Commit

Exam revision: October 11, 2024
arvigeus committed Nov 30, 2024
1 parent 39d32e9 commit 7f92322
Showing 21 changed files with 1,455 additions and 1,120 deletions.
2 changes: 1 addition & 1 deletion Learning Path/App Service.md
Original file line number Diff line number Diff line change
Expand Up @@ -289,7 +289,7 @@ To add a new app setting, select **\+ Add**. If you're using deployment slots yo

When finished, select **Apply**. Don't forget to select **Apply** back in the **Environment variables** page.

:information_source: In a default Linux app service or a custom Linux container, any nested JSON key structure in the app setting name like `ApplicationInsights:InstrumentationKey` needs to be configured in App Service as `ApplicationInsights__InstrumentationKey` for the key name. In other words, any `:` should be replaced by `__` (double underscore). Any periods in the app setting name will be replaced with a `*` (single underscore).
:information\*source: In a default Linux app service or a custom Linux container, any nested JSON key structure in the app setting name like `ApplicationInsights:InstrumentationKey` needs to be configured in App Service as `ApplicationInsights__InstrumentationKey` for the key name. In other words, any `:` should be replaced by `__` (double underscore). Any periods in the app setting name will be replaced with a `_` (single underscore).

##### Editing application settings in bulk
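
Review bot: The rewritten info line now starts with `:information\*source:`, which no longer matches the `:information_source:` emoji shortcode and will render as literal text. Keep the shortcode unchanged and change only the final `*` to `_` in "(single underscore)", which is the actual fix on this line.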

Expand Down
65 changes: 65 additions & 0 deletions Questions/App Configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -99,3 +99,68 @@ builder.Configuration.AddAzureAppConfiguration(options =>
Answer: Merge and override previous values

---

Question: In Azure App Configuration, how can you explicitly reference a key-value that does not have a label?

- [ ] Use the label "unlabeled"
- [x] Use the label "\0"
- [ ] Use the label "%00"
- [ ] Use the label "null"
- [ ] Leave the label field blank

Answer: To explicitly reference a key-value without a label, use `\0` (URL encoded as `%00`). This acts as a placeholder to indicate that the key-value in question is unlabeled, allowing you to differentiate it from key-values that might have been assigned specific labels.

---

Question: You are setting up resources in Azure App Configuration and have the following entries:

- Key = `AppName:Region1:DbEndpoint`
- Key = `AppName:region1:dbendpoint`
- Key = `AppName:Service1:ApiEndpoint`
- Key = `AppName:Service1:ApiEndpoint` with Label = `\0`
- Key = `AppName:Service1:ApiEndpoint` with Label = `Test`

What is the total count of distinct keys that will be saved in Azure App Configuration?

- [ ] 2
- [ ] 3
- [ ] 4
- [x] 5

Answer: Here's the breakdown:

- `AppName:Region1:DbEndpoint` and `AppName:region1:dbendpoint` are considered two unique keys because they differ in case.
- `AppName:Service1:ApiEndpoint` appears three times with different label variations:
- No label (default label)
- Label `\0` (acts as no label, but explicitly specified, and is also considered distinct)
- Label `Test`

Since different labels create different versions of the same key, these are considered distinct entries.

Therefore, the total number of unique keys stored in Azure App Configuration is: **5**.

---

Question: You are configuring an Azure App Configuration standard tier to use a customer-managed key from Azure Key Vault. What are the essential actions you must perform to ensure secure key access and compliance? Choose all that apply.

- [x] Enable purge protection on the Azure Key Vault.
- [ ] Connect the Azure App Configuration to a virtual network.
- [x] Assign a managed identity to the Azure App Configuration instance.
- [x] Grant the managed identity appropriate permissions on the Azure Key Vault.
- [ ] Enable public network access for the Azure App Configuration.

Answer: Virtual network connection is not required for customer-managed key integration. The focus is on permissions and identity, not network settings.
Public network access is unrelated to key integration and could pose security risks. Key integration relies on identity and access control, not public accessibility.

---

Question: Which Azure CLI command option would correctly configure key access permissions for a managed identity in your Key Vault?

- [x] `az keyvault set-policy --vault-name 'MyVault' --object-id 'userObjectId' --key-permissions get wrapKey unwrapKey`
- [ ] `az keyvault policy-update --vault 'MyVault' --object-id 'userObjectId' --permissions keys read write`
- [ ] `az keyvault set-policy --name 'MyVault' --identity-id 'userObjectId' --key-access get list`
- [ ] `az keyvault update-policy --vault 'MyVault' --object-id 'userObjectId' --permissions keys get list`

Answer: This command correctly sets the necessary permissions: `GET`, `WRAP`, and `UNWRAP`.

---
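
Review bot: The "distinct keys" question contradicts the question added just above it. The first answer says `\0` is how you reference a key-value that has no label, yet the breakdown counts `AppName:Service1:ApiEndpoint` with no label and the same key with label `\0` as two separate entries to reach 5. If `\0` denotes the unlabeled key-value, those two lines describe the same entry, so either the count or the explanation needs revisiting. The question also asks for distinct keys while the answer counts key and label combinations, so "key-values" would be the clearer term, and the three label bullets should be indented under their parent item. Separately, the customer-managed key answer explains only the two unchecked options; add a sentence on why purge protection and the managed identity are required.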
33 changes: 33 additions & 0 deletions Questions/App Service.md
Original file line number Diff line number Diff line change
Expand Up @@ -1420,6 +1420,19 @@ Answer: The "Always On" setting is required to enable Application Insights Profi

---

Question: Your company is evaluating Azure App Services Basic plan and needs to have some continuous WebJobs and WebJobs triggered by a CRON expression. What steps must be taken, while staying cost effective?

- [ ] Activate Deployment Slots
- [x] Turn on "Always On" Feature
- [ ] Disable IP Restrictions
- [ ] Switch to Standard Plan
- [ ] Switch to Premium Plan
- [ ] Configure a free managed certificate

Answer: To run Continuous WebJobs or WebJobs triggered by a CRON expression in Azure App Service, you must enable the "Always On" feature and have at least a "Basic Plan". The "Always On" setting ensures that the WebJobs continue running even when there is no incoming traffic, and the "Basic Plan" or higher is required to support these operations.

---

Question: Your organization has a web app deployed on Azure using the D1 App Service Plan. You are tasked with setting up the infrastructure to automatically scale when CPU utilization hits 85%, while also keeping costs low. Which of the following actions should you take to meet these objectives?

- [x] Activate autoscaling for the Web App
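
Review bot: The answer to the added WebJobs question never says why "Switch to Standard Plan" and "Switch to Premium Plan" are wrong, which is the point of the "while staying cost effective" wording. Add a sentence stating that the Basic plan already under evaluation supports "Always On", so no plan upgrade is needed.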
Expand Down Expand Up @@ -1470,3 +1483,23 @@ Questions: Which of the following won't trigger a restart?
Answer: Storage failover requires app restart or remounting of Azure Storage.

---

Question: Which of the following can be used for Continuous Integration and Deployment (CI/CD) with Azure App Service? Select all that apply.

- [x] Azure DevOps Services
- [x] GitLab or other third party git repository
- [x] Local git repository
- [x] FTP
- [ ] Azure File Sync
- [x] Azure Container Registry
- [x] Docker Hub or other third party container registries
- [ ] Azure Pipelines Artifacts
- [ ] Azure Blob Storage

Answer: Out-of-the-box CI/CD is available through Azure Portal with Git (Azure DevOps, third party, local), FTP, Container Registry (ACR, third-party).

- **Azure File Sync**: Used for synchronizing files between servers and Azure, not for code deployment.
- **Azure Pipelines Artifacts**: Primarily used for storing artifacts produced by CI/CD pipelines, not directly for deployment.
- **Azure Blob Storage**: Typically used for general storage purposes, not specifically for CI/CD targeting web apps.

---
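
Review bot: The `FTP` option and the "FTP" in the answer present plain FTP as a deployment channel without qualification. App Service also offers FTPS and lets you restrict an app to FTPS only or disable FTP entirely, so consider writing "FTP/S" in both places. The answer's first sentence also does not name Docker Hub although it is a checked option; "Container Registry (ACR, Docker Hub, other third-party)" would map to the options one to one.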
25 changes: 25 additions & 0 deletions Questions/Application Insights.md
Original file line number Diff line number Diff line change
Expand Up @@ -377,3 +377,28 @@ Question: You have a running application and you want to control the rate of dat
Answer: Ingestion sampling happens at the Application Insights service endpoint and allows you to set the sampling rate without redeploying your app. It helps you keep within your monthly quota.

---

Question: Which method should be used here instead of `XXXXXXXXXX` to track response time:

```cs
var startTime = DateTime.UtcNow;
var timer = System.Diagnostics.Stopwatch.StartNew();

try {
await sendRequest();
}
finally {
timer.Stop();
telemetry.XXXXXXXXXX("type", "name", "myTracedRequest", startTime, timer.Elapsed, success);
}
```

- [ ] `TrackEvent`
- [ ] `TrackException`
- [x] `TrackDependency`
- [ ] `TrackRequest`
- [ ] `TrackTrace`

Answer: `TrackDependency`: for those dependencies not automatically collected by SDK, like response times.

---
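
Review bot: In the `cs` snippet, `success` is passed to `telemetry.XXXXXXXXXX(...)` but is never declared or assigned, so the sample does not compile and the reader cannot tell what is reported when `sendRequest()` throws. Declare `var success = false;` before the `try` and set it to `true` after the `await`. The bodies of `try` and `finally` are also unindented. In the answer, "like response times" reads as if response times were dependencies; "use it to record the response time of calls the SDK does not collect automatically" would be clearer.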
13 changes: 0 additions & 13 deletions Questions/Blob Storage.md
Original file line number Diff line number Diff line change
Expand Up @@ -90,19 +90,6 @@ The BlobClient class is limited to manipulating blobs.

---

Question: You arrive at work donned in your favorite furry costume and discover a task from your supervisor demanding you take the company's website offline in order to perform some maintenance on it. The website consists of a single `_index.html` file stored in Azure Storage's `$web` container. You promptly set the access level of that specific file to private and consider the job done as you dive into some leisurely Reddit browsing. Just half an hour later, your supervisor storms over to your desk and fires you on the spot. What could be the reason behind this unexpected termination?

- [ ] Your choice of unconventional office attire: a furry costume (you did nothing wrong).
- [ ] You erred in your task; you were supposed to set the access level of the entire `$web` container to private.
- [ ] To make the site inaccessible to users, you should have set the entire storage account to private.
- [x] You have a fundamental misunderstanding of how things function within Azure Static Site hosting.

Answer: In this situation, to make the static website inaccessible, you need to turn off the Static Website hosting feature from your Azure Storage account. You know nothing...

You actually cannot set the access level of an individual blob (file), but rather the access level is set on the container level. However, even setting the access level of the `$web` container to private wouldn't take the static website offline. This is due to the fact that Azure's static website feature always serves files in the `$web` container anonymously, regardless of the container's access level setting. Same goes for setting the entire storage account to private.

---

Question: As an Azure Developer working for a company named Contoso, your task involves managing the company's Azure storage account. The storage account contains numerous block blobs, all of which are tagged with specific metadata indicating the project they are associated with. For instance, some blobs are tagged as "Project: Contoso".

However, due to new privacy regulations, Contoso has decided to delete all blobs tagged with "Project: Contoso" as soon as possible after they have been uploaded to the storage. This is to ensure that sensitive data is not retained longer than necessary.
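
Review bot: Dropping the static-website question also drops its explanation that the static website endpoint keeps serving `$web` content anonymously even when the container or the storage account access level is set to private, and that the site only goes offline when Static Website hosting is turned off. That behaviour is easy to get wrong when trying to restrict access. If the Topics notes do not already cover it, keep the fact as a plainly worded question instead of removing it outright.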
Expand Down
24 changes: 12 additions & 12 deletions Questions/Content Delivery Network.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,6 @@ Question: Which products support asset pre-loading?
- [x] Azure CDN Premium from Edgio
- [x] Azure CDN Standard from Edgio
- [ ] Standard Microsoft
- [ ] Standard Akamai

Answer: Azure CDN from Edgio only

Expand All @@ -52,7 +51,6 @@ Question: Which product supports real-time stats and alerts?
- [x] Azure CDN Premium from Edgio
- [ ] Azure CDN Standard from Edgio
- [ ] Standard Microsoft
- [ ] Standard Akamai

Answer: Azure CDN Premium from Edgio only

Expand Down Expand Up @@ -137,25 +135,27 @@ Deleting refers to removing the file from the origin server, not the cache, and

---

Question: What are the Azure CDN configuration propagation times for Standard (Verizon):
Question: What are the Azure CDN configuration propagation times for Azure CDN Standard from Microsoft:

- [ ] Instant
- [ ] Around 1 minute.
- [x] Around 10 minutes.
- [ ] Around 1 hour.
- [ ] Within 1 minute.
- [x] Within 10 minutes.
- [ ] Within 30 minutes.
- [ ] Within 1 hour.

Answer: 1 minute is for Standard (Akamai).
Answer: For Azure CDN Standard from Microsoft profiles, propagation usually completes in 10 minutes. For Azure CDN Standard from Edgio and Azure CDN Premium from Edgio profiles, propagation usually completes within 30 minutes.

---

Question: What are the Azure CDN configuration propagation times for Standard (Akamai):
Question: What are the Azure CDN configuration propagation times for zure CDN Premium from Edgio:

- [ ] Instant
- [x] Around 1 minute.
- [ ] Around 10 minutes.
- [ ] Around 1 hour.
- [ ] Within 1 minute.
- [ ] Within 10 minutes.
- [x] Within 30 minutes.
- [ ] Within 1 hour.

Answer: 10 minutes is for Standard (Verizon).
Answer: For Azure CDN Standard from Microsoft profiles, propagation usually completes in 10 minutes. For Azure CDN Standard from Edgio and Azure CDN Premium from Edgio profiles, propagation usually completes within 30 minutes.

---
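
Review bot: The second rewritten question heading has a typo, `zure CDN Premium from Edgio`, which should read `Azure CDN Premium from Edgio`. The two questions now share an identical answer paragraph, and its "usually completes in 10 minutes" does not match the option wording "Within 10 minutes"; use "within" in both. The second heading names only Premium from Edgio while the answer covers Standard from Edgio as well, so consider naming both in the heading.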

Expand Down
14 changes: 14 additions & 0 deletions Questions/Event Grid.md
Original file line number Diff line number Diff line change
Expand Up @@ -221,3 +221,17 @@ az eventgrid event-subscription create \
```

---

Question: You need to enable a third-party SaaS application to send events directly to your Azure subscription for processing by your custom applications. What type of Event Grid topic should you configure to achieve this?

- [ ] System Topic
- [x] Partner Topic
- [ ] Custom Topic
- [ ] Event Hub Topic

Answer: Partner Topics are designed specifically for enabling third-party services or SaaS applications to push events into your Azure subscription. These events can then be processed by Azure Functions, Logic Apps, or other subscribers to the topic.
System Topic: This is for Azure services that natively emit events, like Blob Storage or Event Hubs. You use system topics when you’re dealing with Azure-native resources.
Custom topics are for your own applications to send events into Event Grid—not for third-party SaaS. If the source isn’t a partner but something you built, this would be the choice.
Event Hub Topic: Event Hub isn’t even part of Event Grid’s topic system. It’s used for high-throughput streaming of telemetry or event data, not the discrete events Event Grid handles.

---
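
Review bot: The explanations for the three unchecked options in the Event Grid answer are written as consecutive lines with inconsistent lead-ins (`System Topic:`, `Custom topics are`, `Event Hub Topic:`), so they render as one run-on paragraph. Put them in a bullet list with the option name in bold, as the CI/CD answer added to Questions/App Service.md in this commit does.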
20 changes: 20 additions & 0 deletions Questions/Functions.md
Original file line number Diff line number Diff line change
Expand Up @@ -1157,3 +1157,23 @@ Question: You are developing an application using Azure Functions to handle HTTP
Answer: The requirement is to have a custom handler web server that starts up in less than 60 seconds.

---

Questions: It’s Christmas at Grandma’s, and just as you’re savoring your third glass of wine, work calls with an “urgent” issue. Instead of launching into full-blown tech mode, you decide to cobble together an Azure Function - because nothing says “holiday spirit” like a little on-the-fly coding. What’s your go-to approach for resolving this with minimal fuss?

- [ ] Use you poor grandma's Pentium II computer.
- [x] Use your phone's browser.
- [ ] Install vim.
- [ ] Install bunch of SDKs.
- [x] Choose `C# Script` because you are drunk.
- [ ] Choose `Java` because you are REALLY drunk.
- [ ] Create `host.json` file.
- [x] Create `function.json`.
- [ ] None of these is applicable, you have to go back to the office and break everyone's hearts.

Answer: You can use your phone to access Azure Portal. Languages like `C# Script`, `JavaScript`, `Python`, `PowerShell` are natively supported for editing in the portal. Because you use a scripting language, you must also create `function.json`.

- Grandma’s ancient computer? Probably best left for playing solitaire.
- Installing an SDK and editor on that dinosaur will be akin to climbing Everest with slippers on.
- If you choose Java, you have to use an editor, thus a computer - not the best option here.

---
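
Review bot: The added Functions question has two typos: it opens with `Questions:` where the other questions added in this commit use `Question:`, and the first option reads `Use you poor grandma's`, which should be `your`. The answer explains why `function.json` is needed but not why `Create host.json file` is left unchecked; one sentence on that would make the answer key self-contained.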
18 changes: 18 additions & 0 deletions Questions/Key Vault.md
Original file line number Diff line number Diff line change
Expand Up @@ -217,3 +217,21 @@ az keyvault certificate create --vault-name $kvName -n $certName -p "$(az keyvau
```

---

Question: You are tasked with deploying a cloud-based application that leverages Azure Key Vault for storing sensitive information like certificates and API keys. The application will be rolled out in the following phases:

- Development
- Testing
- Staging
- Production

What is the optimal Azure Key Vault configuration to ensure secure and efficient management of secrets across these phases?

- [ ] Use a single Azure Key Vault for all phases
- [ ] Set up two Azure Key Vaults: one for Development and Testing, and another for Staging and Production
- [ ] Establish a unique Azure Key Vault for Production and merge the others into one
- [x] Create a dedicated Azure Key Vault for each phase

Answer: By allocating a separate Azure Key Vault for each phase you ensure isolation of sensitive data, enabling you to manage access policies, secret lifecycles, and audit logs independently for each phase. This approach enhances security and operational efficiency.

---
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,8 @@ In these study notes, emojis may be ambiguous and the correct meaning has to be

The content found in this repository is a result of my personal study and understanding of the AZ-204 exam topics. While I have made every effort to ensure accuracy, there may be inaccuracies, or even incorrect or missing information contained within these notes.

Since passing the exam in October 2023, I strive to keep this information current, but updates are made on a best-effort basis rather than through active maintenance.

I welcome corrections and contributions from others to enhance the quality and accuracy of this material. If you find any errors or have suggestions for improvement, please feel free to open an issue or submit a pull request.

Please use these notes at your own discretion and cross-reference with official materials and resources to ensure complete understanding of the subject matter.
Expand Down
8 changes: 4 additions & 4 deletions Topics/App Configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ You can import and export configuration between Azure App Configuration and sepa
Azure App Configuration manages configuration data using key-value pairs.

- **Keys**: Unique, _case-sensitive_ identifiers for values. They can include any unicode character except `*`, `,`, and `\` (reserved can be escaped with '\'). Use delimiters like `/` or `:` for hierarchical organization. Azure treats _keys as a whole_ and doesn't enforce any structure. Example: `AppName:Service1:ApiEndpoint`
- **Labels**: Group keys by criteria, ex: environments or versions (which is _not supported natively_). Default label is `null`. Example: `Key = AppName:DbEndpoint & Label = Test`. Key prefixes are alternative way of grouping (labeling).
- **Labels**: Group keys by criteria, ex: environments or versions (which is _not supported natively_). Default label is `null`. Example: `Key = AppName:DbEndpoint & Label = Test`. Key prefixes are alternative way of grouping (labeling). To explicitly reference a key-value without a label, use `\0`. Different labels create different versions of the same key, these are considered distinct (unique) entries.
- **Values**: Unicode strings optionally associated with a user-defined content type for additional metadata.

### Configuration and Querying
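
Review bot: The sentence appended to the **Labels** bullet says "Different labels create different versions of the same key", right after the same bullet states that versions are "not supported natively", so the wording contradicts itself. It is also a comma splice. Suggest "A key with different labels is stored as separate, distinct key-values." It would also help to mention here that `\0` is URL encoded as `%00`, as the new quiz answer does.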
Expand Down Expand Up @@ -46,7 +46,7 @@ When using multiple `.Select()`, if a key with the same name exists in both labe
.Select("TestApp:*", "dev");
```

## Feature Management
## [Feature Management](https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-feature-filters)

- **Feature flag**: A binary variable (on/off) that controls the execution of an associated code block.
- **Feature manager**: A software package managing feature flags' lifecycle, providing additional functions like caching and updating flag states.
Expand Down Expand Up @@ -160,7 +160,7 @@ Azure App Configuration serves as a centralized repository for feature flags, en

## Security

### Using Customer-Managed Keys for Encryption
### [Using Customer-Managed Keys for Encryption](https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-customer-managed-keys)

A managed identity authenticates with Microsoft Entra ID and wraps the encryption key using Azure Key Vault. The wrapped key is stored and the unwrapped key is cached for an hour, then refreshed.

Expand All @@ -173,7 +173,7 @@ Prerequisites:
After setup, assign a managed identity to the App Configuration and grant it `GET`, `WRAP`, and `UNWRAP` (permits decrypting previously wrapped keys) permissions in the Key Vault's access policy:

```sh
az keyvault set-policy --name 'MyVault' --object-id 'userObjectId' --key-permissions get list --secret-permissions get list
az keyvault set-policy --key-permissions get wrapKey unwrapKey
```

## Configure Key Vault
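
Review bot: The replacement command `az keyvault set-policy --key-permissions get wrapKey unwrapKey` drops both the vault name and `--object-id`, so it cannot run as written and no longer shows which identity receives the permissions. Keep the vault and object-id arguments and change only the permissions. The removed line used `--name 'MyVault'` while the new quiz answer in Questions/App Configuration.md uses `--vault-name 'MyVault'`; check which flag `set-policy` accepts and use it in both files. Dropping `list` and the secret permissions is a sound least-privilege change and matches the `GET`, `WRAP`, `UNWRAP` text above the block.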
Expand Down