az-104 dumps topic 11, 1- Flashcards
Case study -
…
Overview - General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment - Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an onpremises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage West US sharea Azure Active Directory Domain
(gen. purp. v1) Services (Azure AD DS)
storage2 StorageV2 East US shareb, Disabled
(gen. purp. v2) sharec
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure AD DS
Requirements - Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and congure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any VNetwork Allow
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 VNetwork Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy denitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP trac from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
You need to create container1 and share1.
Which storage accounts should you use for each resource?
container1: …
storage2 only
storage2 and storage3 only
storage1, storage2, and storage3 only
storage2, storage3, and storage4 only
storage1, storage2, storage3, and storage4
share1: …
storage2 only
storage4 only
storage2 and storage4 only
storage1, storage2, and storage4 only
storage1, storage2, storage3, and storage4
container1: storage2 and storage3 only
share1: storage2 only
Storage (general-purpose v1) doesn’t support tier.
Standard (general-purpose v2) supports tier for Blob service and for Azure file.
Premium BlockBlobStorage doesn’t support tier.
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
Legacy Standard BlobStorage supports tier.
https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#default-account-access-tier-setting
Premium FileStorage doesn’t support tier.
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
Container1 with tier: Can be created in storage2 (storagev2) and storage3. The question refers to BlobStorage (standard legacy one that supports tier) and not to BlockBlobStorage (Premium one that doesn’t support tier).
Share1 with tier: Can be created in storage2 (storagev2) only.
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers https://docs.microsoft.com/enus/azure/storage/common/storage-account-overview
Storage 1(general purpose v1) & 4 (Premium fileshare) does not support tiering.
Answer: Box 1: Container 1, Can be created in storage2 (storagev2) and storage3
Box 2: share1, Can be created in storage2 (storagev2) only
Case study -
…
Overview - General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment - Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an onpremises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage West US sharea Azure Active Directory Domain
(gen. purp. v1) Services (Azure AD DS)
storage2 StorageV2 East US shareb, Disabled
(gen. purp. v2) sharec
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure AD DS
Requirements - Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and congure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any VNetwork Allow
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 VNetwork Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy denitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP trac from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
You need to create storage5. The solution must support the planned changes.
Which type of storage account should you use, and which account should you configure as the destination storage account?
Account kind: …
BlobStorage
BlockBlobStorage
Storage (general purpose v1)
StorageV2 (general purpose v2)
Destination: …
Storage1
Storage2
Storage3
Storage4
Account kind: StorageV2 (general purpose v2)
Destination: Storage2
We want to use replication for blobs and only that storage type is available. The other one is in Premium, which should never apply to the exams.
Quoting from https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal:
“Before you configure object replication, create the source and destination storage accounts if they do not already exist. The source and destination accounts can be either general-purpose v2 storage accounts or premium block blob accounts (preview). “
Case study -
…
Overview - General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Environment - Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an onpremises Active Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage West US sharea Azure Active Directory Domain
(gen. purp. v1) Services (Azure AD DS)
storage2 StorageV2 East US shareb, Disabled
(gen. purp. v2) sharec
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure AD DS
Requirements - Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and congure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any VNetwork Allow
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 VNetwork Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow
Associate NSG2 to VNET1/Subnet2.
Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy denitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.
Question
You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements. Which storage account should you identify?
A. storage1
B. storage2
C. storage3
D. storage4
B. storage2
For at least two reasons, storage2 is the only candidate:
- Location: The storage account used must be in the same region as the NSG.
- Retention is available only if you use General Purpose v2 Storage accounts (GPv2).
Network Watcher ‘Flow Logs’ tool is used to log information about Azure IP traffic and stores the data in Azure storage. You can log IP traffic using either of the two following tools:
i. NSG Flow Logs (log information about IP traffic flowing through a network security group) or
ii. VNET Flow Logs (log information about IP traffic flowing through a virtual network)
It is to be noted that NSG flow logs have a retention feature that allows deleting the logs automatically up to a year after their creation. Retention is available only if you use general-purpose v2 storage accounts.
So, despite the fact that there is no mention of NSG for VM5, in order to make use of retention feature, NSG flow must be implemented which would need GPv2 storage account. Also, VNET Flow logs is currently in Preview and is not recommended for Production workloads.
Reference:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
