121-140 Flashcards

Q

QUESTION 121

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.

Solution: You modify a network security group (NSG).

Does this meet the goal?

  A. Yes
  B. No

A

Correct Answer: A

Section: Describe general security and network security features

Explanation:

A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network. You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).

References:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Q

QUESTION 122

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.

Solution: You modify a DDoS protection plan.

Does this meet the goal?

  A. Yes
  B. No

A

Correct Answer: B

Section: Describe general security and network security features

Explanation:

DDoS is a form of attack on a network resource. A DDoS protection plan is used to protect against DDoS attacks; it does not provide connectivity to a virtual machine.

To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a network security group or Azure Firewall.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview

Q

QUESTION 123

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.

Solution: You modify an Azure firewall.

Does this meet the goal?

  A. Yes
  B. No

A

Correct Answer: A

Section: Describe general security and network security features

Explanation:

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

In this question, we need to add a rule to Azure Firewall to allow the connection to the virtual machine on port 80 (HTTP).

References:

https://docs.microsoft.com/en-us/azure/firewall/overview

Q

QUESTION 124

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.

Solution: You modify an Azure Traffic Manager profile.

Does this meet the goal?

  A. Yes
  B. No
A

Correct Answer: B

Section: Describe general security and network security features

Explanation:

Azure Traffic Manager is a DNS-based load balancing solution. It is not used to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.

To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you need to modify a network security group or Azure Firewall.

In this question, we need to add a rule to a network security group or Azure Firewall to allow the connection to the virtual machine on port 80 (HTTP).

References:

https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview

Q

QUESTION 125

Your company plans to deploy several web servers and several database servers to Azure.

You need to recommend an Azure solution to limit the types of connections from the web servers to the database servers.

What should you include in the recommendation?

  A. network security groups (NSGs)
  B. Azure Service Bus
  C. a local network gateway
  D. a route filter
A

Correct Answer: A

Section: Describe general security and network security features

Explanation:

A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network. You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Q

QUESTION 126

HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Hot Area:

A

Section: Describe general security and network security features

Explanation:

You would use the Azure Activity Log, not Access Control to view which user turned off a specific virtual machine during the last 14 days.

Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more than 90 days in the past.

In this question, we would create a filter to display shutdown operations on the virtual machine in the last 14 days.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit

Q

QUESTION 127

Which service provides network traffic filtering across multiple Azure subscriptions and virtual networks?

  A. Azure Firewall
  B. an application security group
  C. Azure DDoS protection
  D. a network security group (NSG)
A

Correct Answer: A

Section: Describe general security and network security features

Explanation:

You can restrict traffic to multiple virtual networks in multiple subscriptions with a single Azure firewall.

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network.

References:

https://docs.microsoft.com/en-us/azure/firewall/overview

Q

QUESTION 128

Which Azure service should you use to store certificates?

  A. Azure Security Center
  B. an Azure Storage account
  C. Azure Key Vault
  D. Azure Information Protection
A

Correct Answer: C

Section: Describe general security and network security features

Explanation:

Azure Key Vault is a secure store for storing various types of sensitive information, including passwords and certificates.

Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.

Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.

References:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview

Q

QUESTION 129

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

A

Section: Describe general security and network security features

Explanation:

Box 1: No

Azure firewall does not encrypt network traffic. It is used to block or allow traffic based on source/destination IP address, source/destination ports and protocol.

Box 2: No

A network security group does not encrypt network traffic. It works in a similar way to a firewall in that it is used to block or allow traffic based on source/destination IP address, source/destination ports and protocol.

Box 3: No

The question is rather vague, as the answer would depend on the configuration of the host on the Internet. Windows Server does come with a VPN client, and it also supports other encryption methods such as IPSec encryption or SSL/TLS, so it could encrypt the traffic if the Internet host was configured to require or accept the encryption. However, the VM could not encrypt the traffic to an Internet host that is not configured to require the encryption.

Reference:

https://docs.microsoft.com/en-us/azure/security/azure-security-data-encryption-best-practices#protect-data-in-transit

Q

QUESTION 130

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

A

Section: Describe general security and network security features

Explanation:

Box 1: Yes

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they’re in Azure or not - as well as on premises.

Box 2: No

Only two features are free: continuous assessment and security recommendations, and Azure secure score.

Box 3: Yes

The advanced monitoring capabilities in Security Center also let you track and manage compliance and governance over time. The overall compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.

References:

https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

Q

QUESTION 131

You need to configure an Azure solution that meets the following requirements:

Secures websites from attacks

Generates reports that contain details of attempted attacks

What should you include in the solution?

  A. Azure Firewall
  B. a network security group (NSG)
  C. Azure Information Protection
  D. DDoS protection
A

Correct Answer: D

Section: Describe general security and network security features

Explanation:

DDoS is a type of attack that tries to exhaust application resources. The goal is to affect the application’s availability and its ability to handle legitimate requests. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Azure has two DDoS service offerings that provide protection from network attacks: DDoS Protection Basic and DDoS Protection Standard.

DDoS Basic protection is integrated into the Azure platform by default and at no extra cost.

You have the option of paying for DDoS Standard. It has several advantages over the basic service, including logging, alerting, and telemetry. DDoS Standard can generate reports that contain details of attempted attacks as required in this question.

References:

https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices

Q

QUESTION 132

HOTSPOT

You plan to implement several security services for an Azure environment. You need to identify which Azure services must be used to meet the following security requirements:

Monitor threats by using sensors

Enforce Azure Multi-Factor Authentication (MFA) based on a condition

Which Azure service should you identify for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

A

Section: Describe general security and network security features

Explanation:

Box 1:

To monitor threats by using sensors, you would use Azure Advanced Threat Protection (ATP).

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Sensors are software packages you install on your servers to upload information to Azure ATP.

Box 2:

To enforce MFA based on a condition, you would use Azure Active Directory Identity Protection.

Azure AD Identity Protection helps you manage the roll-out of Azure Multi-Factor Authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you are signing in to.

References:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy

Q

QUESTION 133

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP. What are two possible solutions? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

  A. Modify an Azure Traffic Manager profile
  B. Modify a network security group (NSG)
  C. Modify a DDoS protection plan
  D. Modify an Azure firewall
A

Correct Answer: B (this is the only answer given in the dump; D should be the other answer)

Section: Describe general security and network security features

Explanation:

A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network. You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Q

QUESTION 134

HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Hot Area:

A

Section: Describe general security and network security features

Explanation:

The just-in-time (JIT) virtual machine (VM) access feature in Azure Security Center allows you to lock down inbound traffic to your Azure Virtual Machines. This reduces exposure to attacks while providing easy access when you need to connect to a VM.

Reference:

https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-asc

Q

QUESTION 135

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

A

Section: Describe general security and network security features

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

Q

QUESTION 136

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

A

Section: Describe identity, governance, privacy, and compliance features

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

Q

QUESTION 137

Your company plans to migrate all on-premises data to Azure.

You need to identify whether Azure complies with the company’s regional requirements.

What should you use?

  A. the Knowledge Center
  B. Azure Marketplace
  C. the Azure portal
  D. the Trust Center
A

Correct Answer: D

Section: Describe identity, governance, privacy, and compliance features

Explanation:

Azure has more than 90 compliance certifications, including over 50 specific to global regions and countries, such as the US, the European Union, Germany, Japan, the United Kingdom, India and China.

You can view a list of compliance certifications in the Trust Center to determine whether Azure meets your regional requirements.

Reference:

https://azure.microsoft.com/en-gb/overview/trusted-cloud/compliance/

https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal

Q

QUESTION 138

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

A

Section: Describe identity, governance, privacy, and compliance features

Explanation:

Box 1: No

Authorization to access Azure resources can be provided by other identity providers by using federation. A commonly used example of this is to federate your on-premises Active Directory environment with Azure AD and use this federation for authentication and authorization.

Box 2: Yes

As described above, third-party cloud services and on-premises Active Directory can be used to access Azure resources. This is known as ‘federation’.

Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.

Box 3: Yes

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization service to provide secure access to Azure resources.

References:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios

Q

QUESTION 139

HOTSPOT

To complete the sentence, select the appropriate option in the answer area.

Hot Area:

A

Section: Describe identity, governance, privacy, and compliance features

Explanation:

You can configure a lock on a resource group to prevent the accidental deletion of the resource group. The lock applies to everyone, including global administrators. If you want to delete the resource group, the lock must be removed first.

As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.

ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

Q

QUESTION 140

This question requires that you evaluate the underlined text to determine if it is correct.

Azure Germany can be used by legal residents of Germany only.

Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

  A. no change is needed
  B. only enterprises that are registered in Germany
  C. only enterprises that purchase their Azure licenses from a partner based in Germany
  D. any user or enterprise that requires its data to reside in Germany
A

Correct Answer: D

Section: Describe identity, governance, privacy, and compliance features

Explanation:

Azure Germany is available to eligible customers and partners globally who intend to do business in the EU/EFTA, including the United Kingdom.

Azure Germany offers a separate instance of Microsoft Azure services from within German datacenters. The datacenters are in two locations, Frankfurt/Main and Magdeburg. This placement ensures that customer data remains in Germany and that the datacenters connect to each other through a private network. All customer data is exclusively stored in those datacenters. A designated German company, the German data trustee, controls access to customer data and the systems and infrastructure that hold customer data.

References:

https://docs.microsoft.com/en-us/azure/germany/germany-welcome?toc=%2fazure%2fgermany%2ftoc.json

https://docs.microsoft.com/en-us/azure/germany/germany-overview-data-trustee