Microsoft AZ-104 Full Practice Tests 15.pdf Flashcards

1
Q

You have an Azure subscription that contains a resource group named RG1.
You have a group named Group1 that is assigned the Contributor role for RG1.
You need to ensure that Group1 can establish an RDP connection to the virtual machines through a shared external IP address.
What should you use?

  1. Azure Policy
  2. Azure Bastion
  3. Virtual network service endpoints
  4. Azure Firewall
  5. Azure Web Application Firewall (WAF)
A

Azure Bastion

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal

INCORRECT ANSWERS:
Azure Policy – Azure Policy is used to enforce organizational standards.
Virtual network service endpoints – Service endpoints enable direct connectivity from a virtual network to Azure services over the Microsoft backbone network.
Azure Firewall – Azure Firewall controls inbound and outbound traffic.
Azure Web Application Firewall (WAF) – WAF protects web applications from common exploits and vulnerabilities.

2
Q

You have a resource group named RG1 that contains the following:
A virtual network that contains two subnets named Subnet1 and AzureFirewallSubnet
An Azure Storage account named storageaccount1
An Azure firewall deployed to AzureFirewallSubnet
You need to ensure that storageaccount1 is accessible from Subnet1 over the Azure backbone network.
What should you do?

  1. Modify the Firewalls and virtual networks settings for storageaccount1.
  2. Create a stored access policy for storageaccount1.
  3. Implement a virtual network service endpoint.
  4. Remove the Azure firewall.
A

Implement a virtual network service endpoint.

Virtual Network (VNet) service endpoints provide secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Endpoints allow you to restrict your critical Azure service resources to only your virtual networks. Service endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

INCORRECT ANSWERS:
Modify the Firewalls and virtual networks settings for storageaccount1. – Modifying the firewall settings only allows or denies traffic.
Create a stored access policy for storageaccount1. – A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
Remove the Azure firewall. – By removing the firewall, you remove the control over inbound and outbound traffic.

3
Q

You create an Azure virtual machine named VM1 in a resource group named RG1.
You discover that VM1 performs slower than expected. You need to capture a network trace on VM1.
What should you do?

  1. From the VM1 blade, configure Connection troubleshoot.
  2. From Diagnostic settings for VM1, configure the performance counters to include network counters.
  3. From the VM1 blade, install performance diagnostics and run advanced performance analysis.
  4. From Diagnostic settings for VM1, configure the log level of the diagnostic agent.
A

From the VM1 blade, install performance diagnostics and run advanced performance analysis.

The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.
It checks for known issues, analyzes best practices, collects diagnostics data, and captures a network trace and SMB counters.
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics#select-an-analysis-scenario-to-run

4
Q

Your company has an Azure environment that will contain many subscriptions. You are creating an Azure Policy as part of a governance solution.
To which three scopes can you assign Azure Policy definitions?

management groups
subscriptions
Azure Active Directory (Azure AD) tenants
resource groups
Azure Active Directory (Azure AD) administrative units
compute resources

A

management groups
subscriptions
resource groups

An assignment is a policy definition or initiative that has been assigned to take place within a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment.
For example, at the subscription scope, you can assign a definition that prevents the creation of networking resources. You could exclude a resource group in that subscription that is intended for networking infrastructure. You then grant access to this networking resource group to users that you trust with creating networking resources.
https://docs.microsoft.com/en-us/azure/governance/policy/overview

INCORRECT ANSWERS:
Azure Active Directory (Azure AD) tenants – You can assign Azure Policy to a management group, subscription, or resource group.
Azure Active Directory (Azure AD) administrative units – You can assign Azure Policy to a management group, subscription, or resource group.
compute resources – You can assign Azure Policy to a management group, subscription, or resource group.

5
Q

You are implementing self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD). You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use?

  1. Short Message Service (SMS) messages
  2. Microsoft Authenticator App
  3. Email addresses
  4. Security questions
  5. App passwords
A

Short Message Service (SMS) messages
Microsoft Authenticator App

SMS-based sign-in is great for front-line workers. With SMS-based sign-in, users don’t need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.
Users can also verify themselves using a mobile phone or office phone as a secondary form of authentication during Azure Multi-Factor Authentication or self-service password reset (SSPR).
The Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android, iOS, and Windows Phone. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or Azure Multi-Factor Authentication events.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

INCORRECT ANSWERS:
Email addresses – only used for SSPR
Security questions – only used for SSPR
App passwords – Can be used as primary authentication method for legacy apps, but cannot be used for both MFA & SSPR

6
Q

You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?

  1. Owner
  2. Virtual Machine Contributor
  3. Contributor
  4. Virtual Machine Administrator Login
A

Contributor

The Contributor role allows you to manage both virtual machines and virtual networks.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

INCORRECT ANSWERS:
Owner – The Owner role allows you to manage both virtual machines and virtual networks; however, it is not the least-privileged role.
Virtual Machine Contributor – Virtual Machine Contributor lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
Virtual Machine Administrator Login – View virtual machines in the portal and log in as administrator.

7
Q

You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1. You need to identify the storage services in storage1 to which you can copy the data.
What should you identify?

  1. blob, file, table, and queue
  2. blob and file only
  3. file and table only
  4. file only
  5. blob, table, and queue only
A

blob and file only

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

INCORRECT ANSWERS:
AzCopy does not support copying data to Table or Queue storage.

8
Q

You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage.
You need to configure a storage service for Container1.
What should you use?

  1. Azure Files
  2. Azure Blob storage
  3. Azure Queue storage
  4. Azure Table storage
A

Azure Files

Azure file shares can be used as persistent volumes for stateful containers. Containers deliver “build once, run anywhere” capabilities that enable developers to accelerate innovation. For the containers that access raw data at every start, a shared file system is required to allow these containers to access the file system no matter which instance they run on.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

INCORRECT ANSWERS:
Azure Blob storage – Blob storage is optimized for storing massive amounts of unstructured data.
Azure Queue storage – Queue storage is for storing messages in distributed applications.
Azure Table storage – Table storage is for storing semi-structured data.

9
Q

You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2.
You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting VM1 and VM2.
What should you include in the Availability Set?

  1. one update domain
  2. two fault domains
  3. one fault domain
  4. two update domains
A

two update domains

The hardware in a location is divided into multiple update domains and fault domains. An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time. VMs in the same fault domain share common storage as well as a common power source and network switch.
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update. To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

INCORRECT ANSWERS:
one update domain – Placing the VMs in the same update domain will not satisfy the requirement, since they share underlying physical hardware that can be rebooted at the same time.
two fault domains – Fault domains define the group of virtual machines that share a common power source and network switch; they group VMs for unplanned outages such as power failures.
one fault domain – Fault domains define the group of virtual machines that share a common power source and network switch; they group VMs for unplanned outages such as power failures.

10
Q

You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)

You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which storage accounts can you use for the Azure Backup reports of Vault1?

  1. storage1 only
  2. storage2 only
  3. storage3 only
  4. storage1, storage2 and storage3
A

storage3 only

To create a vault to protect any data source, the vault must be in the same region as the data source.
The storage account must be in the same region as your Recovery Services vault.
https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault

INCORRECT ANSWERS:
storage1 only – storage1 and Vault1 are not in the same region.
storage2 only – storage2 and Vault1 are not in the same region.

11
Q

You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)

You plan to configure Azure Backup reports for Vault1.
You are configuring the Diagnostics settings for the AzureBackupReports log.
Which Log Analytics workspaces can you use for the Azure Backup reports of Vault1?

  1. Analytics1 only
  2. Analytics2 only
  3. Analytics3 only
  4. Analytics1, Analytics2 and Analytics3
A

Analytics1, Analytics2 and Analytics3

The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your vaults exist.
https://docs.microsoft.com/en-us/azure/backup/configure-reports

INCORRECT ANSWERS:
Analytics1 only – You can use any workspace
Analytics2 only – You can use any workspace
Analytics3 only – You can use any workspace

12
Q

You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named companydata.
Which command should you run?

  1. https://companydata.blob.core.windows.net/public
  2. azcopy sync D:\folder1 https://companydata.blob.core.windows.net/public --snapshot
  3. azcopy copy D:\folder1 https://companydata.blob.core.windows.net/public --recursive
  4. az storage blob copy start-batch D:\Folder1 https://companydata.blob.core.windows.net/public
A

azcopy copy D:\folder1 https://companydata.blob.core.windows.net/public --recursive

The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Syntax is: azcopy copy '<local-directory-path>' 'https://<storage-account-name>.<blob or dfs>.core.windows.net/<container-name>' --recursive
Append the --recursive flag to upload files in all subdirectories.
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs-upload

INCORRECT ANSWERS:
None of the other options matches the azcopy syntax:
https://companydata.blob.core.windows.net/public
azcopy sync D:\folder1 https://companydata.blob.core.windows.net/public --snapshot
az storage blob copy start-batch D:\Folder1 https://companydata.blob.core.windows.net/public

13
Q

You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table. (see image)
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2.
An administrator named Admin1 creates an Azure virtual machine named VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to VNet2. The solution must minimize administrative effort.
Which two actions should you perform?

  1. Detach VM1 network interface
  2. Attach a new network interface
  3. Move network interface to RG2
  4. Move VM1 to RG2
  5. Delete VM1
  6. Create a new virtual machine in VNet2
A

Delete VM1
Create a new virtual machine in VNet2

Microsoft does not support moving VMs between virtual networks, so you have to delete the VM and create a new VM in the target VNet.
Detailed steps are given in the article below.
https://docs.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-move-a-vm-to-a-different-vnet-on-azure

14
Q

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?

  1. an Azure Key Vault and an access policy
  2. an Azure Storage account and an access policy
  3. a Recovery Services vault and a backup policy
  4. Azure Active Directory (AD) Identity Protection and an Azure policy
A

an Azure Key Vault and an access policy

When you create a virtual machine (VM), you need to provide the VM administrator username and password. Instead of providing the password in the template, you can pre-store it in an Azure key vault and then customize the template to retrieve the password from the key vault during the deployment.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault

INCORRECT ANSWERS:
an Azure Storage account and an access policy – A storage account is used to store blobs; it is not recommended for storing sensitive data such as passwords.
a Recovery Services vault and a backup policy – A Recovery Services vault stores backups.
Azure Active Directory (AD) Identity Protection and an Azure policy – Identity Protection detects and investigates identity-based risks.

15
Q

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform?

  1. Upload a configuration script
  2. Create an automation account
  3. Create an Azure policy
  4. Modify the extensionProfile section of the Azure Resource Manager template
  5. Create a new virtual scale set in the Azure portal
A

Upload a configuration script

Modify the extensionProfile section of the Azure Resource Manager template

When you define a virtual machine scale set with an Azure template, the Microsoft.Compute/virtualMachineScaleSets resource provider can include a section on extensions.
The extensionProfile section details what is applied to the VM instances in a scale set. To use the Custom Script Extension, you specify a publisher of Microsoft.Azure.Extensions and a type of CustomScript.
The Custom Script Extension downloads and executes scripts on Azure VMs.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

INCORRECT ANSWERS:
Create an automation account – An Automation account is used to automate Azure management tasks.
Create an Azure policy – Azure Policy is used to enforce organizational standards.
Create a new virtual scale set in the Azure portal – You already have a virtual machine scale set.

16
Q

You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 has the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run?

  1. az aks install-cli
  2. docker aks install-cli
  3. msiexec.exe aks install-cli
  4. az /package install-cli
A

az aks install-cli

To install kubectl locally, use the az aks install-cli command.
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

INCORRECT ANSWERS:
docker aks install-cli – No such command exists.
msiexec.exe aks install-cli – msiexec.exe installs Windows Installer packages.
az /package install-cli – No such command exists.

17
Q

You create an App Service plan named Plan1 and an Azure web app named webapp1.
You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1.
What should you do first?

  1. From Plan1, scale up the App Service plan
  2. From webapp1, modify the Application settings
  3. From webapp1, add a custom domain
  4. From Plan1, scale out the App Service plan
A

From Plan1, scale up the App Service plan

The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
If the app isn’t already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up

INCORRECT ANSWERS:
From webapp1, modify the Application settings – Slot availability depends on the App Service plan tier and has nothing to do with application settings.
From webapp1, add a custom domain – Slots do not depend on custom domains.
From Plan1, scale out the App Service plan – Scaling out increases the number of application instances; it does not enable slots.

18
Q

You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named http://www.preparationlabs.com to webapp1.
What should you do first?

Create a DNS record
Add a connection string
Upload a certificate.
Stop webapp1.

A

Create a DNS record

First purchase a domain name, and make sure you have access to the DNS registry for your domain provider. Then you can map the custom domain to your Azure web app. To add a custom domain to your app, you need to verify your ownership of the domain by adding a verification ID as a TXT record with your domain provider.
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

INCORRECT ANSWERS:
Add a connection string – A custom domain is not related to application settings or connection strings.
Upload a certificate. – Uploading a certificate enables access to the application over HTTPS.
Stop webapp1. – There is no need to stop the web app to add a custom domain.

19
Q

You have a deployment template named Template1 that is used to deploy 10 Azure web apps.
You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.
What should you identify?

  1. five Azure Application Gateways
  2. one App Service plan
  3. 10 App Service plans
  4. one Azure Traffic Manager
  5. one Azure Application Gateway
A

one App Service plan

You must create an App Service plan before deploying web apps. One App Service plan can host multiple web apps. To reduce costs, create one App Service plan and use it for all 10 web apps.
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

INCORRECT ANSWERS:
five Azure Application Gateways – Application Gateway is a traffic load balancer. It is not a prerequisite for creating web apps.
10 App Service plans – An App Service plan is mandatory to create a web app. However, 10 App Service plans will increase the cost.
one Azure Traffic Manager – Traffic Manager is also a load balancer, not a prerequisite for creating web apps.
one Azure Application Gateway – Application Gateway is a traffic load balancer. It is not a prerequisite for creating web apps.

20
Q

You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.
You plan to make the following changes to VM1:
Change the size to D8s v3.
Add a 500-GB managed disk.
Add the Puppet Agent extension.
Enable Desired State Configuration Management.
Which change will cause downtime for VM1?

Enable Desired State Configuration Management
Add a 500-GB managed disk
Change the size to D8s v3
Add the Puppet Agent extension

A

Change the size to D8s v3

After you create a virtual machine (VM), you can scale the VM up or down by changing the VM size. In some cases, you must deallocate the VM first. This can happen if the new size is not available on the hardware cluster that is currently hosting the VM. If the virtual machine is currently running, changing its size will cause it to be restarted.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm

INCORRECT ANSWERS:
Enable Desired State Configuration Management – VM restart is not required.
Add a 500-GB managed disk – You can add managed disks while VM is running.
Add the Puppet Agent extension – VM restart is not required.

21
Q

You have an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to configure cluster autoscaler for AKS1.
Which two tools should you use?

the kubectl command
the az aks command
the Set-AzVm cmdlet
the Azure portal
the Set-AzAks cmdlet

A

the kubectl command
the az aks command

The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If average CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10 instances. A minimum of 3 instances is then defined for the deployment:
kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10
Use the az aks update command to enable and configure the cluster autoscaler on the node pool for the existing cluster.
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

INCORRECT ANSWERS:
the Set-AzVm cmdlet – This cmdlet sets a VM as generalized.
the Azure portal – Not a valid command
the Set-AzAks cmdlet – Creates or updates a Kubernetes cluster

22
Q

You create the following resources in an Azure subscription:
An Azure Container Registry instance named Registry1
An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1.
What should you do first?

Run the docker push command.
Create an App Service plan.
Run the az acr build command.
the az aks create command.

A

Run the az acr build command.

You should sign in and push a container image to Container Registry.
Run the az acr build command to build and push the container image:
az acr build \
  --image contoso-website \
  --registry $ACR_NAME \
  --file Dockerfile .
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app

INCORRECT ANSWERS:
Run the docker push command. – We can use docker push command to push an image. However, there is no mention of docker tag in the question. So, I will rule out this option.
Create an App Service plan. – No App Service plan is needed.
the az aks create command. – This command creates a new managed Kubernetes cluster. We already have a cluster.

23
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?

  1. Yes
  2. No
A

No

A resource lock is used to prevent accidental deletion or modification of Azure resources.

24
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?

  1. Yes
  2. No
A

No

Instead, use Azure policy.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

25
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?

  1. Yes
  2. No
A

No

The built-in Azure Policy definitions do not provide the policy required for this requirement.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

26
Q

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?

  1. Yes
  2. No
A

Yes

You can create a custom policy to block port 8080. Azure policy enables you to establish conventions for resources in your subscription by describing when the policy is enforced and what effect to take.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

27
Q

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.
Which Azure Network Watcher feature should you use?

  1. IP flow verify
  2. Connection troubleshoot
  3. Connection monitor
  4. NSG flow logs
A

Connection monitor

Connection Monitor provides RTT values at per-minute granularity. The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring

INCORRECT ANSWERS:
IP flow verify — IP flow verify checks whether a packet is allowed or denied to or from a virtual machine.
Connection troubleshoot — Enables you to troubleshoot network performance and connectivity issues in Azure.
NSG flow logs — Allows you to log information about IP traffic flowing through an NSG.

28
Q

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?

  1. Floating IP (direct server return) to Enabled
  2. Floating IP (direct server return) to Disabled
  3. A health probe
  4. Session persistence to Client IP and Protocol
A

Session persistence to Client IP and Protocol

With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure Load Balancer for sticky sessions, set Session persistence to Client IP.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode#configure-source-ip-affinity-settings

INCORRECT ANSWERS:
Floating IP (direct server return) to Enabled – Floating IP is used when applications require the same port to be used by multiple application instances on a single VM.
Floating IP (direct server return) to Disabled – Floating IP is used when applications require the same port to be used by multiple application instances on a single VM.
A health probe – Health probes are used to detect the failure of an application on a backend endpoint.

29
Q

Your on-premises network contains an SMB share named Share1.
You have an Azure subscription that contains the following resources:
A web app named webapp1
A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1.
What should you deploy?

  1. an Azure Application Gateway
  2. an Azure Active Directory (Azure AD) Application Proxy
  3. an Azure Virtual Network Gateway
A

an Azure Virtual Network Gateway

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

INCORRECT ANSWERS:
an Azure Application Gateway — Azure Application Gateway is a web traffic load balancer. It does not provide connectivity to on-premises resources.
an Azure Active Directory (Azure AD) Application Proxy — Azure Active Directory’s Application Proxy provides secure remote access to on-premises web applications. It does not provide connectivity to on-premises file shares.

30
Q

You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require?

  1. Network Interfaces: 5
  2. Network Interfaces: 10
  3. Network Interfaces: 15
  4. Network Security Groups: 1
  5. Network Security Groups: 5
  6. Network Security Groups: 10
A

Network Interfaces: 5
Network Security Groups: 1

There are five VMs, so five NICs are needed (one per VM).
The rules are the same for all VMs, so one NSG is enough.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

31
Q

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?

  1. Download and re-install the VPN client configuration package on Client1.
  2. Select Allow gateway transit on VNet1.
  3. Select Allow gateway transit on VNet2.
  4. Enable BGP on VPNGW1
A

Download and re-install the VPN client configuration package on Client1.

Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made to VNet peering or the network topology. Non-Windows clients can access directly peered VNets. Access is not transitive and is limited to only directly peered VNets.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

INCORRECT ANSWERS:
Select Allow gateway transit on VNet1 – Gateway Transit is a VNet Peering property that enables one virtual network to use the VPN gateway in the peered virtual network for cross-premises connectivity. However, in this question, the client is connected using a point-to-site VPN.
Select Allow gateway transit on VNet2 – Gateway Transit is a VNet Peering property that enables one virtual network to use the VPN gateway in the peered virtual network for cross-premises connectivity. However, in this question, the client is connected using a point-to-site VPN.
Enable BGP on VPNGW1 – BGP is for dynamic routing.

32
Q

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table. (see image)

You need to add the address space of 10.33.0.0/16 to VNet1. You need to ensure that the hosts on VNet1 and VNet2 can communicate.
Which three actions should you perform in sequence?

  1. Add the 10.33.0.0/16 address space to VNet1 -> Remove peering between VNet1 and VNet2 -> Recreate peering between VNet1 and VNet2
  2. Remove peering between VNet1 and VNet2 -> Add the 10.33.0.0/16 address space to VNet1 -> Recreate peering between VNet1 and VNet2
  3. Remove VNet1 -> Create VNet1 with new IP ranges -> Create peering between VNet1 and VNet2
A

Remove peering between VNet1 and VNet2
Add the 10.33.0.0/16 address space to VNet1
Recreate peering between VNet1 and VNet2

You can’t add address ranges to, or delete address ranges from a virtual network’s address space once a virtual network is peered with another virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

33
Q

You have an Azure web app named webapp1.
You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?

  1. Deploy an internal load balancer
  2. Peer VNET1 to another virtual network
  3. Connect webapp1 to VNET1
  4. Deploy an Azure Application Gateway
A

Connect webapp1 to VNET1

The VNet Integration feature enables your apps to access resources in or through a VNet. The VNet Integration feature has two variations:
· Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the same region, you must have a dedicated subnet in the VNet you’re integrating with.
· Gateway-required VNet Integration: When you connect to VNet in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

INCORRECT ANSWERS:
Deploy an internal load balancer – An internal load balancer is used to load balance traffic.
Peer VNET1 to another virtual network – VNet peering enables you to connect VNET1 to another virtual network.
Deploy an Azure Application Gateway – It is a web traffic load balancer.

34
Q

You have a public load balancer that balances ports 80 and 443 across three virtual machines.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?

  1. a new public load balancer for VM3
  2. an inbound NAT rule
  3. a frontend IP configuration
  4. a load balancing rule
A

an inbound NAT rule

Port forwarding lets you connect to virtual machines (VMs) in an Azure virtual network by using an Azure Load Balancer public IP address and port number. To set up port forwarding on an Azure Load Balancer, you must create inbound NAT port-forwarding rules.
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal

INCORRECT ANSWERS:
a new public load balancer for VM3 – We already have a public load balancer.
a frontend IP configuration – Frontend IP configuration allows you to configure a public IP address for the load balancer.
a load balancing rule – A load balancing rule is used to define how incoming traffic is distributed to all the instances within the backend pool.

35
Q

You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24.
You need to create a site-to-site VPN to Azure.
Which four actions should you perform in sequence?

  1. Create a DNS Server -> Create a VPN gateway -> Create a local gateway -> Create a VPN Connection
  2. Create a gateway subnet -> Create a VPN gateway -> Create a local gateway -> Create a VPN Connection
  3. Create a Virtual Network -> Create a VPN gateway -> Create a local gateway -> Create a VPN Connection
A

Create a gateway subnet
Create a VPN gateway
Create a local gateway
Create a VPN Connection

Virtual network already exists. So, we need to continue the steps from creating a gateway subnet.
Refer to the below link for detailed steps.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

36
Q

You have an Azure web app named webapp1.
Users report that they often experience HTTP 500 errors when they connect to webapp1.
You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error details.
What should you do first?

  1. From webapp1, enable Web server logging
  2. From Azure Monitor, create a workbook
  3. From Azure Monitor, create a Service Health alert
  4. From webapp1, turn on Application Logging
A

From webapp1, enable Web server logging

Web server logging – Raw HTTP request data in the W3C extended log file format. Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.
https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs

INCORRECT ANSWERS:
From Azure Monitor, create a workbook – Workbooks are for creating visual reports.
From Azure Monitor, create a Service Health alert – Service health alerts are to get up to date information and alerts on Azure issues like service outages and planned maintenances.
From webapp1, turn on Application Logging – Application logging captures log messages generated by your application code, not the web server's request data.

37
Q

Case study – Overview –
PreparationLabs, Ltd. is a manufacturing company that has offices worldwide. PreparationLabs works with partner organizations to bring products to market.
PreparationLabs products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment –
Currently, PreparationLabs uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named PreparationLabs.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements –
PreparationLabs identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.

Question:
You need to implement a backup solution for App1 after the application is moved.
What should you create first?

  1. a recovery plan
  2. an Azure Backup Server
  3. a backup policy
  4. a Recovery Services vault
A

a Recovery Services vault

Scenario:
There are three application tiers, each with five virtual machines.
Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.
When you create an Azure Backup for virtual machines, you need to either create a Recovery services vault or select an existing Recovery services vault.
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview

38
Q

Case study – Overview –
PreparationLabs, Ltd. is a manufacturing company that has offices worldwide. PreparationLabs works with partner organizations to bring products to market.
PreparationLabs products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment –
Currently, PreparationLabs uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named PreparationLabs.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements –
PreparationLabs identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.

Question:
You need to move the blueprint files to Azure.
What should you do?

  1. Generate an access key. Map a drive, and then copy the files by using File Explorer.
  2. Use Azure Storage Explorer to copy the files.
  3. Use the Azure Import/Export service.
  4. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
A

Use Azure Storage Explorer to copy the files.

Scenario:
Planned Changes include: Move the existing product blueprint files to Azure Blob storage.
Technical Requirements include: Copy the blueprint files to Azure over the Internet.
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

39
Q

Case study – Overview –
PreparationLabs, Ltd. is a manufacturing company that has offices worldwide. PreparationLabs works with partner organizations to bring products to market.
PreparationLabs products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment –
Currently, PreparationLabs uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named PreparationLabs.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements –
PreparationLabs identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.

Question:
You need to identify the storage requirements for PreparationLabs.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. PreparationLabs requires a storage account that supports Blob storage.
2. PreparationLabs requires a storage account that supports Azure Table storage.
3. PreparationLabs requires a storage account that supports Azure File Storage.

  1. Yes, Yes, Yes
  2. Yes, No, Yes
  3. Yes, No, No
  4. No, No, Yes
  5. No, Yes, No
A

Yes, No, No

Scenario:
PreparationLabs is moving the existing product blueprint files to Azure Blob storage.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.
Ensure that the blueprint files are stored in the archive storage tier.
All of these requirements can be fulfilled using Azure Blob storage. There are no requirements for Table or File storage.
https://docs.microsoft.com/en-au/azure/storage/blobs/storage-blobs-introduction

40
Q

Case study – Overview –
PreparationLabs, Ltd. is a manufacturing company that has offices worldwide. PreparationLabs works with partner organizations to bring products to market.
PreparationLabs products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment –
Currently, PreparationLabs uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named PreparationLabs.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements –
Planned Changes –
PreparationLabs plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements –
PreparationLabs must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements –
PreparationLabs identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.

Question:
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation?

  1. Number of virtual networks: 1
  2. Number of virtual networks: 2
  3. Number of virtual networks: 3
  4. Number of subnets per virtual network: 1
  5. Number of subnets per virtual network: 2
  6. Number of subnets per virtual network: 3
A

Number of virtual networks: 1
Number of subnets per virtual network: 3

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
-> A SQL database
-> A web front end
-> A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Technical requirements include:
-> Move all the virtual machines for App1 to Azure.
-> Minimize the number of open ports between the App1 tiers.
So, ideally, each tier should have its own subnet within a single virtual network, which lets NSG rules restrict the ports open between the tiers.
Below link provides typical architecture for an n-tier application in Azure.
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

41
Q

You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 to add a backend pool to LB1?

  1. Contributor on LB1
  2. Network Contributor on LB1
  3. Network Contributor on RG1
  4. Owner on LB1
A

Network Contributor on RG1

The load balancer is of type Microsoft.Network/loadBalancers. The Network Contributor role allows you to manage networks: a Network Contributor can create and manage network resources (Microsoft.Network/*).
Therefore, assigning Admin1 the Network Contributor role on the resource group satisfies the requirement.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#networking
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-template

INCORRECT ANSWERS:
Contributor on LB1 – Does not follow the principle of least privilege
Network Contributor on LB1 – Does not have the required privilege
Owner on LB1 – Does not follow the principle of least privilege

42
Q

You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 to add a health probe to LB2?

  1. Contributor on LB2
  2. Network Contributor on LB2
  3. Network Contributor on RG1
  4. Owner on LB2
A

Network Contributor on RG1

The load balancer is of type Microsoft.Network/loadBalancers. The Network Contributor role allows you to manage networks: a Network Contributor can create and manage network resources (Microsoft.Network/*).
Therefore, assigning Admin1 the Network Contributor role on the resource group satisfies the requirement.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#networking
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-template

INCORRECT ANSWERS:
Contributor on LB2 – Does not follow the principle of least privilege
Network Contributor on LB2 – Does not have the required privilege
Owner on LB2 – Does not follow the principle of least privilege

43
Q

You have an Azure Active Directory (Azure AD) tenant named preparationlabs.com that contains the users shown in the following table: (see image 1)

User3 is the owner of Group1. Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit: (see image 2)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. User3 can perform an access review of User1
2. User3 can perform an access review of UserA
3. User3 can perform an access review of UserB

  1. Yes, Yes, Yes
  2. No, No, Yes
  3. Yes, No, Yes
  4. No, Yes, Yes
A

No, No, Yes

The access review Review1 is scoped only for Guest users in Group1.
1. User1 is not a guest user in Group1, so the answer is No.
2. Similarly, UserA is not a guest user, so the answer is No.
3. UserB is a guest user and Group2 is a member of Group1, so the group owner (User3) can perform an access review for UserB.
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

44
Q

You have an Azure policy as shown in the following exhibit: (see image)

Parameters:
Not allowed resource types: Microsoft.Sql/servers
What is the effect of the policy?

  1. You are prevented from creating Azure SQL servers anywhere in the Free Trial Subscription.
  2. You can create Azure SQL servers in RG1 only.
  3. You are prevented from creating Azure SQL Servers in RG1 only.
  4. You can create Azure SQL servers in any resource group within Free Trial Subscription.
A

You can create Azure SQL servers in RG1 only.

The resource group RG1 is excluded from the policy assignment. So, you can create Azure SQL Servers in RG1 only.
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
INCORRECT ANSWERS:
You are prevented from creating Azure SQL servers anywhere in the Free Trial Subscription. – RG1 is excluded from the policy.
You are prevented from creating Azure SQL Servers in RG1 only. – RG1 is excluded from the policy.
You can create Azure SQL servers in any resource group within Free Trial Subscription. – It is allowed only in RG1.

45
Q

You have an Azure subscription named Subscription1 that contains the resources shown in the following table: (see image)

You create a new Azure subscription named Subscription2.
You need to identify which resources can be moved to Subscription2.
Which resources should you identify?

  1. VM1, storage1, VNET1, and VM1Managed only
  2. VM1 and VM1Managed only
  3. VM1, storage1, VNET1, VM1Managed, and RVAULT1
  4. RVAULT1 only
A

VM1, storage1, VNET1, VM1Managed, and RVAULT1

You can move a storage account, VM and its associated resources to a different subscription by using the Azure portal.
You can also move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

46
Q

You recently created a new Azure subscription that contains a user named Admin1.
Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template.
Admin1 deploys the template by using Azure PowerShell and receives the following error message:
“User failed validation to purchase resources. Error message: “Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.”
You need to ensure that Admin1 can deploy the Marketplace resource successfully.
What should you do?

  1. From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet
  2. From the Azure portal, register the Microsoft.Marketplace resource provider
  3. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet
  4. From the Azure portal, assign the Billing administrator role to Admin1
A

From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet

Run Set-AzMarketplaceTerms to accept the legal terms. It accepts or rejects terms for a given publisher id (Publisher), offer id (Product) and plan id (Name).
Use Get-AzMarketplaceTerms to retrieve the agreement terms.
https://docs.microsoft.com/en-us/powershell/module/az.marketplaceordering/set-azmarketplaceterms?view=azps-4.1.0

INCORRECT ANSWERS:
From Azure PowerShell, run the Set-AzApiManagementSubscription cmdlet – This cmdlet updates the details of an existing API Management subscription; it has nothing to do with Marketplace terms.
From the Azure portal, register the Microsoft.Marketplace resource provider – This registers the Microsoft.Marketplace resource provider in the subscription, which does not accept the legal terms.
From the Azure portal, assign the Billing administrator role to Admin1 – This assigns the Billing administrator role to Admin1, which is not required.

47
Q

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts.
You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?

  1. From the Licenses blade, assign a new license
  2. From the Directory role blade, modify the directory role
  3. From the Groups blade, invite the user account to a new group
A

From the Directory role blade, modify the directory role

To assign a role to a user –
1. Sign in to the Azure portal with an account that’s a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator.
4. Press Select to save.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

INCORRECT ANSWERS:
From the Licenses blade, assign a new license – This step adds a license to the user, not a role.
From the Groups blade, invite the user account to a new group – This step adds the user to a group, not a role.

48
Q

You sign up for Azure Active Directory (Azure AD) Premium.
You need to add a user named admin1@preparationlabs.com as an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?

  1. Device settings from the Devices blade
  2. Providers from the MFA Server blade
  3. User settings from the Users blade
  4. General settings from the Groups blade
A

Device settings from the Devices blade

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
· The Azure AD global administrator role
· The Azure AD device administrator role
· The user performing the Azure AD join
By adding Azure AD roles to the local administrators group, you can update the users that can manage a device at any time in Azure AD without modifying anything on the device. Currently, you cannot assign groups to an administrator role. Azure AD also adds the Azure AD device administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have only been assigned the device administrator role to manage a device.
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator.
2. Search for and select Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

INCORRECT ANSWERS:
Providers from the MFA Server blade – This is for MFA authentication providers
User settings from the Users blade – This is to edit user profile information
General settings from the Groups blade – This is to add/edit group memberships

49
Q

You have an Azure subscription that contains a resource group named ResourceGroup1.
ResourceGroup1 is set to the West Europe location and is used to create temporary resources for a project.
ResourceGroup1 contains the resources shown in the following table. (see image)

SQLD01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete ResourceGroup1.
What should you do first?

  1. Delete VM1
  2. Stop VM1
  3. Stop the backup of SQLD01
  4. Delete sa001
A

Stop the backup of SQLD01

You can’t delete a Recovery Services vault with any of the following dependencies:
· You can’t delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
· You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
· You can’t delete a vault that contains backup data in the soft deleted state.
· You can’t delete a vault that has registered storage accounts.
Therefore, resource group deletion will fail. You must stop the backup before initiating a delete.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

50
Q

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Which three actions should you perform in sequence?

  1. Assign a tag to each resource; From the Cost analysis blade, filter the view by tag; Download the usage report
  2. Assign a tag to each resource group; From the Cost analysis blade, filter the view by tag; Download the usage report
  3. Open the Resource Costs blade for each resource group; Download the usage report; Send to the Finance team
A

Assign a tag to each resource; From the Cost analysis blade, filter the view by tag; Download the usage report

Assign a tag to each resource.
You apply tags to your Azure resources to give them metadata that logically organizes them into a taxonomy. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value.
From the Cost analysis blade, filter the view by tag.
After you get your services running, regularly check how much they’re costing you. You can see the current spend and burn rate in the Azure portal.
1. Visit the Subscriptions blade in the Azure portal and select a subscription.
2. You should see the cost breakdown and burn rate in the popup blade.
3. Click Cost analysis in the list to the left to see the cost breakdown by resource.
4. You can filter by different properties such as tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to export the view to a Comma-Separated Values (.csv) file.
Download the usage report.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started

51
Q

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table. (see image)

RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?

  1. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
  2. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
  3. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
  4. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
A

The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.

Moving the web app has no impact on the App Service plan: the plan remains in its source location and resource group. Because the web app is moved to a different resource group, the policies assigned to the target resource group apply to it.
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage#move-an-app-to-a-different-region

52
Q

You have an Azure subscription. Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs.
You have a line-of-business app named App1 that runs on several Azure virtual machines. The virtual machines run Windows Server 2016.
You need to ensure that the connections to App1 are spread across all the virtual machines.
What are two possible Azure services that you can use?

  1. an internal load balancer
  2. a public load balancer
  3. an Azure Content Delivery Network (CDN)
  4. Traffic Manager
  5. an Azure Application Gateway
A

an internal load balancer
an Azure Application Gateway

As App1 is used internally by employees from multiple locations, an internal load balancer is the right choice. An Azure Application Gateway is the other possible solution, since the application is not deployed across regions.
https://docs.microsoft.com/en-us/azure/application-gateway/overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

INCORRECT ANSWERS:
a public load balancer – Since App1 is an internal application, a public load balancer is not required
an Azure Content Delivery Network (CDN) – Azure CDN caches static objects, reducing load times and saving bandwidth
Traffic Manager – It is used to distribute traffic across Azure regions.

53
Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named preparationlabs.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.preparationlabs.onmicrosoft.com.
You need to create new user accounts in external.preparationlabs.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts.
Does that meet the goal?

Yes
No

A

Yes

A Global administrator can add users to this tenant. To add or delete users you must be a User administrator or Global administrator.
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

54
Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named preparationlabs.onmicrosoft.com: (see image)

User1 creates a new Azure Active Directory tenant named external.preparationlabs.onmicrosoft.com.
You need to create new user accounts in external.preparationlabs.onmicrosoft.com.
Solution: You instruct User4 to create the user accounts.
Does that meet the goal?

Yes
No

A

No

To add or delete users you must be a User administrator or Global administrator.
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

55
Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named preparationlabs.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.preparationlabs.onmicrosoft.com.
You need to create new user accounts in external.preparationlabs.onmicrosoft.com.
Solution: You instruct User3 to create the user accounts.
Does that meet the goal?

Yes
No

A

No

The new tenant external.preparationlabs.onmicrosoft.com will not contain any users from the primary tenant until they are added to it.

56
Q

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named preparationlabs.onmicrosoft.com:
User1 creates a new Azure Active Directory tenant named external.preparationlabs.onmicrosoft.com.
You need to create new user accounts in external.preparationlabs.onmicrosoft.com.
Solution: You instruct User1 to create the user accounts.
Does that meet the goal?

Yes
No

A

Yes

A Global administrator can add users to this tenant. To add or delete users you must be a User administrator or Global administrator.
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

57
Q

You have an existing Azure subscription that contains 10 virtual machines.
You need to monitor the latency between your on-premises network and the virtual machines.
What should you use?

Service Map
Connection troubleshoot
Network Performance Monitor
Effective routes

A

Network Performance Monitor

Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

INCORRECT ANSWERS:
Service Map – Service Map automatically discovers application components on Windows and Linux systems
Connection troubleshoot – Enables you to troubleshoot network performance and connectivity issues in Azure
Effective routes – You can use effective routes to determine why you can’t connect to a VM

58
Q

You have an Azure subscription that contains 10 virtual machines on a virtual network.
You need to create a graph visualization to display the traffic flow between the virtual machines.
What should you do from Azure Monitor?

From Activity log, use quick insights.
From Metrics, create a chart.
From Logs, create a new query.
From Workbooks, create a workbook.

A

From Workbooks, create a workbook.

Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences.
Workbooks are currently compatible with the following data sources:
· Logs
· Metrics
· Azure Resource Graph
· Alerts (Preview)
· Workload Health
· Azure Resource Health
· Azure Data Explorer

https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview
Please note, you can also achieve this requirement using Logs by creating a new query. However, Microsoft provided workbooks as a way to go for visualizations.

INCORRECT ANSWERS:
From Activity log, use quick insights – Activity log provides activities performed on a resource
From Metrics, create a chart – Metrics provide usage metrics like CPU, Memory usage etc..
From Logs, create a new query – A log query can also produce this visualization, but Workbooks are the tool Microsoft provides for visualizations.

59
Q

You have a virtual network named VNet1 as shown below (see image)

No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
What should you do first?

Configure a service endpoint on VNet2.
Add a gateway subnet to VNet1.
Create a subnet on VNet1 and VNet2.
Modify the address space of VNet1.

A

Modify the address space of VNet1.

VNet peering (or virtual network peering) enables you to connect virtual networks. A VNet peering connection between virtual networks enables you to route traffic between them privately through IPv4 addresses. Virtual machines in the peered VNets can communicate with each other as if they are within the same network. These virtual networks can be in the same region or in different regions.
Address spaces must not overlap to enable VNet Peering. The virtual networks you peer must have non-overlapping IP address spaces.
In this question, the IP address spaces are overlapping. So the first step is to modify the IP address range for VNet1.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#vnet-peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

INCORRECT ANSWERS:
Configure a service endpoint on VNet2 – Service endpoints are used to connect Azure services directly using MS backbone
Add a gateway subnet to VNet1 – Gateway subnet is not required for VNET peering
Create a subnet on VNet1 and VNet2 – Subnets are mandatory to create VNet peering.

60
Q

You have 10 Azure virtual machines on a subnet named Subnet1. Subnet1 is on a virtual network named VNet1. You plan to deploy a public Azure Standard Load Balancer named LB1 to the same Azure region as the 10 virtual machines.
You need to ensure that traffic from all the virtual machines to the internet flows through LB1. The solution must prevent the virtual machines from being accessible on the internet.
Which three actions should you perform? Each correct answer presents part of the solution.

  1. Add health probes to LB1.
  2. Add the network interfaces of the virtual machines to the backend pool of LB1.
  3. Add an inbound rule to LB1.
  4. Add an outbound rule to LB1.
  5. Associate a network security group (NSG) to Subnet1.
  6. Associate a user-defined route to Subnet1.
A

Add the network interfaces of the virtual machines to the backend pool of LB1.
Add an outbound rule to LB1.
Associate a network security group (NSG) to Subnet1.

A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses.
Standard Load Balancer is built on the zero trust network security model at its core. Standard Load Balancer is secure by default and is part of your virtual network. The virtual network is a private and isolated network. This means Standard Load Balancers and Standard Public IP addresses are closed to inbound flows unless opened by Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource.
Therefore, create an NSG and associate it with Subnet1, add an outbound rule, and add the VMs to the backend pool.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections
https://docs.microsoft.com/en-us/azure/load-balancer/outbound-rules

INCORRECT ANSWERS:
Add health probes to LB1 – Health probes are required to check the health status of backend pool machines.
Add an inbound rule to LB1 – Inbound rules are required if you need to send traffic to a specific VM.
Associate a user-defined route to Subnet1 – User-defined routing is not required for a load balancer.

61
Q

You have an Azure subscription that contains the storage accounts shown in the following table. (see image)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. storage1 can host Azure file shares
2. There are six copies of the data in storage2.
3. storage3 can be converted to a GRS account.

  1. Yes, Yes, Yes
  2. Yes, No, Yes
  3. Yes, Yes, No
  4. No, Yes, Yes
A

No, Yes, Yes

  1. Azure file shares are deployed into storage accounts, which are top-level objects that represent a shared pool of storage. GPv2 storage accounts allow you to deploy Azure file shares on standard/hard disk-based (HDD-based) hardware (not on the premium tier).
  2. Geo-redundant storage (GRS) brings additional redundancy to the data storage over either LRS or ZRS. Along with the three copies of your data stored within a single region, a further three copies are stored in the paired Azure region.
  3. You can switch a storage account from one type of replication to any other type, but some scenarios are more straightforward than others. If you want to add or remove geo-replication or read access to the secondary region, you can use the Azure portal, PowerShell, or Azure CLI to update the replication setting.
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

62
Q

You have an Azure subscription.
You create a custom role in Azure by using the following Azure Resource Manager template. (see image)

You assign the role to a user named User1.
Which action can User1 perform?

  1. Create virtual machines.
  2. Create resource groups.
  3. Delete virtual machines.
  4. Create support requests.
A

Create support requests.

This role has read permissions on storage, network, and start/restart permissions on Compute. Full access is provided on Microsoft.Support/*. So, User1 will be able to create support requests.
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

INCORRECT ANSWERS:
Create virtual machines – The role has only read access on compute, so creating virtual machines is not possible.
Create resource groups – The role has only read access on resource groups, so creating resource groups is not possible.
Delete virtual machines – The role has only read access on compute, so deleting virtual machines is not possible.

63
Q

You have an Azure subscription that contains the resources shown in the following table. (see image)

In RG2, you need to create a new virtual machine named VM2 that will connect to VNET1. VM2 will use a network interface named VM2_interface.
In which region should you create VM2 and VM2_interface?

  1. VM2: West US
  2. VM2: East US
  3. VM2_interface: West US
  4. VM2_interface: East US
A

VM2: East US
VM2_interface: East US

Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.
https://docs.microsoft.com/en-us/azure/virtual-machines/network-overview?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#network-interfaces

INCORRECT ANSWERS:
VM2: West US – The region does not match with VNET1 region
VM2_interface: West US – The region does not match with VNET1 region

64
Q

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named preparationlabs.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in preparationlabs.com.
You need to ensure that access to AKS1 can be granted to the preparationlabs.com users.
What should you do first?

  1. From preparationlabs.com, modify the Organization relationships settings.
  2. From preparationlabs.com, create an OAuth 2.0 authorization endpoint.
  3. Recreate AKS1.
  4. From AKS1, create a namespace.
A

From preparationlabs.com, create an OAuth 2.0 authorization endpoint.

All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users.
It is assumed that a cluster-independent service manages normal users in the following ways:
· an administrator distributing private keys
· a user store like Keystone or Google Accounts
· a file with a list of usernames and passwords
In this regard, Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.
Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to authenticate API requests through authentication plugins.
OpenID Connect is a flavor of OAuth2 supported by some OAuth2 providers, notably Azure Active Directory, Salesforce, and Google. The protocol’s main extension of OAuth2 is an additional field returned with the access token called an ID Token. This token is a JSON Web Token (JWT) with well-known fields, such as a user’s email, signed by the server.
To identify the user, the authenticator uses the id_token (not the access_token) from the OAuth2 token response as a bearer token.
https://docs.microsoft.com/en-us/azure/aks/concepts-identity#aks-service-permissions
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

65
Q

You have the Azure management groups shown in the following table: (see image 1)

You add Azure subscriptions to the management groups as shown in the following table: (see image 2)

You create the Azure policies shown in the following table: (see image 3)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. You can create a virtual network in Subscription1
2. You can create a virtual machine in Subscription2
3. You can add Subscription1 to ManagementGroup11

  1. No, Yes, No
  2. Yes, No, No
  3. Yes, No, Yes
  4. Yes, Yes, Yes
A

No, Yes, No

  1. The Azure policy (Not allowed resource types – Virtual networks) is inherited by Subscription1. So, virtual networks cannot be created in Subscription1.
  2. Policy assignments are evaluated top-to-bottom. The most restrictive policy assignment always wins, i.e. a DENY at any level takes precedence over an ALLOW at any other level. So the Azure policy (Not allowed resource types – Virtual networks) applies to Subscription2. The deny policy covers only virtual networks, so a virtual machine can still be created by using an existing VNet.
  3. Each management group and subscription can have only one parent. Subscription1 is already part of a management group. It cannot be added to another management group, although it can be moved.
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview