within a database.
References:
https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.documents.client.documentclient.createdatabaseasync
https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data
You have an Azure Cosmos DB database.
You need to use Azure Stream Analytics to check for uneven distributions of queries that can affect performance.
Which two settings should you configure?
A-B
B-C
C-D
D-E
E-F
F-G
G-A
Answer is D - E
PartitionKeyStatistics: Select this option to log the statistics of the partition keys. This is currently represented with the storage size (KB) of the partition keys.
PartitionKeyRUConsumption: This log reports the aggregated per-second RU/s consumption of partition keys. Currently, Azure Cosmos DB reports partition keys for SQL API accounts only and for point read/write and stored procedure operations. other APIs and operation types are not supported. For other APIs, the partition key column in the diagnostic log table will be empty. This log contains data such as subscription ID, region name, database name, collection name, partition key, operation type, and request charge.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/cosmosdb-monitor-resource-logs
A company is planning to use Microsoft Azure Cosmos DB as the data store for an application. You have the following Azure CLI command:
az cosmosdb create name cosmosdbdev1 -resource-group rgdevYou need to minimize latency and expose the SQL API. How should you complete the command?
A-B
B-C
C-C
D-B
A-A
B-A
C-A
D-C
Answer is C-C
Box 1: Eventual
With Azure Cosmos DB, developers can choose from five well-defined consistency models on the consistency spectrum. From strongest to more relaxed, the models include strong, bounded staleness, session, consistent prefix, and eventual consistency.
Box 2: GlobalDocumentDB
Select Core(SQL) to create a document database and query by using SQL syntax.
Note: The API determines the type of account to create. Azure Cosmos DB provides five APIs: Core(SQL) and MongoDB for document databases, Gremlin for graph databases, Azure Table, and Cassandra.
References:
https://docs.microsoft.com/en-us/azure/cosmos-db/consistency-levels
https://docs.microsoft.com/en-us/azure/cosmos-db/create-sql-api-dotnet
A company runs Microsoft SQL Server in an on-premises virtual machine (VM).
You must migrate the database to Azure SQL Database. You synchronize users from Active Directory to Azure Active Directory (Azure AD).
You need to configure Azure SQL Database to use an Azure AD user as administrator.
What should you configure?
For each Azure SQL Database, set the Access Control to administrator.
For each Azure SQL Database server, set the Active Directory to administrator.
For each Azure SQL Database, set the Active Directory administrator role.
For each Azure SQL Database server, set the Access Control to administrator.
Answer is "For each Azure SQL Database, set the Active Directory administrator role."
There are two administrative accounts (Server admin and Active Directory admin) that act as administrators.
One Azure Active Directory account, either an individual or security group account, can also be configured as an administrator. It is optional to configure an Azure AD administrator, but an Azure AD administrator must be configured if you want to use Azure AD accounts to connect to SQL Database.
References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins
Cloud security is a shared responsibility between you and your cloud provider. Which category of cloud services requires the greatest security effort on your part?
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)
Answer is Infrastructure as a service (IaaS)
Infrastructure as a service (IaaS). At this level, the cloud provider provides physical security to compute resources. However, it's your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure. With Platform as a service (PaaS) the cloud provider handles many security concerns, more than with other categories. This includes providing physical security and keeping operating systems patched and up to date. With Software as a service (SaaS) the cloud provider handles most security concerns for you. Your main responsibility is to provide your organization's users with proper access to the software.
Which one of the following is a key difference between global Azure and Azure Government?
Azure Government has a marketplace from which you can deploy pre-built images from Microsoft and partners.
Azure Government has a portal from which you can manage your resources.
Azure Government is a physically separate instance of Azure.
Answer is Azure Government is a physically separate instance of Azure.
Azure Government is a sovereign cloud and is physically separate in its own set of data centers. The other answers are incorrect as Both global Azure and Azure Government offer a marketplace and a portal.
Which of these is the strongest way to protect sensitive customer data?
Encrypt data as it sits in your database
Encrypt data as it travels over the network
Encrypt data both as it sits in your database and as it travels over the network
Answer is "Encrypt data both as it sits in your database and as it travels over the network"
Encrypting your data at all times, both as it sits in your database and as it travels over the network, minimizes the opportunity for an attacker to access your data in plain text.
You want to store certificates in Azure to centrally manage them for your services. Which Azure service should you use?
Azure Key Vault
Azure AD
Answer is Azure Key Vault
Because it is a centralized cloud service for storing application secrets, referred to as a secret store. MSIP is a cloud-based solution that helps an organization classify, and optionally, protect its documents and emails by applying labels. Azure AD is Microsoft’s cloud-based identity and access management service that helps employees of an organization sign in and access resources.
Mike is working as a consultant developing an application for a national Realtor company. They store thousands of images of houses in an Azure BLOB storage account. The web application Mike is developing needs to have access these images. How can Mike provide secure access for the third-party web application?
Use Anonymous access to give the web application access
Use a storage account key to give the web application access
Use a Shared Access Signature to give the web application access.
Answer is "Use a Shared Access Signature to give the web application access."
The shared access signature is the best approach to use should you require a third party application to have access to data in a blob storage account. This can provide access without sharing the storage account key.
Anonymous access is not appropriate as you require secure access to the data and the storage account key is the key that provides access. Sharing this with third party increases the risk of the data being compromised