[{"_1":2,"_287":-5,"_288":-5},"loaderData",{"_3":4},"routes/topics.$name",[5,25,39,53,62,74,84,105,116,127,136,155,166,175,185,195,207,217,223,235,247,258,267,273,281],{"_6":7,"_8":9,"_10":11,"_12":13,"_18":19,"_21":22,"_23":24},"id","878c71095c034c708745cfeb10bafe250f9e5bc384b7fce075dc41416ff40212","question","You receive `401 Access Denied` trying to get access to your API instance. What is happening?","answer","Pass a valid subscription key. \nServer errors are `5XX`, quota and ip restrictions are `403`.","options",[14,15,16,17],"Server crashed","You have to pass a valid subscription key.","Quota has been exceeded","IP Filter policy has been activated","answerIndexes",[20],1,"hasCode",false,"topic","API Management",{"_6":26,"_8":27,"_10":28,"_12":29,"_18":37,"_21":22,"_23":24},"a1be67b55483c8a6f3a01d72dcb08fb4202accdd6b7c26b543aa8db48e5c0deb","What rule should be used to serve this URL from cache: `https://myapi.azure-api.net/me`?","This looks like a user-specific endpoint. The response is typically user-dependent, and the `Authorization` header is often used to distinguish identities. \nSo, vary the cache by `Authorization` header. The rest of the options are irrelevant or malformed.",[30,31,32,33,34,35,36],"`

Authorization

`","`

`","``","``","``","``",[38],0,{"_6":40,"_8":41,"_10":42,"_12":43,"_18":51,"_21":22,"_23":24},"2d51cf23ae45549efccbf0901a0574c3d51be6c46c0554ff308bfa50ce72b0c7","You have JSON endpoint. The client expects XML response. What policy should be applied?","Response is transformed in outbound section",[44,45,46,47,48,49,50],"`xml-to-json-policy` in inbound section","`xml-to-json-policy` in backend section","`xml-to-json-policy` in outbound section","`json-to-xml-policy` in inbound section","`json-to-xml-policy` in backend section","`json-to-xml-policy` in outbound section","No policy should be applied",[52],5,{"_6":54,"_8":55,"_10":56,"_12":57,"_18":61,"_21":22,"_23":24},"04363fe5a3cabd750c902fd5844d51c5c5d22d467cea7bd36b9ba94bc131e569","Which of the following API Management policies would one use if one wants to apply a policy based on a condition?","The choose policy applies enclosed policy statements based on the outcome of evaluation of boolean expressions. \nThe forward-request policy forwards the incoming request to the backend service specified in the request context. \nThe return-response policy aborts pipeline execution and returns either a default or custom response to the caller.",[58,59,60],"forward-request","choose","return-response",[20],{"_6":63,"_8":64,"_10":65,"_12":66,"_18":72,"_21":22,"_23":24},"7097bb3fb30b84344638a319e628ad63750cfe7a3f2fde4b402cf07e9f52904e","In a company's API system hosted behind an Azure API Management service, you are tasked with implementing response caching. The user ID of the client must first be detected and saved. Then, the response must be cached specifically for that saved user ID. What types of policies should be used to accomplish this task?","Both inbound and outbound policies\n\n- Inbound Policy: The inbound policy is used to extract and save the user ID from the incoming request. The `` policy is used to save the user ID, and the `` policy with a custom key is used to check if a cached response exists for that user ID.\n- Outbound Policy: The outbound policy is used to store the response in the cache. The `` policy with a custom key is used to cache the response specifically for the saved user ID.\n\nTherefore, both inbound and outbound policies are needed to meet the requirements.",[67,68,69,70,71],"Inbound policy only","Outbound policy only","Both inbound and outbound policies","Backend policy only","Global policy only",[73],2,{"_6":75,"_8":76,"_10":77,"_12":78,"_18":83,"_21":22,"_23":24},"b8af13895a31820a5d120dfc0c8156ecab87bdf59be7e37536f8109399c9d6cf","Your organization has implemented Azure API Management (APIM) and requires a custom TLS/SSL certificate for securing communication. The certificate must be obtained from Azure Key Vault, and the process must adhere to security best practices without hardcoding any secrets or credentials in the APIM configuration. Which of the following policies should you apply to the APIM instance to fulfill this requirement?","By using a authentication-managed-identity identity, the APIM instance can authenticate to Azure Key Vault and retrieve the custom TLS/SSL certificate securely without needing to store any credentials in the code or configuration.",[79,80,81,82],"authentication-managed-identity","validate-jwt","check-header","set-body",[38],{"_6":85,"_8":86,"_10":87,"_12":88,"_18":103,"_21":22,"_23":24},"4f14335bcd6ebdcb692dfaba2e410a1a6c739d6b3c8873256dabce02b7cd2239","You are developing an API that needs to restrict a single client IP address to only 10 calls every minute, with a total of 100 calls and 100 MB of bandwidth per hour. Which policies should you implement to achieve this requirement?","`rate-limit-by-key` and `quota-by-key`, units in seconds and KB, `counter-key=\"@(context.Request.IpAddress)\"`.",[89,90,91,92,93,94,95,96,97,98,99,100,101,102],"``","``","``","``","``","``","``","``","``","``","``","``","`

\"@(context.Request.IpAddress)\"

`","`

\"@(context.Request.IpAddress)\"

`",[38,104],4,{"_6":106,"_8":107,"_10":108,"_12":109,"_18":115,"_21":22,"_23":24},"503302d30fbc18ef15b61c65374973fcc4ca3fd1297bdbc25af27b46791a8e59","In what unit is renewal period for Rate limiting / Quota policy?","All times are in seconds",[110,111,112,113,114],"Milliseconds","Seconds","Minutes","Hours","Days",[20],{"_6":117,"_8":118,"_10":119,"_12":120,"_18":126,"_21":22,"_23":24},"8a857bd281f3cf43da00da29e45430c07d13be300c35285f75c8d80412a652db","An API is integrated into an Azure API Management (APIM) gateway and is utilized by client applications worldwide. You are tasked with granting access to 10 new operations exclusively to a select group of 200 beta developers around the world. How can you enable these developers to test the new operations using the existing API URL?","Header-based versioning uses custom HTTP headers to determine the version of the API to be accessed. This allows different versions of the API to be accessed through the same URL.",[121,122,123,124,125],"Implement a revision in Azure API Management.","Implement path-based versioning.","Implement header-based versioning.","Implement query string-based versioning.","Create separate gateways.",[73],{"_6":128,"_8":129,"_10":130,"_12":131,"_18":135,"_21":22,"_23":24},"2ad205a4b5f59049a6b33423753323dfe7a4904b9e240f7571325202bdfd42af","In what unit is the bandwidth limit in Quota policy?","All sizes are in KB",[132,133,134],"KB","MB","GB",[38],{"_6":137,"_8":138,"_10":139,"_12":140,"_18":153,"_21":22,"_23":24},"f81ad0af33cae52307890bcdf96ac87e3767917e2b3f7e7e0facccba86b7d246","You establish an API Management (APIM) gateway and incorporate an existing App Services API app within it. Your goal is to limit each client application to a maximum of 1000 calls to the API on an hourly basis.\". Which policies could achieve this requirement?","To enforce a per-client limit of **1000 API calls per hour**, a combination of [rate-limit-by-key](https://learn.microsoft.com/en-us/azure/api-management/rate-limit-by-key-policy) and [quota-by-key](https://learn.microsoft.com/en-us/azure/api-management/quota-by-key-policy) policies is required:\n\n- `rate-limit-by-key` is used to control short-term bursts. However, this policy has a **maximum renewal period of 300 seconds (5 minutes)**. To approximate an hourly rate, the hour is divided into 12 intervals. By allowing **80 calls per 5 minutes**, the effective cap becomes 960 calls per hour, which satisfies the requirement of **not exceeding** 1000 calls/hour.\n- `quota-by-key` sets a hard cap on total usage. This policy allows a **minimum renewal period of 300 seconds**, so setting it to **1000 calls per 3600 seconds (1 hour)** provides a strict upper boundary per client.\n\n`counter-key` is required if you want the policy to apply per client (e.g., per subscription, per user, per IP). If you omit counter-key, the policy applies globally to all clients combined, which is rarely useful for rate-limiting or quotas in multi-tenant APIs.\n\nTogether, these policies ensure both **rate smoothing** and **strict quota enforcement**. All other options either violate APIM policy constraints (e.g., invalid renewal periods), omit required keys, or fail to distribute traffic safely within allowed limits.",[141,142,143,144,145,146,147,148,149,150,151,152],"``","``","``","``","``","``","``","``","``","``","``","``",[20,154],6,{"_6":156,"_8":157,"_10":158,"_12":159,"_18":165,"_21":22,"_23":24},"f4756458ae0930ba807d9ffd227f9b1e1aeb52dda503e560a19caad02bbbd350","Your company has a complex environment with APIs hosted both on-premises and in different cloud providers. You are tasked with centralizing the management of these APIs using Azure API Management, while ensuring low-latency access for local users. What actions should you take to accomplish this task?","The Premium tier is required to deploy self-hosted gateways, which are essential for managing APIs across different environments. Self-hosted gateways are containerized versions of managed gateways, suitable for hybrid and multicloud environments. \nMigrating all APIs to Azure App Service is not necessary for managing APIs across different environments. \nGenerating OpenAPI specifications is not directly related to managing APIs across multiple clouds and on-premises. \nConfiguring a VPN connection is not relevant to the scenario described.",[160,161,162,163,164],"Upgrade to the Premium tier of Azure API Management.","Implement a self-hosted gateway to manage on-premises APIs and APIs across multiple clouds.","Migrate all APIs to Azure App Service.","Generate OpenAPI specifications for all APIs.","Configure a VPN connection between the internal network and Azure.",[38,20],{"_6":167,"_8":168,"_10":169,"_12":170,"_18":174,"_21":22,"_23":24},"432139a6157dbd4579692cf8d715f98d2f6ec623499dbab8d67b5efb86acd59a","Which of the following components of the API Management service would a developer use if they need to create an account and subscribe to get API keys?","The Developer portal serves as the main web presence for developers, and is where they can subscribe to get API keys. \nThe API gateway routes calls, performs API transforms, and verifies keys. \nThe Azure portal is the administrative interface where you set up your API program.",[171,172,173],"API gateway","Azure portal","Developer portal",[73],{"_6":176,"_8":177,"_10":178,"_12":179,"_18":184,"_21":22,"_23":24},"a49b205783aa074b9c03bdf66557d75f98125973f2cacba810e039e5b23da8a7","Your team has developed an application API based on the OpenAPI specification. You need to make this API accessible through Azure API Management. Currently, no APIM instance exists.\n\nWhich Azure CLI commands should you run to accomplish this task?","\n\n1. **`az apim create`**: Creates the Azure API Management service instance. You cannot import APIs without an APIM instance.\n1. **`az apim api import`**: Imports your OpenAPI-based API definition into the APIM instance, making it accessible through APIM endpoints.\n\nIncorrect:\n\n- `az apim backend create`: Adds a backend service to APIM; does not create the API itself.\n- `az apim backend proxy create`: Creates a proxy backend; unrelated to importing an API.",[180,181,182,183],"`az apim create`","`az apim api import`","`az apim backend create`","`az apim backend proxy create`",[38,20],{"_6":186,"_8":187,"_10":188,"_12":189,"_18":194,"_21":22,"_23":24},"461f77bd010119f38b27f9c3d8a3c78d55c772860b3568d7d8e3ce61f5e2b776","A company uses Azure API Management to publish APIs for external consultants. The API needs to forward the user ID associated with the subscription key to the back-end service. Which type of policy should be used for this requirement?","Forwarding the user ID that is associated with the subscription key to the back-end service would be done in an inbound policy.\n\n```xml\n\n \n \n @(context.Subscription.Id)\n \n \n\n\n```",[190,191,192,193],"Inbound","Outbound","Backend","Error",[38],{"_6":196,"_8":197,"_10":198,"_12":199,"_18":206,"_21":22,"_23":24},"4e273eedead0a547f597362ec26b0124a156699a03aab122ba70cf2fa0302b24","You are working on an API where an end user is authenticated, and you need to generate a throttling key based on information that uniquely identifies that user. The requirement is to limit the calls to 10 every minute, with a total of 100 calls and 100 MB of bandwidth per hour. Which policies should you implement to achieve this requirement?","`rate-limit-by-key` and `quota-by-key`, units in seconds and KB, `counter-key=\"@(context.Request.Headers.GetValueOrDefault(\\\"Authorization\\\",\\\"\").AsJwt()?.Subject)\"`.",[200,201,91,92,202,203,204,205,97,98,99,100],"``","``","``","``","``","``",[38,104],{"_6":208,"_8":209,"_10":210,"_12":211,"_18":216,"_21":22,"_23":24},"68c45edc79c3ebcfe23302a9599723d2d52b73cf06728e07197b1a88443e503e","When attempting to access an API through Microsoft's API Management, a developer receives a `401 Access Denied error`. What could be the possible reasons for this error, and how can it be fixed? Select the correct options.","The key can be included in the request header as \"Ocp-Apim-Subscription-Key\" or as a query string \"subscription-key.\" Additionally, the API must be added to a product in the Azure Portal, which applies to a particular product (a collection of APIs) in API Management.",[212,213,214,215],"Add the API to product in Azure Portal","Include the `Ocp-Apim-Subscription-Key` header in the HTTP request.","Add the check-header policy statement for the Authorization header.","Disable OAuth2.0 in the API Management gateway.",[38,20],{"_6":218,"_8":219,"_10":220,"_12":221,"_18":222,"_21":22,"_23":24},"36cebc512c3735cfcff37709516871a40bb0dc417ddfc5eab7f3b3f104738e41","You are developing a solution that requires the Azure API Management (APIM) instance to authenticate to a backend service. The authentication process must be secure and aligned with best practices. The backend service supports authentication through specific methods, and you need to ensure that the APIM instance can access it without storing credentials within the APIM configuration. Which of the following policies should you apply to the APIM instance to achieve this requirement?","By using a authentication-managed-identity identity, you can authenticate to services that support Entra ID authentication without credentials in your code. In this scenario, it allows the APIM instance to authenticate to the backend service securely.",[79,80,81,82],[38],{"_6":224,"_8":225,"_10":226,"_12":227,"_18":234,"_21":22,"_23":24},"17f2f622b2afa624a1eb75816e02d614fb888d9bd41bbf4abef8dc62303f8c62","What rule should be used to serve this URL from cache: `https://myapi.azure-api.net/items?id=123456`?","The URL has a query parameter `id`. To cache per distinct ID, you must vary by `id`. \n`items` is not valid query parameter. `cache-lookup-value` is for retrieving cached value by name.",[228,229,230,231,232,233],"`

items

`","`

`","``","``","``","``",[20],{"_6":236,"_8":237,"_10":238,"_12":239,"_18":246,"_21":22,"_23":24},"e89966f40a5abb69b75d25bb0877934de5154c7c91d5aac29f70f4aa96b3364c","You are setting up an API Management instance to manage your organization's various API services. You have a REST API developed in-house that is already exposed to the public internet. What is the first step you should take before incorporating this REST API into the API Management instance?","OpenAPI specification enables Azure API Management to automatically discover the endpoints and methods supported by the API.",[240,241,242,243,244,245],"Establish a VPN connection between the in-house network and Azure.","Generate OpenAPI specification for the REST API.","Move the API to Azure Functions.","Implement OAuth 2.0 authentication for the API.","Set up a load balancer for the API in Azure.","Set up a self-hosted gateway between the internal network and Azure.",[20],{"_6":248,"_8":249,"_10":250,"_12":251,"_18":256,"_21":22,"_23":24},"29f0f64ae38d09bb91b184410bd83a83d83e90c82c5b5dacc51cc301e9e04cf7","Your client, once again, complains they receive a `403 Forbidden` error when trying to access your API. It was working just 5 minutes ago, they claim. You look into this \"urgent\" problem and see no policy changes have been made, and surprise, surprise, it works on your machine(tm). How would you make client to shut up and be happy?","A `403 Forbidden` error is either an IP filter policy or an exceeded quota. Since policy rules haven't been modified, it must be a quota issue. \nNote: Cursing your clients (in your mind) is a valid/invalid solution, depending on your morals.",[252,253,254,255],"The API endpoint must be faulty, so just remove it for now and debug it later, like everything else","Add an `ip-filter` policy that allows access to your client's IP, because that's never been a problem before","Call them idiots (in your head, of course) and tell them to use a different subscription key, like you've told them a hundred times","Modify the quota policy to be more generous, because probably they have been spamming your endpoint",[257],3,{"_6":259,"_8":260,"_10":261,"_12":262,"_18":266,"_21":22,"_23":24},"ee0fad95310e552de6085faa70c5a66149974904c6606257da0db5ee8d59eac5","What rule should be used to serve this URL from cache: `https://myapi.azure-api.net/items/123456`?","This URL has no query parameters, so you use an empty `` to cache based on the full path. \n`itemId` and `items` are invalid here, and `cache-lookup-value` is not applicable - it's for retrieving named values from the cache directly.",[31,263,264,265,228,232,233],"`

itemId

`","``","``",[38],{"_6":268,"_8":269,"_10":270,"_12":271,"_18":272,"_21":22,"_23":24},"78f533392543fe56efdc7442f62d446ad7b5bcfc7e2a1d6551b7a215e4c67fb4","You have JSON endpoint that expects JSON payload. The client sends XML payload. What policy should be applied?","Request is transformed in inbound section",[44,45,46,47,48,49,50],[38],{"_6":274,"_8":275,"_10":276,"_12":277,"_18":280,"_21":22,"_23":24},"cdbaddde8c7828ef08990a136c7aa561123e53ea0ca9f210b5ae9408617471db","Your organization offers web services to third-party clients. These services require non-anonymous access, authentication through OpenID Connect, and are accessed via APIs. To ensure secure Entra ID authentication, you decide to base it on a specific value embedded in the request query parameter. Which policy within Azure API Management should you enforce to meet this requirement?","The JWT Validation or \"validate-jwt\" policy in Azure API Management is used to validate the JWT (JSON Web Token) extracted from a specified HTTP Header or a URI query parameter. In this scenario, it allows you to securely support Entra ID authentication based on a value passed as a request query parameter. The other options do not provide this specific functionality.",[81,80,278,279],"set-header","control-client-flow",[20],{"_6":282,"_8":283,"_10":284,"_12":285,"_18":286,"_21":22,"_23":24},"5cb431738ad408b43dc62fd7928259120995a681b33133978b304345b0d8305e","You receive `403 Forbidden` trying to get access to your API instance. What are possible reasons for that?","Quota and ip restrictions are `403`. \nServer errors are `5XX`, Subscription errors are `401`",[14,15,16,17],[73,257],"actionData","errors"]

AZ-204 Quiz

← Back to Topics