az-104 dumps topic 5, 1-150 Flashcards

1
Q

You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.
Tier | Accessible from the Internet | Number of virtual machines
Front-end web server | Yes | 10
Business logic | No | 100
Microsoft SQL Server database | No | 5
You need to recommend a networking solution to meet the following requirements:
✑ Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
✑ Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement?
Hot Area:
Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines:
Protect the web servers from SQL injection attacks:
- an application gateway that uses the Standard tier
- an application gateway that uses the WAF tier
- an internal load balancer
- a network security group (NSG)
- a public load balancer

A

Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines:
- an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.

Protect the web servers from SQL injection attacks:
- an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.

Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

2
Q

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.
What should you create?
A. three Azure Application Gateways and one On-premises data gateway
B. three virtual hubs and one virtual WAN
C. three virtual WANs and one virtual hub
D. three On-premises data gateways and one Azure Application Gateway

A

B. three virtual hubs and one virtual WAN

https://learn.microsoft.com/en-us/azure/virtual-wan/hub-settings
You can have more than one virtual hub in the region

3
Q

You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require?
Minimum number of network interfaces: 5, 10, 15, 20
Minimum number of network security groups: 1, 2, 5, 10

A

Minimum number of network interfaces: 5
A public and a private IP address can be assigned to a single network interface.

Minimum number of network security groups: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses

4
Q

You have an Azure subscription that contains the resources shown in the following table.
Name | Type
LB1 | Load balancer
VM1 | Virtual machine
VM2 | Virtual machine
LB1 is configured as shown in the following table.
Name | Type | Value
bepool1 | Backend pool | VM1, VM2
LoadBalancerFrontEnd | Frontend IP configuration | Public IP address
hprobe1 | Health probe | Protocol: TCP, Port: 80, Interval: 5 seconds, Unhealthy threshold: 2
rule1 | Load balancing rule | IP version: IPv4, Frontend IP address: LoadBalancerFrontEnd, Port: 80, Backend Port: 80, Backend pool: bepool1, Health probe: hprobe1
You plan to create new inbound NAT rules that meet the following requirements:
✑ Provide Remote Desktop access to VM1 from the internet by using port 3389.
✑ Provide Remote Desktop access to VM2 from the internet by using port 3389.
What should you create on LB1 before you can create the new inbound NAT rules?
A. a frontend IP address
B. a load balancing rule
C. a health probe
D. a backend pool

A

A. a frontend IP address

5
Q

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
Name | Private IP address | Public IP address | Virtual network name | DNS suffix configured in Windows Server
VM1 | 10.1.0.4 | 52.186.85.63 | VNET1 | Adatum.com
VM2 | 10.1.0.5 | 13.92.168.13 | VNET1 | Contoso.com
You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.
Which A records will be added to the adatum.com zone for each virtual machine?
Hot Area:
A records for VM1:
A records for VM2:
None
Private IP address only
Public IP address only
Private IP address and public IP address

A

A records for VM1:
A records for VM2: Private IP address only

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Both VM1 and VM2 are in VNET1, and VNET1 is linked to the adatum.com private DNS zone (Private DNS Zone -> Settings -> Virtual network links).

Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

6
Q

You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do?
Resource to create:
An Azure Event Grid
An Azure Log Analytics workspace
An Azure Storage account
Resource on which to enable diagnostics:
ILB1
NSG1
The Azure virtual machines

A

Resource to create: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions.

Resource on which to enable diagnostics: ILB1
Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/loadbalancer/load-balancer-standard-diagnostics

7
Q

You have the Azure virtual networks shown in the following table.
Name Address space Subnet Resource group Azure region
VNet1 10.11.0.0/16 10.11.0.0/17 West US
VNet2 10.11.0.0/17 10.11.0.0/25 West US
VNet3 10.10.0.0/22 10.10.1.0/24 East US
VNet4 192.168.16.0/22 192.168.16.0/24 North Europe
To which virtual networks can you establish a peering connection from VNet1?
A. VNet2 and VNet3 only
B. VNet2 only
C. VNet3 and VNet4 only
D. VNet2, VNet3, and VNet4

A

C. VNet3 and VNet4 only

VNet1 10.11.0.0/16 = 10.11.0.1 - 10.11.255.255 (overlap VNet2)
VNet2 10.11.0.0/17 = 10.11.0.1 - 10.11.127.254 (overlap VNet1)
VNet3 10.10.0.0/22 = 10.10.0.1 - 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 - 192.168.19.254 (no overlap)

Possible peerings are:
VNet1 -> Vnet3
VNet1 -> Vnet4

If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can’t be connected.

8
Q

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
✑ The NVAs must run in an active-active configuration that uses automatic failover.
✑ The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform?
A. Deploy a basic load balancer
B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
E. Add a frontend IP configuration, a backend pool, and a health probe
F. Add a frontend IP configuration, two backend pools, and a health probe

A

B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
F. Add a frontend IP configuration, two backend pools, and a health probe

B - HA Ports are not supported by a basic load balancer.
C - You need Floating IP for the active-active configuration so that failover happens quickly.
F - You need two backend pools for the two different services.

A standard load balancer is required for the HA ports.
Two backend pools are needed as there are two services with different IP addresses.
Floating IP rule is used where backend ports are reused.
Incorrect Answers:
E: HA Ports are not available for the basic load balancer.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
https://docs.microsoft.com/en-us/azure/loadbalancer/load-balancer-multivip-overview

9
Q

You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the following table.
Name | Virtual network | DNS suffix configured in Windows Server
VM1 | VNET2 | Contoso.com
VM2 | VNET2 | None
VM3 | VNET2 | Adatum.com
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
You create a virtual network link for contoso.com as shown in the following exhibit.
link1: contoso.com
Link name: link1
Link state: Completed
Provisioning state: Succeeded
Virtual network: VNET2
Configuration: [+] Enable auto registration
Yes/No
When VM1 starts, a record for VM1 is added to the contoso.com DNS zone.
When VM2 starts, a record for VM2 is added to the contoso.com DNS zone.
When VM3 starts, a record for VM3 is added to the adatum.com DNS zone.

A

When VM1 starts, a record for VM1 is added to the contoso.com DNS zone. - Yes
Auto registration is enabled for the private Azure DNS zone named contoso.com.

When VM2 starts, a record for VM2 is added to the contoso.com DNS zone. - Yes
Auto registration is enabled for the private Azure DNS zone named contoso.com.

When VM3 starts, a record for VM3 is added to the adatum.com DNS zone. - No
None of the VMs will auto-register to the public Azure DNS zone named adatum.com.

All three VMs are in VNET2. Auto registration is enabled for the private Azure DNS zone named contoso.com, which is linked to VNET2. So VM1, VM2, and VM3 will auto-register their host records to contoso.com.
None of the VMs will auto-register to the public Azure DNS zone named adatum.com. You cannot register private IP addresses in a public (internet-facing) zone such as adatum.com.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

10
Q

You have an Azure subscription that contains the resources in the following table.
Name | Type | Azure region | Resource group
VNet1 | Virtual network | West US | RG2
VNet2 | Virtual network | West US | RG1
VNet3 | Virtual network | East US | RG1
NSG1 | Network security group (NSG) | East US | RG2
To which subnets can you apply NSG1?
A. the subnets on VNet1 only
B. the subnets on VNet2 and VNet3 only
C. the subnets on VNet2 only
D. the subnets on VNet3 only
E. the subnets on VNet1, VNet2, and VNet3

A

D. the subnets on VNet3 only

All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm

11
Q

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table.
Virtual network | Address space | Subnet | Peering
VNet1 | 10.1.0.0/16 | 10.1.0.0/24, 10.1.1.0/26 | VNet2
VNet2 | 10.2.0.0/16 | 10.2.0.0/24 | VNet1
You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.
Which three actions should you perform in sequence?
Select and Place Actions:
Remove VNet1.
Add the 10.33.0.0/16 address space to VNet1.
Create a new virtual network named VNet1.
On the peering connection in VNet2, allow gateway transit.
Recreate peering between VNet1 and VNet2.
On the peering connection in VNet1, allow gateway transit.
Remove peering between VNet1 and VNet2.

A

Remove peering between VNet1 and VNet2.
Add the 10.33.0.0/16 address space to VNet1.
Recreate peering between VNet1 and VNet2.

You can’t add address ranges to, or delete address ranges from a virtual network’s address space once a virtual network is peered with another virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

12
Q

You have an Azure subscription that contains the resource groups shown in the following table.
Name | Location
RG1 | West US
RG2 | East US
RG1 contains the resources shown in the following table.
Name | Type | Location
storage1 | Storage account | West US
VNet1 | Virtual network | West US
NIC1 | Network interface | West US
Disk1 | Disk | West US
VM1 | Virtual machine | West US
VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.
RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine.
Yes/No Statements
You can move storage1 to RG2.
You can move NIC1 to RG2.
If you move IP2 to RG1, the location of IP2 will change.

A

You can move storage1 to RG2. - Yes
You can move NIC1 to RG2. - Yes
If you move IP2 to RG1, the location of IP2 will change. - No

  1. You can move the storage account to RG2; however, it stays in the West US region. You cannot change the region; you would need to recreate the storage account.
  2. You can move NIC1 to RG2, even though it is associated with VM1 and subnet1 of VNET1; however, it stays in the West US region. You can move a NIC to a different resource group or subscription by selecting (change) next to the resource group or subscription name. If you move the NIC to a new subscription, you must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example, you must also move the virtual machine and other virtual machine-related resources.
  3. You can move IP2 to RG1, as it isn't associated with any other resource; however, it stays in the East US region. The location will not change.
13
Q

You have an Azure web app named webapp1.
You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?
A. Deploy an internal load balancer
B. Peer VNET1 to another virtual network
C. Connect webapp1 to VNET1
D. Deploy an Azure Application Gateway

A

C. Connect webapp1 to VNET1

14
Q

You create an Azure VM named VM1 that runs Windows Server 2019.
VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
Buttons: Connect (enabled), Start (enabled), Restart (disabled), Stop (disabled)
Status: Stopped (deallocated)
You need to enable Desired State Configuration for VM1.
What should you do first?
A. Connect to VM1.
B. Start VM1.
C. Capture a snapshot of VM1.
D. Configure a DNS name for VM1.

A

B. Start VM1.

Status is Stopped (Deallocated).
The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure. The VM needs to be started.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

15
Q

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?
A. Floating IP (direct server return) to Disabled
B. Session persistence to None
C. Floating IP (direct server return) to Enabled
D. Session persistence to Client IP
E. Protocol to UDP
F. a health probe
G. Idle Time-out (minutes) to 20

A

D. Session persistence to Client IP
(or Session persistence to Client IP and protocol)

With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP or to Client IP and protocol. Note:
✑ Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.
✑ Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

16
Q

Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections.
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
Does this meet the goal?
A. Yes
B. No

A

A. Yes

NSG-Subnet1 is correctly modified to allow TCP 3389, and NSG-VM1 is removed.
If you have no NSG (network security group) attached to your VM's network interface (NIC) or subnet, then NSG rules will not block RDP traffic.
- "Another solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol."

17
Q

Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections.
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol.
Does this meet the goal?
A. Yes
B. No

A

B. No

The default port for RDP is TCP port 3389, so a UDP rule does not allow the connection.
- "Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1."
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

18
Q

Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections.
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?
A. Yes
B. No

A

A. Yes

Both rules on NSG-VM1 allow the traffic, and the priority 101 rule allows RDP.
- "Another solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1."
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

19
Q

You have a virtual network named VNet1 that has the configuration shown in the following exhibit.
addressSpace: "addressPrefixes": [ "10.2.0.0/16" ]
subnets: "addressPrefixes": [ "10.2.0.0/24" ]
Drop-downs:
Before a virtual machine on VNet1 can receive an IP address from 192.168.1.0/24, you must first:
Before a virtual machine on VNet1 can receive an IP address from 10.2.1.0/24, you must first:
- add a network interface
- add a subnet
- add an address space
- delete a subnet
- delete an address space

A

Before a virtual machine on VNet1 can receive an IP address from 192.168.1.0/24, you must first: - add an address space

Before a virtual machine on VNet1 can receive an IP address from 10.2.1.0/24, you must first: - add a subnet

Box 1: add an address space
Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.

Box 2: add a subnet
The 10.2.0.0/24 subnet exists, but the 10.2.1.0/24 subnet doesn't (the first 24 bits are the subnet prefix).
Reference:
https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas

20
Q

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.
Name | Connected VM
Subnet1 | VM1, VM2
Subnet2 | VM3, VM4
Subnet3 | VM5, VM6
Each virtual machine uses a static IP address.
You need to create network security groups (NSGs) to meet following requirements:
✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?
A. 1
B. 3
C. 4
D. 12

A

A. 1
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many subnets and NICs as you choose.

So, you can create 1 NSG and associate it with all 3 subnets:
- Allow web requests from the internet to VM3, VM4, VM5, and VM6: You need to add an inbound rule to allow Internet TCP 80 to the static IP addresses of VM3, VM4, VM5, and VM6.
- Allow all connections between VM1 and VM2: You do not need an NSG rule, as communication within the same VNet is allowed by default, without even configuring an NSG.
- Allow Remote Desktop to VM1: You need to add an inbound rule to allow RDP 3389 to VM1's static IP address.
- Prevent all other network traffic to VNET1: You do not need to configure anything, as there is an explicit deny rule (DenyAllInbound) in every NSG.

21
Q

You have an Azure subscription that contains the resources shown in the following table.
Name | Type | Resource group
VNET1 | Virtual network | RG1
VM1 | Virtual machine | RG1
The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1. What should you do first?
A. Remove Microsoft.Compute/virtualMachines from the policy.
B. Create an Azure Resource Manager template
C. Add a subnet to VNET1.
D. Remove Microsoft.Network/virtualNetworks from the policy.

A

A. Remove Microsoft.Compute/virtualMachines from the policy.

The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block. Virtual Networks and Virtual Machines are prohibited.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

22
Q

Your company has an Azure subscription named Subscription1.
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
✑ The DNS Manager console
✑ Azure PowerShell
✑ Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.
What should you use?
A. Azure CLI
B. Azure PowerShell
C. the Azure portal
D. the DNS Manager console

A

A - Azure CLI.
https://docs.microsoft.com/en-us/azure/dns/dns-import-export
- Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal.

PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.

23
Q

You have a public load balancer that balances ports 80 and 443 across three virtual machines named VM1, VM2, and VM3.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?
A. an inbound NAT rule
B. a new public load balancer for VM3
C. a frontend IP configuration
D. a load balancing rule
(next 25)

A

A. an inbound NAT rule

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
https://pixelrobots.co.uk/2017/08/azureload-balancer-for-rds/

24
Q

You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24. You need to create a site-to-site VPN to Azure.
Which four actions should you perform in sequence?
Create a local gateway.
Create a VPN gateway.
Create a gateway subnet.
Create a custom DNS server.
Create a VPN connection.
Create an Azure Content Delivery Network (CDN) profile.
(next 28)

A

Create a gateway subnet.
Create a VPN gateway.
Create a local gateway.
Create a VPN connection.

Always work from the Azure side first, it’s a dependency.

25
Q

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
A. Move VM1 to Subscription2.
B. Move VNet1 to Subscription2.
C. Modify the IP address space of VNet2.
D. Provision virtual network gateways
(next 30)

A

D. Provision virtual network gateways

There is no overlap between the VNets:
VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255
Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be connected.
You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active Directory tenant.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
26
Note: This question is part of a series of questions that present the same scenario. You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate. From Azure, you download and install the VPN client configuration package on a computer named Computer2. You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2. Solution: You modify the Azure Active Directory (Azure AD) authentication policies. Does this meet the goal? A. Yes B. No
B. No
Correct solution: You export the client certificate from Computer1 and install the certificate on Computer2.
Each client computer that connects to a VNet using point-to-site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
27
Note: This question is part of a series of questions that present the same scenario.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You join Computer2 to Azure Active Directory (Azure AD).
Does this meet the goal?
A. Yes
B. No
B. No
Correct solution: You export the client certificate from Computer1 and install the certificate on Computer2.
Each client computer that connects to a VNet using point-to-site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
28
Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
A. Yes
B. No
(next 36)
B. No
29
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address. The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?
A. Modify the address space of the local network gateway
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
C. Remove the public IP addresses from the virtual machines
D. Modify the address space of Subnet1
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
30
You have an Azure subscription that contains the resources in the following table.
Name Type
ASG1 Application security group
NSG1 Network security group (NSG)
Subnet1 Subnet
VNet1 Virtual network
NIC1 Network interface
VM1 Virtual machine
Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.
You need to apply ASG1 to VM1.
What should you do?
A. Associate NIC1 to ASG1
B. Modify the properties of ASG1
C. Modify the properties of NSG1
A. Associate NIC1 to ASG1
An application security group can be associated with NICs.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups
31
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform?
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
D. Create a gateway subnet
E. Create a VPN gateway that uses the Basic SKU
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
For a site-to-site VPN, you need:
- a local gateway
- a gateway subnet
- a VPN gateway
- a connection to connect the local gateway and the VPN gateway
However, the question states that VNet1 connects to your on-premises network by using Azure ExpressRoute. For an ExpressRoute connection, VNet1 must already be configured with a gateway subnet, so we don't need another one.
Note: The Basic SKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN gateway.
32
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform?
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
D. Create a gateway subnet
E. Create a VPN gateway that uses the Basic SKU
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
For a site-to-site VPN, you need:
- a local gateway
- a gateway subnet
- a VPN gateway
- a connection to connect the local gateway and the VPN gateway
However, the question states that VNet1 connects to your on-premises network by using Azure ExpressRoute. For an ExpressRoute connection, VNet1 must already be configured with a gateway subnet, so we don't need another one.
Note: The Basic SKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN gateway.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
https://azure.microsoft.com/es-es/pricing/details/vpn-gateway
33
You have peering configured as shown in the following exhibit.
vnet6 - Peerings
peering1: Disconnected, peer vnet1, gateway transit enabled
peering2: Disconnected, peer vnet2, gateway transit disabled
Dropdowns:
Hosts on vNET6 can communicate with hosts on [answer choice]:
- VNET6 only
- VNET6 and VNET1 only
- vNET6, vNET1, and vNET2 only
- all the virtual networks in the subscription
To change the status of the peering connection to vNET1 to Connected, you must first [answer choice]:
- add a service endpoint
- add a subnet
- delete peering1
- modify the address space
Hosts on vNET6 can communicate with hosts on:
- vNET6 only
The peering status to both VNet1 and VNet2 is Disconnected, so communication is possible only inside vNET6.
To change the status of the peering connection to vNET1 to Connected, you must first:
- delete peering1
Peering to vNET1 is enabled but disconnected. We need to delete the peering from both virtual networks, and then re-create it.
You can't add address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
34
You have an Azure subscription that contains the resources in the following table.
Name Type
VM1 Virtual machine
VM2 Virtual machine
LB1 Load balancer (Basic SKU)
You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1.
LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)
SKU: Basic
Health probe: Probe1
Load balancing rule: Rule1
Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)
Name: Rule1
IP version: IPv4
Frontend IP address: 104.40.178.194 (LoadBalanceFrontEnd)
Protocol: TCP
Port: 80
Backend port: 80
Backend pool: 2 VMs
Health probe: Probe1 (HTTP:80/prob1.htm)
Session persistence: None
Idle timeout: 4 minutes
Floating IP: Disabled
Yes/No statements:
VM1 is in the same availability set as VM2.
If Probe1.htm is present on VM1 and VM2, LB1 will balance TCP port 80 between VM1 and VM2.
If you delete Rule1, LB1 will balance all the requests between VM1 and VM2 for all the ports.
VM1 is in the same availability set as VM2. - Yes
If Probe1.htm is present on VM1 and VM2, LB1 will balance TCP port 80 between VM1 and VM2. - Yes
If you delete Rule1, LB1 will balance all the requests between VM1 and VM2 for all the ports. - No
1. A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.
2. When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend endpoint status. The configuration of the health probe and probe responses determines which backend pool instances will receive new flows. You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted; only inbound connectivity is impacted.
3. There will be no load balancing between the VMs.
Basic Load Balancer: virtual machines in a single availability set or virtual machine scale set.
Standard Load Balancer: any virtual machines or virtual machine scale sets in a single virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
35
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1.
You need to configure slb1 to allow connectivity to VM1.
Which changes should you apply to VM1 as you configure slb1?
Before you create a backend pool on slb1, you must:
- Create and assign an NSG to VM1
- Remove the public IP address from VM1
- Change the private IP address of VM1 to static
Before you can connect to VM1 from slb1, you must:
- Create and configure an NSG
- Remove the public IP address from VM1
- Change the private IP address of VM1 to static
Before you create a backend pool on slb1, you must:
- Remove the public IP address from VM1
The reason is that when you create a load balancer and add a VM to the backend pool, you must make sure the VM doesn't have a public IP assigned to it.
Before you can connect to VM1 from slb1, you must:
- Create and configure an NSG
The key thing to notice in the question is "Standard LB". A backend pool VM behind a Standard load balancer must have an NSG associated to it, configured to allow the required port.
1. Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public load balancers are used to load balance Internet traffic to your VMs. The load balancer and the public IP address SKU must match when you use them with public IP addresses. Only Basic SKU IPs work with the Basic SKU load balancer, and only Standard SKU IPs work with Standard SKU load balancers.
2. NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource.
Note: You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Also, when adding them to a backend pool, it doesn't matter what status the VMs are in.
Reference:
https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-addresses
https://stackoverflow.com/questions/52882024/cannot-add-vm-to-standard-azure-load-balancer
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
36
You have an Azure subscription that contains the resources shown in the following table.
Name Type Location
VNET1 Virtual network East US
IP1 Public IP address West Europe
RT1 Route table North Europe
You need to create a network interface named NIC1.
In which location can you create NIC1?
A. East US and North Europe only
B. East US only
C. East US, West Europe, and North Europe
D. East US and West Europe only
B. East US only
Before creating a network interface, you must have an existing virtual network in the same location and subscription in which you create the network interface. If you try to create a NIC in a location that does not have any VNets, you will get the following error: "The currently selected subscription and location lack any existing virtual networks. Create a virtual network first."
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
37
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
Name Virtual network name DNS suffix configured in Windows Server
VM1 VNET1 Contoso.com
VM2 VNET2 Contoso.com
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com. For contoso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)
contoso.com
Link name: link1
Link state: Completed
Provisioning state: Succeeded
Virtual network: VNET1
Configuration: [ ] Enable auto registration
You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?
A. Update the DNS suffix on VM1 to be adatum.com
B. Configure the name servers for adatum.com at the domain registrar
C. Create an SRV record in the contoso.com zone
D. Modify the Access control (IAM) settings for link1
B. Configure the name servers for adatum.com at the domain registrar
Adatum.com is a public DNS zone. The Internet top-level domain DNS servers need to know which DNS servers to direct DNS queries for adatum.com to. You configure this by configuring the name servers for adatum.com at the domain registrar.
38
You plan to use Azure Network Watcher to perform the following tasks:
✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task?
Task1:
- IP flow verify
- Next hop
- Packet capture
- Security group view
- Traffic Analytics
Task2:
- Connection troubleshoot
- IP flow verify
- Next hop
- NSG flow logs
- Traffic Analytics
Task1:
- IP flow verify
At some point, a VM may become unable to communicate with other resources because of a security rule. The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.
Task2:
- Connection troubleshoot
Diagnose outbound connections from a VM: the connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to that returned by the connection monitor capability, but tests the connection at a point in time rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using connection troubleshoot.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
39
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
Name Operating system Subnet Virtual network
VM1 Windows Server 2019 Subnet1 VNET1
VM2 Windows Server 2019 Subnet2 VNET1
VM3 Red Hat Enterprise Linux 7.7 Subnet3 VNET1
You configure the network interfaces of the virtual machines to use the settings shown in the following table.
Name DNS server
VM1 None
VM2 192.168.10.15
VM3 192.168.10.15
From the settings of VNET1, you configure the DNS servers shown in the following exhibit.
DNS servers:
[ ] Default (Azure-provided)
[+] Custom: 193.77.134.10
The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP address of 193.77.134.10.
Yes/No statements:
VM1 connects to 193.77.134.10 for DNS queries.
VM2 connects to 193.77.134.10 for DNS queries.
VM3 connects to 192.168.10.15 for DNS queries.
VM1 connects to 193.77.134.10 for DNS queries. - Yes
VM1 uses the VNet-configured DNS server 193.77.134.10. You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet. The DNS is set at the VNet level.
VM2 connects to 193.77.134.10 for DNS queries. - No
VM2 uses the NIC-configured DNS server 192.168.10.15. You can set DNS servers per VM or cloud service to override the default network settings. This VM has 192.168.10.15 set as its DNS server, so it overrides the default DNS set on VNET1.
VM3 connects to 192.168.10.15 for DNS queries. - Yes
VM3 uses the NIC-configured DNS server 192.168.10.15. You can set DNS servers per VM or cloud service to override the default network settings. This VM has 192.168.10.15 set as its DNS server, so it overrides the default DNS set on VNET1.
NIC-configured DNS servers take precedence over VNet-configured DNS servers.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#name-resolution-dns
40
You have an Azure subscription that contains the resource groups shown in the following table.
Name Lock name Lock type
RG1 None None
RG2 Lock Delete
RG1 contains the resources shown in the following table.
Name Type Lock name Lock type
storage2 Storage account Lock1 Delete
VNET2 Virtual network Lock2 Read-only
IP2 Public IP address None None
You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1.
Which resources should you identify?
Hot Area:
Resources that you can move from RG1 to RG2:
- None
- IP1 only
- IP1 and storage1 only
- IP1 and VNET1 only
- IP1, VNET2, and storage1
Resources that you can move from RG2 to RG1:
- None
- IP2 only
- IP2 and storage2 only
- IP2 and VNET2 only
- IP2, VNET2, and storage2
Resources that you can move from RG1 to RG2:
- IP1, VNET2, and storage1
Resources that you can move from RG2 to RG1:
- IP2, VNET2, and storage2
Locks are designed to prevent updates or removal. In this case we only want to move the resources; we are not deleting them, and we are not changing anything in the resources.
A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group. But note that a resource with a read-only lock can be moved to another resource group.
Reference:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#considerations-before-applying-your-locks
41
Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains the virtual machines shown in the following table.
Name Public IP SKU Connected to Status
VM1 None VNET1/Subnet1 Stopped (deallocated)
VM2 Basic VNET1/Subnet2 Running
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
Does this meet the goal?
A. Yes
B. No
B. No
It's not valid, because:
LB1: Standard SKU
VM1: Basic SKU public IP
VM2: Basic SKU public IP
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a Standard SKU public IP or no public IP. The LB needs to be a Standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs, but if they do have them, they have to be Standard SKU. VMs can only be from a single network. When they don't have a public IP, they are assigned an ephemeral IP. Also, when adding them to a backend pool, it doesn't matter what status the VMs are in.
Note: The load balancer and the public IP address SKU must match when you use them with public IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
42
Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains the virtual machines shown in the following table.
Name Public IP SKU Connected to Status
VM1 None VNET1/Subnet1 Stopped (deallocated)
VM2 Basic VNET1/Subnet2 Running
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
Does this meet the goal?
A. Yes
B. No
B. No
It's not valid, because:
LB1: Standard SKU
VM1: Standard SKU public IP
VM2: Basic SKU public IP
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a Standard SKU public IP or no public IP. The LB needs to be a Standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs, but if they do have them, they have to be Standard SKU. VMs can only be from a single network. When they don't have a public IP, they are assigned an ephemeral IP. Also, when adding them to a backend pool, it doesn't matter what status the VMs are in.
Note: The load balancer and the public IP address SKU must match when you use them with public IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
43
Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains the virtual machines shown in the following table.
Name Public IP SKU Connected to Status
VM1 None VNET1/Subnet1 Stopped (deallocated)
VM2 Basic VNET1/Subnet2 Running
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine.
Does this meet the goal?
A. Yes
B. No
A. Yes
It's valid, because:
LB1: Standard SKU
VM1: Standard SKU public IP
VM2: Standard SKU public IP
44
Note: This question is part of a series of questions that present the same scenario.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
Does this meet the goal?
A. Yes
B. No
A. Yes
Each client computer that connects to a VNet using point-to-site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
45
You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
Inbound port rules:
PRIORITY NAME PORT PROTOCOL SOURCE DESTINATION ACTION
300 RDP 3389 TCP Any Any Allow
400 Rule1 80 TCP Any Any Deny
500 Rule2 80,443 TCP Any Any Deny
1000 Rule4 50-100,400-500 UDP Any Any Allow
2000 Rule5 50-5000 Any Any VirtualNetwork Deny
3000 Rule6 150-300 Any Any Any Allow
4000 Rule3 60-500 Any Any VirtualNetwork Allow
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.
You need to ensure that users can connect to the website from the Internet.
What should you do?
A. Modify the protocol of Rule4
B. Delete Rule1
C. For Rule5, change the Action to Allow and change the priority to 401
D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.
C. For Rule5, change the Action to Allow and change the priority to 401
HTTPS uses port 443. Rule2, with priority 500, denies HTTPS traffic. Rule5, with its priority changed from 2000 to 401, would allow HTTPS traffic.
Note: There are several versions of this question in the exam. The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
46
Note: This question is part of a series of questions that present the same scenario.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?
A. Yes
B. No
B. No
You should use a policy definition. A resource policy definition, used by Azure Policy, enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
The same question appears with four different solutions:
1) Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider. - No
2) Solution: You assign a built-in policy definition to the subscription. - No
3) Solution: You create a resource lock, and then you assign the lock to the subscription. - No
4) Solution: You configure a custom policy definition, and then you assign the policy to the subscription. - Yes
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
47
You manage two Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has the following virtual networks:
Name Address space Location
VNET1 10.10.10.0/24 West Europe
VNET2 172.16.0.0/16 West US
The virtual networks contain the following subnets:
Name Address space In virtual network
Subnet11 10.10.10.0/24 VNET1
Subnet21 172.16.0.0/18 VNET2
Subnet22 172.16.128.0/18 VNET2
Subscription2 contains the following virtual network:
✑ Name: VNETA
✑ Address space: 10.10.128.0/17
✑ Location: Canada Central
VNETA contains the following subnets:
Name Address space
SubnetA1 10.10.130.0/24
SubnetA2 10.10.131.0/24
Yes/No statements:
A Site-to-Site connection can be established between VNET1 and VNET2.
VNET1 and VNET2 can be peered.
VNET1 and VNETA can be peered.
A Site-to-Site connection can be established between VNET1 and VNET2. - No
VNET1 and VNET2 can be peered. - Yes
VNET1 and VNETA can be peered. - Yes
VNET1: 10.10.10.0 - 10.10.10.255
VNET2: 172.16.0.0 - 172.16.255.255
VNETA: 10.10.128.0 - 10.10.255.255
Box 1: No
To create a VNet-to-VNet VPN you need to have a special gateway subnet. Here, VNET1 has no sufficient address space left to create a gateway subnet, and thus cannot establish a VNet-to-VNet VPN connection.
Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.
Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
48
Note: This question is part of a series of questions that present the same scenario.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
[Attach network interface] (enabled) [Detach network interface] (disabled)
Inbound rules:
PRIORITY NAME PORT PROTOCOL SOURCE DESTINATION ACTION
100 Allow_131.107.100.50 443 TCP 131.107.100.50 VirtualNetwork Allow
200 BlockAllOther443 443 Any Any Any Deny
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
Does this meet the goal?
A. Yes
B. No
B. No
(Correct solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.)
You want to establish a successful connection from 131.107.100.50 over TCP port 443, and the solution suggests creating a deny inbound rule with low priority. It doesn't make any sense.
Virtual machines in load-balanced pools: the source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.
AllowAzureLoadBalancerInBound: the AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16, where the Azure health probe originates. Actual traffic does not travel through here, and if you don't use Azure Load Balancing, this rule can be overridden.
The Load Balancer backend pool VMs may not be responding to the probes for any of the following reasons:
- The Load Balancer backend pool VM is unhealthy.
- The Load Balancer backend pool VM is not listening on the probe port.
- A firewall or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.
Note: Check whether a Deny All network security group rule on the NIC of the VM or on the subnet has a higher priority than the default rule that allows LB probes and traffic (network security groups must allow the Load Balancer IP 168.63.129.16).
The "Attach network interface" button is enabled. That means the VM is stopped (deallocated).
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
49
Note: This question is part of a series of questions that present the same scenario. You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer. The effective network security configurations for VM2 are shown in the following exhibit.
Buttons: Attach network interface (enabled), Detach network interface (disabled)
Inbound rules:
PRIORITY NAME PORT PROTOCOL SOURCE DESTINATION ACTION
100 Allow_131.107.100.50 443 TCP 131.107.100.50 VirtualNetwork Allow
200 BlockAllOther443 443 Any Any Any Deny
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You delete the BlockAllOther443 inbound security rule.
Does this meet the goal?
A. Yes
B. No
B. No (correct solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150)
The Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther443 (200), and it allows inbound traffic over TCP 443 from source 131.107.100.50. App1 (VM1 and VM2) is in a VNet, so this rule applies. Unfortunately, we still cannot access App1, so the issue is somewhere else; maybe the VMs are off, or the firewall is blocking it.
Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.
AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16, where the Azure health probe originates. Actual traffic does not travel through here, and if you don't use Azure Load Balancing, this rule can be overridden.
The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- A firewall or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.
Note: Check whether a Deny All network security group rule on the NIC of the VM or on the subnet has a higher priority than the default rule that allows LB probes and traffic (network security groups must allow the Load Balancer IP of 168.63.129.16).
The "Attach network interface" button is enabled! That means the VM is stopped and deallocated!
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
50
Note: This question is part of a series of questions that present the same scenario. You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer. The effective network security configurations for VM2 are shown in the following exhibit.
Buttons: Attach network interface (enabled), Detach network interface (disabled)
Inbound rules:
PRIORITY NAME PORT PROTOCOL SOURCE DESTINATION ACTION
100 Allow_131.107.100.50 443 TCP 131.107.100.50 VirtualNetwork Allow
200 BlockAllOther443 443 Any Any Any Deny
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Does this meet the goal?
A. Yes
B. No
B. No (correct solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150)
The Allow_131.107.100.50 rule already has a higher priority (100). The issue is not related to the priority of the rule.
Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.
AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16, where the Azure health probe originates. Actual traffic does not travel through here, and if you don't use Azure Load Balancing, this rule can be overridden.
The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- A firewall or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.
Note: Check whether a Deny All network security group rule on the NIC of the VM or on the subnet has a higher priority than the default rule that allows LB probes and traffic (network security groups must allow the Load Balancer IP of 168.63.129.16).
The "Attach network interface" button is enabled! That means the VM is stopped and deallocated!
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
51
Note: This question is part of a series of questions that present the same scenario. You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. Solution: You assign a built-in policy definition to the subscription. Does this meet the goal?
B. No
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources. You should use a custom policy definition.
The same question appears with four different solutions:
1) Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider. - No
2) Solution: You assign a built-in policy definition to the subscription. - No
3) Solution: You create a resource lock, and then you assign the lock to the subscription. - No
4) Solution: You configure a custom policy definition, and then you assign the policy to the subscription. - Yes
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
52
You have an Azure subscription. You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod. For the AKS cluster, you need to choose a network type that will support App1. What should you choose? A. kubenet B. Azure Container Networking Interface (CNI) C. Hybrid Connection endpoints D. Azure Private Link
B. Azure Container Networking Interface (CNI)
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space.
Incorrect Answers:
A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
C, D: AKS only supports kubenet networking and Azure Container Networking Interface (CNI) networking.
Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-network
53
Note: This question is part of a series of questions that present the same scenario. You have an Azure subscription that contains the virtual machines shown in the following table.
Name Public IP SKU Connected to Status
VM1 None VNET1/Subnet1 Stopped (deallocated)
VM2 Basic VNET1/Subnet2 Running
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You disassociate the public IP address from the network interface of VM2.
Does this meet the goal?
A. Yes
B. No
B. No
It's not valid, because:
LB1: Standard SKU
VM1: Basic SKU public IP
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a Standard SKU public IP or no public IP. The LB needs to be a Standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs, but if they do have them, they have to be Standard SKU. VMs can only be from a single virtual network. When they don't have a public IP, they are assigned an ephemeral IP. Also, when adding them to a backend pool, it doesn't matter what status the VMs are in.
Note: The load balancer and the public IP address SKU must match when you use them with public IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
54
Note: This question is part of a series of questions that present the same scenario. You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal?
B. Yes
You should use a custom policy definition. Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
The same question appears with four different solutions:
1) Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider. - No
2) Solution: You assign a built-in policy definition to the subscription. - No
3) Solution: You create a resource lock, and then you assign the lock to the subscription. - No
4) Solution: You configure a custom policy definition, and then you assign the policy to the subscription. - Yes
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
55
You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2. VM1 hosts a frontend application that connects to VM2 to retrieve data. Users report that the frontend application is slower than usual. You need to view the average round-trip time (RTT) of the packets from VM1 to VM2. Which Azure Network Watcher feature should you use? A. IP flow verify B. Connection troubleshoot C. Connection monitor D. NSG flow logs
C. Connection monitor
Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every 60 seconds, so you can monitor latency over time. The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.
Incorrect Answers:
A: The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.
B: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time, as connection monitor does.
D: The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
56
You have an Azure subscription that contains the public load balancers shown in the following table.
Name SKU
LB1 Basic
LB2 Standard
You plan to create six virtual machines and to load balance requests to the virtual machines. Each load balancer will load balance three virtual machines. You need to create the virtual machines for the planned solution. How should you create the virtual machines?
The virtual machines that will be load balanced by using LB1 must:
The virtual machines that will be load balanced by using LB2 must:
- be connected to the same virtual network
- be created in the same resource group
- be created in the same availability set or virtual machine scale set
- run the same operating system
The virtual machines that will be load balanced by using LB1 must:
- be created in the same availability set or virtual machine scale set
The virtual machines that will be load balanced by using LB2 must:
- be connected to the same virtual network
1: The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine.
2: The Standard tier can span any virtual machine in a single virtual network, including blends of scale sets, availability sets, and machines.
Reference:
https://www.petri.com/comparing-basic-standard-azure-load-balancers
57
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet. You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes. What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure?
public IP addresses:
virtual network gateways:
local network gateways:
Options for each: 1, 2, 3, 4
public IP addresses: 4
virtual network gateways: 2
local network gateways: 2
1: Two public IP addresses in the on-premises data center, and two public IP addresses in the VNet. The most reliable option is to combine the active-active gateways on both your network and Azure.
2: Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
3: Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
58
You have an Azure subscription that contains two virtual machines as shown in the following table.
Name Operating system Location IP address DNS server
VM1 Windows Server 2019 West Europe 10.0.0.4 Default (Azure-provided)
VM2 Windows Server 2019 West Europe 10.0.0.5 Default (Azure-provided)
You perform a reverse DNS lookup for 10.0.0.4 from VM2. Which FQDN will be returned?
A. vm1.core.windows.net
B. vm1.azure.com
C. vm1.westeurope.cloudapp.azure.com
D. vm1.internal.cloudapp.net
D. vm1.internal.cloudapp.net When performing a reverse DNS lookup in Azure for a private IP address assigned to a virtual machine, the Fully Qualified Domain Name (FQDN) follows the format *.internal.cloudapp.net. This naming convention is used for private IP addresses within a virtual network in Azure. Thus, the FQDN returned for VM1 with the IP address 10.0.0.4 would be vm1.internal.cloudapp.net.
59
Note: This question is part of a series of questions that present the same scenario. You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer. The effective network security configurations for VM2 are shown in the following exhibit.
Buttons: Attach network interface (enabled), Detach network interface (disabled)
Inbound rules:
PRIORITY NAME PORT PROTOCOL SOURCE DESTINATION ACTION
100 Allow_131.107.100.50 443 TCP 131.107.100.50 VirtualNetwork Allow
200 BlockAllOther443 443 Any Any Any Deny
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Does this meet the goal?
A. Yes
B. No
B. No
The solution says "cost"; the correct term is "priority".
60
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1. Which two actions should you perform? A. Add a service endpoint to VNet1 B. Reset GW1 C. Create a route-based virtual network gateway D. Add a connection to GW1 E. Delete GW1 F. Add a public IP address space to VNet1
C. Create a route-based virtual network gateway
E. Delete GW1
Azure does not support point-to-site connections with policy-based gateways; it supports point-to-site connections ONLY with a route-based virtual network gateway. Since GW1 is policy-based, we first need to delete GW1 and then create a route-based virtual network gateway.
C: A VPN gateway is used when creating a VPN connection to your on-premises network. Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
Incorrect Answers:
F: Point-to-Site connections do not require a VPN device or a public-facing IP address.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal
https://docs.microsoft.com/en-us/azure/vpngateway/vpn-gateway-connect-multiple-policybased-rm-ps
61
You have an Azure subscription that contains the resources in the following table:
Name Type
VMRG Resource group
VNet1 Virtual network
VNet2 Virtual network
VM5 Virtual machine connected to VNet1
VM6 Virtual machine connected to VNet2
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured as shown in the following exhibit:
Resource group: vmrg
Name server 1, 2, 3, 4: -
Name Type TTL VALUE
@ SOA 3600 Email: azuredn...
vm1 A 3600 10.1.0.4
vm9 A 3600 10.1.0.12
Yes/No statements:
The A record for VM5 will be registered automatically in the adatum.com zone.
VM5 can resolve VM9.adatum.com.
VM6 can resolve VM9.adatum.com.
The A record for VM5 will be registered automatically in the adatum.com zone. - No
VM5 can resolve VM9.adatum.com. - No
VM6 can resolve VM9.adatum.com. - Yes
VNet1 (NOT a registration network): VM5
VNet2 (IS a registration network): VM1, VM6 and VM9
1. VM5 is in VNet1 - answer is NO.
2. VM5 is in VNet1 - answer is NO.
3. VM6 is in VNet2 - answer is YES.
1: Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual network. VM5 does not belong to the registration virtual network though.
2: Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution virtual network.
3: VM6 belongs to the registration virtual network, and an A (Host) record exists for VM9 in the DNS zone. By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual machines within the registration virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
62
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Location
VNET1 West US
VNET2 West US
VNET3 East US
The subscription contains the private DNS zones shown in the following table.
Name Location
Zone1.com West US
Zone2.com West US
Zone3.com East US
You add virtual network links to the private DNS zones as shown in the following table.
Name Private DNS zone Virtual network Enable auto registration
Link1 Zone1.com VNET1 Yes
Link2 Zone2.com VNET2 No
Link3 Zone3.com VNET3 No
Yes/No statements:
You can enable auto registration for Link2.
You can add a virtual network link for VNET1 to Zone3.com.
You can add a virtual network link for VNET2 to Zone1.com and enable auto registration.
You can enable auto registration for Link2. - Yes
You can add a virtual network link for VNET1 to Zone3.com. - Yes
You can add a virtual network link for VNET2 to Zone1.com and enable auto registration. - Yes
1. You can select the checkbox to enable auto registration. Note: You can do this for any VNet as long as that VNet is not linked to another zone with auto registration ON. So if the VNet is linked to another zone but auto registration is OFF there, you can enable auto registration in only one zone.
2. You can add VNET1 to Zone3.com, but make sure auto registration is OFF. You cannot add VNET1 to Zone3.com with auto registration ON.
3. You can add VNET2 to Zone1.com and set auto registration ON, because VNET2 has no link yet to any zone with auto registration ON.
To summarize: Zones can have multiple VNets. Each VNet can be set to auto registration ON. VNets can be linked to multiple zones, but they can only auto register to one zone.
63
You have an Azure subscription. You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
subnets:
"name": "LAN02",
"properties": {
"addressPrefix": 10.10.10.128/25
How should you complete the template?
"name":
- AzureBastionSubnet
- AzureFirewallSubnet
- LAN01
- RemoteAccessSubnet
"properties": { "addressPrefix":
- 10.10.10.0/27
- 10.10.10.0/29
- 10.10.10.0/30
"name": - AzureBastionSubnet
"properties": { "addressPrefix": - 10.10.10.0/27
To associate a virtual network with a Bastion, it must contain a subnet with the name AzureBastionSubnet and a prefix of at least /26. (The question is outdated.) Also see the documentation here: https://docs.microsoft.com/en-gb/azure/bastion/quickstart-host-portal
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.).
64
Note: This question is part of a series of questions that present the same scenario. You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal? A. Yes B. No
A. Yes.
Using Azure Network Watcher to create a packet capture allows for monitoring network traffic between VM1 and VM2 for three hours, effectively meeting the requirement.
There are several versions of this question. The following are the possible correct and incorrect solutions.
Correct solution (meets the goal):
- Solution: From Azure Network Watcher, you create a packet capture.
Incorrect solutions (do not meet the goal):
- Solution: From Azure Monitor, you create a metric on Network In and Network Out.
- Solution: From Azure Network Watcher, you create a connection monitor.
- Solution: From Performance Monitor, you create a Data Collector Set (DCS).
65
Note: This question is part of a series of questions that present the same scenario. You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Network Watcher, you create a connection monitor. Does this meet the goal? A. Yes B. No
B. No.
Using Azure Network Watcher to create a packet capture allows for monitoring network traffic between VM1 and VM2 for three hours, effectively meeting the requirement.
There are several versions of this question. The following are the possible correct and incorrect solutions.
Correct solution (meets the goal):
- Solution: From Azure Network Watcher, you create a packet capture.
Incorrect solutions (do not meet the goal):
- Solution: From Azure Monitor, you create a metric on Network In and Network Out.
- Solution: From Azure Network Watcher, you create a connection monitor.
- Solution: From Performance Monitor, you create a Data Collector Set (DCS).
66
Note: This question is part of a series of questions that present the same scenario. You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Performance Monitor, you create a Data Collector Set (DCS). Does this meet the goal? A. Yes B. No
B. No.
Using Azure Network Watcher to create a packet capture allows for monitoring network traffic between VM1 and VM2 for three hours, effectively meeting the requirement.
There are several versions of this question. The following are the possible correct and incorrect solutions.
Correct solution (meets the goal):
- Solution: From Azure Network Watcher, you create a packet capture.
Incorrect solutions (do not meet the goal):
- Solution: From Azure Monitor, you create a metric on Network In and Network Out.
- Solution: From Azure Network Watcher, you create a connection monitor.
- Solution: From Performance Monitor, you create a Data Collector Set (DCS).
67
You have an Azure subscription that contains the resources shown in the following table.
Name Type Description
vm1 Virtual machine Uses a basic public IP address
vm2 Virtual machine Uses a basic public IP address
nsg1 Network security group (NSG) Allows incoming traffic from port 443
lb1 Azure Standard Load Balancer Not applicable
You need to load balance HTTPS connections to vm1 and vm2 by using lb1. Which three actions should you perform in sequence?
- Remove nsg1.
- Remove the public IP addresses from vm1 and vm2.
- Create a health probe and backend pool on lb1.
- Create an availability set.
- Create a load balancing rule on lb1.
1. Remove the public IP addresses from vm1 and vm2.
2. Create a health probe and backend pool on lb1.
3. Create a load balancing rule on lb1.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-public-zone-redundant-portal
68
Note: This question is part of a series of questions that present the same scenario. You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Monitor, you create a metric on Network In and Network Out. Does this meet the goal? A. Yes B. No
B. No.
Using Azure Network Watcher to create a packet capture allows for monitoring network traffic between VM1 and VM2 for three hours, effectively meeting the requirement.
There are several versions of this question. The following are the possible correct and incorrect solutions.
Correct solution (meets the goal):
- Solution: From Azure Network Watcher, you create a packet capture.
Incorrect solutions (do not meet the goal):
- Solution: From Azure Monitor, you create a metric on Network In and Network Out.
- Solution: From Azure Network Watcher, you create a connection monitor.
- Solution: From Performance Monitor, you create a Data Collector Set (DCS).
69
Note: This question is part of a series of questions that present the same scenario. You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer. The effective network security configurations for VM2 are shown in the following exhibit.
Buttons: Attach network interface (enabled), Detach network interface (disabled)
Inbound rules:
PRIORITY NAME PORT PROTOCOL SOURCE DESTINATION ACTION
100 Allow_131.107.100.50 443 TCP 131.107.100.50 VirtualNetwork Allow
200 BlockAllOther443 443 Any Any Any Deny
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.
Does this meet the goal?
A. Yes
B. No
B. No (correct solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150)
You want to establish a successful connection from 131.107.100.50 over TCP port 443, and the solution suggests creating a deny inbound rule with low priority. It doesn't make any sense.
Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.
AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16, where the Azure health probe originates. Actual traffic does not travel through here, and if you don't use Azure Load Balancing, this rule can be overridden.
70
You have an Azure subscription that contains two on-premises locations named site1 and site2. You need to connect site1 and site2 by using an Azure Virtual WAN. Which four actions should you perform in sequence?
- Create a virtual hub.
- Create VPN sites.
- Connect the virtual networks to the hub.
- Create a Virtual WAN resource.
- Connect the VPN sites to the hub.
1. Create a Virtual WAN resource.
2. Create a virtual hub.
3. Create VPN sites.
4. Connect the VPN sites to the hub.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
71
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Peered with DNS server
VNET1 VNET2 Default (Azure-provided)
VNET2 VNET1 10.10.0.4
You have the virtual machines shown in the following table.
Name IP address Network interface Connects to
Server1 10.10.0.4 NIC1 VNET1/Subnet1
Server2 172.16.0.4 NIC2 VNET1/Subnet2
Server3 192.168.0.4 NIC3 VNET2/Subnet2
You have the virtual network interfaces shown in the following table.
Name DNS server
NIC1 Inherit from virtual network
NIC2 10.10.0.4
NIC3 Inherit from virtual network
Server1 is a DNS server that contains the resources shown in the following table.
Name Type Value
contoso.com Primary DNS zone Not applicable
Host1.contoso.com A record 131.107.10.15
You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.
Name Type Value
Host1 A record 131.107.200.20
Host2 A record 131.107.50.50
Yes/No statements:
- Server2 resolves host2.contoso.com to 131.107.50.50.
- Server2 resolves host1.contoso.com to 131.107.10.15.
- Server3 resolves host2.contoso.com to 131.107.50.50.
- Server2 resolves host2.contoso.com to 131.107.50.50. - No
- Server2 resolves host1.contoso.com to 131.107.10.15. - Yes
- Server3 resolves host2.contoso.com to 131.107.50.50. - No
No: Server2 uses Server1 for DNS. Server1 has no host2.contoso.com record for 131.107.50.50. It would work if VNET1 had a virtual network link to the private zone contoso.com.
Yes: Server2 uses Server1 for DNS. Server1 has a host1.contoso.com record for 131.107.10.15.
No: Server3 uses 10.10.0.4 as its DNS server (inherited from VNET2). 10.10.0.4 (Server1) has no record for host2.contoso.com. The virtual network link for the private zone contoso.com on VNET2 won't be used, since VNET2 is configured to use the DNS server from VNET1, and that DNS server is not aware of the private zone contoso.com. It would work if VNET1 had a virtual network link to the private zone contoso.com.
72
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
Address space: 10.2.0.0/16
No devices are connected to VNet1. You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16. You need to create the peering. What should you do first?
A. Modify the address space of VNet1.
B. Add a gateway subnet to VNet1.
C. Create a subnet on VNet1 and VNet2.
D. Configure a service endpoint on VNet2.
A. Modify the address space of VNet1.
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
73
You have the Azure virtual machines shown in the following table.
Name IP address Virtual network
VM1 10.0.0.4 VNET1
VM2 10.0.0.5 VNET1
VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table.
Name Type TTL Value Auto registered
comp1 TXT 3600 10.0.0.5 False
comp2 A 3600 10.0.0.5 False
comp3 CNAME 3600 comp1.contoso.com False
comp4 PTR 3600 10.0.0.5 False
You need to ping VM2 from VM1. Which DNS names can you use to ping VM2?
A. comp2.contoso.com and comp4.contoso.com only
B. comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com
C. comp2.contoso.com only
D. comp1.contoso.com and comp2.contoso.com only
E. comp1.contoso.com, comp2.contoso.com, and comp4.contoso.com only
C. comp2.contoso.com only
A record: used to map a DNS/domain name to an IP address. Reference: https://www.cloudflare.com/learning/dns/dns-records/dns-a-record/
TXT records are in many cases used to prove ownership of a domain; they have other purposes too. Reference: https://support.google.com/a/answer/2716800?hl=en#:~:text=TXT%20records%20are%20a%20type,and%20to%20ensure%20email%20security.
PTR: a reverse DNS lookup is used by remote hosts to determine who 'owns' an IP address. Reference: https://www.mailenable.com/kb/content/article.asp?ID=ME020206
CNAME records are used to redirect a DNS name or subdomain name to another DNS name, domain name, or subdomain name. Reference: https://support.dnsimple.com/articles/cname-record/
Basic understanding of DNS record types and what they are used for: https://ns1.com/resources/dns-types-records-servers-and-queries
74
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)
Name Protocol SourcePorts DestPorts SourceAddr DestAddr Access Priority Direction
ALLOW_HTTPS TCP {*} {443} {*} {*} Allow 100 Inbound
DENY_PING ICMP {*} {*} {VirtualNetwork} {*} Deny 111 Outbound
NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.
Name IP address
VM1 10.1.0.10
VM2 10.1.0.11
You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege. How should you configure the rule?
Direction: Outbound, Inbound
Source: Any, 10.1.0.10, 10.1.0.11, both, 10.1.0.0/28
Destination: Any, 10.1.0.10, 10.1.0.11, both, 10.1.0.0/28
Priority: 110, 111, 112
Direction: Outbound
Source: 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
Both VMs are in the same VNet, so inbound traffic is allowed by default within the network. "Rules in inbound direction affect traffic that is being initiated from external sources, such as the Internet or another VM, to a virtual machine. Outbound security rules affect traffic sent from a VM." The ICMP traffic is being sent from VM1, so the rule is outbound.
75
Note: This question is part of a series of questions that present the same scenario.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate. From Azure, you download and install the VPN client configuration package on a computer named Computer2. You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
Does this meet the goal?
A. Yes
B. No
B. No Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
76
You have an Azure subscription that uses the public IP addresses shown in the following table.
Name IP version SKU IP address assignment Availability zone
IP1 IPv6 Basic Static Not applicable
IP2 IPv6 Basic Dynamic Not applicable
IP3 IPv6 Standard Static Zone-redundant
You need to create a public Azure Standard Load Balancer. Which public IP addresses can you use?
A. IP1, IP2, and IP3
B. IP2 only
C. IP3 only
D. IP1 and IP3 only
C. IP3 only Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU resources. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses
77
You have an Azure subscription. You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking. You need to restrict network traffic between the pods. What should you configure on the AKS cluster?
A. the Azure network policy
B. the Calico network policy
C. pod security policies
D. an application security group
B. the Calico network policy Reference: https://docs.microsoft.com/en-us/azure/aks/use-network-policies
78
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the VPN Gateway and subnets in the following table:
Name IP address range
Subnet0 10.0.0.0/24
Subnet1 10.0.1.0/24
Subnet2 10.0.2.0/24
GatewaySubnet 10.0.254.0/24
Subnet1 contains a virtual appliance named VM1 that operates as a router. You create a routing table named RT1. You need to route all inbound traffic from the VPN gateway to VNet1 through VM1. How should you configure RT1?
Dropdowns:
Address prefix: 10.0.0.0/16, 10.0.1.0/24, 10.0.254.0/24
Next hop type: Virtual appliance, Virtual network, Virtual network gateway
Assigned to: GatewaySubnet, Subnet0, Subnet1 and Subnet2
Address prefix: 10.0.0.0/16
Next hop type: Virtual appliance
Assigned to: GatewaySubnet
1. Destination: VNet1 (the address space of VNet1).
2. VM1: Virtual appliance. You can specify the IP address of VM1 when configuring the next hop as Virtual appliance.
3. This route is to be followed by GatewaySubnet for the incoming traffic. You can associate the routing table to the subnet from Route Table -> Subnets -> Associate.
79
You have an Azure subscription that contains the virtual machines shown in the following table:
Name Operating system Connects to
VM1 Windows Server 2019 Subnet1
VM2 Windows Server 2019 Subnet2
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections. Subnet1 and Subnet2 are in a virtual network named VNET1. The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules. NSG2 uses the default rules and the following custom incoming rule:
✑ Priority: 100
✑ Name: Rule1
✑ Port: 3389
✑ Protocol: TCP
✑ Source: Any
✑ Destination: Any
✑ Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.
Yes/No statements:
- From the Internet, you can connect to VM1 by using Remote Desktop.
- From the Internet, you can connect to VM2 by using Remote Desktop.
- From VM1, you can connect to VM2 by using Remote Desktop.
- From the Internet, you can connect to VM1 by using Remote Desktop. - No
- From the Internet, you can connect to VM2 by using Remote Desktop. - Yes
- From VM1, you can connect to VM2 by using Remote Desktop. - Yes
No: VM1 has only the default rules, which deny any inbound port from the Internet.
Yes: VM2 has a custom rule allowing the RDP port.
Yes: VM1 and VM2 are in the same VNet; by default, communication within the VNet is allowed.
80
You have an Azure subscription that contains two virtual machines named VM1 and VM2. You create an Azure load balancer. You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2. Which two additional load balancer resources should you create before you can create the load balancing rule?
A. a frontend IP address
B. an inbound NAT rule
C. a virtual network
D. a backend pool
E. a health probe
D. a backend pool
E. a health probe
If you want to add a rule to your load balancer later, you have to create a backend pool and a health probe first.
81
You have an on-premises network that contains a database server named dbserver1. You have an Azure subscription. You plan to deploy three Azure virtual machines. Each virtual machine will be deployed to a separate availability zone. You need to configure an Azure VPN gateway for a site-to-site VPN. The solution must ensure that the virtual machines can connect to dbserver1. Which type of public IP address SKU and assignment should you use for the gateway?
A. a basic SKU and a static IP address assignment
B. a standard SKU and a static IP address assignment
C. a basic SKU and a dynamic IP address assignment
(next 93)
B. a standard SKU and a static IP address assignment
82
You have two Azure virtual machines as shown in the following table.
Name OS Private IP Public IP DNS suffix configured in the OS Connected to
vm1 Win Server 2019 10.0.1.4 131.107.50.20 Contoso.com vnet1
vm2 SUSE Lin Ent Serv 10.0.1.5 131.107.90.80 None vnet1
You create the Azure DNS zones shown in the following table.
Name Type
Contoso.com DNS zone
Fabrikam.com Private DNS zone
You perform the following actions:
✑ For fabrikam.com, you add a virtual network link to vnet1 and enable auto registration.
✑ For contoso.com, you assign vm1 and vm2 the Owner role.
Yes/No statements:
- The DNS A record for vm1 is added to contoso.com and has the IP address of 131.107.50.20.
- The DNS A record for vm1 is added to fabrikam.com and has the IP address of 10.0.1.4.
- The DNS A record for vm2 is added to fabrikam.com and has the IP address of 10.0.1.5.
- The DNS A record for vm1 is added to contoso.com and has the IP address of 131.107.50.20. - No
- The DNS A record for vm1 is added to fabrikam.com and has the IP address of 10.0.1.4. - Yes
- The DNS A record for vm2 is added to fabrikam.com and has the IP address of 10.0.1.5. - Yes
1. None of the actions in the question added the vm1 record to the contoso.com DNS zone.
2, 3. vnet1 is linked and auto registration is enabled, so records get added automatically. Fabrikam.com is a private DNS zone, so the private IP address is used.
Note: The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you link a virtual network with a private DNS zone with this setting enabled, a DNS record gets created for each virtual machine deployed in the virtual network. For each virtual machine, an A record and a PTR record are created. DNS records for newly deployed virtual machines are also automatically created in the linked private DNS zone.
Note: If you use Azure-provided DNS, then the appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you must either use fully qualified domain names (FQDN) or manually apply the appropriate DNS suffix to your virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
83
You have an on-premises datacenter and an Azure subscription. You plan to connect the datacenter to Azure by using ExpressRoute. You need to deploy an ExpressRoute gateway. The solution must meet the following requirements:
✑ Support up to 10 Gbps of traffic.
✑ Support availability zones.
✑ Support FastPath.
✑ Minimize costs.
Which SKU should you deploy?
A. ERGw1AZ
B. ERGw2
C. ErGw3
D. ErGw3AZ
D. ErGw3AZ
84
You have a virtual network named VNET1 that contains the subnets shown in the following table:
Name Subnet Network security group (NSG)
Subnet1 10.10.1.0/24 NSG1
Subnet2 10.10.2.0/24 None
You have Azure virtual machines that have the network configurations shown in the following table:
Name Subnet IP address NSG
VM1 Subnet1 10.10.1.5 NSG2
VM2 Subnet2 10.10.2.5 None
VM3 Subnet2 10.10.2.6 None
For NSG1, you create the inbound security rule shown in the following table:
Priority: 101
Source: 10.10.2.0/24
Destination: 10.10.1.0/24
Destination port: TCP/1433
Action: Allow
For NSG2, you create the inbound security rule shown in the following table:
Priority: 125
Source: 10.10.2.5
Destination: 10.10.1.5
Destination port: TCP/1433
Action: Block
Yes/No statements:
- VM2 can connect to the TCP port 1433 services on VM1.
- VM1 can connect to the TCP port 1433 services on VM2.
- VM2 can connect to the TCP port 1433 services on VM3.
- VM2 can connect to the TCP port 1433 services on VM1. - No
- VM1 can connect to the TCP port 1433 services on VM2. - Yes
- VM2 can connect to the TCP port 1433 services on VM3. - Yes
2. No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.
3. No rule explicitly blocks communication between VM2 and VM3, which are both on Subnet2. The default rules, which allow communication, are thus applied.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
85
You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the following table:
Name IP address
VM1 10.0.1.4
VM2 10.0.2.4
VM3 10.0.3.4
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:
Name Address space Connected VM
Subnet1 10.0.1.0/24 VM1
Subnet2 10.0.2.0/24 VM2
Subnet3 10.0.3.0/24 VM3
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table:
Address prefix Next hop type Next hop address
10.0.1.0/24 Virtual appliance 10.0.3.4
10.0.2.0/24 Virtual appliance 10.0.3.4
Yes/No statements:
- VM3 can establish a network connection to VM1.
- If VM3 is turned off, VM2 can establish a network connection to VM1.
- VM1 can establish a network connection to VM2.
- VM3 can establish a network connection to VM1. - Yes
- If VM3 is turned off, VM2 can establish a network connection to VM1. - No
- VM1 can establish a network connection to VM2. - Yes
Y = RT1 is not applied to VM3. VM3 will have the default route between subnets in a VNet.
N = VM2 is in Subnet2, which has RT1 applied to it. VM3 is the next hop, and it is turned off.
Y = VM3 has IP forwarding enabled, which can forward traffic from VM1 to VM2.
1. The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
2. VM3, which has IP forwarding, must be turned on in order for VM2 to connect to VM1.
3. The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
IP forwarding enables the virtual machine a network interface is attached to:
✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
https://www.quora.com/What-is-IP-forwarding
86
Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources:
✑ A web app named webapp1
✑ A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1. What should you deploy?
A. an Azure Application Gateway
B. an Azure Active Directory (Azure AD) Application Proxy
C. an Azure Virtual Network Gateway
C. an Azure Virtual Network Gateway
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
A: Application Gateway is for HTTP, HTTPS and WebSocket, not SMB.
B: Application Proxy is also for accessing web applications on-premises, not SMB. Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
87
Your on-premises network contains a VPN gateway. You have an Azure subscription that contains the resources shown in the following table.
Name Type Description
vgw1 Virtual network gateway Gateway for Site-to-Site VPN to the on-premises network
storage1 Storage account Standard performance tier
Vnet1 Virtual network Enabled forced tunneling
VM1 Virtual machine Connected to Vnet1
You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. What should you configure?
A. a network security group (NSG)
B. service endpoints
C. Azure Peering Service
D. Azure Firewall
B. service endpoints
"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network."
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
88
You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network. Which tunneling protocol should you use?
A. IKEv1
B. PPTP
C. IKEv2
D. L2TP
C. IKEv2
The keyword is "route-based", because "policy-based" only supports IKEv1. A Site-to-Site (S2S) VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. IKEv2 supports 10 S2S connections, while IKEv1 only supports 1.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
https://docs.microsoft.com/enus/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
89
You have an Azure subscription that contains the resources shown in the following table.
Name: VNET1
Type: Virtual network
Description: Azure region: US East. Contains the following subnets:
* Subnet1: 172.16.1.0/24
* Subnet2: 172.16.2.0/24
* Subnet3: 172.16.3.0/24
Name: VNET2
Type: Virtual network
Description: Azure region: West US. Contains the following subnets:
* DemoSubnet1: 172.16.1.0/24
* RecoverySubnetA: 172.16.5.0/24
* RecoverySubnetB: 172.16.3.0/24
* TestSubnet1: 172.16.2.0/24
Name: VM1
Type: Virtual machine
Description: Connected to Subnet2
You configure Azure Site Recovery to replicate VM1 between the US East and West US regions. You perform a test failover of VM1 and specify VNET2 as the target virtual network. When the test version of VM1 is created, to which subnet will the virtual machine be connected?
A. TestSubnet1
B. DemoSubnet1
C. RecoverySubnetA
D. RecoverySubnetB
B. DemoSubnet1
Reference: https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in alphabetical order is set as the target subnet.
90
You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named VNET1 and VNET2 that are peered. You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1. You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1. Which port should you configure for the inbound security rule?
A. 22
B. 443
C. 389
D. 8080
B. 443
Using Bastion, your RDP/SSH session is over TLS on port 443. Reference: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
If you say port 22, then what about a Windows VM? It is not mentioned whether the VM is Windows or Linux. You will have to allow port 443 in the NSG.
91
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the servers shown in the following table.
Name IP address Role
DC1 192.168.2.1/16 Domain controller, DNS server
Server1 192.168.2.50/16 Member server
You plan to migrate contoso.com to Azure. You create an Azure virtual network named VNET1 that has the following settings:
* Address space: 10.0.0.0/16
* Subnet:
  o Name: Subnet1
  o IPv4: 10.0.1.0/24
You need to move DC1 to VNET1. The solution must ensure that the member servers in contoso.com can resolve AD DS DNS names. How should you configure DC1?
IP address: Obtain an IP address automatically, Use 10.0.1.3, Use 10.0.2.1, Use 192.168.2.1
Name resolution: Configure VNET1 to use a custom DNS server, Configure VNET1 to use the default Azure-provided DNS server, Create an Azure Private DNS zone named contoso.com, Create an Azure public DNS zone named contoso.com
IP address: Obtain an IP address automatically
Name resolution: Configure VNET1 to use a custom DNS server
1. The first 4 IP addresses within a subnet's address space are reserved by Azure automatically. Thus, 10.0.1.3 can't be the right answer. 10.0.2.1 is in the VNET address space but falls outside the subnet. 192.168.2.1 is outside the VNET altogether.
2. VNET1 should use our pre-created DNS server as its DNS server so that the member servers in contoso.com can resolve AD DS DNS names.
92
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Azure region Resource group
VNET1 West US RG1
VNET2 Central US RG1
VNET3 Central US RG2
VNET4 West US RG2
You need to deploy an Azure firewall named AF1 to RG1 in the West US Azure region. To which virtual networks can you deploy AF1?
A. VNET1, VNET2, VNET3, and VNET4
B. VNET1 and VNET2 only
C. VNET1 only
D. VNET1, VNET2, and VNET4 only
E. VNET1 and VNET4 only
C. VNET1 only
93
You have an on-premises network. You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3. The virtual networks are peered and connected to the on-premises network. The subscription contains the virtual machines shown in the following table.
Name Location Connected to
VM1 West US VNET1
VM2 West US VNET1
VM3 West US VNET2
VM4 Central US VNET3
You need to monitor connectivity between the virtual machines and the on-premises network by using Connection Monitor. What is the minimum number of connection monitors you should deploy?
A. 1
B. 2
C. 3
D. 4
(next 111)
B. 2
Connection monitor resource: A region-specific Azure resource.
Reference: https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#before-you-begin
94
You have an Azure subscription that contains a storage account. The account stores website data. You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location. What should you configure?
A. private endpoints
B. Azure Firewall rules
C. Routing preference
D. load balancing
C. Routing preference
Routing preference in Azure Traffic Manager allows you to specify how to route traffic to your Azure service endpoints based on various criteria, such as the geographic location of the client or the endpoint, the performance of the endpoint, or the priority of the endpoint. By configuring routing preference, you can direct incoming user traffic to the Microsoft point-of-presence (POP) closest to the user's location, ensuring the best possible user experience. This can be achieved by selecting the "Performance" routing method in Azure Traffic Manager, which uses DNS-based traffic routing to direct users to the endpoint that offers the best performance from the user's location.
Reference: https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing
95
You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1. Subnet1 is in a virtual network named VNet1. You need to prevent VM1 from accessing VM2 on port 3389. What should you do?
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.
B. Configure Azure Bastion in VNet1.
C. Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.
D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.
96
You have an Azure subscription that contains the resources shown in the following table.
Name Type Description
App1 App Service Virtual network integration enabled for VNET1
ASP1 App Service plan Standard SKU
VNET1 Virtual network None
Firewall1 Azure Firewall Connected to VNET1
You need to manage outbound traffic from VNET1 by using Firewall1. What should you do first?
A. Configure the Hybrid Connection Manager.
B. Upgrade ASP1 to the Premium SKU.
C. Create a route table.
D. Create an Azure Network Watcher.
C. Create a route table.
97
You have an Azure subscription that contains the resources shown in the following table.
Name Type
VM1 Virtual machine
App1 Web app
contoso.com Azure Active Directory Domain Services (Azure AD DS) domain
All the resources connect to a virtual network named VNet1. You plan to deploy an Azure Bastion host named Bastion1 to VNet1. Which resources can be protected by using Bastion1?
A. VM1 only
B. contoso.com only
C. App1 and contoso.com only
D. VM1 and contoso.com only
E. VM1, App1, and contoso.com
A. VM1 only
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer.
Reference: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
98
You have an Azure subscription that contains 10 virtual machines and the resources shown in the following table.
Name Type Description
VNET1 Virtual network none
Bastion1 Basic SKU Azure Bastion host Subnet size /26
You need to ensure that Bastion1 can support 100 concurrent SSH users. The solution must minimize administrative effort. What should you do first?
A. Resize the subnet of Bastion1
B. Configure host scaling.
C. Create a network security group (NSG)
D. Upgrade Bastion1 to the Standard SKU
(next 120)
D. Upgrade Bastion1 to the Standard SKU
Reference: https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#instance
When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances. This is called host scaling. Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.
99
You have an Azure subscription that has the public IP addresses shown in the following table.
Name IP version SKU Tier IP address assignment
IP1 IPv4 Standard Regional Static
IP2 IPv4 Standard Global Static
IP3 IPv4 Basic Regional Dynamic
IP4 IPv4 Basic Regional Static
IP5 IPv6 Basic Regional Dynamic
You plan to deploy an Azure Bastion Basic SKU host named Bastion1. Which IP addresses can you use?
A. IP1 only
B. IP1 and IP2 only
C. IP3, IP4, and IP5 only
D. IP1, IP2, IP4, and IP5 only
E. IP1, IP2, IP3, IP4, and IP5
A. IP1 only - IPv4 Standard Regional Static
Tested in sandbox:
- IPv4 - Static - Standard - Global: Error during the selection in the interface - A Global Tier PublicIPAddress cannot be attached to Bastions.
- IPv4 - Static - Standard - Regional: OK
- IPv4 - Static - Basic - Regional: Error during the selection in the interface - Static public IP addresses cannot be associated.
- IPv4 - Dynamic - Basic - Regional: Error during the selection in the interface - The SKU type for the public IP address does not match the SKU type of the load balancer (?? I don't know why this message).
- IPv6 - Static - Standard - Regional: Error during deployment (The selected IPv6 public IP address is not supported for Azure Bastion. To fix this, please recreate your Azure Bastion with an IPv4 public IP address. (Code: PublicIpAddressVersionNotSupported))
100
You have two Azure subscriptions named Sub1 and Sub2. Sub1 contains a virtual machine named VM1 and a storage account named storage1. VM1 is associated to the resources shown in the following table.
Name Type
Disk1 Operating system disk
NetInt1 Network interface
VNet1 Virtual network
You need to move VM1 to Sub2. Which resources should you move to Sub2?
A. VM1, Disk1, and NetInt1 only
B. VM1, Disk1, and VNet1 only
C. VM1, Disk1, and storage1 only
D. VM1, Disk1, NetInt1, and VNet1
D. VM1, Disk1, NetInt1, and VNet1
When you move a virtual machine to another subscription, all of its dependent resources must move with it, in the same move operation; Resource Manager rejects a move that leaves a dependency behind. In this scenario VM1 depends on Disk1 (its OS disk), NetInt1 (its network interface) and VNet1 (the virtual network the NIC is attached to). The storage account storage1 is not associated with VM1, so it stays in Sub1. The resources to move are therefore:
- VM1: the virtual machine itself.
- Disk1: the managed OS disk, which holds the operating system and boot files.
- NetInt1: the network interface attached to VM1, which gives it connectivity to the virtual network.
- VNet1: the virtual network that NetInt1 belongs to; a NIC cannot be moved without its virtual network.
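The move described in this answer, written out in Az PowerShell as an added example (not part of the original deck). The subscription IDs, resource group names and the NIC name of the target VM are assumed placeholders; the two subscriptions are assumed to be in the same Microsoft Entra tenant, which a cross-subscription move requires. The validation call before the real move is the check a practitioner wants: it tells you up front if the set of resources is incomplete (for example VNet1 left out) instead of failing part-way.

```powershell
# Added example, not the deck's own content. IDs and names below are assumed.
$sourceSub = "00000000-0000-0000-0000-000000000001"   # Sub1 (assumed ID)
$targetSub = "00000000-0000-0000-0000-000000000002"   # Sub2 (assumed ID)
$sourceRg  = "RG-Sub1"                                 # assumed resource group in Sub1
$targetRg  = "RG-Sub2"                                 # assumed resource group in Sub2; must already exist

Set-AzContext -SubscriptionId $sourceSub | Out-Null

# Collect the VM and every resource it depends on. storage1 is deliberately
# left out: it is not attached to VM1, so it stays in Sub1.
$vm   = Get-AzVM -ResourceGroupName $sourceRg -Name "VM1"
$disk = Get-AzDisk -ResourceGroupName $sourceRg -DiskName $vm.StorageProfile.OsDisk.Name
$nic  = Get-AzNetworkInterface -ResourceGroupName $sourceRg -Name "NetInt1"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $sourceRg -Name "VNet1"

$ids = @($vm.Id, $disk.Id, $nic.Id, $vnet.Id)

# Dry run: ask Resource Manager whether exactly this set can move together.
# An incomplete set (e.g. without $vnet.Id) is rejected here, before anything moves.
Invoke-AzResourceAction -Action validateMoveResources `
    -ResourceId "/subscriptions/$sourceSub/resourceGroups/$sourceRg" `
    -Parameters @{
        resources           = $ids
        targetResourceGroup = "/subscriptions/$targetSub/resourceGroups/$targetRg"
    } -Force

# Real move: all four IDs in a single call so the dependency check passes.
Move-AzResource -DestinationSubscriptionId $targetSub `
    -DestinationResourceGroupName $targetRg `
    -ResourceId $ids -Force
```

The caller needs `Microsoft.Resources/subscriptions/resourceGroups/moveResources/action` on the source resource group and write permission on the target, and both resource groups are locked for the duration of the move; plan for that window.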
101
You have an Azure subscription that contains a Recovery Services vault named Vault1.
You need to enable multi-user authorization (MUA) for Vault1.
Which resource should you create first?
A. an administrative unit
B. a managed identity
C. a resource guard
D. a custom Azure role
(next 135)
C. a resource guard
Resource Guard is the Azure resource that protects critical resources such as Recovery Services vaults and Backup vaults from unauthorized modification by adding a second authorization layer to critical operations (for example disabling soft delete, stopping protection with delete data, or changing MUA itself).
How Resource Guard works: a vault is mapped to a Resource Guard. When someone attempts a protected operation on the vault, Azure first checks whether that caller also has the required permissions on the Resource Guard; if not, the operation fails. The intended design is that the Resource Guard lives in a subscription or tenant controlled by a security administrator, so the backup administrator alone cannot complete a destructive operation.
How to create a Resource Guard: it can be created in the Azure portal, in the same subscription as the vault or in a different one. The Resource Guard must exist before MUA can be enabled on the vault, which is why it is the first resource to create.
https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault
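The separation of duties that makes MUA worthwhile, shown end to end as an added example (not from the original deck or Microsoft's documentation): the Resource Guard is created by a security administrator in a subscription the backup administrator cannot write to, the backup administrator gets only Reader on it, and the vault is then mapped to it. Subscription IDs, resource group names, the object ID and the region are assumed placeholders; the cmdlets are the ones I know from the Az.DataProtection and Az.RecoveryServices modules, so confirm them with `Get-Command` on your module versions.

```powershell
# Added example, not the deck's own content. All IDs and names are assumed.
$backupSub   = "00000000-0000-0000-0000-000000000001"   # holds Vault1 (assumed)
$securitySub = "00000000-0000-0000-0000-000000000002"   # controlled by the security admin (assumed)
$backupAdminObjectId = "11111111-1111-1111-1111-111111111111"  # Entra object ID of the backup admin (assumed)

# 1. Security admin: create the Resource Guard where the backup admin has no write access.
Set-AzContext -SubscriptionId $securitySub | Out-Null
$guard = New-AzDataProtectionResourceGuard -ResourceGroupName "RG-Security" `
    -Name "Guard1" -Location "eastus"

# 2. Security admin: give the backup admin Reader on the guard only. Reader is enough to
#    map a vault to the guard; the permissions that authorize protected operations
#    (Microsoft.DataProtection/resourceGuards/*/action) stay with the security admin.
New-AzRoleAssignment -ObjectId $backupAdminObjectId -RoleDefinitionName "Reader" -Scope $guard.Id | Out-Null

# 3. Backup admin: map Vault1 to the guard. From now on, protected operations on Vault1
#    fail unless the caller also holds the guard's action permissions.
Set-AzContext -SubscriptionId $backupSub | Out-Null
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "RG-Backup" -Name "Vault1"
Set-AzRecoveryServicesResourceGuardMapping -VaultId $vault.ID -ResourceGuardId $guard.Id
```

When a protected operation is genuinely needed, the security admin grants the backup admin the guard's permissions temporarily (ideally through a PIM-eligible assignment) and removes them afterwards; if the guard and the vault are in different tenants, the mapping step additionally needs a token for the guard's tenant.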
102
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Location
Vnet1 US East
Vnet2 US East
Vnet3 US East
Vnet4 UK South
Vnet5 UK South
Vnet6 UK South
Vnet7 Asia East
Vnet8 Asia East
Vnet9 Asia East
Vnet10 Asia East
All the virtual networks are peered. Each virtual network contains nine virtual machines.
You need to configure secure RDP connections to the virtual machines by using Azure Bastion.
What is the minimum number of Bastion hosts required?
A. 1
B. 3
C. 9
D. 10
(next 137)
A. 1
Azure Bastion and VNet peering work together: when peering is configured, you do not have to deploy Bastion in each peered VNet. A single Bastion host in one virtual network can connect to VMs in any peered VNet, in the same region (virtual network peering) or across regions (global virtual network peering), so one host reaches all 90 VMs. The trade-off is availability: if the region hosting the Bastion resource is unavailable, you lose Bastion access to every VNet, including the ones in healthy regions.
https://learn.microsoft.com/en-us/azure/reliability/reliability-bastion#multi-region-support
Azure Bastion works with the following types of peering:
- Virtual network peering: connects virtual networks within the same Azure region.
- Global virtual network peering: connects virtual networks across Azure regions.
103
You have an Azure subscription that contains a resource group named RG1 and a virtual network named VNet1.
You plan to create an Azure container instance named container1.
You need to be able to configure DNS name label scope reuse for container1.
What should you configure for container1?
A. the private networking type
B. the public networking type
C. a new subnet on VNet1
D. a confidential SKU
(next 141)
B. the public networking type
A DNS name label gives the container group a public FQDN of the form label.region.azurecontainer.io, so it, and the scope-reuse setting that governs who may reuse that label, only exist when the networking type is Public. A container group deployed into a VNet subnet (Private) has only a private IP and no DNS name label.
104
You have an Azure subscription that contains a resource group named RG1.
You plan to create an Azure Resource Manager (ARM) template to deploy a new virtual machine named VM1. VM1 must support the capture of performance data.
You need to specify resource dependencies for the ARM template.
In which order should you deploy the resources?
- virtual machine
- Azure Monitor extension
- network interface
- virtual network
1. virtual network
2. network interface
3. virtual machine
4. Azure Monitor extension
Each resource in the chain references the one before it: the NIC references a subnet of the virtual network, the VM references the NIC, and the extension is a child resource of the VM. In the template this is expressed with dependsOn on each resource so that Resource Manager deploys them in that order.
105
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Region Peers with
VNet1 West US VNet2
VNet2 West US VNet1, VNet3
VNet3 East US VNet2
The subscription contains the virtual machines shown in the following table.
Name Connected to
VM1 VNet1
VM2 VNet2
VM3 VNet3
All the virtual machines have only private IP addresses.
You deploy an Azure Bastion host named Bastion1 to VNet1.
To which virtual machines can you connect through Bastion1?
A. VM1 only
B. VM1 and VM2 only
C. VM1 and VM3 only
D. VM1, VM2, and VM3
B. VM1 and VM2 only
Bastion1 can reach VM1 in its own VNet and VM2 in VNet2, which is directly peered with VNet1. VNet3 is peered only with VNet2, and VNet peering is not transitive, so Bastion1 has no route to VM3. Reaching VM3 would require a direct peering between VNet1 and VNet3 (global peering, since VNet3 is in another region).
106
You have an Azure subscription.
You plan to migrate 50 virtual machines from VMware vSphere to the subscription.
You create a Recovery Services vault.
What should you do next?
A. Configure an extended network.
B. Create a recovery plan.
C. Deploy an Open Virtualization Application (OVA) template to vSphere.
D. Configure a virtual network.
D. Configure a virtual network.
To migrate 50 VMs to Azure with Azure Site Recovery, you prepare the Azure side first and the on-premises side second:
- Recovery Services vault (already created)
- an Azure virtual network that the migrated VMs will be connected to when they fail over
- then the on-premises preparation, such as configuring the extended network and deploying the OVA template to vSphere (next step after)
107
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Location Peered with
VNet1 East US VNet2
VNet2 East US VNet1
Each virtual network has 50 connected virtual machines.
You need to implement Azure Bastion. The solution must meet the following requirements:
* Support host scaling.
* Support uploading and downloading files.
* Support the virtual machines on both VNet1 and VNet2.
* Minimize the number of addresses on the Azure Bastion subnet.
How should you configure Azure Bastion?
Subnet size: /24, /26, /28, /29
Public IP:
- Basic SKU with a dynamic allocation
- Basic SKU with a static allocation
- Standard SKU with a static allocation
Subnet size: /26
Public IP: Standard SKU with a static allocation
Host scaling and file upload/download (through the native client) are Standard SKU Bastion features, and a Standard SKU Bastion host requires a Standard SKU, statically allocated IPv4 public IP. The AzureBastionSubnet must be at least /26, so /26 is the smallest option offered that satisfies the requirements. Because VNet1 and VNet2 are peered, one host in either VNet serves the VMs in both.
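The Bastion deployment that questions 99 and 107 describe, as one added Az PowerShell example (not from the original deck): a /26 AzureBastionSubnet, a public IP of the only shape Bastion accepts (IPv4, Standard SKU, Static, Regional), and a Standard SKU host with host scaling and native-client tunneling, which is what enables file upload and download. Resource group, region and address prefix are assumed; the `-EnableTunneling` switch is the parameter name I know from Az.Network 6.x, so check `Get-Help New-AzBastion` on your version.

```powershell
# Added example, not the deck's own content. Names and addresses are assumed.
$rg  = "RG-Net"
$loc = "eastus"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "VNet1"

# The subnet name "AzureBastionSubnet" is mandatory and /26 is the minimum size.
# No NSG is needed here; Bastion manages the required rules on its own subnet.
Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.0.255.0/26" `
    -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# The only public IP shape Bastion accepts: IPv4, Standard SKU, Static, Regional tier.
# Basic SKU, Dynamic, Global tier or IPv6 are all rejected (see the sandbox test in Q99).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "Bastion1-pip" -Location $loc `
    -Sku Standard -AllocationMethod Static -IpAddressVersion IPv4 -Tier Regional

# Standard SKU: 2-50 scale units (host scaling) and native-client tunneling, which is the
# feature file copy relies on. Basic SKU would fail both Q107 requirements.
$bastion = New-AzBastion -ResourceGroupName $rg -Name "Bastion1" `
    -PublicIpAddress $pip -VirtualNetwork $vnet `
    -Sku Standard -ScaleUnit 4 -EnableTunneling $true

# VMs in peered VNet2 are reachable through this host without a second Bastion.
$bastion | Select-Object Name, Sku, ScaleUnit, EnableTunneling
```

Size the scale units from the expected session count rather than the VM count: 100 VMs do not need 100 sessions, and each instance handles roughly 20 concurrent RDP or 40 concurrent SSH sessions. Leave ShareableLink and IP-based connect disabled unless you need them; both widen what the host can reach.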
108
You have an Azure subscription that contains the virtual networks shown in the following table.
Name Location
VNet1 West US
VNet2 Central Europe
You need to ensure that all the traffic between VNet1 and VNet2 traverses the Microsoft backbone network.
What should you configure?
A. a private endpoint
B. peering
C. ExpressRoute
D. a route table
B. peering
Global virtual network peering connects VNets in different regions, and traffic between peered VNets uses private IP addresses and stays on the Microsoft backbone; it never traverses the public internet and needs no gateway. ExpressRoute connects on-premises networks to Azure, a private endpoint exposes a PaaS service inside a VNet, and a route table only changes next hops for traffic that already has a path.
109
You have an Azure subscription.
You are creating a new Azure container instance that will have the following settings:
* Container name: cont1
* SKU: Standard
* OS type: Windows
* Networking type: Public
* Memory (GiB): 2.5
* Number of CPU cores: 2
You discover that the Private setting for Networking type is unavailable.
You need to ensure that cont1 can be configured to use private networking.
Which setting should you change?
A. Memory (GiB)
B. Networking type
C. Number of CPU cores
D. OS type
E. SKU
D. OS type
Private networking for Azure Container Instances (deploying the container group into a virtual network subnet) is supported only for Linux container groups; with OS type set to Windows the Private option is greyed out in the portal. Networking type (B) is the setting that is unavailable, not the cause, so changing it is not an option until the OS type is Linux. CPU, memory and SKU do not affect the networking choice.
110
You have an Azure subscription that contains two peered virtual networks named VNet1 and VNet2.
You have a Network Virtual Appliance (NVA) named NetVA1.
You need to ensure that the traffic from VNet1 to VNet2 is inspected by using NetVA1.
What should you use?
A. a local network gateway
B. a route table that has custom routes
C. a service endpoint
D. IP address reservations
B. a route table that has custom routes
Peering creates a system route that sends VNet1 traffic straight to VNet2. To force it through NetVA1, you create a route table with a user-defined route whose address prefix is VNet2's address space and whose next hop type is Virtual appliance with the NVA's private IP address, then associate the route table with the VNet1 subnets whose traffic must be inspected. The NVA's NIC must have IP forwarding enabled, and if the NVA sits in the peered VNet, the peering needs "Allow forwarded traffic". A local network gateway describes an on-premises site for a VPN, a service endpoint routes traffic to a PaaS service, and IP reservations do not influence routing.
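The route table and the two settings that are easy to forget (IP forwarding on the NVA NIC, and not applying the route to the NVA's own subnet), as an added Az PowerShell example that is not part of the original deck. Resource group, region, subnet names, the NVA's address and VNet2's address space are all assumed.

```powershell
# Added example, not the deck's own content. Names and addresses are assumed.
$rg  = "RG-Net"
$loc = "eastus"
$nvaPrivateIp = "10.0.2.4"       # NetVA1's NIC, in its own subnet of VNet1 (assumed)
$vnet2Prefix  = "10.1.0.0/16"    # VNet2 address space (assumed)

# Route table for the VNet1 workload subnet: VNet2-bound traffic goes to the NVA
# instead of the peering's system route. BGP propagation is disabled so a later
# gateway cannot advertise a more specific route that bypasses the inspection.
$rt = New-AzRouteTable -ResourceGroupName $rg -Name "rt-vnet1-workload" -Location $loc `
    -DisableBgpRoutePropagation
Add-AzRouteConfig -RouteTable $rt -Name "to-vnet2-via-nva" -AddressPrefix $vnet2Prefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaPrivateIp | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# Associate it with the workload subnet only. Attaching it to the NVA's subnet would
# send the NVA's own forwarded packets back to itself.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "VNet1"
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "workload"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "workload" `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# The platform drops packets whose destination is not the NIC's own IP unless
# IP forwarding is enabled on the NVA's NIC.
$nvaNic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "NetVA1-nic"
$nvaNic.EnableIPForwarding = $true
$nvaNic | Set-AzNetworkInterface | Out-Null

# Verify from a workload VM's NIC: the VNet2 prefix should show next hop VirtualAppliance.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName "VM1-nic" |
    Where-Object { $_.AddressPrefix -contains $vnet2Prefix } |
    Select-Object Source, AddressPrefix, NextHopType, NextHopIpAddress
```

This only steers the VNet1 to VNet2 direction. For stateful inspection of replies, give the VNet2 subnets a matching route (prefix VNet1's address space, next hop the same NVA) and enable "Allow forwarded traffic" on VNet2's side of the peering, otherwise the return path bypasses the appliance.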