Microsoft AZ-104 Full Practice Tests 12.pdf Flashcards

1
Q

You have an Azure subscription that contains the virtual machines shown in the following table: (see image)

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1. The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
– Priority: 100
– Name: Rule1
– Port: 3389
– Protocol: TCP
– Source: Any
– Destination: Any
– Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2. Please evaluate if the following statement is True or False.
From the Internet, you can connect to VM1 using Remote Desktop.

TRUE
FALSE

A

FALSE

VM1 is part of Subnet1 and NSG1 is applied at Subnet1 scope. NSG1 is using default inbound rules, which don’t allow RDP traffic. In order to allow RDP traffic, a custom inbound rule needs to be added.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
2
Q

You have an Azure subscription that contains the virtual machines shown in the following table: (see image)

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1. The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
– Priority: 100
– Name: Rule1
– Port: 3389
– Protocol: TCP
– Source: Any
– Destination: Any
– Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2. Please evaluate if the following statement is True or False.
From the Internet, you can connect to VM2 using Remote Desktop.

TRUE
FALSE

A

TRUE

VM2 is part of Subnet2 and NSG2 is applied at Subnet2 scope. NSG2 is using default inbound rules and a custom inbound rule has been added as well. The custom inbound rule actually allows RDP traffic inbound, so you will be able to RDP to VM2.
NSG2 looks similar to the following network security group:

3
Q

You have an Azure subscription that contains the virtual machines shown in the following table: (see image)

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1. The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
– Priority: 100
– Name: Rule1
– Port: 3389
– Protocol: TCP
– Source: Any
– Destination: Any
– Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2. Please evaluate if the following statement is True or False.
From VM1, you can connect to VM2 by using Remote Desktop.
TRUE
FALSE

A

TRUE

VM1 and VM2 are deployed in the same VNET and traffic inside a VNET is permitted by the first rule declared in the default inbound port rules. This results in the statement being True.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
4
Q

You have a virtual network named VNET1 that contains the subnets shown in the following table: (see image1)

You have three Azure virtual machines that have the network configurations shown in the following table: (see image2)

For NSG1, you create the inbound security rule shown in the following table: (see image3)

For NSG2, you create the inbound security rule shown in the following table: (see image4)

Please evaluate if the following statement is True or False. VM2 can connect to TCP port 1433 services on VM1.

TRUE
FALSE

A

FALSE

TCP 1433 traffic originated from VM2 and going to VM1 is first evaluated by NSG1, applied at Subnet1 scope. NSG1 allows the traffic, so the traffic will next be evaluated by NSG2. NSG2 denies the traffic, so the statement is False.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
5
Q

You have a virtual network named VNET1 that contains the subnets shown in the following table: (see image1)

You have three Azure virtual machines that have the network configurations shown in the following table: (see image2)

For NSG1, you create the inbound security rule shown in the following table: (see image3)

For NSG2, you create the inbound security rule shown in the following table: (see image4)

Please evaluate if the following statement is True or False. VM1 can connect to the TCP port 1433 services on VM2.

TRUE
FALSE

A

TRUE

Traffic from VM1 going to VM2 would first be evaluated by an NSG applied at Subnet2 scope, because VM2 is attached to Subnet2. But there is no NSG applied at Subnet2, so traffic should then be evaluated by any NSG applied at VM2. No NSG is applied at VM2, so traffic can arrive at VM2.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
6
Q

You have a virtual network named VNET1 that contains the subnets shown in the following table: (see image1)

You have three Azure virtual machines that have the network configurations shown in the following table: (see image2)

For NSG1, you create the inbound security rule shown in the following table: (see image3)

For NSG2, you create the inbound security rule shown in the following table: (see image4)

Please evaluate if the following statement is True or False. VM2 can connect to the TCP port 1433 service on VM3.

TRUE
FALSE

A

TRUE

VM3 is attached to Subnet2.
No NSG is applied at either Subnet2 or VM3 scope, so traffic is allowed and the statement is true.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

7
Q

You have the Azure virtual machines shown in the following table:
You have a Recovery Services vault that protects VM1 and VM2. You need to protect VM3 and VM4 by using Recovery Services.
What should you do first?

  1. Create a new Recovery Services vault
  2. Create a storage account
  3. Configure the extensions for VM3 and VM4
  4. Create a new backup policy
A
  1. Create a new Recovery Services vault

The Recovery Services vault must be deployed in the same region where the VM that you want to protect is deployed. For this example, a new Recovery Services vault must be created in the North Europe region.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault
8
Q

Case study

Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market. Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
– File servers
– Domain controllers
– Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
– A SQL database
– A web front end
– A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
– Move all the tiers of App1 to Azure.
– Move the existing product blueprint files to Azure Blob storage.
– Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
– Move all the virtual machines for App1 to Azure.
– Minimize the number of open ports between the App1 tiers.
– Ensure that all the virtual machines for App1 are protected by backups.
– Copy the blueprint files to Azure over the Internet.
– Ensure that the blueprint files are stored in the archive storage tier.
– Ensure that partner access to the blueprint files is secured and temporary.
– Prevent user passwords or hashes of passwords from being stored in Azure.
– Use unmanaged standard storage for the hard disks of the virtual machines.
– Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
– Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
– Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
– Designate a new user named Admin1 as the service admin for the Azure subscription.
– Admin1 must receive email alerts regarding service outages.
– Ensure that a new user named User3 can create network objects for the Azure subscription.

QUESTION 1
You need to implement a backup solution for App1 after the application is moved. What should you create first?
1. a recovery plan
2. an Azure Backup Server
3. a backup policy
4. a Recovery Services vault

A
  1. a Recovery Services vault

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
From the Scenario:
Contoso must meet the following technical requirements:
– Move all the virtual machines for App1 to Azure.
– Minimize the number of open ports between the App1 tiers.
– Ensure that all the virtual machines for App1 are protected by backups

9
Q

Case study

Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market. Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
– File servers
– Domain controllers
– Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
– A SQL database
– A web front end
– A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
– Move all the tiers of App1 to Azure.
– Move the existing product blueprint files to Azure Blob storage.
– Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
– Move all the virtual machines for App1 to Azure.
– Minimize the number of open ports between the App1 tiers.
– Ensure that all the virtual machines for App1 are protected by backups.
– Copy the blueprint files to Azure over the Internet.
– Ensure that the blueprint files are stored in the archive storage tier.
– Ensure that partner access to the blueprint files is secured and temporary.
– Prevent user passwords or hashes of passwords from being stored in Azure.
– Use unmanaged standard storage for the hard disks of the virtual machines.
– Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
– Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
– Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
– Designate a new user named Admin1 as the service admin for the Azure subscription.
– Admin1 must receive email alerts regarding service outages.
– Ensure that a new user named User3 can create network objects for the Azure subscription.

QUESTION 2
You need to move the blueprint files to Azure. What should you do?

  1. Generate an access key. Map a drive, and then copy the files by using File Explorer.
  2. Use Azure Storage Explorer to copy the files.
  3. Use the Azure Import/Export service.
  4. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
A
  1. Use Azure Storage Explorer to copy the files.

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.
From the Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage.
Technical Requirements include: Copy the blueprint files to Azure over the Internet.

10
Q

Case study

Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market. Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
– File servers
– Domain controllers
– Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
– A SQL database
– A web front end
– A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
– Move all the tiers of App1 to Azure.
– Move the existing product blueprint files to Azure Blob storage.
– Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
– Move all the virtual machines for App1 to Azure.
– Minimize the number of open ports between the App1 tiers.
– Ensure that all the virtual machines for App1 are protected by backups.
– Copy the blueprint files to Azure over the Internet.
– Ensure that the blueprint files are stored in the archive storage tier.
– Ensure that partner access to the blueprint files is secured and temporary.
– Prevent user passwords or hashes of passwords from being stored in Azure.
– Use unmanaged standard storage for the hard disks of the virtual machines.
– Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
– Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
– Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
– Designate a new user named Admin1 as the service admin for the Azure subscription.
– Admin1 must receive email alerts regarding service outages.
– Ensure that a new user named User3 can create network objects for the Azure subscription.

QUESTION 3 – True or False
Contoso requires a storage account that supports blob storage.

TRUE
FALSE

A

TRUE

From the Scenario:
Contoso is moving the existing product blueprint files to Azure Blob storage.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

11
Q

Case study

Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market. Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
– File servers
– Domain controllers
– Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
– A SQL database
– A web front end
– A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
– Move all the tiers of App1 to Azure.
– Move the existing product blueprint files to Azure Blob storage.
– Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
– Move all the virtual machines for App1 to Azure.
– Minimize the number of open ports between the App1 tiers.
– Ensure that all the virtual machines for App1 are protected by backups.
– Copy the blueprint files to Azure over the Internet.
– Ensure that the blueprint files are stored in the archive storage tier.
– Ensure that partner access to the blueprint files is secured and temporary.
– Prevent user passwords or hashes of passwords from being stored in Azure.
– Use unmanaged standard storage for the hard disks of the virtual machines.
– Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
– Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
– Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
– Designate a new user named Admin1 as the service admin for the Azure subscription.
– Admin1 must receive email alerts regarding service outages.
– Ensure that a new user named User3 can create network objects for the Azure subscription.

QUESTION 4 – True or False
Contoso requires a storage account that supports Azure table storage.
TRUE
FALSE

A

FALSE

From the Scenario:
Contoso is moving the existing product blueprint files to Azure Blob storage.
Ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

12
Q

You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.
What should you do?

  1. Create an NS record named research in the adatum.com zone
  2. Create a PTR record named research in the adatum.com zone
  3. Modify the SOA record of adatum.com
  4. Create an A record named *.research in the adatum.com zone
A
  1. Create an NS record named research in the adatum.com zone

You can use the Azure portal to delegate a DNS subdomain. For example, if you own the adatum.com domain, you can delegate a subdomain called research to another, separate zone that you can administer separately from the adatum.com zone.
To delegate an Azure DNS subdomain, you must first delegate your public domain to Azure DNS, in this case the adatum.com domain. Once your domain is delegated to your Azure DNS zone, you can delegate your subdomain, research.adatum.com.
You would first need to create a zone for your subdomain, then note the name servers, and finally create an NS record for the new research.adatum.com subdomain (research zone).
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
13
Q

You have an Azure subscription that contains the storage accounts shown in the following exhibit: (see image)

Please select the answer choice that completes the statements below, based on the information presented in the above exhibit (Select two).
You can create a premium file share in ………. .
You can use the Archive access tier in ………. .

  1. You can create a premium file share in - az104storage101 only
  2. You can create a premium file share in - az104storage104 only
  3. You can create a premium file share in - az104storage101 and az104storage104 only
  4. You can create a premium file share in - az104storage101, az104storage102 and az104storage104 only
  5. You can create a premium file share in - az104storage101, az104storage102, az104storage103 and az104storage104.
  6. You can use the Archive access tier in - az104storage101 or az104storage103 only
A

-2. You can create a premium file share in - az104storage104 only
-6. You can use the Archive access tier in - az104storage101 or az104storage103 only

Azure Files offers standard file shares which are hosted on hard disk-based (HDD-based) hardware, and premium file shares, which are hosted on solid-state disk-based (SSD-based) hardware.
Azure file shares are deployed into storage accounts, and depending on which type of storage account you create, you can deploy Azure file shares on standard HDD hardware or premium SSD hardware. Premium Azure file shares are available only on FileStorage Azure storage account types, so the only correct option for the first statement is az104storage104 only.
Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts don’t support tiering, nor does FileStorage storage account type.
For example, if you try to change the current tier to Archive tier for a GPv1 storage account, Azure will display the following information:

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
14
Q

Case study

Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market. Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
– File servers
– Domain controllers
– Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
– A SQL database
– A web front end
– A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
– Move all the tiers of App1 to Azure.
– Move the existing product blueprint files to Azure Blob storage.
– Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
– Move all the virtual machines for App1 to Azure.
– Minimize the number of open ports between the App1 tiers.
– Ensure that all the virtual machines for App1 are protected by backups.
– Copy the blueprint files to Azure over the Internet.
– Ensure that the blueprint files are stored in the archive storage tier.
– Ensure that partner access to the blueprint files is secured and temporary.
– Prevent user passwords or hashes of passwords from being stored in Azure.
– Use unmanaged standard storage for the hard disks of the virtual machines.
– Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
– Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
– Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
– Designate a new user named Admin1 as the service admin for the Azure subscription.
– Admin1 must receive email alerts regarding service outages.
– Ensure that a new user named User3 can create network objects for the Azure subscription.

QUESTION 3 – Please evaluate if the following statement is True or False:
Contoso requires a storage account that supports Azure File storage.

TRUE
FALSE

A

FALSE

From the Scenario:
Contoso is moving the existing product blueprint files to Azure Blob storage.
Ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

15
Q

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts. You create a new user account named AdminUser1.
You need to assign the User Administrator administrative role to AdminUser1. What should you do from the user account properties?

  1. From the Licenses blade, assign a new license
  2. From the Directory role blade, modify the directory role
  3. From the Groups blade, invite the user account to a new group
A
  1. From the Directory role blade, modify the directory role

Assign a role to a user
1. Sign in to the Azure portal with an account that’s a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.

16
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains 100 user accounts.
You purchase 10 Azure AD Premium P2 licenses for the tenant. You need to ensure that 10 users can use all the Azure AD Premium features.
What should you do?

  1. From the Licenses blade of Azure AD, assign a license
  2. From the Groups blade of each user, invite the users to a group
  3. From the Azure AD domain, add an enterprise application
  4. From the Directory role blade of each user, modify the directory role
A
  1. From the Licenses blade of Azure AD, assign a license

Azure AD Premium licenses need to be assigned to users (or groups of users).

17
Q

You have an Azure subscription named Subscription1 and an on-premises deployment of Microsoft System Center Service Manager.
Subscription1 contains a virtual machine named VM1. You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.
What should you do first?

  1. Create an automation runbook
  2. Deploy a function app
  3. Deploy the IT Service Management Connector (ITSM)
  4. Create a notification
A
  1. Deploy the IT Service Management Connector (ITSM)

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the Microsoft System Center Service Manager.
With ITSMC, you can create work items in the ITSM tool based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview
18
Q

You sign up for Azure Active Directory (Azure AD) Premium. You need to add a user named admin1@az104exam.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?

  1. Device settings from the Devices blade
  2. Providers from the MFA Server blade
  3. User settings from the Users blade
  4. General settings from the Groups blade
A
  1. Device settings from the Devices blade

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
– The Azure AD global administrator role
– The Azure AD device administrator role
– The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

19
Q

You have an Azure Active Directory tenant named az104exam.com that includes the following users: (see image1)

az104exam.com includes the following Windows 10 devices: (see image2)

You create the following security groups in az104exam.com: (see image3)

True or False.
User1 can add Device2 to Group1.

TRUE
FALSE

A

FALSE

User1 has the Cloud Device Administrator role attached, but User1 is not an owner of Group1, so User1 can’t add devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
20
Q

You have an Azure Active Directory tenant named az104exam.com that includes the following users: (see image1)

az104exam.com includes the following Windows 10 devices: (see image2)

You create the following security groups in az104exam.com: (see image3)

True or False.
User2 can add Device1 to Group1.

TRUE
FALSE

A

TRUE

User2 is the owner of the “assigned group” Group1, and additionally User2 has the User Administrator role, so User2 has the appropriate role, and assigned groups can be manually modified.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

21
Q

You have an Azure Active Directory tenant named az104exam.com that includes the following users: (see image1)

az104exam.com includes the following Windows 10 devices: (see image2)

You create the following security groups in az104exam.com: (see image3)

True or False.
User2 can add Device2 to Group2.

TRUE
FALSE

A

FALSE

It is “not” possible to “manually” add users/devices to a “Dynamic group”.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule

22
Q

You have an Azure subscription that contains a resource group named RG26. RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table: (see image)

SQLD01 is backed up to RGV1. When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails. You need to delete RG26.
What should you do first?

1. Delete VM1
2. Stop VM1
3. Stop the backup of SQLD01
4. Delete sa001

A
  1. Stop the backup of SQLD01

RG26 delete will fail because of the Recovery Services vault, which will not get deleted. In order to have RGV1 deleted, you would need to first disable soft delete, stop backup and then initiate delete action.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
23
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
– Reader
– Security Admin
– Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  1. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
  2. Assign User1 the Owner role for VNet1.
  3. Remove User1 from the Security Reader and Reader roles for Subscription1.
  4. Assign User1 the Network Contributor role for RG1.
A
  1. Assign User1 the Owner role for VNet1.

The Contributor role does not allow you to assign roles in Azure RBAC; you need to assign the Owner role.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
24
Q

You have an Azure Active Directory (Azure AD) tenant named az104exam.onmicrosoft.com. Your company has a public DNS zone for x-a-a-s.com.
You add x-a-a-s.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name.
Which type of DNS record should you create?

  1. MX
  2. NSEC
  3. PTR
  4. RRSIG
A
  1. MX

Both TXT and MX record types can be used for domain validation.

25
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group. Does this meet the goal?

Yes
No

A

No

The DevTest Labs User role only lets you connect, start, restart, and shut down virtual machines in your Azure DevTest Labs.
The Logic App Contributor role lets you manage logic apps, but not change access to them. It provides access to view, edit, and update a logic app.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
26
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the Logic App Operator role to the Developers group. Does this meet the goal?

YES
NO

A

NO

The Logic App Operator role doesn’t include the necessary permissions to create Azure Logic Apps; you would need the Logic App Contributor role.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
27
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group. Does this meet the goal?

Yes
No

A

Yes

The Contributor role will allow users in the Developers group to create Azure Logic Apps.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

28
Q

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups. You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence?
1 – Assign a tag to each resource group
2 – Assign a tag to each resource
3 – Download the usage report
4 – From the Cost analysis blade, filter the view by tag
5 – Open the Resource costs blade of each resource group

  1. 2/4/3
  2. 1/4/3
  3. 5/4/3
  4. 4/5/3
A
  1. 2/4/3

Assign a tag to each resource:
You apply tags to your Azure resources, giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 50 tag name/value pairs. Tags applied to the resource group are not inherited by the resources in that resource group.
From the Cost analysis blade, filter the view by tag:
After you get your services running, regularly check how much they’re costing you. You can see the current spend and burn rate in the Azure portal.
1. Visit the Subscriptions blade in the Azure portal and select a subscription. You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to populate.
3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to export the view to a Comma-Separated Values (.csv) file.
Download the usage report
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
https://docs.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview

29
Q

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error from a table named Event. Which query should you run in Workspace1?

  1. Get-Event Event | where {$_.EventType == "error"}
  2. Event | search "error"
  3. search in (Event) * | where EventType eq "error"
  4. Get-Event Event | where {$_.EventType eq "error"}
A
  1. Event | search "error"

The same query can be written in two forms:
Event | search "error"
or
search in (Event) "error"
Further Learning: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview

30
Q

You need to create an Azure Storage account that meets the following requirements:
– Minimizes costs
– Supports hot, cool, and archive blob tiers
– Provides fault tolerance if a disaster affects the Azure region where the account resides
How should you complete the below command?

az storage account create -g RG1 -n storageaccount1 --kind (1) --sku (2)

(1) BlobStorage
(1) Storage
(1) Storage V2
(2) Standard_GRS
(2) Standard_LRS
(2) Standard_RAGRS

A

(1) Storage V2
(2) Standard_GRS

You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering. General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

31
Q

You have an Azure subscription that contains the resources in the following table:
Store1 contains a file share named data. Data contains 5,000 files. You need to synchronize the files in the file share named data to an on-premises server named Server1.
Which three actions should you perform?

  1. Create a container instance
  2. Register Server1
  3. Install the Azure File Sync agent on Server1
  4. Download an automation script
  5. Create a sync group
A

A. 2. Register Server1
B. 3. Install the Azure File Sync agent on Server1
C. 5. Create a sync group

Step 1: Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
Step 2: Register Server1 – Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3: Create a sync group and a cloud endpoint
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal

32
Q

You have an Azure subscription that contains the resources shown in the following table: (see image1)

The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit below: (see image2)

You assign the policy by using the following parameters:
– Microsoft.ClassicNetwork/virtualNetworks
– Microsoft.Network/virtualNetworks
– Microsoft.Compute/virtualMachines
True or False.
An administrator can move VNET1 to RG2.
TRUE
FALSE

A

TRUE

The Not allowed resource types policy prevents users from deploying the resource types that are specified by the policy. However, the policy doesn’t prevent users from moving resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview

33
Q

You have an Azure subscription that contains the resources shown in the following table: (see image1)

The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit below: (see image2)

You assign the policy by using the following parameters:
– Microsoft.ClassicNetwork/virtualNetworks
– Microsoft.Network/virtualNetworks
– Microsoft.Compute/virtualMachines
True or False.
The state of VM1 changed to deallocated.

TRUE
FALSE

A

FALSE

VM1, which is already started, stays on after the policy is applied. If you test the scenario in the Azure portal, you will be able to stop it and start it again.
The policy definition prevents a user from deploying VNET and virtual machine resources; it will not affect the running state of VM1.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview

34
Q

You have an Azure subscription that contains the resources shown in the following table: (see image1)

The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit below: (see image2)

You assign the policy by using the following parameters:
– Microsoft.ClassicNetwork/virtualNetworks
– Microsoft.Network/virtualNetworks
– Microsoft.Compute/virtualMachines
True or False.
An administrator can modify the address space of VNET2.

TRUE
FALSE

A

TRUE

The Not allowed resource types policy prevents the resource types selected in the assignment from being deployed. But you can still update or delete previously existing resources of these types, and specifically you can modify the address space of VNET2.
Policies do not apply over existing resources. If any existing resource is not compliant, it is marked as not compliant, and in some cases you can run a remediation task to automatically correct the non-compliant resources. But in the case of the Not allowed resource types policy, the only possible remediation is to delete the resources that are not compliant.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview

35
Q

You have an Azure subscription that contains a storage account. You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data. You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the below actions?
(1) From the Azure portal, update the import job
(2) From the Azure portal, create an import job
(3) Attach an external disk to Server1 and then run waimportexport.exe
(4) Detach the external disks from Server1 and ship the disks to an Azure data center

  1. 3-2-1-4
  2. 3-2-4-1
  3. 2-3-1-4
  4. 2-3-4-1
A
  1. 3-2-4-1

At a high level, an import job involves the following steps:
Step 1: Attach an external disk to Server1 and then run waimportexport.exe. Determine the data to be imported, the number of drives you need, and the destination blob location for your data in Azure storage. Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
Step 2: From the Azure portal, create an import job. Create an import job in your target storage account in the Azure portal. Upload the drive journal files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center. Provide the return address and carrier account number for shipping the drives back to you. Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job. Update the delivery tracking number in the import job details and submit the import job. The drives are received and processed at the Azure data center. The drives are shipped using your carrier account to the return address provided in the import job.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

36
Q

You have an Azure subscription that includes the following Azure file shares: (see image1)

You have the following on-premises servers: (see image2)

You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1. Please evaluate if the following statement is True or False.
Share2 can be added as a cloud endpoint for Group1.

TRUE
FALSE

A

FALSE

Group1 already has a cloud endpoint named Share1.
A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints.

Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal

37
Q

You have an Azure subscription that includes the following Azure file shares: (see image1)

You have the following on-premises servers: (see image2)

You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1. Please evaluate if the following statement is True or False.
E:\Folder2 on Server1 can be added as a server endpoint for Group1.

TRUE
FALSE

A

FALSE

Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, D:\Folder1 and E:\Folder2) and each endpoint is syncing to a unique sync group.
In the question’s scenario, the namespaces are not overlapping, but we are asking to sync with the same sync group, and that’s not possible, so the correct answer is false.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-server-endpoint
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal

38
Q

You have an Azure subscription that includes the following Azure file shares: (see image1)

You have the following on-premises servers: (see image2)

You create a Storage Sync Service named Sync1 and an Azure File Sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 in Sync1. You add D:\Folder1 on Server1 as a server endpoint of Group1. Please evaluate if the following statement is True or False.
D:\Data on Server2 can be added as a server endpoint

TRUE
FALSE

A

TRUE

Yes, one or more server endpoints can be added to the sync group.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal%2Cproactive-portal

39
Q

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit: (see image)

If Scale1 is utilized at 85% for 6 minutes after it is deployed, Scale1 will be running ………. .

  1. 2 virtual machines
  2. 4 virtual machines
  3. 6 virtual machines
  4. 10 virtual machines
  5. 20 virtual machines
A
  1. 6 virtual machines

The Autoscale scale-out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 VMs and rises to 6 VMs when the 2 extra VM instances are added.
Further Learning:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview

40
Q

You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit: (see image)

If Scale1 is first utilized at 25% for 6 minutes after it is deployed, and then utilized at 50% for 6 minutes, Scale1 will be running ………. .

  1. 2 virtual machines
  2. 4 virtual machines
  3. 6 virtual machines
  4. 8 virtual machines
  5. 10 virtual machines
A
  1. 2 virtual machines

The Autoscale scale-in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4, and it cannot be reduced to 0 because the minimum number of instances is set to 2. So the number of instances running is 2 after running for 6 minutes at 25%. Instances are only added when the CPU threshold reaches 80%, so 2 instances remain.
Further Learning:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview

41
Q

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform?

  1. Upload a configuration script
  2. Create an automation account
  3. Create an Azure policy
  4. Modify the extensionProfile section of the Azure Resource Manager template
  5. Create a new virtual scale set in the Azure portal
A
  1. Modify the extensionProfile section of the Azure Resource Manager template
  2. Create a new virtual scale set in the Azure portal

Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide a way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to configure the VMs as they come online so they are running the production software.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-dsc

42
Q

You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 has the Azure CLI installed. You need to install the kubectl client on Computer1.
Which command should you run? (SELECT TWO)

  1. (1) (2) install-cli
  2. (1) az
  3. (1) docker
  4. (1) msiexec.exe
  5. (1) Install-Module
  6. (2) aks
A

-2. (1) az
-6. (2) aks

To install kubectl locally, use the az aks install-cli command.
Reference:

https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

43
Q

You onboard 10 Azure virtual machines to Azure Automation State Configuration. You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations. Which three actions should you perform in sequence?
(1) Assign the node configuration
(2) Check the compliance status of the node
(3) Compile a configuration into a node configuration
(4) Upload a configuration to Azure Automation State Configuration
(5) Create a management group

  1. 3–2–4
  2. 4–1–3
  3. 4–3–1
  4. 5–3–1
A
  1. 4–3–1

Step 1: Upload a configuration to Azure Automation State Configuration. Import the configuration into the Automation account.
Step 2: Compile a configuration into a node configuration. A DSC configuration defining that state must be compiled into one or more node configurations (MOF document), and placed on the Automation DSC Pull Server.
Step 3: Assign the node configuration
Step 4: Check the compliance status of the node
Each time Azure Automation State Configuration performs a consistency check on a managed node, the node sends a status report back to the pull server. You can view these reports on the page for that node. On the blade for an individual report, you can see the following status information for the corresponding consistency check:
The report status: whether the node is “Compliant”, the configuration “Failed”, or the node is “Not Compliant”.
Reference: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

44
Q

You have an Azure Resource Manager template named Template1 that is used to deploy an Azure virtual machine.
Template1 contains the following text: (see image1)

The variables section in Template1 contains the following text: "location": "westeurope". The resources section in Template1 contains the following text: (see image2)

You need to deploy the virtual machine to the West US location by using Template1. What should you do?

  1. Modify the location in the resource section to westus
  2. Select West US during the deployment
  3. Modify the location in the variables section to westus
A
  1. Modify the location in the resource section to westus
45
Q

You create an App Service plan named Plan1 and an Azure web app named webapp1. You discover that the option to create a staging slot is unavailable. You need to create a staging slot for Plan1.
What should you do first?

  1. From Plan1, scale up the App Service plan
  2. From webapp1, modify the Application settings
  3. From webapp1, add a custom domain
  4. From Plan1, scale out the App Service plan
A
  1. From Plan1, scale up the App Service plan

The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
If the app isn’t already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging slots, autoscaling, and more.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up

46
Q

You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the following table: (see image1)

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table: (see image2)

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table: (see image3)

You apply RT1 to Subnet1 and Subnet2.
Please evaluate the scenario and decide if the following statement is True or False.
VM3 can establish a network connection to VM1.

TRUE
FALSE

A

TRUE

Let’s cover some context first.
IP forwarding enables the virtual machine to:
– Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
– Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
The routing table enables connections from VM1 to VM2 and VM2 to VM1, through VM3, as the next-hop. VM3 uses default routing and can connect to VM1, so the statement is True.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

47
Q

You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the following table: (see image1)

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table: (see image2)

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table: (see image3)

You apply RT1 to Subnet1 and Subnet2.
Please evaluate the scenario and decide if the following statement is True or False.
If VM3 is turned off, VM2 can establish a network connection to VM1.

TRUE
FALSE

A

FALSE

Let’s cover some context first.
IP forwarding enables the virtual machine to:
– Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
– Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Default routing has been modified for Subnet1 and Subnet2 and RT1 has been attached to these two subnets. The next-hop defined is VM3, so traffic will traverse VM3 between the two subnets. If VM3 is turned off, VM2 can’t establish a network connection to VM1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

48
Q

You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the following table: (see image1)

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table: (see image2)

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table: (see image3)

You apply RT1 to Subnet1 and Subnet2.
Please evaluate the scenario and decide if the following statement is True or False.

VM1 can establish a network connection to VM2.

TRUE
FALSE

A

TRUE

Let’s cover some context first.
IP forwarding enables the virtual machine to:
– Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
– Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

49
Q

Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources:
– A web app named webapp1
– A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1. What should you deploy?

  1. an Azure Application Gateway
  2. an Azure Active Directory (Azure AD) Application Proxy
  3. an Azure Virtual Network Gateway
A
  1. an Azure Virtual Network Gateway

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

50
Q

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
What should you use?

  1. the Publish-AzVMDscConfiguration cmdlet
  2. Azure Application Insights
  3. Azure Custom Script Extension
  4. the New-AzConfigurationAssignement cmdlet
A
  1. Azure Custom Script Extension

The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks. Using a Custom Script Extension you can make sure that NGINX is installed once the VMs are deployed.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

51
Q

You have an Azure subscription named Sub1. You plan to deploy a multi-tiered application that will contain the tiers shown in the following table:
You need to recommend a networking solution that meets the following requirement:
– Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines
Which Azure resource should you recommend for the above requirement?

  1. an application gateway that uses the standard tier
  2. an application gateway that uses the WAF tier
  3. an internal load balancer
  4. a network security group (NSG)
  5. a public load balancer
A
  1. an internal load balancer

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.
Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

52
Q

You have an Azure subscription named Sub1. You plan to deploy a multi-tiered application that will contain the tiers shown in the following table:
You need to recommend a networking solution that meets the following requirement:
– Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for the above requirement?

  1. an application gateway that uses the Standard tier
  2. an application gateway that uses the WAF tier
  3. an internal load balancer
  4. a network security group (NSG)
  5. a public load balancer
A
  1. an application gateway that uses the WAF tier

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

53
Q

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered. You need to connect the datacenters to the subscription. The solution must minimize network latency between the data centers.
What should you create?

  1. three Azure Application Gateways and one On-premises data gateway
  2. two virtual hubs and one virtual WAN
  3. three virtual WANs and one virtual hub
  4. three On-premises data gateways and one Azure Application Gateway
A
  1. two virtual hubs and one virtual WAN

For this scenario, 2 virtual hubs would be needed to cover the two regions (East US and West US) and one virtual WAN.
Then we can create VPN connections from our on-premises locations to our Virtual Hubs.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

54
Q

You plan to deploy five virtual machines to a virtual network subnet. Each virtual machine will have a public IP address and a private IP address. Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? (SELECT TWO)

  1. Minimum number of network interfaces - 5
  2. Minimum number of network interfaces - 10
  3. Minimum number of network interfaces - 15
  4. Minimum number of network interfaces - 20
  5. Minimum number of network security groups - 1
  6. Minimum number of network security groups - 2
A
  1. Minimum number of network interfaces - 5
  2. Minimum number of network security groups - 1

A public and a private IP address can be assigned to a single network interface, so we would need a minimum of 5 network interfaces.
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose, so a minimum of one network security group is needed.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

55
Q

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table:
You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.
Which A records will be added to the adatum.com zone for each virtual machine? (SELECT TWO)

  1. A records for VM1 - None
  2. A records for VM1 - Private IP address only
  3. A records for VM1 - Public IP address only
  4. A records for VM1 - Private IP address and public IP address
  5. A records for VM2 - None
  6. A records for VM2 - Private IP address only
A

-2. A records for VM1 - Private IP address only
-6. A records for VM2 - Private IP address only

The virtual machines are registered (added) to a private zone, so the A records will be pointing to their private IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

56
Q

You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.
What should you do? (SELECT TWO)

  1. Resource to create - An Azure Event Grid
  2. Resource to create - An Azure Log Analytics Workspace
  3. Resource to create - An Azure Storage account
  4. Resource on which to enable diagnostics - ILB1
  5. Resource on which to enable diagnostics - NSG1
  6. Resource on which to enable diagnostics - The Azure virtual machines
A

-3. Resource to create - An Azure Storage account
-5. Resource on which to enable diagnostics - NSG1

A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher’s NSG flow log capability.
Although you may be tempted to choose ILB1, diagnostic logs for a basic load balancer do not include the IP addresses of inbound connections. Flow logs do, and those get attached to the network security group.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal?toc=/azure/virtual-network/toc.json

57
Q

You have the Azure virtual networks shown in the following table: (see image)

To which virtual networks can you establish a peering connection from VNET1?

  1. VNET2 and VNET3
  2. VNET2 only
  3. VNET3 and VNET4
  4. VNET2, VNET3 and VNET4
A
  1. VNET3 and VNET4

The address space of VNET2 overlaps with VNET1, therefore a peering can’t be established between VNET2 and VNET1. As you can see below, there could be VMs running in both VNETs, with the same IP address, for example 10.11.0.1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

58
Q

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
– The NVAs must run in an active-active configuration that uses automatic failover.
– The NVA must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform?

  1. Deploy a basic load balancer
  2. Deploy a standard load balancer
  3. Add two load balancing rules that have HA Ports and Floating IP enabled
  4. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
  5. Add a frontend IP configuration, a backend pool, and a health probe
  6. Add a frontend IP configuration, two backend pools, and a health probe
A

-2. Deploy a standard load balancer
-3. Add two load balancing rules that have HA Ports and Floating IP enabled
-6. Add a frontend IP configuration, two backend pools, and a health probe

HA ports are not supported by a basic load balancer, so we would need a Standard Load Balancer. You need a floating IP address for the active-active configuration to switch over quickly, and two backend pools are needed for the two different services.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview

59
Q

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1. You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?

  1. Download and re-install the VPN client configuration package on Client1
  2. Select Allow gateway transit on VNet1
  3. Select Allow gateway transit on VNet2
  4. Enable BGP on VPNGW1
A
  1. Download and re-install the VPN client configuration package on Client1

If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.
First, the point-to-site VPN was up and running from Client1 to VNet1, and then a change was implemented: the peering was created between VNET1 and VNET2. For this reason, the VPN client package must be downloaded and installed again in order to gain connectivity to VNET2.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

60
Q

You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24. You need to create a site-to-site VPN to Azure.
Which four actions should you perform in sequence?
(1) Create a local gateway
(2) Create a VPN gateway
(3) Create a gateway subnet
(4) Create a custom DNS server
(5) Create a VPN connection
(6) Create an Azure Content Delivery Network (CDN) profile

  1. 3-2-1-5
  2. 3-1-2-5
  3. 2-3-1-5
  4. 3-2-5-1
A
  1. 3-2-1-5

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

61
Q

You have an Azure subscription that contains the resources in the following table: (see image1)

VM1 and VM2 are deployed from the same template and host line-of-business applications. You configure the network security group (NSG) as shown in the exhibit below: (see image2)

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.

What should you do?

  1. Disassociate the NSG from a network interface
  2. Change the Port_80 inbound security rule.
  3. Associate the NSG to Subnet1
  4. Change the DenyWebSites outbound security rule
A
  1. Associate the NSG to Subnet1

You can associate or dissociate a network security group from a network interface or subnet. The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

62
Q

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a
different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named
VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named
VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?

  1. Move VM1 to Subscription2
  2. Move VNet1 to Subscription2
  3. Modify the IP address space of VNet2
  4. Provision virtual network gateways
A
  1. Provision virtual network gateways

The virtual networks can be in the same or different regions, and from the same or different
subscriptions. When connecting VNets from different subscriptions, the subscriptions do not need to be
associated with the same Active Directory tenant.
Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual
network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to
creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN
gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when
communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify
additional address space for the local network gateway in order to route traffic.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

63
Q

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the exhibit
below: (see image1)

The planned disk configurations for VM1 are shown in the following exhibit: (see image2)

You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.

  1. Use managed disks
  2. OS disk type
  3. Availability options
  4. Size
  5. Image
A

-1. Use managed disks
-3. Availability options

Your VMs should use managed disks if you want to move them to an Availability Zone by using Site
Recovery.
When you create a VM for an Availability Zone, under Settings > High availability, select one of the
numbered zones from the Availability zone dropdown menu: (see image1)

Also, in order for the VM to be deployed into an Availability zone, Availability options should be changed
to Availability Zone, so that an Availability Zone could be selected below: (see image2)

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
Quick Preview: (see image3)

64
Q

You manage two Azure subscriptions named Subscription1 and Subscription2. Subscription1 has the following virtual networks: (see image1)

The virtual networks contain the following subnets: (see image2)

Subscription2 contains the following virtual network:
– Name: VNETA
– Address space: 10.10.128.0/17
– Location: Canada Central
VNETA contains the following subnets: (see image3)

Please evaluate the following statements and select True if the statement is true, otherwise, select False:
1. A site-to-site connection can be established between VNET1 and VNET2.
2. VNET1 and VNET2 can be peered.
3. VNET1 and VNETA can be peered.

  1. 1 - True, 2 - True, 3 - False
  2. 1 - True, 2 - True, 3 - True
  3. 1 - True, 2 - False, 3 - True
  4. 1 - False, 2 - True, 3 - True
A
  1. 1 - True, 2 - True, 3 - True

Azure virtual networks can be connected together by using either VPNs or virtual network peerings.
VPNs represent encrypted communication channels that you establish between remote virtual networks, while VNet peerings are not encrypted but are still private. Traffic within VNet peerings uses the
Microsoft backbone infrastructure, so the traffic doesn’t go over the public internet.
The first thing to check when you need to connect VNets is whether the virtual networks’ IP address spaces
overlap. You can’t connect two virtual networks with overlapping IP address space.
Statement1 – True – A site-to-site connection can be established between VNET1 and VNET2.
VNET1 and VNET2 IP addressing space doesn’t overlap, and there is no restriction to connect VNETs
deployed in different Azure regions. (See image1)

Statement2 – True – VNET1 and VNET2 can be peered.
The same applies for VNET1 and VNET2 peering. There is no IP address space overlap, so VNet peering can be defined between the two VNETs.
Statement3 – True – VNET1 and VNETA can be peered.
This one may be a bit tricky if you don’t already have some experience with IPv4 addressing and subnetting.
VNET1 address space is 10.10.10.0/24: (see image2)

and we can see the useable IP addresses in the 4th column.
VNET2 address space is 10.10.128.0/17: (see image3)

and we can see the useable IP addresses in the 4th column.
In order for the two VNets to be eligible for VNet peering, there has to be no overlap between the two,
so the range of addresses (3rd column) or useable IPs (4th column) must not overlap. As you can see
in the two tables, the two IP address ranges do not overlap, so the two VNets can be peered together.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Quick Preview: (see image4)

65
Q

You have an Azure subscription. You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod. For the AKS cluster, you need to choose a network type that will support App1.
What should you choose?

  1. kubenet
  2. Azure Container Networking Interface (CNI)
  3. Hybrid Connection endpoints
  4. Azure Private Link
A
  1. Azure Container Networking Interface (CNI)

AKS only supports kubenet networking and Azure Container Networking Interface (CNI) networking, so
options C and D are incorrect.
The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes
get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically
different address space to the Azure virtual network subnet of the nodes.
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. As the
question states that the on-premises clients connect to App1 by using the IP address of the pod, Azure
CNI is the correct option for this scenario.
Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-network
Quick Preview: (see image)