Mulesoft MuleSoft Certified Platform Architect MCPA-LEVEL-1-MAINTENANCE Questions & Answers

• Question 1:

  An API implementation returns three X-RateLimit-* HTTP response headers to a requesting API client. What type of information do these response headers indicate to the API client?

  A. The error codes that result from throttling

  B. A correlation ID that should be sent in the next request

  C. The HTTP response size

  D. The remaining capacity allowed by the API implementation

  Correct Answer: D

  The remaining capacity allowed by the API implementation.

  *****************************************

  >> Reference: https://docs.mulesoft.com/api-manager/2.x/rate-limiting-and-throttling-sla- based-policies#response-headers

• Question 2:

  What is the main change to the IT operating model that MuleSoft recommends to organizations to improve innovation and clock speed?

  A. Drive consumption as much as production of assets; this enables developers to discover and reuse assets from other projects and encourages standardization

  B. Expose assets using a Master Data Management (MDM) system; this standardizes projects and enables developers to quickly discover and reuse assets from other projects

  C. Implement SOA for reusable APIs to focus on production over consumption; this standardizes on XML and WSDL formats to speed up decision making

  D. Create a lean and agile organization that makes many small decisions everyday; this speeds up decision making and enables each line of business to take ownership of its projects

  Correct Answer: A

  Drive consumption as much as production of assets; this enables developers to discover and reuse assets from other projects and encourages standardization

  *****************************************

  >> The main motto of the new IT Operating Model that MuleSoft recommends and made popular is to change the way that they are delivered from a production model to a production + consumption model, which is done through an API

  strategy called API-led connectivity.

  >> The assets built should also be discoverable and self-serveable for reusablity across LOBs and organization.

  >> MuleSoft's IT operating model does not talk about SDLC model (Agile/ Lean etc) or MDM at all. So, options suggesting these are not valid.

  References:

  https://blogs.mulesoft.com/biz/connectivity/what-is-a-center-for-enablement-c4e/

  https://www.mulesoft.com/resources/api/secret-to-managing-it-projects

• Question 3:

  A code-centric API documentation environment should allow API consumers to investigate and execute API client source code that demonstrates invoking one or more APIs as part of representative scenarios.

  What is the most effective way to provide this type of code-centric API documentation environment using Anypoint Platform?

  A. Enable mocking services for each of the relevant APIs and expose them via their Anypoint Exchange entry

  B. Ensure the APIs are well documented through their Anypoint Exchange entries and API Consoles and share these pages with all API consumers

  C. Create API Notebooks and include them in the relevant Anypoint Exchange entries

  D. Make relevant APIs discoverable via an Anypoint Exchange entry

  Correct Answer: C

  Create API Notebooks and Include them in the relevant Anypoint exchange entries ***************************************** >> API Notebooks are the one on Anypoint Platform that enable us to provide code-centric API documentation : https://docs.mulesoft.com/exchange/to-use-api-notebook

• Question 4:

  A company has created a successful enterprise data model (EDM). The company is committed to building an application network by adopting modern APIs as a core enabler of the company's IT operating model. At what API tiers (experience, process, system) should the company require reusing the EDM when designing modern API data models?

  A. At the experience and process tiers

  B. At the experience and system tiers

  C. At the process and system tiers

  D. At the experience, process, and system tiers

  Correct Answer: C

  At the process and system tiers ***************************************** >> Experience Layer APIs are modeled and designed exclusively for the end user's experience. So, the data models of experience layer vary based on the nature and type of such API consumer. For example, Mobile consumers will need light-weight data models to transfer with ease on the wire, where as web-based consumers will need detailed data models to render most of the info on web pages, so on. So, enterprise data models fit for the purpose of canonical models but not of good use for experience APIs. >> That is why, EDMs should be used extensively in process and system tiers but NOT in experience tier.

• Question 5:

  Refer to the exhibit.

  

  An organization uses one specific CloudHub (AWS) region for all CloudHub deployments.

  How are CloudHub workers assigned to availability zones (AZs) when the organization's Mule applications are deployed to CloudHub in that region?

  A. Workers belonging to a given environment are assigned to the same AZ within that region

  B. AZs are selected as part of the Mule application's deployment configuration

  C. Workers are randomly distributed across available AZs within that region

  D. An AZ is randomly selected for a Mule application, and all the Mule application's CloudHub workers are assigned to that one AZ

  Correct Answer: D

  Workers are randomly distributed across available AZs within that region.

  *****************************************

  >> Currently, we only have control to choose which AWS Region to choose but there is no control at all using any configurations or deployment options to decide what Availability Zone (AZ) to assign to what worker.

  >> There are NO fixed or implicit rules on platform too w.r.t assignment of AZ to workers based on environment or application.

  >> They are completely assigned in random. However, cloudhub definitely ensures that HA is achieved by assigning the workers to more than on AZ so that all workers are not assigned to same AZ for same application. : https://help.mulesoft.com/s/question/0D52T000051rqDj/one-cloudhub-aws-region-how- cloudhub-workers-are-assigned-to-availability-zones-azs-

• Question 6:

  Once an API Implementation is ready and the API is registered on API Manager, who should request the access to the API on Anypoint Exchange?

  A. None

  B. Both

  C. API Client

  D. API Consumer

  Correct Answer: D

  API Consumer ***************************************** >> API clients are piece of code or programs that use the client credentials of API consumer but does not directly interact with Anypoint Exchange to get the access >> API consumer is the one who should get registered and request access to API and then API client needs to use those client credentials to hit the APIs So, API consumer is the one who needs to request access on the API from Anypoint Exchange

• Question 7:

  Refer to the exhibit. An organization is running a Mule standalone runtime and has configured Active Directory as the Anypoint Platform external Identity Provider. The organization does not have budget for other system components.

  

  What policy should be applied to all instances of APIs in the organization to most effecuvelyKestrict access to a specific group of internal users?

  A. Apply a basic authentication - LDAP policy; the internal Active Directory will be configured as the LDAP source for authenticating users

  B. Apply a client ID enforcement policy; the specific group of users will configure their client applications to use their specific client credentials

  C. Apply an IP whitelist policy; only the specific users' workstations will be in the whitelist

  D. Apply an OAuth 2.0 access token enforcement policy; the internal Active Directory will be configured as the OAuth server

  Correct Answer: A

  Apply a basic authentication - LDAP policy; the internal Active Directory will be configured as the LDAP source for authenticating users.

  *****************************************

  >> IP Whitelisting does NOT fit for this purpose. Moreover, the users workstations may not necessarily have static IPs in the network.

  >> OAuth 2.0 enforcement requires a client provider which isn't in the organizations system components.

  >> It is not an effective approach to let every user create separate client credentials and configure those for their usage.

  The effective way it to apply a basic authentication - LDAP policy and the internal Active Directory will be configured as the LDAP source for authenticating users.

  Reference: https://docs.mulesoft.com/api-manager/2.x/basic-authentication-ldap-concept

• Question 8:

  When must an API implementation be deployed to an Anypoint VPC?

  A. When the API Implementation must invoke publicly exposed services that are deployed outside of CloudHub in a customer- managed AWS instance

  B. When the API implementation must be accessible within a subnet of a restricted customer-hosted network that does not allow public access

  C. When the API implementation must be deployed to a production AWS VPC using the Mule Maven plugin

  D. When the API Implementation must write to a persistent Object Store

  Correct Answer: A

• Question 9:

  A System API is designed to retrieve data from a backend system that has scalability challenges. What API policy can best safeguard the backend system?

  A. IPwhitelist

  B. SLA-based rate limiting

  C. Auth 2 token enforcement

  D. Client ID enforcement

  Correct Answer: B

  SLA-based rate limiting

  *****************************************

  >> Client Id enforement policy is a "Compliance" related NFR and does not help in maintaining the "Quality of Service (QoS)". It CANNOT and NOT meant for protecting the backend systems from scalability challenges.

  >> IP Whitelisting and OAuth 2.0 token enforcement are "Security" related NFRs and again does not help in maintaining the "Quality of Service (QoS)". They CANNOT and are NOT meant for protecting the backend systems from scalability

  challenges. Rate Limiting, Rate Limiting-SLA, Throttling, Spike Control are the policies that are "Quality of Service (QOS)" related NFRs and are meant to help in protecting the backend systems from getting overloaded.

  https://dzone.com/articles/how-to-secure-apis

• Question 10:

  What is most likely NOT a characteristic of an integration test for a REST API implementation?

  A. The test needs all source and/or target systems configured and accessible

  B. The test runs immediately after the Mule application has been compiled and packaged

  C. The test is triggered by an external HTTP request

  D. The test prepares a known request payload and validates the response payload

  Correct Answer: B

  The test runs immediately after the Mule application has been compiled and packaged

  *****************************************

  >> Integration tests are the last layer of tests we need to add to be fully covered. >> These tests actually run against Mule running with your full configuration in place and are tested from external source as they work in PROD. >> These tests

  exercise the application as a whole with actual transports enabled. So, external systems are affected when these tests run. So, these tests do NOT run immediately after the Mule application has been compiled and packaged.

  FYI... Unit Tests are the one that run immediately after the Mule application has been compiled and packaged.

  Reference: https://docs.mulesoft.com/mule-runtime/3.9/testing-strategies#integration- testing