MCPA-Level-1-Maintenance MuleSoft Certified Platform Architect - Level 1 MAINTENANCE Questions and Answers

Explanation

Correct Answer: Apply a basic authentication - LDAP policy; the internal Active Directory will be configured as the LDAP source for authenticating users.

*****************************************

> > IP Whitelisting does NOT fit for this purpose. Moreover, the users workstations may not necessarily have static IPs in the network.

> > OAuth 2.0 enforcement requires a client provider which isn ' t in the organizations system components.

> > It is not an effective approach to let every user create separate client credentials and configure those for their usage.

The effective way it to apply a basic authentication - LDAP policy and the internal Active Directory will be configured as the LDAP source for authenticating users.

Explanation

Correct Answer: A CloudHub worker fails with an out-of-memory exception.

*****************************************

> > An AWS Region itself going down will definitely result in an outage as it does not matter how many workers are assigned to the Mule App as all of those in that region will go down. This is a complete downtime and outage.

> > Extended outage of API manager during initial deployment of API implementation will of course cause issues in proper application startup itself as the API Autodiscovery might fail or API policy templates and polices may not be downloaded to embed at the time of applicaiton startup etc... there are many reasons that could cause issues.

> > A network outage onpremises would of course cause the Order Management System not accessible and it does not matter how many workers are assigned to the app they all will fail and cause outage for sure.

The only option that does NOT result in a service outage is if a cloudhub worker fails with an out-of-memory exception. Even if a worker fails and goes down, there are still other workers to handle the requests and keep the API UP and Running. So, this is the right answer.

Explanation

Correct Answer: At the process and system tiers

*****************************************

> > Experience Layer APIs are modeled and designed exclusively for the end user ' s experience. So, the data models of experience layer vary based on the nature and type of such API consumer. For example, Mobile consumers will need light-weight data models to transfer with ease on the wire, where as web-based consumers will need detailed data models to render most of the info on web pages, so on. So, enterprise data models fit for the purpose of canonical models but not of good use for experience APIs.

> > That is why, EDMs should be used extensively in process and system tiers but NOT in experience tier.

Explanation

Correct Answer: Implement different system APIs named createCustomer, amendCustomer, retrieveCustomer and suspendCustomer as they are modular and has seperation of concerns

*****************************************

> > It is quite normal to have a single API and different Verb + Resource combinations. However, this fits well for an Experience API or a Process API but not a best architecture style for System APIs. So, option with just one customerManagement API is not the best choice here.

> > The option with APIs in createCustomerInCRMZ format is next close choice w.r.t modularization and less maintenance but the naming of APIs is directly coupled with the legacy system. A better foreseen approach would be to name your APIs by abstracting the backend system names as it allows seamless replacement/migration of any backend system anytime. So, this is not the correct choice too.

> > createCustomer, amendCustomer, retrieveCustomer and suspendCustomer is the right approach and is the best fit compared to other options as they are both modular and same time got the names decoupled from backend system and it has covered all requirements a System API needs.

Explanation

Correct Answer :  By refining the response definitions by adding the  x-ratelimit-*  response headers with description, type, and example

*****************************************

References :

https://docs.mulesoft.com/api-manager/2.x/rate-limiting-and-throttling#response-headers

https://docs.mulesoft.com/api-manage r/2.x/rate-limiting-and-throttling-sla-based-policies#response-headers

Explanation

Correct Answer: 4.0.0

*****************************************

As per semver.org semantic versioning specification:

Given a version number MAJOR.MINOR.PATCH, increment the:

- MAJOR version when you make incompatible API changes.

- MINOR version when you add functionality in a backwards compatible manner.

- PATCH version when you make backwards compatible bug fixes.

As per the scenario given in the question, the API implementation is completely changing its behavior. Although the format of the time is still being maintained as hh:mm:ss and there is no change in schema w.r.t format, the API will start functioning different after this change as the times are going to come completely different.

Example: Before the change, say, time is going as 09:00:00 representing the PST. Now on, after the change, the same time will go as 18:00:00 as Central European Summer Time is 9 hours ahead of Pacific Time.

> > This may lead to some uncertain behavior on API clients depending on how they are handling the times in the API response. All the API clients need to be informed that the API functionality is going to change and will return in CEST format. So, this considered as a MAJOR change and the version of API for this new change would be 4.0.0

Explanation

Correct Answer: They must be deployed to Anypoint Platform runtime planes that are managed by Anypoint Platform control planes, with both planes in the same Jurisdiction.

*****************************************

> > As per legal regulations, all data processing to be performed within a certain jurisdiction. Meaning, the data in USA should reside within USA and should not go out. Same way, the data in EU should reside within EU and should not go out.

> > So, just encrypting the data in transit and at rest does not help to be compliant with the rules. We need to make sure that data does not go out too.

> > The data that we are talking here is not just about the messages that are published to Anypoint MQ. It includes the apps running, transaction states, application logs, events, metric info and any other metadata. So, just replacing Anypoint MQ with a locally hosted ActiveMQ does NOT help.

> > The data that we are talking here is not just about the key/value pairs that are stored in Object Store. It includes the messages published, apps running, transaction states, application logs, events, metric info and any other metadata. So, just avoiding using Object Store does NOT help.

> > The only option left and also the right option in the given choices is to deploy application on runtime and control planes that are both within the jurisdiction.

Explanation

Correct Answer: Set a timeout of 100ms; that leaves 400ms for other two downstream APIs to complete

*****************************************

Key details to take from the given scenario:

> > Upstream API ' s designed SLA is 500ms (median). Lets ignore maximum SLA response times.

> > This API calls 3 downstream APIs sequentially and all these are of similar complexity.

> > The first downstream API is offering median SLA of 100ms, 80th percentile: 500ms; 95th percentile: 1000ms.

Based on the above details:

> > We can rule out the option which is suggesting to set 50ms timeout. Because, if the median SLA itself being offered is 100ms then most of the calls are going to timeout and time gets wasted in retried them and eventually gets exhausted with all retries. Even if some retries gets successful, the remaining time wont leave enough room for 2nd and 3rd downstream APIs to respond within time.

> > The option suggesting to NOT set a timeout as the invocation of this API is mandatory and so we must wait until it responds is silly. As not setting time out would go against the good implementation pattern and moreover if the first API is not responding within its offered median SLA 100ms then most probably it would either respond in 500ms (80th percentile) or 1000ms (95th percentile). In BOTH cases, getting a successful response from 1st downstream API does NO GOOD because already by this time the Upstream API SLA of 500 ms is breached. There is no time left to call 2nd and 3rd downstream APIs.

> > It is NOT true that no timeout is possible to meet the upstream APIs desired SLA.

As 1st downstream API is offering its median SLA of 100ms, it means MOST of the time we would get the responses within that time. So, setting a timeout of 100ms would be ideal for MOST calls as it leaves enough room of 400ms for remaining 2 downstream API calls.

Explanation

Correct Answer: Option A

*****************************************

> > Anypoint API Manager and API policies are applicable to all types of HTTP/1.x APIs.

> > They are not applicable to WebSocket APIs, HTTP/2 APIs and gRPC APIs

Explanation

Correct Answer: When a new required field is added to the method called by the API client

*****************************************

> > Generally, the logic on API clients need to be updated when the API contract breaks.

> > When a new method or a child method is added to an API , the API client does not break as it can still continue to use its existing method. So these two options are out.

> > We are left for two more where " datatype of the response if changed " and " a new required field is added " .

> > Changing the datatype of the response does break the API contract. However, the question is insisting on the " invocation " logic and not about the response handling logic. The API client can still invoke the API successfully and receive the response but the response will have a different datatype for some field.

> > Adding a new required field will break the API ' s invocation contract. When adding a new required field, the API contract breaks the RAML or API spec agreement that the API client/API consumer and API provider has between them. So this requires the API client invocation logic to also be updated.

Explanation

Correct Answer: A Non-Mule application

*****************************************

> > All type of Mule applications (Mule 3/ Mule 4/ with APIkit/ with Custom Java Code etc) running on Mule Runtimes support the Embedded Policy Enforcement on them.

> > The only option that cannot have or does not support embedded policy enforcement and must have API Proxy is for Non-Mule Applications.

So, Non-Mule application is the right answer.

Explanation

Correct Answer: GET, OPTIONS, HEAD

http://restcookbook.com/HTTP%20Methods/idempotency/

Explanation

Correct Answer:

1. Decrease the IT delivery gap

2. Meet various business demands without increasing the IT capacity

3. Make consumption of assets at the rate of production.

*****************************************

Explanation

Correct Answer :  Create separate Anypoint VPCs for non-production and production environments, then configure connections to the backend systems in the corresponding customer-hosted environments .

*****************************************

> >  Creating different Business Groups does NOT make any difference w.r.t accessing the non-prod and prod customer-hosted environments. Still they will be accessing from both Business Groups unless process network restrictions are put in place.

> >  We need to modify or couple the Mule Application Implementations with the environment. In fact, we should never implements application coupled with environments by binding them in the properties. Only basic things like endpoint URL etc should be bundled in properties but not environment level access restrictions.

> >  IP addresses on CloudHub are dynamic until unless a special static addresses are assigned. So it is not possible to setup firewall rules in customer-hosted infrastrcture. More over, even if static IP addresses are assigned, there could be 100s of applications running on cloudhub and setting up rules for all of them would be a hectic task, non-maintainable and definitely got a good practice.

> >  The  best practice recommended  by Mulesoft ( In fact any cloud provider ), is to have your Anypoint VPCs seperated for Prod and Non-Prod and perform the VPC peering or VPN tunneling for these Anypoint VPCs to respective Prod and Non-Prod customer-hosted environment networks.

Explanation

Correct Answer: The remaining capacity allowed by the API implementation.

*****************************************

> > Reference: https://docs.mulesoft.com/api-manager/2.x/rate-limiting-and-throttling-sla-based-policies#response-headers

Explanation

Correct Answer: API Consumer requests access to API > > API Client implementes logic to call an API > > API routes the request to > > API Implementation

*****************************************

> > API consumer does not implement any logic to invoke APIs. It is just a role. So, the option stating " API Consumer implementes logic to call an API " is INVALID.

> > API Implementation does not route any requests. It is a final piece of logic where functionality of target systems is exposed. So, the requests should be routed to the API implementation by some other entity. So, the options stating " API Implementation routes the request to > > API " is INVALID

> > The statements in one of the options are correct but sequence is wrong. The sequence is given as " API Client implementes logic to call an API > > API Consumer requests access to API > > API routes the request to > > API Implementation " . Here, the statements in the options are VALID but sequence is WRONG.

> > Right option and sequence is the one where API consumer first requests access to API on Anypoint Exchange and obtains client credentials. API client then writes logic to call an API by using the access client credentials requested by API consumer and the requests will be routed to API implementation via the API which is managed by API Manager.

Explanation

Correct Answer: The CloudHub shared load balancer

*****************************************

The scenario in this question can be split as below:

> > There are 3 CloudHub workers (So, there are already good number of workers to handle high volume of requests)

> > The workers are not using static IP addresses (So, one CANNOT use customer load-balancing solutions without static IPs)

> > Looking for most cost-effective component to load balance the client requests among the workers.

Based on the above details given in the scenario:

> > Runtime autoscaling is NOT at all cost-effective as it incurs extra cost. Most over, there are already 3 workers running which is a good number.

> > We cannot go for a customer-hosted load balancer as it is also NOT most cost-effective (needs custom load balancer to maintain and licensing) and same time the Mule App is not having Static IP Addresses which limits from going with custom load balancing.

> > An API Proxy is irrelevant there as it has no role to play w.r.t handling high volumes or load balancing.

So, the only right option to go with and fits the purpose of scenario being most cost-effective is - using a CloudHub Shared Load Balancer.

Explanation

Correct Answer: System Layer

The APIs used in an API-led approach to connectivity fall into three categories:

System APIs – these usually access the core systems of record and provide a means of insulating the user from the complexity or any changes to the underlying systems. Once built, many users, can access data without any need to learn the underlying systems and can reuse these APIs in multiple projects.

Process APIs – These APIs interact with and shape data within a single system or across systems (breaking down data silos) and are created here without a dependence on the source systems from which that data originates, as well as the target channels through which that data is delivered.

Experience APIs – Experience APIs are the means by which data can be reconfigured so that it is most easily consumed by its intended audience, all from a common data source, rather than setting up separate point-to-point integrations for each channel. An Experience API is usually created with API-first design principles where the API is designed for the specific user experience in mind.

Explanation

Correct Answer: The API consumer creates an API client, which sends API invocations to an API such that they are processed by an API implementation

*****************************************

Terminology:

> > API Client - It is a piece of code or program the is written to invoke an API

> > API Consumer - An owner/entity who owns the API Client. API Consumers write API clients.

> > API - The provider of the API functionality. Typically an API Instance on API Manager where they are managed and operated.

> > API Implementation - The actual piece of code written by API provider where the functionality of the API is implemented. Typically, these are Mule Applications running on Runtime Manager.

Explanation

Correct Answer: Unit tests (Whitebox)

*****************************************

Explanation

Correct Answer: When the response time of API invocations exceeds a threshold

*****************************************

> > Alerts can be setup for all the given options using the default Anypoint Platform functionality

> > However, the question insists on an alert whose conditions depend on the end-to-end request processing of the API implementation.

> > Alert w.r.t " Response Times " is the only one which requires end-to-end request processing of API implementation in order to determine if the threshold is exceeded or not.