LearnMicrosoft - AZ 500 Practice Exam Flashcards
Your company has an Azure subscription and an Amazon Web Services (AWS) account. You plan to deploy Kubernetes to AWS. You need to ensure that you can use Azure Monitor insights to monitor container workload performance. What should you deploy first?
A. AKS Engine
B. Azure Arc-enabled Kubernetes
C. Azure Container Instances
D. Azure Kubernetes Service (AKS)
E. Azure Stack HCI
B. Azure Arc-enabled Kubernetes
Explanation:
Azure Arc-enabled Kubernetes is the only configuration that includes Kubernetes and can be deployed to AWS.
You have an Azure subscription that contains a virtual machine named VM1. VM1 is configured with just-in-time (JIT) VM access.
You need to request access to VM1.
Which PowerShell cmdlet should you run?
Select only one answer.
A. Add-AzNetworkSecurityRuleConfig
B. Get-AzJitNetworkAccessPolicy
C. Set-AzJitNetworkAccessPolicy
D. Start-AzJitNetworkAccessPolicy
D. Start-AzJitNetworkAccessPolicy
Explanation:
The start-AzJitNetworkAccesspolicy PowerShell cmdlet is used to request access to a JIT-enabled virtual machine. Set-AzJitNetworkAccessPolicy is used to enable JIT on a virtual machine. Get-AzJitNetworkAccessPolicy and Add-AzNetworkSecurityRuleConfig are not used to start a request access.
You have an Azure subscription.
You plan to use the az aks create command to deploy an Azure Kubernetes Service (AKS) cluster named AKS1 that has Microsoft Entra integration.
You need to ensure that local accounts cannot be used on AKS1.
Which flag should you use with the command?
Select only one answer.
A. disable-local-accounts
B. generate-ssh-keys
C. kubelet-config
D. windows-admin-username
A. disable-local-accounts
Explanation:
When deploying an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Microsoft Entra integration, –admin access still exists essentially as a non-auditable backdoor option. To disable local accounts on an AKS cluster, you should use the –disable-local-accounts flag with the az aks create command. The remaining options do not remove local accounts.
You need to enable encryption at rest by using customer-managed keys (CMKs).
Which two services support CMKs? Each correct answer presents a complete solution.
Select all answers that apply.
A. Azure Blob storage
B. Azure Disk Storage
C. Azure Files
D. Azure NetApp Files
E. Log Analytics workspace
A. Azure Blob storage
C. Azure Files
Explanation:
Blob storage and Azure Files both support customer managed keys. Azure Disk Storage, Azure NetApp Files and Data Lake Storage do not support customer managed keys
You have a storage account that contains multiple containers, blobs, queues, and tables.
You need to create a key to allow an application to access only data from a given table in the storage account.
Which authentication method should you use for the application?
Select only one answer.
A. SAS
B. shared
C. service SAS
D. user delegation SAS
C. service SAS
Explanation:
A SAS service is the only type of authentication that provides control at the table level. User delegation SAS is only available for Blob storage. SAS and shared allow access to the entire storage account.
You have a Microsoft Entra tenant that syncs with the on-premises Active Directory Domain Service (AD DS) domain and uses Microsoft Entra Domain Services.
You have an application that runs on user devices by using the credentials of the signed-in user. The application accesses data in Azure Files by using REST calls.
You need to configure authentication for the application in Azure Files by using the most secure authentication method.
Which authentication method should you use?
Select only one answer.
A. Microsoft Entra
B. SAS
C. shared key
D. on-premises Active Directory Domain Service (AD DS)
B. SAS
Explanation:
A SAS is the most secure way to access Azure Files by using REST calls. A shared key allows any user with the key to access data. Microsoft Entra and Active Directory Domain Service (AD DS) are unsupported for REST calls.
You need to implement access control for Azure Files. The solution must provide the highest level of security.
What should you use?
Select only one answer.
A. Microsoft Entra
B. a storage account key
C. SAS
A. Microsoft Entra
Explanation:
Entra is supported by Azure Files and follows the principle of least privilege. SAS is unsupported by Azure Files. A storage account key is supported by Azure Files, but it does not follow the principle of least privilege
You have an Azure Storage account.
You plan to prevent the use of shared keys by using Azure Policy.
Which two access methods will continue to work? Each correct answer presents a complete solution.
Select all answers that apply.
A. SAS account SAS
B. service SAS
C. Storage Blob Data Reader role
D. user delegation
C. Storage Blob Data Reader role
D. user delegation
Explanation:
The Storage Blob Data Reader role uses Microsoft Entra to authenticate. User delegation SAS is a method that uses Entra to generate a SAS. Both methods work whether the shared keys are allowed or prevented. Service SAS and account SAS use shared keys to generate
You need to allow only Microsoft Entra-authenticated principals to access an existing Azure SQL database.
Which three actions should you perform? Each correct answer presents part of the solution.
Select all answers that apply.
A. Add a Microsoft Entra administrator.
B. Assign your account the SQL Security Manager built-in role.
C. Connect to the database by using Microsoft SQL Server Management Studio (SSMS).
D. Connect to the database by using the Azure portal.
E, Select Support only Microsoft Entra authentication for this server.
A. Add a Microsoft Entra administrator.
B. Assign your account the SQL Security Manager built-in role.
D. Connect to the database by using the Azure portal.
Explanation:
Adding a Microsoft Entra administrator and assigning your account the SQL Security Manager built-in role are prerequisites for enabling Microsoft Entra-only authentication. Selecting Support only Microsoft Entra authentication for this server enforces the Azure SQL logical server to use Microsoft Entra authentication. A connection to the data plane of the logical server is not needed.
You have an Azure SQL database that contains sensitive information.
You need to ensure that when sensitive information is queried by operators, the data is not fully displayed.
What should you enable for the database?
Select only one answer.
A. Always Encrypted
B. dynamic data masking
C. symmetric key encryption
D. Transparent Data Encryption (TDE)
B. dynamic data masking
Explanation:
Dynamic data masking masks the data from users. TDE still allows users managing the database to see the data. Always Encrypted saves the encrypted data and only the client driver can decrypt it. Symmetric key encryption uses keys stored in a SQL database, not the client application
You plan to provide connectivity between Azure and your company’s datacenter.
You need to define how to establish the connection. The solution must meet the following requirements:
All traffic between the datacenter and Azure must be encrypted.
Bandwidth must be between 10 and 100 Gbps.
What should you use for the connection?
Select only one answer.
A. Azure VPN Gateway
B. ExpressRoute Direct
C. ExpressRoute with a provider
D. VPN Gateway with Azure Virtual WAN
B. ExpressRoute Direct
Explanation:
ExpressRoute Direct can have up to 100 Gbps and use MACSec for Layer 2 encryption. ExpressRoute with a provider does not allow for MACSec encryption and can only use up to 10 Gbps. VPN Gateway and VPN Gateway with Virtual WAN cannot support a bandwidth over 1 Gbps.
You have an Azure virtual network named VNet1. VNet1 is in a resource group named RG1. VNet1 contains the following two subnets:
Subnet1: 10.0.1.0/24
Subnet2: 10.0.2.0/24
You need to configure access to a storage account named sa1 in a resource group named RG2. The solution must ensure that sa1 can only be accessed from Subnet2.
What should you run?
Select only one answer.
A. az network nsg rule create -g RG1 –nsg-name NSG1 -n RULE1 –priority 400 –source-address-prefixes VirtualNetwork –destination-address-prefixes Storage –destination-port-ranges ‘’ –direction Outbound –access Allow –protocol Tcp
B. az network nsg rule create -g RG1 –nsg-name NSG1 -n RULE1 –priority 400 –source-address-prefixes VirtualNetwork –destination-address-prefixes Storage –destination-port-ranges ‘’ –direction Outbound –access Allow –protocol Udp
C. az storage account network-rule add –resource-group “RG1” –account-name “SA1” –ip-address “10.0.2.0”
D. az storage account network-rule add –resource-group “RG2” –account-name “SA1” –ip-address “10.0.2.0/24” az storage account update –default-action deny –name sa1 –resource-group RG2
D. az storage account network-rule add –resource-group “RG2” –account-name “SA1” –ip-address “10.0.2.0/24” az storage account update –default-action deny –name sa1 –resource-group RG2
Explanation:
The correct CLI command adds a rule to allow access from the 10.0.2.0/24 subnet to the storage account. The resource group should be for RG2, not RG1. The CLI commands that create network security group (NSG) rules simply allow the entire virtual network to send requests to all storage endpoints.
You are operating in a cloud-only environment. Users have computers that run either Windows 10 or 11. The users are located across the globe.
You need to secure access to a point-to-site (P2S) VPN by using multi-factor authentication (MFA).
Which authentication method should you implement?
Select only one answer.
A. Authenticate by using Active Directory Domain Services (AD DS).
B. Authenticate by using native Microsoft Entra authentication.
C. Authenticate by using native Azure certificate-based authentication.
D. Authenticate by using RADIUS.
B. Authenticate by using native Microsoft Entra authentication.
Explanation:
With Microsoft Entra authentication, you can configure a Conditional Access policy that grants access and requires MFA. During authentication, Azure VPN Gateway acts as a pass-through and forwards authentication messages back and forth between the authentication server and the connecting device. Azure certificate-based authentication does not include interactive authentication.
You have an Azure subscription that contains the following resources:
A virtual machine named VM1 that has a network interface named NIC1
A virtual network named VNet1 that has a subnet named Subnet1
A public IP address named PubIP1
A load balancer named LB1
You create a network security group (NSG) named NSG1.
To which two resources can you associate NSG1? Each correct answer presents a complete solution.
Select all answers that apply.
A. LB1
B. NIC1
C. PubIP1
D. Subnet1
E. VM1
F. VNet1
B. NIC1
D. Subnet1
Explanation:
You can associate an NSG to a virtual network subnet and network interface only. You can associate zero or one NSGs to each virtual network subnet and network interface on a virtual machine. The same NSG can be associated to as many subnets and network interfaces as you choose.
You have an Azure subscription that contains the following resources:
Storage accounts
Virtual machines
Azure Firewall
Azure Key Vault
Azure SQL databases
Which three resources support service endpoints? Each correct answer presents a complete solution.
Select all answers that apply.
A. Azure Firewall
B. Azure Key Vault
C. Azure SQL databases
D. storage accounts
E. virtual machines
B. Azure Key Vault
C. Azure SQL databases
D. storage accounts
Explanation:
You can configure service endpoints for Azure Storage, Key Vault, and Azure SQL Database. You cannot configure service endpoints for virtual machines and Azure Firewall.
ou have an Azure subscription that contains the following resources:
Two virtual networks
VNet1: Contains two subnets
VNet2: Contains three subnets
Virtual machines: Connected to all the subnets on VNet1 and VNet2
A storage account named storage1
You need to identify the minimal number of service endpoints that are required to meet the following requirements:
Virtual machines that are connected to the subnets of VNet1 must be able to access storage1 over the Azure backbone.
Virtual machines that are connected to the subnets of VNet2 must be able to access Microsoft Entra tenant over the Azure backbone.
How many service endpoints should you recommend?
Select only one answer.
A. 2
B. 3
C. 4
D. 5
D. 5
Explanation:
A service endpoint is configured for a specific server at the subnet level. Based on the requirements, you need to configure two service endpoints for Microsoft.Storage on VNet1 because VNet1 has two subnets and three service endpoints for Microsoft.AzureActiveDirectory on VNet2 because VNet2 has three subnets. The minimum number of service endpoints that you must configure is five.
You have an Azure subscription that contains a virtual machine named VM1 and a storage account named storage1.
You need to ensure that VM1 can access storage1 over the Azure backbone network.
What should you implement?
Select only one answer.
A. a subnet
B. a VPN gateway
C. private endpoints
D. service endpoints
D. service endpoints
Explanation:
Service endpoints route the traffic inside of Azure backbone, allowing access to the entire service, for example, all Microsoft SQL servers or the storage accounts of all customers. Private endpoints provide access to a specific instance. A subnet does not allow isolation or route traffic to the Azure backbone. A VPN gateway does not allow traffic isolation to all resources.
You have an Azure subscription that contains the following resources:
A web app named WebApp1 in the West US Azure region
A virtual network named VNet1 in the West US 3 Azure region
You need to integrate WebApp1 with VNet1.
What should you implement first?
Select only one answer.
A. a service endpoint
B. a VPN gateway
C. Azure Front door
D. peering
B. a VPN gateway
Explanation:
WebApp1 and VNet1 are in different regions and cannot use regional integration; you can use only gateway-required virtual network integration. To be able to implement this type of integration, you must first deploy a virtual network gateway in VNet1.
You have an Azure App Service web app named App1.
You need to configure network controls for App1. App1 must only allow user access through Azure Front Door.
Which two components should you implement? Each correct answer presents part of the solution.
Select all answers that apply.
A. access restrictions based on service tag
B. access restrictions based on the IP address of Azure Front Door
C. application security groups
D. header filters
A. access restrictions based on service tag
D. header filters
Explanation:
Traffic from Front Door to the app originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. This includes every Front Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique HTTP header that Front Door sends.