az-104 dumps topic 6, 1-60 Flashcards

1
Q

You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the following table:
Name | Operating system | Auto-shutdown
VM1 | Windows Server 2012 R2 | Off
VM2 | Windows Server 2016 | 19:00
VM3 | Ubuntu Server 18.04 LTS | Off
VM4 | Windows 10 | 19:00
You plan to schedule backups to occur every night at 23:00.
Which virtual machines can you back up by using Azure Backup?
A. VM1 and VM3 only
B. VM1, VM2, VM3 and VM4
C. VM1 and VM2 only
D. VM1 only

A

B. VM1, VM2, VM3 and VM4
Azure Backup supports backup of:
- 64-bit Windows server operating system from Windows Server 2008.
- 64-bit Windows 10 operating system.
- 64-bit Ubuntu Server operating system from Ubuntu 12.04.
- VMs that are shut down or offline.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas https://docs.microsoft.com/en-us/azure/virtualmachines/linux/endorsed-distros

2
Q

You have an Azure subscription that contains a virtual machine named VM1.
You plan to deploy an Azure Monitor alert rule that will trigger an alert when CPU usage on VM1 exceeds 80 percent.
You need to ensure that the alert rule sends an email message to two users named User1 and User2.
What should you create for Azure Monitor?
A. an action group
B. a mail-enabled security group
C. a distribution group
D. a Microsoft 365 group

A

A. an action group

“Alerts consist of:
- Action groups
- Alert conditions
- User response
- Alert processing rules”
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview

3
Q

You have the Azure virtual machines shown in the following table:
Name | Azure Region
VM1 | West Europe
VM2 | West Europe
VM3 | North Europe
VM4 | North Europe
You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
What should you do first?
A. Create a new Recovery Services vault
B. Create a storage account
C. Configure the extensions for VM3 and VM4
D. Create a new backup policy

A

A. Create a new Recovery Services vault

VM3 and VM4 are in a different region from VM1 and VM2, so we need to create a new Recovery Services vault in the same region as VM3 and VM4. The storage account is created automatically by Azure.

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services.

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication

4
Q

You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.
Name | Member of
User1 | Group1
User2 | Group2
User3 | Group1
You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.
Name | Type | Users to notify
Ingress | Metric | User1 and User3 only
Egress | Metric | User1 only
Delete storage account | Activity log | User1, User2, and User3
Restore blob ranges | Activity log | User1 and User3 only
You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify?
Hot Area:
Alert rules: 1, 2, 3, 4
Action groups: 1, 2, 3, 4

A

Alert rules: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).
Action groups: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.

5
Q

You have an Azure subscription that contains the identities shown in the following table.
Name | Type | Member of
User1 | User | None
User2 | User | Group1
Principal1 | Managed identity | None
Principal2 | Managed identity | Group1
User1, Principal1, and Group1 are assigned the Monitoring Reader role.
An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role.
You create an alert rule named Alert1 that uses AG1.
You need to identify who will receive an email notification when Alert1 is triggered. Who should you identify?
A. User1 and Principal1 only
B. User1, User2, Principal1, and Principal2
C. User1 only
D. User1 and User2 only

A

D. User1 and User2 only

When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription’s role. Email is sent to Microsoft Entra ID user or group members of the role.
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager
Action Groups only supports emailing the following roles: Owner, Contributor, Reader, Monitoring Contributor, Monitoring Reader.

6
Q

You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup policy named Policy1 as shown in the exhibit.
Policy1
Backup schedule
Frequency Time Timezone
Daily 2:00am UTC
Retention range
Daily: at 2:00am for 5 days
Weekly: on Sunday at 2:00am for 20 weeks
Monthly: on 2 at 2:00am for 24 weeks
Yearly: in Jan on 9 at 2:00am for 24 months
You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM.
You need to identify the number of available recovery points for VM1. How many recovery points are available on January 8 and January 15?
January 8 at 2:00 PM (14:00): … 5, 6, 8, 9
January 15 at 2:00 PM (14:00): … 5, 8, 17, 19

A

January 8 at 2:00 PM (14:00): 6
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
January 15 at 2:00 PM (14:00): 8
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
Backups on the same day are counted as one.
Reference:
https://social.technet.microsoft.com/Forums/en-US/854ab6ae-79aa-4bad-ac65-471c4d422e94/daily-monthly-yearly-recovery-points-andstorage-used? forum=windowsazureonlinebackup

7
Q

You have the web apps shown in the following table.
Name | Web framework | Hosting environment
App1 | Microsoft ASP.NET | (1)
App2 | Microsoft ASP.NET Core | (2)
(1) An on-premises physical server that runs Windows Server 2019 and has Internet Information Services (IIS) configured
(2) An Azure virtual machine that runs Windows Server 2019 and has Internet Information Services (IIS) configured
You need to monitor the performance and usage of the apps by using Azure Application Insights. The solution must minimize modifications to the application code. What should you do on each app?
App1: …
App2: …
- Install the Log Analytics agent
- Install the Azure Monitor agent
- Use the Application Insights SDK
- Install the Application Insights Agent

A

App1: - Install the Application Insights Agent
App2: - Install the Application Insights Agent

There are two ways to enable application monitoring for on-premises, VM or App Service web apps:
- Auto-instrumentation by using the Application Insights Agent
- Manual instrumentation by installing the Application Insights SDK through code
Because the solution must minimize modifications to the code, the answer is the Application Insights Agent.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps

8
Q

You have an Azure virtual machine named VM1.
You use Azure Backup to create a backup of VM1 named Backup1.
After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1.
You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?
A. Modify the size of VM1.
B. Reset the password for the built-in administrator account.
C. Add a data disk.
D. Copy Budget.xls to Data.

A

D. Copy Budget.xls to Data.
Conclusion: VM size and password will not be overridden by the restore process. Add a data disk - the data disk will not be gone (deleted). It will be unmapped.
You will need to perform the changes again:
2. Copy the file.

Reference:
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore

9
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.
Name | Member of | Role assigned
User1 | Group1 | None
User2 | Group2 | None
User3 | Group1, Group2 | User administrator
You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)
Self service password reset enabled: None | [Selected] | All
Selected group: Group2
You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)
Number of methods required to reset: 1 | [2]
Methods available to users:
Mobile app notification
Mobile app code
Email
[Mobile phone]
Office phone
[Security questions]
Number of questions required to register: 3 | 4 | [5]
Number of questions required to reset: [3] | 4 | 5
Select security questions: 10 security questions selected
Yes/No:
After User2 answers three security questions correctly, he can reset his password immediately.
If User1 forgets her password, she can reset the password by using the mobile phone app.
User3 can add security questions to the password reset process.

A

After User2 answers three security questions correctly, he can reset his password immediately. - No, two methods are required.
If User1 forgets her password, she can reset the password by using the mobile phone app. - No, self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
User3 can add security questions to the password reset process. - Yes, as a User Administrator, User3 can add security questions to the reset process.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr https://docs.microsoft.com/en-us/azure/activedirectory/authentication/active-directory-passwords-faq

10
Q

Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company’s security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
What should you do?
A. Assign the User administrator role to User1.
B. From the Device settings blade, modify the Maximum number of devices per user setting.
C. Create a point-to-site VPN from the home network of User1 to Azure.
D. From the Device settings blade, modify the Users may join devices to Azure AD setting.

A

B. From the Device settings blade, modify the Maximum number of devices per user setting.

The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.
Incorrect Answers:
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.
D: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and None. The default is All.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal http://techgenix.com/pros-and-cons-azuread-join/

11
Q

You have two Azure App Service apps named App1 and App2. Each app has a production deployment slot and a test deployment slot.
The Backup Configuration settings for the production slots are shown in the following table.
App | Backup every | Start backup schedule from | Retention (days) | Keep at least one backup
App1 | 1 Days | January 6, 2021 | 0 | Yes
App2 | 1 Days | January 6, 2021 | 30 | Yes
Yes/No:
On January 15, 2021, App1 will have only one backup in storage.
On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021.
On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot.

A

On January 15, 2021, App1 will have only one backup in storage. - No
On January 15th you will have 9 backups as 0 day retention is defined as indefinite.
[How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.]
https://docs.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest

On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021. - No
The DevOps / Web apps backup in the questions only includes the production slot. One cannot restore a test slot from a production slot backup.
[If a slot is not specified, the API will create a backup for the production slot.]
https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/backup-slot

On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot. - Yes
January 6th backup will still be within the 30 days retention as of January 15th.

12
Q

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.
Name | Role
SecAdmin1 | Security administrator
BillAdmin1 | Billing administrator
User1 | Reports reader
You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
✑ Number of methods required to reset: 2
✑ Methods available to users: Mobile phone, Security questions
✑ Number of questions required to register: 3
✑ Number of questions required to reset: 3
You select the following security questions:
✑ What is your favorite food?
✑ In what city was your first job?
✑ What was the name of your first pet?
Yes/No:
SecAdmin1 must answer the following question during the self-service password reset: In what city was your first job?
BillAdmin1 must answer the following question during the self-service password reset: What is your favorite food?
User1 must answer the following question during the self-service password reset: What was the name of your first pet?

A

SecAdmin1 must answer the following question during the self-service password reset: In what city was your first job? - No
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can’t be changed.
With a two-gate policy, administrators don’t have the ability to use security questions.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.
BillAdmin1 must answer the following question during the self-service password reset: What is your favorite food? - No
User1 must answer the following question during the self-service password reset: What was the name of your first pet? - Yes

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

13
Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
Name | Role | Scope
User1 | Global administrator | Azure Active Directory
User2 | Global administrator | Azure Active Directory
User3 | User administrator | Azure Active Directory
User4 | Owner | Azure Subscription
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User1 to create the user accounts.
Does that meet the goal?
A. Yes
B. No

A

A. Yes
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

14
Q

You have an existing Azure subscription that contains 10 virtual machines.
You need to monitor the latency between your on-premises network and the virtual machines.
What should you use?
A. Service Map
B. Connection troubleshoot
C. Network Performance Monitor
D. Effective routes

A

C. Network Performance Monitor

Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

  • Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
  • Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
  • IP Flow - latency and network issues at the VM LEVEL
  • Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments.
15
Q

You have an Azure App Service plan named ASP1.
CPU usage for ASP1 is shown in the following exhibit.

[Exhibit: CPU Percentage chart for ASP1; image not included]

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
The average CPU percentage is calculated [answer choice] per day:
- once, - four times, - six times, - 24 times
ASP1 must be [answer choice] to optimize CPU usage:
- scaled up, - scaled down, - scaled out

A

The average CPU percentage is calculated [answer choice] per day: four times.
From the exhibit we see that the time granularity is 6 hours: Last 30 days (Automatic - 6 hours).

ASP1 must be [answer choice] to optimize CPU usage: scaled up.
This is app plan and VM so you scale up only.
Scale up when:
* You see that your workloads are hitting some performance limit such as CPU or I/O limits.
* You need to quickly react to fix performance issues that can’t be solved with classic database optimization.
* You need a solution that allows you to change service tiers to adapt to changing latency requirements.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-troubleshoot https://azure.microsoft.com/en-us/overview/scalingout-vs-scaling-up

16
Q

You have an Azure Linux virtual machine that is protected by Azure Backup.
One week ago, two files were deleted from the virtual machine.
You need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible.
Which four actions should you perform in sequence?

Download and run the script to mount a drive on the local computer
Select a restore point that contains the deleted files
From the Azure portal, click Restore VM from the vault
From the Azure portal, click File Recovery from the vault
Mount a VHD
Copy the files by using AZCopy
Copy the files by using File Explorer

A
  1. From the Azure portal, click File Recovery from the vault
  2. Select a restore point that contains the deleted files
  3. Download and run the script to mount a drive on the local computer
    Generate and download script to browse and recover files:
  4. Copy the files by using File Explorer
    After the disks are attached, use Windows File Explorer to browse the new volumes and files. The restore files functionality provides access to all files in a recovery point. Manage the files via File Explorer as you would for normal files.
    (restore As soon as possible. File explorer will be faster than AZCopy to blob storage and next to Windows 2016.)
    Reference:
    https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-les-from-vm https://docs.microsoft.com/en-us/azure/backup/backupazure-vms-automation#restore-les-from-an-azure-vm-backup
17
Q

You purchase a new Azure subscription named Subscription1.
You create a virtual machine named VM1 in Subscription1. VM1 is not protected by Azure Backup.
You need to protect VM1 by using Azure Backup. Backups must be created at 01:00 and stored for 30 days.
What should you do?
Location in which to store the backups: …
A blob container
A file share
A Recovery Services vault
A storage account
Object to use to configure the protection for VM1: …
A backup policy
A batch job
A batch schedule
A recovery plan

A

Location in which to store the backups: A Recovery Services vault.
You can set up a Recovery Services vault and configure backup for multiple Azure VMs.

Object to use to configure the protection for VM1: A backup policy
In Choose backup policy, do one of the following:
✑ Leave the default policy. This backs up the VM once a day at the time specified, and retains backups in the vault for 30 days.
✑ Select an existing backup policy if you have one.
✑ Create a new policy, and define the policy settings.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-rst-look-arm

18
Q

You have an Azure virtual machine named VM1.
Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1. Which target resource should you monitor in the alert rule?
A. virtual machine extension
B. virtual machine
C. metric alert
D. Azure Log Analytics workspace

A

D. Azure Log Analytics workspace
For the first step to create the new alert rule, under the Create Alert section, you are going to select your Log Analytics workspace as the resource, since this is a log-based alert signal.
The log data goes to the analytics workspace and it is from there that the alert is triggered.

Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-monitor

the Azure Monitor Agent (Not the Log Analytics agent since it will be deprecated by August 2024)

19
Q

You have an Azure subscription that contains 100 virtual machines.
You regularly create and delete virtual machines.
You need to identify unattached disks that can be deleted.
What should you do?
A. From Azure Cost Management, view Cost Analysis
B. From Azure Advisor, modify the Advisor configuration
C. From Microsoft Azure Storage Explorer, view the Account Management properties
D. From Azure Cost Management, view Advisor Recommendations

A

D. From Azure Cost Management, view Advisor Recommendations
From Home -> Cost Management + Billing -> Cost Management, scroll down on the options and select View Recommendations.
Azure Cost Management / Advisor - From here you will see the recommendations for your subscription, if you have orphaned disks, they will be listed.
Reference:
https://codeserendipity.com/2020/07/08/microsoft-azure-nd-unattached-disks-that-can-be-deleted-and-other-recommendations/

20
Q

You have an Azure web app named webapp1.
Users report that they often experience HTTP 500 errors when they connect to webapp1.
You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details. What should you do first?
A. From webapp1, enable Web server logging
B. From Azure Monitor, create a workbook
C. From Azure Monitor, create a Service Health alert
D. From webapp1, turn on Application Logging

A

A. From webapp1, enable Web server logging

Raw HTTP request data is provided by Web server logging and the question mentions 500 error codes.

You need to catch connection errors. When a connection fails, it happens on the web server, not within the application. You can enable this by opening the web application -> Application Service logs -> Web server logging (there are multiple switches there).

You can also see the errors live in the “Log stream” pane.

Web server logging (Windows; stored in the App Service file system or Azure Storage blobs): Raw HTTP request data in the W3C extended log file format. Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.

21
Q

You have an Azure web app named App1.
You need to monitor the availability of App1 by using a multi-step web test. What should you use in Azure Monitor?
A. Azure Service Health
B. Azure Application Insights
C. the Diagnostic settings
D. metrics

A

B. Azure Application Insights

Upload the web test -
1. In the Application Insights portal on the Availability pane select Add Classic test, then select Multi-step as the SKU.
2. Upload your multi-step web test.
3. Set the test locations, frequency, and alert parameters.
4. Select Create.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep

22
Q

You have an Azure subscription that has diagnostic logging enabled and is configured to send logs to a Log Analytics workspace.
You are investigating a service outage.
You need to view the event time, the event name, and the affected resources.
How should you complete the query?
… | where Level == 'Critical' | … TimeGenerated, OperationNameValue, ResourceId
1. - AzureActivity
- Heartbeat
- NetworkMonitoring
- Perf
2. - extend
- join
- print
- project

A

AzureActivity | where Level == 'Critical' | project TimeGenerated, OperationNameValue, ResourceId
1. - AzureActivity
The AzureActivity table has entries from the Azure activity log, which provides insight into subscription-level or management group-level events occurring in Azure.

Let’s see only Critical entries during a specific week.
The where operator is common in the Kusto Query Language. where filters a table to rows that match specific criteria. The following example uses multiple commands. First, the query retrieves all records for the table. Then, it filters the data for only records that are in the time range. Finally, it filters those results for only records that have a Critical level.
AzureActivity
| where TimeGenerated > datetime(10-01-2020) and TimeGenerated < datetime(10-07-2020)
| where Level == 'Critical'
Incorrect:
not Perf: The Perf table has performance data that’s collected from virtual machines that run the Log Analytics agent.

    • project
      Select a subset of columns: project. Use project to include only the columns you want. Building on the preceding example, let’s limit the output to certain columns:
      AzureActivity
      | where TimeGenerated > datetime(10-01-2020) and TimeGenerated < datetime(10-07-2020)
      | where Level == 'Critical'
      | project TimeGenerated, Level, OperationNameValue, ResourceGroup, _ResourceId
      Reference:
      https://github.com/MicrosoftDocs/dataexplorer-docs/blob/main/data-explorer/kusto/query/tutorial.md
23
Q

You have a Recovery Services vault named RSV1. RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14 days.
RSV1 performs daily backups of VM1. VM1 hosts a static website that was updated eight days ago.
You need to recover VM1 to a point eight days ago. The solution must minimize downtime. What should you do first?
A. Deallocate VM1.
B. Restore VM1 by using the Replace existing restore configuration option.
C. Delete VM1.
D. Restore VM1 by using the Create new restore configuration option.

A

B. Restore VM1 by using the Replace existing restore configuration option.
Replace existing:
You can restore a disk, and use it to replace a disk on the existing VM.
The current VM must exist. If it’s been deleted, this option can’t be used. Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.
The snapshot is copied to the vault, and retained in accordance with the retention policy.
After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren’t needed.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

(maybe D. create new)

Replace existing restore configuration: This option restores the backup directly onto the original VM, preserving its network settings and configurations.
Create new restore configuration: This option creates a new VM from the backup, requiring additional steps to update network settings, DNS, and other configurations to resume production service.

24
Q

You have an Azure subscription that contains the resources shown in the following table.
Name | Type
VM1 | Virtual machine
storage1 | Storage account
Workspace1 | Log Analytics workspace
DB1 | Azure SQL database
You plan to create a data collection rule named DCR1 in Azure Monitor.
Which resources can you set as data sources in DCR1, and which resources can you set as destinations in DCR1?
Data sources: …
- VM1 only
- VM1 and storage1 only
- VM1, storage1, and DB1 only
- VM1, storage1, Workspace1, and DB1
Destinations: …
- storage1 only
- Workspace1 only
- Workspace1 and storage1 only
- Workspace1, storage1, and DB1 only

A

Data sources: - VM1 only
It uses the Azure Monitor agent, which needs to be installed on a VM.
A virtual machine may have an association to multiple DCRs, and a DCR may have multiple virtual machines associated to it.
In the Resources tab, add the resources (virtual machines, virtual machine scale sets, Arc for servers) that should have the Data Collection Rule applied.

Destinations: - Workspace1 only
Data then gets sent to Workspace.
On the Destination tab, add one or more destinations for the data source. You can select multiple destinations of the same or different types, for instance multiple Log Analytics workspaces (i.e. “multi-homing”).
Note: Data Collection Rules (DCRs) improve on a few key areas of data collection from VMs, including better control and scoping of data collection (e.g. collect from a subset of VMs for a single workspace), collecting once and sending to both Log Analytics and Azure Monitor Metrics, sending to multiple workspaces (multi-homing for Linux), improved Windows event filtering, and improved extension management.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview

25
You have the role assignment file shown in the following exhibit.
[
  {
    "Scope": "/subscriptions/{id}",
    "DisplayName": "User1",
    "RoleDefinitionName": "Owner",
    ...
  },
  {
    "Scope": "/subscriptions/{id}/resourceGroups/RG2",
    "DisplayName": "User2",
    "RoleDefinitionName": "Owner",
    ...
  },
  {
    "Scope": "/subscriptions/{id}/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/VM1",
    "DisplayName": "User3",
    "RoleDefinitionName": "Owner",
    ...
  },
  {
    "Scope": "/subscriptions/{id}/resourceGroups/RG1",
    "DisplayName": "User4",
    "RoleDefinitionName": "Contributor",
    ...
  }
]
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
[Answer choice] assigned the Owner role for VM1:
- User3 is
- User3 and User4 are
- User1 and User3 are
- User1, User3, and User4 are
- User1, User2, User3, and User4
[Answer choice] can create a virtual machine in RG1:
- User1 and User4
- User1, User2, and User3
- User1, User2, and User4
- User1, User3, and User4
- User1, User2, User3, and User4
[Answer choice] assigned the Owner role for VM1: - User1 and User3 are
User1, being Owner of the subscription, is the Owner of every resource under it. He has full power to do anything under the subscription.
[Answer choice] can create a virtual machine in RG1: - User1 and User4
User1 - Owner of the subscription. (He can manage any resources in the subscription.)
User2 - Owner of RG2. (He can manage any resources in RG2.)
User3 - Owner of a single VM, VM1. (He can manage VM1 only.)
User4 - Contributor of RG1. (He can manage everything in RG1 and can even delete VMs in RG1, but cannot change RBAC.)
26
You have the following custom role-based access control (RBAC) role.
{
  "id": "b988327b-7dae-4d00-8925-1cc14fd68be4",
  "properties": {
    "roleName": "Role1",
    "assignableScopes": [
      "/subscriptions/{id}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscription/resourceGroups/resources/read",
          "Microsoft.Resources/subscription/resourceGroups/read",
          "Microsoft.Authorization/*/read",
          "Microsoft.Compute/*/read",
          "Microsoft.Authorization/*/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscription/resourceGroups/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/poweroff/action",
          "Microsoft.Compute/virtualMachines/deallocate/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Compute/virtualMachines/*",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
          "Microsoft.Network/networkinterfaces/*"
        ],
        "notAction": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action"
        ]
      }
    ]
  }
}
Yes/No
Users that are assigned Role1 can assign Role1 to users.
Users that are assigned Role1 can deploy new virtual machines.
Users that are assigned Role1 can set a static IP address on a virtual machine.
Users that are assigned Role1 can assign Role1 to users. - No (notAction = Authorization/elevateAccess/Action)
Users that are assigned Role1 can deploy new virtual machines. - Yes
Microsoft.Compute/virtualMachines/*: Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.
Users that are assigned Role1 can set a static IP address on a virtual machine. - Yes
Contributor (Microsoft.Resources/deployments/*) – Grants broader resource management, including networking changes.
27
You have an Azure subscription that contains the resources shown in the following table. Name Type Description VNET1 Virtual network Contains subnet1 and subnet2 subnet1 Subnet IP address space 10.3.0.0/24 subnet2 Subnet IP address space 10.4.0.0/24 NSG1 Network security group (NSG) None vm1 Virtual machine IP address 10.3.0.15 vm2 Virtual machine IP address 10.4.0.16 storage1 Storage account None NSG1 is configured as shown in the following exhibit. Yes/No VM1 can access storage1. VM2 can access VM1 by using the HTTPS protocol. The security rules for NSG1 apply to any virtual machine on VNET1.
VM1 can access storage1. - Yes VM2 can access VM1 by using the HTTPS protocol. - No The security rules for NSG1 apply to any virtual machine on VNET1. - No
28
You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1. On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1. You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2. You need to ensure that you can connect Client1 to VNet2. What should you do? A. Select Use the remote virtual network's gateway or Route Server on VNet1 to VNet2 peering. B. Select Use the remote virtual network's gateway or Route Server on VNet2 to VNet1 peering. C. Download and re-install the VPN client configuration package on Client1. D. Enable BGP on VPNGW1.
C. Download and re-install the VPN client configuration package on Client1. After a change in topology, the VPN client must be re-installed.
29
You have two Azure subscriptions named Sub1 and Sub2. Sub1 is in a management group named MG1. Sub2 is in a management group named MG2. You have the resource groups shown in the following table. Name Subscription RG1 Sub1 RG2 Sub2 You have the virtual machines shown in the following table. Name Resource Group VM1 RG1 VM2 RG2 VM3 RG2 You assign roles to users as shown in the following table. User Role Resource User1 Virtual Machine Contributor MG1 User1 Virtual Machine User Login Sub2 User2 Virtual Machine Contributor MG2 User2 Virtual Machine User Login Sub1 User2 Virtual Machine User Login VM3 Yes/No: User1 can sign in to VM1. User2 can manage disks and disk snapshots of VM1. User2 can manage disks and disk snapshots of VM3.
User1 can sign in to VM1. - Yes User2 can manage disks and disk snapshots of VM1. - No User2 can manage disks and disk snapshots of VM3. - No
30
You have an Azure Active Directory (Azure AD) tenant that is linked to 10 Azure subscriptions. You need to centrally monitor user activity across all the subscriptions. What should you use? A. Azure Application Insights Profiler B. access reviews C. Activity log filters D. a Log Analytics workspace
D. a Log Analytics workspace keywords are "centrally monitor" and "all subs" https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace Send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you: - Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.
31
You have an Azure subscription that contains a virtual machine named VM1. VM1 has an operating system disk named Disk1 and a data disk named Disk2. You need to back up Disk2 by using Azure Backup. Which three actions should you perform in sequence? Configure a managed identity Create an Azure Backup vault Create a Recovery Services vault Delegate permissions for the vault Create a backup policy and configure the backup
Create an Azure Backup vault Create a backup policy and configure the backup Configure a managed identity https://docs.microsoft.com/en-us/azure/backup/backup-managed-disks#:~:text=Review%20%2B%20create.-,Configure%20backup,-Azure%20Disk%20backup Azure Recovery Services vaults can protect the following types of datasources: Azure Virtual machines SQL in Azure VM Azure Files (Azure Storage) SAP HANA in Azure VM Azure Backup Server Azure Backup Agent DPM Azure Backup vaults can protect the following types of datasources: Azure Database for PostgreSQL servers Azure Blobs (Azure Storage) Azure Disks Kubernetes Service AVS Virtual machines
32
You have a subnet named Subnet1 that contains Azure virtual machines. A network security group (NSG) named NSG1 is associated to Subnet1. NSG1 only contains the default rules. You need to create a rule in NSG1 to prevent the hosts on Subnet1 from connecting to the Azure portal. The hosts must be able to connect to other internet hosts. To what should you set Destination in the rule? A. Application security group B. IP Addresses C. Service Tag D. Any
C. Service Tag You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints. Create inbound/outbound network security group rules to deny traffic to/from Internet and allow traffic to/from AzureCloud or other available service tags of specific Azure services. https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
33
You have an Azure App Service web app named App1. You need to collect performance traces for App1. What should you use? A. Azure Application Insights Profiler B. the Activity log C. the Deployment center D. the Diagnose and solve problems settings
B. the Activity log
34
You have an Azure subscription that contains the storage accounts shown in the following table. Name Kind Location storage1 StorageV2 Central US storage2 BlobStorage West US storage3 BlockBlobStorage West US storage4 FileStorage East US You deploy a web app named App1 to the West US Azure region. You need to back up App1. The solution must minimize costs. Which storage account should you use as the target for the backup? A. storage1 B. storage2 C. storage3 D. storage4
B. storage2 To minimize costs, you should use the storage account that is in the same region as the web app that you are backing up. In this case, the web app is in the West US region, so you should use storage2. Since we don't have the data structure to use block blob storage, correct answer is B, storage2.
35
You have an Azure subscription that is linked to an Azure AD tenant. The tenant contains two users named User1 and User2. The subscription contains the resources shown in the following table. Name Type Description RG1 Resource group None VM1 Virtual machine Created in RG1 The subscription contains the alert rules shown in the following table. Name Scope Condition Alert1 RG1 All Administrative operations Alert2 VM1 All Administrative operations The users perform the following actions: * User1 creates a new virtual disk and attaches the disk to VM1 * User2 creates a new resource tag and assigns the tag to RG1 and VM1 Which alert rules are triggered by each user? User1: ... User2: ... - No alert is triggered - Only Alert1 is triggered - Only Alert2 is triggered - Alert1 and Alert2 are triggered
User1: - Only Alert2 is triggered User2: - Alert1 and Alert2 are triggered
36
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template. You need to ensure that NGINX is available on all the virtual machines after they are deployed. What should you use? A. a Desired State Configuration (DSC) extension B. the New-AzConfigurationAssignment cmdlet C. Azure Application Insights D. a Microsoft Endpoint Manager device configuration profile
A. A Desired State Configuration (DSC) extension
37
You have an Azure subscription that contains eight virtual machines and the resources shown in the following table. Name Description storage1 Storage account storage2 Storage account KeyVault1 Key vault VNET1 Virtual network with a single subnet that has five virtual machines connected VNET2 Virtual network with a single subnet that has three virtual machines connected You need to configure access for VNET1. The solution must meet the following requirements: * The virtual machines connected to VNET1 must be able to communicate with the virtual machines connected to VNET2 by using the Microsoft backbone. * The virtual machines connected to VNET1 must be able to access storage1, storage2, and Azure AD by using the Microsoft backbone. What is the minimum number of service endpoints you should add to VNET1? A. 1 B. 2 C. 3 D. 5
B. 2 You create one Service Endpoint per Azure service per Vnet (Vnet-to-Vnet does not require nor can it be configured with service endpoints) Hence: 1 service endpoint for Vnet1 to Microsoft.Storage service 1 service endpoint for Vnet1 to Microsoft.KeyVault service https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
38
You need to configure an Azure web app named contoso.azurewebsites.net to host www.contoso.com. What should you do first? A. Create A records named www.contoso.com and asuid.contoso.com. B. Create a TXT record named asuid that contains the domain verification ID. C. Create a CNAME record named asuid that contains the domain verification ID. D. Create a TXT record named www.contoso.com that has a value of contoso.azurewebsites.net.
B. Create a TXT record named asuid that contains the domain verification ID. From that link: "To add a custom domain to your app, you need to verify your ownership of the domain by adding a verification ID as a TXT record with your domain provider." https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=subdomain%2Cazurecli
39
You have an Azure subscription that contains 10 network security groups (NSGs), 10 virtual machines, and a Log Analytics workspace named Workspace1. Each NSG is connected to a virtual machine. You need to configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected. What should you do first? A. Deploy Connection Monitor. B. Configure data collection endpoints. C. Configure a private link. D. Configure NSG flow logs.
D. Configure NSG flow logs. To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, you should first configure NSG flow logs. NSG flow logs provide information about traffic that is allowed or denied by an NSG. By configuring NSG flow logs, you will be able to monitor the traffic passing through your NSGs and detect any suspicious activity.
40
You have an Azure subscription named Sub1 that contains the resources shown in the following table. Name Description RG1 Resource group Action1 Action group that sends an email message to admin1@contoso.com Sub1 contains the following alert rule: * Name: Alert1 * Scope: All resource groups in Sub1 o Include all future resources * Condition: All administrative operations * Actions: Action1 Sub1 contains the following alert processing rule: * Name: Rule1 * Scope: Sub1 * Rule type: Suppress notifications * Apply the rule: On a specific time o Start: August 10, 2022 o End: August 13, 2022 If you create a resource group in Sub1 on August 11, 2022, Alert1 is listed in the Azure portal. If you create a resource group in Sub1 on August 12, 2022, an email message is sent to admin1@contoso.com. If you add a tag to RG1 on August 15, 2022, an email message is sent to admin1@contoso.com.
If you create a resource group in Sub1 on August 11, 2022, Alert1 is listed in the Azure portal. - Yes, "alert is listed" does not mean a notification If you create a resource group in Sub1 on August 12, 2022, an email message is sent to admin1@contoso.com. - No If you add a tag to RG1 on August 15, 2022, an email message is sent to admin1@contoso.com. - Yes
41
You have an Azure subscription that contains a storage account named storage1 in the North Europe Azure region. You need to ensure that when blob data is added to storage1, a secondary copy is created in the East US region. The solution must minimize administrative effort. What should you configure? A. operational backup B. object replication C. geo-redundant storage (GRS) D. a lifecycle management rule
B. object replication With GRS you can't choose the destination region, and for North Europe the paired region is West Europe, so the correct answer is object replication.
42
You have an Azure subscription that contains two Log Analytics workspaces named Workspace1 and Workspace2 and 100 virtual machines that run Windows Server. You need to collect performance data and events from the virtual machines. The solution must meet the following requirements: * Logs must be sent to Workspace1 and Workspace2. * All Windows events must be captured. * All security events must be captured. What should you install and configure on each virtual machine? A. the Azure Monitor agent B. the Windows Azure diagnostics extension (WAD) C. the Windows VM agent
A. the Azure Monitor agent https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.
43
You have an Azure subscription that contains a virtual machine named VM1 and an Azure function named App1. You need to create an alert rule that will run App1 if VM1 stops. What should you create for the alert rule? A. an application security group B. a security group that has dynamic device membership C. an action group D. an application group
C. an action group An action group is a collection of actions that are triggered by an Azure alert. In this scenario, you need to create an alert rule that will run App1 if VM1 stops, and for this purpose, you need to create an action group. An action group defines the set of actions to be taken when an alert is triggered, such as running an Azure function, sending an email, or creating an Azure ticket. By creating an action group and associating it with the alert rule, you can automate the process of running App1 if VM1 stops, without the need for manual intervention. This helps ensure that critical systems, such as App1, are automatically activated when necessary, improving the overall reliability and availability of your Azure services.
44
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses two ExpressRoute circuits that connect to two separate on-premises datacenters. You need to create a dashboard to display detailed metrics and a visual representation of the network topology. What should you use? A. Azure Monitor Network Insights B. a Data Collection Rule (DCR) C. Azure Virtual Network Watcher D. Log Analytics
A. Azure Monitor Network Insights https://learn.microsoft.com/en-us/azure/network-watcher/network-insights-overview Azure Monitor Network Insights provides a comprehensive and visual representation through topologies, of health and metrics for all deployed network resources, without requiring any configuration. It also provides access to network monitoring capabilities like Connection Monitor, flow logging for network security groups (NSGs), and Traffic Analytics. And it provides other network diagnostic features.
45
You deploy Azure virtual machines to three Azure regions. Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full mesh topology. Each subnet contains a network security group (NSG) that has defined rules. A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region. Which two options can you use to diagnose the issue? A. Azure Virtual Network Manager B. IP flow verify C. Azure Monitor Network Insights D. Connection troubleshoot E. effective security rules
B. IP flow verify D. Connection troubleshoot https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
46
You have an Azure subscription. You need to receive an email alert when a resource lock is removed from any resource in the subscription. What should you use to create an activity log alert in Azure Monitor? A. a resource, a condition, and an action group B. a resource, a condition, and a Microsoft 365 group C. a Log Analytics workspace, a resource, and an action group D. a data collection endpoint, an application security group, and a resource group
A. a resource, a condition, and an action group https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule You create an alert rule by combining: - The resources to be monitored. - The signal or telemetry from the resource. - Conditions. Then you define these elements for the resulting alert actions by using: - Alert processing rules - Action groups
47
You have an Azure subscription that contains the alerts shown in the following exhibit. Total alerts: 4 Critical: 0 Error: 0 Warning: 0 Informational: 0 Verbose: 4 Name Severity Alert condition User response Fired time Alert2 4-Verbose Fired New 4/29/2022, 2:09 PM Alert2 4-Verbose Fired New 4/29/2022, 2:09 PM Alert1 4-Verbose Fired Closed 4/29/2022, 2:04 PM Alert1 4-Verbose Fired Closed 4/29/2022, 2:04 PM Dropdowns: For Alert1, User response [answer choice]: - cannot be changed - can be changed to New only - can be changed to Acknowledged only - can be changed to New or Acknowledged For Alert2, User response [answer choice]: - cannot be changed - can be changed to Acknowledged only - can be changed to Closed only - can be changed to Acknowledged or Closed
For Alert1, User response [answer choice]: cannot be changed For Alert2, User response [answer choice]: can be changed to Acknowledged or Closed
48
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit: Policy name: Policy1 Backup schedule Frequency Time Timezone Daily 11:00pm UTC Instant Restore: retain instant recovery snapshots for [2] days Retention range Daily: 11:00pm for 30 days Weekly: on Sunday at 11:00pm for 10 weeks Monthly: on 1 at 11:00pm for 36 months Yearly: in March on 1 at 11:00pm for 10 years Dropdowns: The backup that occurs on Sunday, March 1, will be retained for [answer choice]. The backup that occurs on Sunday, November 1, will be retained for [answer choice]. - 30 days - 10 weeks - 36 months - 10 years
The backup that occurs on Sunday, March 1, will be retained for [answer choice]: - 10 years The backup that occurs on Sunday, November 1, will be retained for [answer choice]. - 36 months
49
You have an Azure subscription that contains the vaults shown in the following table. Name Type Recovery1 Recovery Services vault Backup1 Azure Backup vault You deploy the virtual machines shown in the following table. Name Operating system Security Configuration VM1 Windows Server Azure Disk Encryption VM2 Linux Trusted launch You have the backup policies shown in the following table. Name Type In vault Policy1 Standard Recovery1 Policy2 Enhanced Recovery2 Policy3 Not applicable Backup1 Yes/No: VM1 can be backed up by using Policy1. VM2 can be backed up by using Policy3. VM2 can be backed up by using Policy2.
VM1 can be backed up by using Policy1. - Yes VM1 is a Windows Server, and Policy1 is in the Recovery Services vault (Recovery1). This is compatible for backing up VM1. VM2 can be backed up by using Policy3. - No Azure Backup vaults do not support backing up Azure virtual machines. *Azure Backup vaults can protect the following types of datasources: 1- Azure Disks 2- Azure Blobs (Azure Storage) 3- Azure Database for PostgreSQL servers 4- Kubernetes services VM2 can be backed up by using Policy2. - Yes(?) (even though Recovery2 doesn't exist?) Enhanced policy supports Trusted Launch. You must enable backup of Trusted Launch VM through enhanced policy only. https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-enhanced-policy?tabs=azure-portal
50
You have an Azure subscription. The subscription contains virtual machines that connect to a virtual network named VNet1. You plan to configure Azure Monitor for VM Insights. You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1. What should you create first? A. a data collection rule (DCR) B. a Log Analytics workspace C. an Azure Monitor Private Link Scope (AMPLS) D. a private endpoint
C. an Azure Monitor Private Link Scope (AMPLS) With Private Link you can: -Connect privately to Azure Monitor without opening up any public network access. -Ensure your monitoring data is only accessed through authorized private networks. -Prevent data exfiltration from your private networks by defining specific Azure Monitor resources that connect through your private endpoint. -Securely connect your private on-premises network to Azure Monitor by using Azure ExpressRoute and Private Link. -Keep all traffic inside the Azure backbone network. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security#advantages The first thing you need to create is an Azure Monitor Private Link Scope (AMPLS). This will define the scope of the Azure Monitor resources that the virtual machines in VNet1 will be able to communicate with. Once you have created the AMPLS, you can create a private endpoint for VNet1 to connect to Azure Monitor. The private endpoint will allow the virtual machines in VNet1 to communicate with Azure Monitor directly, without having to go through the public internet. Finally, you can create a data collection rule (DCR) to enable VM Insights on the virtual machines in VNet1. The DCR will tell Azure Monitor to collect data from the virtual machines and send it to the Log Analytics workspace.
51
You have an Azure subscription that contains the vaults shown in the following table. Name Type Backup1 Backup vault Recovery1 Recovery Services vault You create a storage account that contains the resources shown in the following table. Name Type cont1 Blob container share1 File share To which vault can you back up cont1 and share1? cont1: ... share1: ... - Backup1 only - Recovery1 only - Backup1 or Recovery1 - Cannot be backed up to Backup1 or Recovery1
cont1: - Backup1 only share1: - Recovery1 only Blob containers are backed up to Azure Backup vaults Azure Files are backed up to Azure Recovery Services vaults https://learn.microsoft.com/en-us/answers/questions/405915/what-is-difference-between-recovery-services-vault
52
You have an Azure subscription that contains an Azure Stream Analytics job named Job1. You need to monitor input events for Job1 to identify the number of events that were NOT processed. Which metric should you use? A. Out-of-Order Events B. Output Events C. Late Input Events D. Backlogged Input Events
D. Backlogged Input Events Number of input events that are backlogged. A nonzero value for this metric implies that your job can't keep up with the number of incoming events. If this value is slowly increasing or is consistently nonzero, you should scale out your job. To learn more, see Understand and adjust streaming units. Out-of-Order Events Number of events received out of order that were either dropped or given an adjusted time stamp, based on the event ordering policy. This metric can be affected by the configuration of the Out-of-Order Tolerance Window setting. Output Events Amount of data that the Stream Analytics job sends to the output target, in number of events. Late Input Events Events that arrived later than the configured tolerance window for late arrivals. Learn more about Azure Stream Analytics event order considerations. Reference: https://learn.microsoft.com/en-us/azure/stream-analytics/stream-analytics-job-metrics
53
You have an Azure subscription that contains an Azure SQL database named DB1. You plan to use Azure Monitor to monitor the performance of DB1. You must be able to run queries to analyze log data. Which destination should you configure in the Diagnostic settings of DB1? A. Send to a Log Analytics workspace. B. Archive to a storage account. C. Stream to an Azure event hub.
A. Send to a Log Analytics workspace. This option allows you to send the diagnostic logs to a Log Analytics workspace, which serves as a central repository for log data. You can then run queries and perform analysis on the log data using Azure Monitor Logs.
54
You have an Azure subscription. The subscription contains virtual machines that run Windows Server. You have a data collection rule (DCR) named Rule1. You plan to use the Azure Monitor Agent to collect events from Windows System event logs. You only need to collect system events that have an ID of 1001. Which type of query should you use for the data source in Rule1? A. SQL B. XPath C. KQL
B. XPath Whilst you can use KQL to filter for events with ID 101, this implies that the Data Collection Rule ingests all events into the Log Analytics Workspace, thus driving up costs. This question specifically asks for the data source configuration as part of creating Rule1. If you are only interested in Event ID 1001 you should filter it from the start, when configuring the Data Collection Rule. To do that, you must use an XPath query. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal#filter-events-using-xpath-queries
55
You have an Azure subscription that contains a virtual machine named VM1. You have an on-premises datacenter that contains a domain controller named DC1. ExpressRoute is used to connect the on-premises datacenter to Azure. You need to use Connection Monitor to identify network latency between VM1 and DC1. What should you install on DC1? A. the Azure Connected Machine agent for Azure Arc-enabled servers B. the Azure Network Watcher Agent virtual machine extension C. the Log Analytics agent D. an Azure Monitor agent extension
D. an Azure Monitor agent extension
56
You have an Azure subscription that has Traffic Analytics configured. You deploy a new virtual machine named VM1 that has the following settings: * Region: East US * Virtual network: VNet1 * NIC network security group: NSG1 You need to monitor VM1 traffic by using Traffic Analytics. Which settings should you configure? A. Diagnostic settings for VM1 B. NSG flow logs for NSG1 C. Diagnostic settings for NSG1 D. Insights for VM1
B. NSG flow logs for NSG1 NSG flow logs are a feature of Azure Network Watcher that allows logging of information about IP traffic flowing through a network security group. This data can be used by Traffic Analytics to analyze network traffic in your environment. By enabling NSG flow logs for NSG1, the Network Security Group associated with VM1, you would be able to monitor the traffic of VM1 using Traffic Analytics https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-tutorial
57
You have an Azure subscription. The subscription contains 10 virtual machines that run Windows Server. Each virtual machine hosts a website in IIS and has the Azure Monitor Agent installed. You need to collect the IIS logs from each virtual machine and store them in a Log Analytics workspace. What should you configure first? A. a data collection endpoint B. an Azure Monitor Private Link Scope (AMPLS) C. Diagnostic settings D. VM insights E. a private endpoint
C. Diagnostic settings
- Data Collection Endpoint: Used for custom data collection endpoints.
- Diagnostic Settings: Used to configure the collection of logs and metrics from virtual machines.
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings?tabs=portal
"Logs and metrics to route: For logs, either choose a category group or select the individual checkboxes for each category of data you want to send to the destinations specified later. The list of categories varies for each Azure service. Select AllMetrics if you want to store metrics in Azure Monitor Logs too."
58
You have an Azure subscription that contains two storage accounts named contoso101 and contoso102.
The subscription contains the virtual machines shown in the following table.
Name Connected to Public IP address SKU
VM1 VNET1/Subnet1 Basic
VM2 VNET1/Subnet2 Standard
VNet1 has service endpoints configured as shown in the Service endpoints exhibit. (Click the Service endpoints tab.)
VNet1 | Service endpoints
Service Subnet Status Locations
Microsoft.AzureActiveDirectory Subnet2 Succeeded *
Microsoft.Storage Subnet1 Succeeded *
The Microsoft.Storage service endpoint has the service endpoint policy shown in the Microsoft.Storage exhibit. (Click the Microsoft.Storage tab.)
Create a service endpoint policy [Review + create]
Basics
Subscription: Azure Pass - Sponsorship
Resource group: RG1
Region: East US
Name: Policy1
Resources
Microsoft.Storage: contoso101 (Storage account)
Yes/No
- VM1 can access contoso102.
- VM2 can access contoso101.
- VM2 uses a private IP address to access Azure AD.
VM1 can access contoso102. - No
VM1 is in VNET1/Subnet1; traffic is limited by the endpoint policy to ONLY contoso101 (see Ref1).
VM2 can access contoso101. - Yes
VM2 is in Subnet2; there's no service endpoint for Subnet2, so it will reach out to it through the service public IP. There's no mention that storage accounts are configured to limit traffic to the VNET1 address space, so we assume it's not configured.
VM2 uses a private IP address to access Azure AD. - No
It uses a public IP. Microsoft.AzureActiveDirectory is used only for supporting data lake storage, not for connecting to Azure AD; Entra doesn't support service endpoints.
Ref1: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#configuration
Ref2: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#limitations
From Ref2: "The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Microsoft Entra ID doesn't support service endpoints natively."
From Ref1: "When Service Endpoint policies are applied on a subnet, the Azure Storage Service Endpoint scope gets upgraded from regional to global. This process means that all the traffic to Azure Storage is secured over service endpoint thereafter. The Service endpoint policies are also applicable globally. Any storage accounts that aren't explicitly allowed are denied access. You can apply multiple policies to a subnet. When multiple policies are associated to the subnet, virtual network traffic to resources specified across any of these policies are allowed. Access to all other service resources, not specified in any of the policies, are denied."
59
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics in Azure Network Watcher to monitor virtual machine traffic.
Which two resources should you create?
A. a Log Analytics workspace
B. an Azure Monitor workbook
C. a storage account
D. a Microsoft Sentinel workspace
E. a Data Collection Rule (DCR) in Azure Monitor
A. a Log Analytics workspace - yes
C or E
C. a storage account
E. a Data Collection Rule (DCR) in Azure Monitor
E. A Data Collection Rule (DCR) in Azure Monitor - You need to create a Data Collection Rule within Azure Monitor to specify what data should be collected and sent to the Log Analytics workspace, including the network traffic data for Traffic Analytics.
The Azure subscription already has VMs -> so it already has a storage account - ???
To use Traffic Analytics in Azure Network Watcher, you need to create a Log Analytics workspace and a storage account. A Log Analytics workspace is a cloud-based repository that collects and stores data from various sources, such as NSG flow logs. A storage account is a container that provides a unique namespace to store and access your data objects in Azure Storage. You need to enable NSG flow logs and configure them to send data to both the Log Analytics workspace and the storage account. Traffic Analytics analyzes the NSG flow logs and provides insights into traffic flow in your Azure cloud.