AZ-204 Question #218: Real Exam Question with Answer & Explanation
Question
Case Study 6 - Contoso, Ltd

Background

Overview

You are a developer for Contoso, Ltd. The company has a social networking website that is developed as a Single Page Application (SPA). The main web application for the social networking website loads user uploaded content from blob storage.

You are developing a solution to monitor uploaded data for inappropriate content. The following process occurs when users upload content by using the SPA:

- Messages are sent to ContentUploadService.
- Content is processed by ContentAnalysisService.
- After processing is complete, the content is posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named contosoimages. The solution will use eight CPU cores.

Azure Active Directory

Contoso, Ltd. uses Azure Active Directory (Azure AD) for both internal and guest accounts.

Requirements

ContentAnalysisService

The company's data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content. Any values over a specific threshold must be reviewed by an employee of Contoso, Ltd.

You must create an Azure Function named CheckUserContent to perform the content checks.

Costs

You must minimize costs for all Azure services.

Manual review

To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials. The website is built using React and all pages and API endpoints require authentication. In order to review content a user must be part of a ContentReviewer role. All completed reviews must include the reviewer's email address for auditing purposes.

High availability

All services must run in multiple regions. The failure of any service in a region must not impact overall application availability.

Monitoring

An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU cores.

Security

You have the following security requirements:

- Any web service accessible over the Internet must be protected from cross site scripting attacks.
- All websites and services must use SSL from a valid root certificate authority.
- Azure Storage access keys must only be stored in memory and must be available only to the service.
- All Internal services must only be accessible from internal Virtual Networks (VNets).
- All parts of the system must support inbound and outbound traffic restrictions.
- All service calls must be authenticated by using Azure AD.

User agreements

When a user submits content, they must agree to a user agreement. The agreement allows employees of Contoso, Ltd. to review content, store cookies on user devices, and track user's IP addresses.

Information regarding agreements is used by multiple divisions within Contoso, Ltd. User responses must not be lost and must be available to all parties regardless of individual service uptime. The volume of agreements is expected to be in the millions per hour.

Validation testing

When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues

Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

Code

ContentUploadService

ApplicationManifest

Drag and Drop Question

You need to add YAML markup at line CS17 to ensure that the ContentUploadService can access Azure Storage access keys.

How should you complete the YAML markup? To answer, drag the appropriate YAML segments to the correct locations. Each YAML segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Explanation: ACR Event Grid YAML Markup
This question is about configuring an Azure Event Grid subscription in YAML for Azure Container Registry (ACR) events. Despite the question framing mentioning "Storage access keys," the YAML at line CS17 is for wiring up ACR event notifications — a common exam mismatch between the stated goal and the actual configuration artifact shown.
The YAML configures what events to listen for when images are pushed to the contosoimages private ACR registry.
Why This Arrangement
Position 1: ImagePushed
What it is: The ACR event type name for when a container image is successfully pushed to the registry.
Why it goes here: Azure Container Registry emits Event Grid events with specific type names. ImagePushed is the canonical event type (Microsoft.ContainerRegistry.ImagePushed) that signals a new image is available. This is the trigger that allows downstream services (like ContentAnalysisService deployment) to react.
Common mistake: Choosing ImageDeployed — this sounds logical but does not exist as an ACR event type. ACR emits ImagePushed and ImageDeleted, not ImageDeployed. RepositoryUpdated is similarly not a real ACR event type.
Position 2: repository
What it is: The Event Grid subject filter scope — scoping event subscriptions to a specific repository path within the registry.
Why it goes here: ACR event subjects follow the pattern /repository/{repositoryName}. The filter must use repository as the subject prefix to correctly scope which events are forwarded. Using image or imageCollection would not match the ACR subject path structure.
Common mistake: Choosing image — while images live inside repositories, the subject path starts with /repository/, so image would not match correctly.
Position 3: topic
What it is: The Event Grid destination/delivery target type.
Why it goes here: Event Grid subscriptions define where events are delivered. A topic is a custom Event Grid topic endpoint used to route events to subscribers (like an Azure Function or webhook). This is the correct sink type for this architecture.
Common mistake: Choosing service or aci — these are not valid Event Grid topic/destination types. aci (Azure Container Instances) is the compute runtime, not an event routing concept.
Summary Table
| Position | Correct Item | Why |
|---|---|---|
| 1 | ImagePushed | Real ACR event type for image push events |
| 2 | repository | Matches ACR subject path format /repository/... |
| 3 | topic | Event Grid delivery destination type |
The core concept tested is knowledge of ACR + Event Grid integration: specifically, the valid event types ACR emits and how Event Grid subscriptions are structured in YAML.
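
The filtering described above, as an added example (not part of the original page and not Azure SDK code): a small Python model of an Event Grid subscription filter applied to constructed ACR events. The filter parameters mirror Event Grid's includedEventTypes and subjectBeginsWith; the event subjects follow the /repository/{repositoryName} pattern this page gives, and the repository names are hypothetical.

```python
# Added example: a local model of Event Grid subscription filtering.
# Not Azure SDK code; the events below are constructed sample data.

ACR = "Microsoft.ContainerRegistry."

# Constructed events. Subjects follow the /repository/{repositoryName}
# pattern described on this page; repository names are hypothetical.
SAMPLE_EVENTS = [
    {"id": "1", "eventType": ACR + "ImagePushed", "subject": "/repository/contentanalysis"},
    {"id": "2", "eventType": ACR + "ImageDeleted", "subject": "/repository/contentanalysis"},
    {"id": "3", "eventType": ACR + "ImagePushed", "subject": "/repository/scratch"},
]


def passes_filter(event, included_event_types, subject_begins_with="",
                  subject_case_sensitive=False):
    """Return True if the event passes the modelled subscription filter.

    included_event_types: event type names, compared exactly in this model
                          (an empty list means "all types").
    subject_begins_with:  prefix the event subject must start with.
    """
    if included_event_types and event["eventType"] not in included_event_types:
        return False
    subject, prefix = event["subject"], subject_begins_with
    # Event Grid's isSubjectCaseSensitive option defaults to false.
    if not subject_case_sensitive:
        subject, prefix = subject.lower(), prefix.lower()
    return subject.startswith(prefix)


def delivered_ids(events, included_event_types, subject_begins_with=""):
    """IDs of the events a subscription with this filter would receive."""
    return [e["id"] for e in events
            if passes_filter(e, included_event_types, subject_begins_with)]


if __name__ == "__main__":
    filters = [
        ("ImagePushed", "/repository/"),                 # the answer key's pairing
        ("ImagePushed", "/repository/contentanalysis"),  # scoped to one repository
        ("ImageDeployed", "/repository/"),               # type the page says ACR never emits
        ("ImagePushed", "/image/"),                      # prefix that matches no subject
    ]
    for event_type, prefix in filters:
        print(event_type, prefix, delivered_ids(SAMPLE_EVENTS, [ACR + event_type], prefix))
```

In this model a filter built on an event type or subject prefix that never occurs raises no error; it simply delivers nothing, which is why the two "common mistake" choices fail silently.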