MCPA-Level-1 Exam Questions

Total 95 Questions

Last Updated Exam : 16-Dec-2024

What is a typical result of using a fine-grained rather than a coarse-grained API deployment model to implement a given business process?


A.

A decrease in the number of connections within the application network supporting the business process


B.

A higher number of discoverable API-related assets in the application network


C.

A better response time for the end user as a result of the APIs being smaller in scope and complexity


D.

An overall lower usage of resources because each fine-grained API consumes fewer resources





B.
  

A higher number of discoverable API-related assets in the application network



Explanation:
Correct Answer: A higher number of discoverable API-related assets in the application
network.
*****************************************
>> We do NOT get faster response times in the fine-grained approach when compared to
the coarse-grained approach.
>> In fact, we get faster response times from a network having coarse-grained APIs
compared to a network having a fine-grained API model. The reasons are below.
Fine-grained approach:
1. It will have more APIs compared to coarse-grained.
2. So, more orchestration needs to be done to achieve a functionality in the business process.
3. Which means lots of API calls have to be made, so more connections will need to be
established. So, obviously, there are more hops, more network I/O, and more integration points
compared to the coarse-grained approach, where there are fewer APIs with bulk functionality
embedded in them.
4. That is why, because of all these extra hops and added latencies, the fine-grained approach
will have slightly higher response times compared to coarse-grained.
5. Besides the added latencies and connections, more resources will be used up in the
fine-grained approach due to the larger number of APIs.
That's why fine-grained APIs are good as a way to expose more reusable assets
in your network and make them discoverable. However, they need more maintenance and
care of integration points, connections, and resources, with a little compromise w.r.t. network
hops and response times.

How can the application of a rate limiting API policy be accurately reflected in the RAML definition of an API?


A.

By refining the resource definitions by adding a description of the rate limiting policy behavior


B.

By refining the request definitions by adding a remaining Requests query parameter with description, type, and example


C.

By refining the response definitions by adding the out-of-the-box Anypoint Platform ratelimit-enforcement securityScheme with description, type, and example


D.

By refining the response definitions by adding the x-ratelimit-* response headers with
description, type, and example





D.
  

By refining the response definitions by adding the x-ratelimit-* response headers with
description, type, and example



Explanation:
Correct Answer: By refining the response definitions by adding the x-ratelimit-* response
headers with description, type, and example
*****************************************

What do the API invocation metrics provided by Anypoint Platform provide?


A.

ROI metrics from APIs that can be directly shared with business users


B.

Measurements of the effectiveness of the application network based on the level of reuse


C.

Data on past API invocations to help identify anomalies and usage patterns across various APIs


D.

Proactive identification of likely future policy violations that exceed a given threat
threshold





C.
  

Data on past API invocations to help identify anomalies and usage patterns across various APIs



Explanation:
Correct Answer: Data on past API invocations to help identify anomalies and usage
patterns across various APIs
*****************************************
API invocation metrics provided by Anypoint Platform:
>> Do NOT provide any Return on Investment (ROI) related information. So the option
suggesting it is OUT.
>> Do NOT provide any information w.r.t. how APIs are reused, whether there is effective
usage of APIs or not, etc.
>> Do NOT provide any prediction information as such to help us proactively identify any
future policy violations.
So, the kind of data/information we can get from such metrics is on past API invocations, to
help identify anomalies and usage patterns across various APIs.
Reference:
https://usermanual.wiki/Document/APAAppNetstudentManual02may2018.991784750.pdf

What is most likely NOT a characteristic of an integration test for a REST API
implementation?


A.

The test needs all source and/or target systems configured and accessible


B.

The test runs immediately after the Mule application has been compiled and packaged


C.

The test is triggered by an external HTTP request


D.

The test prepares a known request payload and validates the response payload





B.
  

The test runs immediately after the Mule application has been compiled and packaged



Explanation:
Correct Answer: The test runs immediately after the Mule application has been compiled
and packaged
*****************************************
>> Integration tests are the last layer of tests we need to add to be fully covered.
>> These tests actually run against Mule running with your full configuration in place and are tested from an external source, as they work in PROD.
>> These tests exercise the application as a whole with actual transports enabled. So,
external systems are affected when these tests run.
So, these tests do NOT run immediately after the Mule application has been compiled and
packaged.
FYI: Unit tests are the ones that run immediately after the Mule application has been
compiled and packaged.
Reference: https://docs.mulesoft.com/mule-runtime/3.9/testing-strategies#integrationtesting

What API policy would LEAST likely be applied to a Process API?


A.

Custom circuit breaker


B.

Client ID enforcement


C.

Rate limiting


D.

JSON threat protection





D.
  

JSON threat protection



Explanation:
Correct Answer: JSON threat protection
*****************************************
Fact: Technically, there are no restrictions on what policy can be applied in what layer. Any
policy can be applied to an API in any layer. However, context should also be considered
properly before blindly applying policies to APIs.
That is why this question asks for a policy that would LEAST likely be applied to a
Process API.
From the given options:
>> All policies except "JSON threat protection" can be applied without hesitation to the
APIs in the Process tier.
>> The JSON threat protection policy ideally fits Experience APIs, to prevent suspicious
JSON payloads coming from external API clients. This covers more of a security aspect by
trying to avoid possibly malicious and harmful JSON payloads from external clients calling
Experience APIs.
As external API clients are NEVER allowed to call Process APIs directly, and these
kinds of malicious and harmful JSON payloads are always stopped at the Experience API layer
itself using this policy, it is LEAST LIKELY that this same policy is applied again on a Process
layer API.

An organization has several APIs that accept JSON data over HTTP POST. The APIs are
all publicly available and are associated with several mobile applications and web
applications.
The organization does NOT want to use any authentication or compliance policies for these
APIs, but at the same time, is worried that some bad actor could send payloads that could
somehow compromise the applications or servers running the API implementations.
What out-of-the-box Anypoint Platform policy can address exposure to this threat?


A.

Shut out bad actors by using HTTPS mutual authentication for all API invocations


B.

Apply an IP blacklist policy to all APIs; the blacklist will include all bad actors


C.

Apply a Header injection and removal policy that detects the malicious data before it is used


D.

Apply a JSON threat protection policy to all APIs to detect potential threat vectors





D.
  

Apply a JSON threat protection policy to all APIs to detect potential threat vectors



Explanation:
Correct Answer: Apply a JSON threat protection policy to all APIs to detect potential threat
vectors
*****************************************
>> Usually, if the APIs are designed and developed for specific consumers (known
consumers/customers) then we would IP Whitelist the same to ensure that traffic only
comes from them.
>> However, as this scenario states that the APIs are publicly available and being used by
so many mobile and web applications, it is NOT possible to identify and blacklist all
possible bad actors.
>> So, JSON threat protection policy is the best chance to prevent any bad JSON payloads
from such bad actors.

The implementation of a Process API must change. What is a valid approach that minimizes the impact of this change on API clients?


A.

Update the RAML definition of the current Process API and notify API client developers
by sending them links to the updated RAML definition


B.

Postpone changes until API consumers acknowledge they are ready to migrate to a new
Process API or API version


C.

Implement required changes to the Process API implementation so that whenever
possible, the Process API's RAML definition remains unchanged


D.

Implement the Process API changes in a new API implementation, and have the old API
implementation return an HTTP status code 301 - Moved Permanently to inform API clients
they should be calling the new API implementation





C.
  

Implement required changes to the Process API implementation so that whenever
possible, the Process API's RAML definition remains unchanged



Explanation:
Correct Answer: Implement required changes to the Process API implementation so that,
whenever possible, the Process API’s RAML definition remains unchanged.
*****************************************
The key requirement in the question is:
>> An approach that minimizes the impact of this change on API clients
Based on the above:
>> Updating the RAML definition would possibly impact the API clients if the changes
require anything mandatory from the client side. So, one should try to avoid doing that until
really necessary.
>> Implementing the changes as a completely different API and then redirecting the clients
with a 3xx status code is a really upsetting design and heavily impacts the API clients.
>> Organisations and IT cannot simply postpone the changes required until all API
consumers acknowledge they are ready to migrate to a new Process API or API version.
This is unrealistic and not possible.
The best way to handle the changes is always to implement the required changes to the API
implementations so that, whenever possible, the API’s RAML definition remains
unchanged.

What condition requires using a CloudHub Dedicated Load Balancer?


A.

When cross-region load balancing is required between separate deployments of the same Mule application


B.

When custom DNS names are required for API implementations deployed to customer-hosted Mule runtimes


C.

When API invocations across multiple CloudHub workers must be load balanced


D.

When server-side load-balanced TLS mutual authentication is required between API
implementations and API clients





D.
  

When server-side load-balanced TLS mutual authentication is required between API
implementations and API clients



Explanation:
Correct Answer: When server-side load-balanced TLS mutual authentication is required
between API implementations and API clients
*****************************************
Fact / Memory Tip: Although there are many benefits of a CloudHub Dedicated Load
Balancer (DLB), TWO important things that should come to one's mind when considering it are:
>> Having URL endpoints with custom DNS names on CloudHub-deployed apps
>> Configuring custom certificates for both HTTPS and two-way (mutual) authentication.
Coming to the options provided for this question:
>> We CANNOT use a DLB to perform cross-region load balancing between separate
deployments of the same Mule application.
>> We can have mapping rules to have more than one DLB URL pointing to the same Mule
app. But vice versa (more than one Mule app having the same DLB URL) is NOT POSSIBLE.
>> It is true that a DLB helps to set up custom DNS names for CloudHub-deployed Mule apps,
but NOT true for apps deployed to customer-hosted Mule runtimes.
>> It is true that we can load balance API invocations across multiple CloudHub workers
using a DLB, but it is NOT A MUST. We can achieve the same (load balancing) using the SLB
(Shared Load Balancer) too. We DO NOT necessarily require a DLB to achieve it.
So the only right option that fits the scenario and requires us to use a DLB is when TLS
mutual authentication is required between API implementations and API clients.
Reference: https://docs.mulesoft.com/runtime-manager/cloudhub-dedicated-load-balancer

When designing an upstream API and its implementation, the development team has been
advised to NOT set timeouts when invoking a downstream API, because that downstream
API has no SLA that can be relied upon. This is the only downstream API dependency of
that upstream API.
Assume the downstream API runs uninterrupted without crashing. What is the impact of
this advice?


A.

An SLA for the upstream API CANNOT be provided


B.

The invocation of the downstream API will run to completion without timing out


C.

A default timeout of 500 ms will automatically be applied by the Mule runtime in which the upstream API implementation executes


D.

A load-dependent timeout of less than 1000 ms will be applied by the Mule runtime in
which the downstream API implementation executes





A.
  

An SLA for the upstream API CANNOT be provided



Explanation:
Correct Answer: An SLA for the upstream API CANNOT be provided.
*****************************************
>> First things first, the default HTTP response timeout for the HTTP connector is 10000 ms (10
seconds), NOT 500 ms.
>> Mule runtime does NOT apply any such "load-dependent" timeouts. There is no such
behavior currently in Mule.
>> As there is a default 10000 ms timeout for the HTTP connector, we CANNOT always
guarantee that the invocation of the downstream API will run to completion without timing
out, due to its unreliable SLA times. If the response time crosses 10 seconds, then the
request may time out.
The main impact of this is that a proper SLA for the upstream API CANNOT be
provided.
Reference: https://docs.mulesoft.com/http-connector/1.5/http-documentation#parameters-3

An organization wants to make sure only known partners can invoke the organization's
APIs. To achieve this security goal, the organization wants to enforce a Client ID
Enforcement policy in API Manager so that only registered partner applications can invoke
the organization's APIs. In what type of API implementation does MuleSoft recommend
adding an API proxy to enforce the Client ID Enforcement policy, rather than embedding
the policy directly in the application's JVM?


A.

A Mule 3 application using APIkit


B.

A Mule 3 or Mule 4 application modified with custom Java code


C.

A Mule 4 application with an API specification


D.

A Non-Mule application





D.
  

A Non-Mule application



Explanation:
Correct Answer: A Non-Mule application
*****************************************
>> All types of Mule applications (Mule 3 / Mule 4 / with APIkit / with custom Java code, etc.)
running on Mule runtimes support embedded policy enforcement.
>> The only option that does not support embedded policy enforcement
and must have an API proxy is a Non-Mule application.
So, Non-Mule application is the right answer.

