Az-104 - Question set 5 Flashcards

1
Q

Question 1: Part 4 in Notion

A

Box 1: an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.

Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by attacks that exploit commonly known vulnerabilities, so the requirement calls for an application gateway that uses the WAF tier.

2
Q

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.
What should you create?

A. three Azure Application Gateways and one On-premises data gateway
B. three virtual hubs and one virtual WAN
C. three virtual WANs and one virtual hub
D. three On-premises data gateways and one Azure Application Gateway

A

B. three virtual hubs and one virtual WAN

https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

3
Q

Question 2: Part 4 in Notion

A

Box 1: 5
A public and a private IP address can be assigned to a single network interface.
By default a NIC has one IP configuration, but nothing prevents a NIC from having more than one IP address. So the VM's NIC can carry the public and the private IP at the same time; you are not forced to have one NIC for the public IP and another NIC for the private IP.

Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

4
Q

Question 3: Part 4 in Notion

A

A. a frontend IP address

5
Q

Question 4: Part 4 in Notion

A

Correct Answer:

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

Both VM1 and VM2 are in the same VNet1, and VNet1 is linked to the adatum.com private zone (Private DNS Zone -> Settings -> Virtual network links).

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

6
Q

Question 5: Part 4 in Notion

A

Box 1: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions.

Box 2: NSG1
NSG flow logs record information about ingress and egress IP traffic through a network security group. Once flow logging is enabled on NSG1, the IP addresses that connect to the ILB can be seen in those logs.

Enabling diagnostics on the internal load balancer itself does not reveal the connecting IP addresses.
The internal load balancer here is a Basic one. A Basic load balancer can send its diagnostic data only to a storage account and exposes only activity logs, which do not record individual connections. So the NSG is needed to meet the requirement.

7
Q

Question 6: Part 4 in Notion

A

C. VNet3 and VNet4 only

8
Q

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
✑ The NVAs must run in an active-active configuration that uses automatic failover.
✑ The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Deploy a basic load balancer
B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
E. Add a frontend IP configuration, a backend pool, and a health probe
F. Add a frontend IP configuration, two backend pools, and a health probe

A

B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
F. Add a frontend IP configuration, two backend pools, and a health probe

9
Q

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named
VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?

A. Download and re-install the VPN client configuration package on Client1.
B. Select Allow gateway transit on VNet1.
C. Select Allow gateway transit on VNet2.
D. Enable BGP on VPNGW1

A

A. Download and re-install the VPN client configuration package on Client1

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

10
Q

Question 7: Part 4 in Notion

A

All three VMs are in VNET2. Auto registration is enabled for the private Azure DNS zone named contoso.com, which is linked to VNET2. So VM1, VM2 and VM3 will auto-register their host records in contoso.com.

None of the VMs will auto-register in the public Azure DNS zone named adatum.com. Public zones cannot be linked to a virtual network, and private IP addresses are not registered in a zone published on the internet (adatum.com).

Box 1: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 2: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 3: No
None of the VM will auto-register to the public Azure DNS zone named adatum.com

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

11
Q

Question 8: Part 4 in Notion

A

D. the subnets on VNet3 only

All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm

12
Q

Question 9: Part 4 in Notion

A

Step 1: Remove peering between VNet1 and VNet2
You can’t add address ranges to or delete address ranges from a virtual network’s address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

Step 2: Add the 10.33.0.0/16 address space to VNet1

Step 3: Recreate peering between VNet1 and VNet2

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

13
Q

Question 10: Part 4 in Notion

A

Box 1: Yes
You can move the storage account to RG2, but it stays in the West US region. You cannot change the region of an existing storage account; you would need to recreate it.

Box 2: Yes
You can move NIC1, which is attached to VM1 and to subnet1 of VNET1, to RG2, but it stays in the West US region. You can move a NIC to a different resource group or subscription by selecting (change) next to the resource group or subscription name. If you move the NIC to a new subscription, you must move all resources related to the NIC with it: if the network interface is attached to a virtual machine, you must also move the virtual machine and the other VM-related resources.

Box 3: No
You can move IP2 to RG1, as it is not associated with any other resource, but it stays in the East US region. The location does not change.

14
Q

You have an Azure web app named webapp1.
You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?

A. Deploy an internal load balancer
B. Peer VNET1 to another virtual network
C. Connect webapp1 to VNET1
D. Deploy an Azure Application Gateway

A

C. Connect webapp1 to VNET1

15
Q

Question 11: Part 4 in Notion

A

B. Start VM1.

The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.
The VM needs to be started.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

16
Q

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?

A. Floating IP (direct server return) to Disabled
B. Session persistence to None
C. Floating IP (direct server return) to Enabled
D. Session persistence to Client IP

A

D. Session persistence to Client IP

With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP or to Client IP and protocol.
Note:
✑ Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.
✑ Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

17
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
Does this meet the goal?

A. Yes
B. No

A

A. Yes

18
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389

✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol.
Does this meet the goal?

A. Yes
B. No

A

B. No

RDP uses TCP port 3389. The proposed rule allows only UDP 3389, so an inbound RDP connection still matches the DenyAllInBound default rule in NSG-Subnet1 and is dropped before it reaches the NIC (where NSG-VM1 likewise allows only UDP 3389). A rule permitting TCP 3389 has to be added explicitly.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network by default.
Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

19
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?

A. Yes
B. No

A

A. Yes

RDP uses TCP port 3389. Inbound traffic must be allowed by both the subnet NSG (NSG-Subnet1) and the NIC NSG (NSG-VM1); the existing custom rule in NSG-VM1 allows only UDP, so adding an allow rule for TCP 3389 to both NSGs lets the connection through.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network by default.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
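The three solutions in this series turn on two rules of NSG evaluation: for inbound traffic the subnet NSG and then the NIC NSG are both applied, and a rule matches only if the protocol matches. Here is an added Python model of that evaluation, written for these notes rather than taken from the exam or from Azure, that runs each of the three proposed solutions against an RDP (TCP 3389) connection from the internet. Rule names other than the question's UDP rule, the priority 110 used for the second rule in NSG-VM1, and the reduction of service tags to a label comparison are assumptions of the example.

```python
"""Inbound NSG evaluation for the RDP scenario above.

Added illustration written for these flashcards; it is not Azure's code.
Modelled rules (from the Azure NSG documentation): rules are evaluated in
priority order, lowest number first, and the first match decides; for
inbound traffic the subnet NSG is evaluated before the NIC NSG, and both
must allow the flow. Service tags are reduced to a label comparison.
Rule names other than the question's UDP rule, and priority 110, are
assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str      # 'Any', 'Internet', 'VirtualNetwork' or 'AzureLoadBalancer'
    dest: str        # 'Any' or 'VirtualNetwork'
    port: str        # '*' or a single destination port
    protocol: str    # 'TCP', 'UDP' or '*'
    allow: bool


# The three default inbound rules Azure adds to every NSG.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", True),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "Any", "*", "*", True),
    Rule("DenyAllInBound", 65500, "Any", "Any", "*", "*", False),
)


@dataclass
class Nsg:
    name: str
    custom: tuple = ()

    def rules(self):
        return sorted(self.custom + DEFAULT_INBOUND, key=lambda r: r.priority)


@dataclass(frozen=True)
class Flow:
    source: str      # 'Internet' or 'VirtualNetwork'
    port: int
    protocol: str


def _matches(rule, flow):
    src_ok = rule.source in ("Any", flow.source)
    dst_ok = rule.dest in ("Any", "VirtualNetwork")   # a VM NIC is always inside the VNet
    port_ok = rule.port == "*" or int(rule.port) == flow.port
    proto_ok = rule.protocol in ("*", flow.protocol)
    return src_ok and dst_ok and port_ok and proto_ok


def evaluate_nsg(nsg, flow):
    """Return (allowed, name of the first matching rule) for a single NSG."""
    for rule in nsg.rules():
        if _matches(rule, flow):
            return rule.allow, rule.name
    return False, "no-match"   # not reachable: DenyAllInBound matches everything


def inbound_allowed(flow, subnet_nsg=None, nic_nsg=None):
    """Subnet NSG first, then NIC NSG; a deny at either level ends evaluation."""
    trace = []
    for level, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            continue
        allowed, name = evaluate_nsg(nsg, flow)
        trace.append(f"{level}:{nsg.name}:{name}")
        if not allowed:
            return False, trace
    return True, trace


# The question's setup: NSG-VM1 carries a UDP 3389 allow rule at priority 100.
RDP_FROM_INTERNET = Flow("Internet", 3389, "TCP")
UDP_3389 = Rule("Allow-UDP-3389", 100, "Any", "Any", "3389", "UDP", True)


def solution_tcp_on_subnet_remove_nic_nsg():
    """Series question 1: TCP 3389 allow on NSG-Subnet1, NSG-VM1 removed from the NIC."""
    subnet = Nsg("NSG-Subnet1", (Rule("Allow-RDP", 100, "Any", "Any", "3389", "TCP", True),))
    return inbound_allowed(RDP_FROM_INTERNET, subnet_nsg=subnet)


def solution_udp_on_subnet():
    """Series question 2: UDP 3389 allow on NSG-Subnet1, NSG-VM1 unchanged."""
    subnet = Nsg("NSG-Subnet1", (Rule("Allow-RDP-UDP", 100, "Internet", "VirtualNetwork", "3389", "UDP", True),))
    return inbound_allowed(RDP_FROM_INTERNET, subnet_nsg=subnet, nic_nsg=Nsg("NSG-VM1", (UDP_3389,)))


def solution_tcp_on_both():
    """Series question 3: TCP 3389 allow added to both NSGs."""
    tcp = Rule("Allow-RDP", 110, "Internet", "VirtualNetwork", "3389", "TCP", True)
    return inbound_allowed(RDP_FROM_INTERNET, subnet_nsg=Nsg("NSG-Subnet1", (tcp,)),
                           nic_nsg=Nsg("NSG-VM1", (UDP_3389, tcp)))


if __name__ == "__main__":
    for fn in (solution_tcp_on_subnet_remove_nic_nsg, solution_udp_on_subnet, solution_tcp_on_both):
        print(fn.__name__, fn())
```

The trace returned with each verdict names the NSG and the rule that decided the flow, which is the same information Network Watcher's IP flow verify reports; the second solution fails at the subnet NSG's DenyAllInBound rule because the UDP rule never matches a TCP flow.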

20
Q

Question 12: Part 4 in Notion

A

1.add an address space
VNET1 has address space 10.2.0.0/16. To receive an IP from the 192.168.1.0/24 subnet, you must first define a new address space 192.168.0.0/16 and then the subnet 192.168.1.0/24 inside it.
2.add a subnet
VNET1 has address space 10.2.0.0/16 with subnet 10.2.0.0/24. To receive an address from 10.2.1.0/24, you only need to define a new subnet 10.2.1.0/24, because it already falls inside the existing address space.

21
Q

Question 13: Part 4 in Notion

A

A. 1

NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many subnets and NICs as you choose.

So, you can create 1 NSG and associate it with all 3 Subnets.

  • Allow web requests from the internet to VM3, VM4, VM5 and VM6: add an inbound rule that allows TCP 80 from the Internet to the static IP addresses of VM3, VM4, VM5 and VM6.
  • Allow all connections between VM1 and VM2: no rule is needed, because the default AllowVnetInBound rule already permits traffic within the VNet.
  • Allow Remote Desktop to VM1: add an inbound rule that allows TCP 3389 to VM1's static IP address.
  • Prevent all other network traffic to VNET1: no rule is needed, because every NSG ends with the default DenyAllInBound rule.
22
Q

Question 14: Part 4 in Notion

A

A. Remove Microsoft.Compute/virtualMachines from the policy.

The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to block.
Virtual Networks and Virtual Machines are prohibited.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

23
Q

Your company has an Azure subscription named Subscription1.
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
✑ The DNS Manager console
✑ Azure PowerShell
✑ Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.
What should you use?

A. Azure CLI
B. Azure PowerShell
C. the Azure portal
D. the DNS Manager console

A

A. Azure CLI

https://docs.microsoft.com/en-us/azure/dns/dns-import-export
- Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal.

PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new

24
Q

You have a public load balancer that balances ports 80 and 443 across three virtual machines named VM1, VM2, and VM3.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?

A. an inbound NAT rule
B. a new public load balancer for VM3
C. a frontend IP configuration
D. a load balancing rule

A

A. an inbound NAT rule

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
https://pixelrobots.co.uk/2017/08/azure-load-balancer-for-rds/

25
Q

Question 15: Part 4 in Notion

A

Box 1: Yes
Both VMs are in the same availability set.
Box 2: No
Both VMs are not part of any Availability Set or Scale Set.
Box 3: No
Both VMs are not part of any Availability Set or Scale Set.

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview

26
Q

Question 16: Part 4 in Notion

A

Correct Answer:

Box 1: Private
Box 2: Private

Only private DNS zones can be linked to virtual networks, so auto registration is possible only into a private zone. A VM auto-registers into any private DNS zone that is linked to its VNet with the auto registration option enabled.
To resolve the records of a private DNS zone from your virtual network, you must link the virtual network to the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone.

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
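Questions 4, 7 and 16 above all rest on the same handful of private DNS rules: only private zones can be linked to a VNet, a VM auto-registers only into a private zone linked to its VNet with auto registration on, a VNet can have auto registration enabled for at most one private zone, and any linked VNet can resolve every record in the zone. The following is an added Python model of those rules, written for these notes and not taken from Azure; the zone, VNet and VM names come from the questions, and the IP addresses are constructed.

```python
"""Model of Azure private DNS zone links, auto registration and resolution.

Added example for these flashcards (not Azure's code). Rules encoded:
only private zones can be linked to a virtual network; a VM registers
an A record only in private zones linked to its VNet with auto
registration enabled; a VNet may have auto registration enabled in at
most one private zone; any linked VNet can resolve all records of the
zone. Names follow the questions; the IP addresses are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    private: bool
    links: dict = field(default_factory=dict)     # vnet name -> auto registration on?
    records: dict = field(default_factory=dict)   # host name -> IP address

    def link(self, vnet, autoregistration=False):
        if not self.private:
            raise ValueError(f"{self.name} is a public zone; it cannot be linked to a virtual network")
        self.links[vnet] = autoregistration


@dataclass(frozen=True)
class Vm:
    name: str
    vnet: str
    private_ip: str


def validate_links(zones):
    """Azure allows a VNet to auto-register into only one private zone; return vnet -> zone."""
    auto_zone = {}
    for z in zones:
        for vnet, auto in z.links.items():
            if auto:
                if vnet in auto_zone:
                    raise ValueError(f"{vnet} already auto-registers into {auto_zone[vnet]}")
                auto_zone[vnet] = z.name
    return auto_zone


def register(vms, zones):
    """Create A records for every VM in each zone it auto-registers into; return zone names per VM."""
    validate_links(zones)
    result = {}
    for vm in vms:
        result[vm.name] = []
        for z in zones:
            if z.private and z.links.get(vm.vnet):   # linked AND auto registration enabled
                z.records[vm.name] = vm.private_ip
                result[vm.name].append(z.name)
    return result


def resolve(fqdn, from_vnet, zones):
    """Resolve host.zone from a VNet; succeeds only if that VNet is linked to the private zone."""
    host, _, zone_name = fqdn.partition(".")
    for z in zones:
        if z.name == zone_name and z.private and from_vnet in z.links:
            return z.records.get(host)
    return None


def scenario():
    """Question 7's setup plus a resolution-only link from VNET1 (an assumption of this example)."""
    contoso = Zone("contoso.com", private=True)
    adatum = Zone("adatum.com", private=False)
    contoso.link("VNET2", autoregistration=True)
    contoso.link("VNET1")                      # linked for resolution only
    vms = [Vm("VM1", "VNET2", "10.2.0.4"), Vm("VM2", "VNET2", "10.2.0.5"),
           Vm("VM3", "VNET2", "10.2.0.6")]
    zones = [contoso, adatum]
    registered = register(vms, zones)
    return registered, resolve("VM1.contoso.com", "VNET1", zones), resolve("VM1.contoso.com", "VNET3", zones)


if __name__ == "__main__":
    print(scenario())
```

Linking the public adatum.com zone raises ValueError, which is the model's way of stating that the answer to the "public or private" boxes can only be private; the unlinked VNET3 gets no answer for VM1.contoso.com even though the record exists.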

27
Q

Question 17: Part 4 in Notion

A

Create a gateway subnet
Create a VPN gateway
Create a local gateway
Create a VPN connection

Work from the Azure side first; each step depends on the one before it.

1 - Create the gateway subnet. The subnet must exist before a VPN gateway can be placed in it.

2 - Create the VPN gateway in that gateway subnet. (There are other steps in practice, but with the options available the Azure side is now configured.)

Now for the on-premises side.

3 - Create the local network gateway, which represents the on-premises VPN device and its address ranges. It must exist before the connection can reference it.

4 - Create the VPN connection between the VPN gateway and the local network gateway to complete the tunnel.
28
Q

Question 18: Part 4 in Notion

A

C. Associate the NSG to Subnet1

You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

29
Q

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?

A. Move VM1 to Subscription2.
B. Move VNet1 to Subscription2.
C. Modify the IP address space of VNet2.
D. Provision virtual network gateways.

A

D. Provision virtual network gateways

There is no overlap between the VNets:
VNet1: 10.0.0.0/16 - CIDR IP range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP range 10.10.0.0 - 10.10.0.255

Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can’t be connected.

You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don’t need to be associated with the same Active Directory tenant.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
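This question and Question 12 above both reduce to prefix arithmetic: does a wanted subnet fit inside the VNet's existing address space, and do two VNets' address ranges overlap. Here is an added Python example, not part of the original notes, that performs both checks with the standard library ipaddress module; the prefixes in the demo are the ones from the two questions.

```python
"""Prefix checks behind the VNet questions above.

Added example written for these notes (not Azure code); standard library
only. subnet_action() decides whether a VNet needs a new address space,
just a new subnet, or nothing before a VM can get an IP from a wanted
range; overlapping_prefixes() finds address ranges that would block
peering or a VNet-to-VNet connection. Demo prefixes are the questions'.
"""
import ipaddress


def subnet_action(vnet_prefixes, existing_subnets, wanted_subnet):
    """Return 'exists', 'add a subnet' or 'add an address space'."""
    want = ipaddress.ip_network(wanted_subnet)
    if any(want == ipaddress.ip_network(s) for s in existing_subnets):
        return "exists"
    # A subnet must sit inside one of the VNet's address prefixes.
    if any(want.subnet_of(ipaddress.ip_network(p)) for p in vnet_prefixes):
        return "add a subnet"
    return "add an address space"


def overlapping_prefixes(vnet_a, vnet_b):
    """Pairs (prefix_a, prefix_b) that overlap; an empty list means the VNets can be connected."""
    clashes = []
    for a in vnet_a:
        for b in vnet_b:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                clashes.append((a, b))
    return clashes


def address_range(prefix):
    """First and last address covered by a CIDR prefix."""
    net = ipaddress.ip_network(prefix)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    # Question 12: VNET1 is 10.2.0.0/16 with a single subnet 10.2.0.0/24.
    print(subnet_action(["10.2.0.0/16"], ["10.2.0.0/24"], "192.168.1.0/24"))  # add an address space
    print(subnet_action(["10.2.0.0/16"], ["10.2.0.0/24"], "10.2.1.0/24"))     # add a subnet
    # This question: VNet1 10.0.0.0/16 and VNet2 10.10.0.0/24 do not overlap.
    print(overlapping_prefixes(["10.0.0.0/16"], ["10.10.0.0/24"]))           # []
    print(address_range("10.10.0.0/24"))                                     # ('10.10.0.0', '10.10.0.255')
```

Running overlapping_prefixes before provisioning gateways catches the one condition that would make the whole connection impossible, and it generalises to VNets with several address prefixes each.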

30
Q

Question 19: Part 4 in Notion

A

A. Use managed disks
C. Availability options

31
Q

Question 20: Part 4 in Notion

A

Box 1: RG1, RG2, or RG3
The resource group stores metadata about the resources; when you specify a location for the resource group, you specify where that metadata is stored. The location of the resource group does not constrain the location of the VM. Best practice would be to create VM1 in RG1 because the scale set is in RG1, and Microsoft recommends that resources in a resource group share the same lifecycle.

Box 2: West US only
You can add the virtual machine to a scale set only in the same region, zone, and resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes

32
Q

Question 21: Part 4 in Notion

A

VNet1: Peered with VNet2 and VNet3
VNet2: Peered with VNet1
VNet3: Peered with VNet1

Box 1: VNET2 and VNET3
VNet1 is peered with VNet2 and VNet3. Also Gateway transit is disabled.

Box 2: VNET1 only
Gateway transit is disabled, so it can only communicate with the connected VNET1.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

33
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
Does this meet the goal?

A. Yes
B. No

A

B. No

Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

34
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You join Computer2 to Azure Active Directory (Azure AD).
Does this meet the goal?

A. Yes
B. No

A

B. No
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

35
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?

A. Yes
B. No

A

B. No

A resource lock only prevents resources from being deleted or modified; it cannot add a rule to an NSG when the NSG is created. Use Azure Policy with a custom policy definition instead, because there is no built-in policy for this requirement.

Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

36
Q

Question 22: Part 4 in Notion

A

D. Start VM1

Any resource with a dynamically assigned public IP address displays only the name you gave it, not an address, while the resource it is assigned to is offline; a static address is shown regardless of the resource state. So VM1 needs to be started.

A: The RDP rule already has the highest priority.
B: The network interface has already been added to VM1.
C: DenyAllInBound has the lowest priority (65500), so it does not override the RDP allow rule.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

37
Q

Question 23: Part 4 in Notion

A

D. Configure peering between VNET1, VNET2, and VNET3

Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.
Incorrect Answers:
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network.
Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

38
Q

Question 24: Part 4 in Notion

A

Box 1: No
NSG1 limits the traffic flowing into 172.16.2.0/24 (Subnet2), which hosts VM2.

Box 2: Yes
Since Network Watcher shows that traffic from VM1 to VM2 does not reach the TCP port, NSG1 is applied to VM2; it is not applied to VM1.

Box 3: Yes
In Network Watcher the next hop is the destination VM2 itself, which means the two VMs are part of the same virtual network.

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

39
Q

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?

A. Modify the address space of the local network gateway
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
C. Remove the public IP addresses from the virtual machines
D. Modify the address space of Subnet1

A

B. Create a deny rule in a network security group (NSG) that is linked to Subnet1

You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or
SSH protocol over the site-to-site VPN connection. You don’t have to allow direct RDP or SSH access over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices