MS AZ-104 WL.pdf Flashcards

1
Q

Question 2
Domain: Manage Azure identities and governance
Company WhizLabs has 2 Azure subscriptions named “Staging” and “Production”.
The “Staging” subscription has the following resource groups:
Name || Region || Lock type
rg-staging-1 || West Europe || None
rg-staging-2 || West Europe || Read-only

The company has deployed a storage account stwhizlabs to the rg-staging-1 resource group.
The “Production” subscription has the following resource groups.

Name || Region || Lock type
rg-production-3 || East Asia || Delete
rg-production-4 || Central US || None

Would you be able to move stwhizlabs resource to the rg-production-3 resource group?

Yes
No

A

Yes

We can move resources from one resource group to another. In this case the source resource group has no lock defined, and the receiving resource group has a delete lock, which only prevents resources from being deleted. Below is a further explanation of what a delete lock does.
A delete lock on a resource group means that no resource contained in the resource group can be deleted. The idea behind a delete lock is to avoid any resource deletion, even by mistake. If there is no lock on a resource group, a user can delete it by mistake, and a malicious user can also delete it. This can cause serious problems in a production system and may even impact the end user.
A delete lock imposes no other restrictions. Resources can always be added to a resource group with a delete lock.
From this explanation it is clear that A (Yes) is the correct answer; all other answers are wrong.
Note - below screenshots are added for reference purposes.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

2
Q

Question 2
Domain: Manage Azure identities and governance
Company WhizLabs has 2 Azure subscriptions named “Staging” and “Production”.
The “Staging” subscription has the following resource groups:
Name || Region || Lock type
rg-staging-1 || West Europe || None
rg-staging-2 || West Europe || Read-only

The company has deployed a web application (app-whizlabsweb) within the App Service plan (ASP-whizlabsrg1-ba8c) to the resource group (rg-staging-1).

The “Production” subscription has the following resource groups.

Name || Region || Lock type
rg-production-3 || East Asia || Delete
rg-production-4 || Central US || None

Also, the company provisioned a web application (app-prod-web) in the resource group (rg-production-4). Would you be able to move App Service resources from rg-staging-1 to the rg-production-4 resource group?

Yes
No

A

No

Moving a resource from one resource group to another changes only metadata; it has no effect on the resources themselves. Neither rg-staging-1 nor rg-production-4 has any locks. However, we still cannot move App Service resources from the resource group “rg-staging-1” to the target resource group “rg-production-4” because it already contains web resources.
The destination resource group must not have any existing App Service resources. App Service resources include Web Apps, App Service plans, etc. Here, rg-staging-1 has a web application (app-whizlabsweb) with the App Service plan (ASP-whizlabsrg1-ba8c), and the target resource group (rg-production-4) has a web application (app-prod-web).
As per the Microsoft documentation, web resources in the destination group violate the rules for moving App Service resources from one subscription to another.
It is clear that B is the correct answer and A is the wrong answer.
For more information on resource locks, please visit the following URL-
Move Azure App Service resources across resource groups or subscriptions - Azure Resource Manager | Microsoft Docs

3
Q

Question 4
Domain: Implement and manage storage
Whizlabs Inc. is a multinational company with offices in multiple countries. The company is planning to move its on-premises file servers to Azure Files. While setting up identity-based access for Azure Files, which of the following mechanisms enforces granular access control for files and directories within a share?

A. Azure Active Directory Domain Services
B. Role-Based Access Control (RBAC) right
C. Shared Key Authentication
D. Virtual Network Service Endpoints

A

B. Role-Based Access Control (RBAC) right C. Shared Key Authentication

Role-Based Access Control (RBAC) for Azure Files allows you to manage and control access to your Azure File shares and their associated resources in a fine-grained manner. RBAC is a crucial component of Azure’s access control and authorization system, and it helps ensure that users and services have the right permissions to perform specific actions within Azure Files.
Option A is incorrect because Azure Active Directory Domain Services (Azure AD DS) is a managed domain service that integrates with Azure AD for identity and authentication in Azure environments.
Option B is correct because Role-Based Access Control (RBAC) for Azure Files allows you to manage and control access to your Azure File shares and their associated resources at a granular level.
Option C is incorrect because Shared Key Authentication is a method to authenticate access to Azure Storage resources using an account’s access key securely.
Option D is incorrect because Virtual Network Service Endpoints in Azure extend private network connectivity to Azure services, enabling secure access without public internet exposure, enhancing security, and reducing latency.
Reference: Control access to Azure file shares by assigning share-level permissions | Microsoft Learn

4
Q

Question 7
Domain: Manage Azure identities and governance
Your company has a Microsoft Entra tenant named whizlabs.com.
The following users are defined in the tenant.
Name || Role
whizlabusr1 || Cloud device administrator
whizlabusr2 || User administrator

The tenant also consists of the following Windows 10 devices.
Name || Join type
whizlabvm1 || Microsoft Entra ID registered
whizlabvm2 || Microsoft Entra ID joined

The tenant also has the following groups defined.
Name || Join Type || Owner
whizlabgrp1 || Assigned || whizlabusr1
whizlabgrp2 || Dynamic Device || whizlabusr2
Would the user whizlabusr2 be able to add the device whizlabvm1 to the group whizlabgrp1?

Yes
No

A

Yes

Since whizlabusr2 holds the “User Administrator” role, he/she can update the membership of any assigned group, regardless of whether he/she is the owner of the group, because of the role. He/she can add users and devices to any assigned group in Microsoft Entra ID.
References:
Manage devices in Microsoft Entra ID using the Microsoft Entra admin center | Microsoft Learn

5
Q

Question 8
Domain: Manage Azure identities and governance
Your company has a Microsoft Entra tenant named whizlabs.com.
The following users are defined in the tenant.
Name || Role
whizlabusr1 || Cloud device administrator
whizlabusr2 || User administrator

The tenant also consists of the following Windows 10 devices.
Name || Join type
whizlabvm1 || Microsoft Entra ID registered
whizlabvm2 || Microsoft Entra ID joined

The tenant also has the following groups defined.
Name || Join Type || Owner
whizlabgrp1 || Assigned || whizlabusr1
whizlabgrp2 || Dynamic Device || whizlabusr2

Would the user whizlabusr2 be able to add the device whizlabvm2 to the group whizlabgrp2?

Yes
No

A

No

Since the group is dynamic, you cannot add users or devices to it manually. Membership of device whizlabvm2 is governed by the group's rules, and the device is added or removed automatically.

Membership types:

Assigned: Lets you add specific users as members of a group and have unique permissions.
Dynamic user: Lets you use dynamic membership rules to automatically add and remove members. If a member’s attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rules requirements (is removed).
Dynamic device: Lets you use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added), or no longer meets the rules requirements (is removed).
Important
You can create a dynamic group for either devices or users, but not for both. You can’t create a device group based on the device owners’ attributes. Device membership rules can only reference device attributes. For more info about creating a dynamic group for users and devices, see Create a dynamic group and check status.

The device whizlabvm2 is already “Microsoft Entra ID joined”. Hence whizlabvm2 will be governed by the AD rule.

References:
https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#group-and-membership-types
https://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups
https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule

6
Q

Question 9
Domain: Implement and manage virtual networking
A company has deployed the following Azure Load Balancer resources to their Azure subscription

Name || SKU
whizlabload1 || Basic
whizlabload2 || Standard

Each load balancer would have to load balance requests across three virtual machines.
You want to ensure that whizlabload1 can load balance requests across the three virtual machines. Which of the following has to be implemented?
A. Ensure the virtual machines are created in the different regions.
B. Ensure the virtual machines are created in the same resource group.
C. Ensure the virtual machines are created in the same virtual network.
D. Ensure the virtual machines are created in the same availability set or virtual machine scale set

A

D. Ensure the virtual machines are created in the same availability set or virtual machine scale set

You look at the comparison between the Standard and the Basic Load Balancer in the Microsoft documentation. It clearly mentions that the virtual machines need to be part of an availability set or a virtual machine scale set.

Since this is clearly mentioned in the documentation, all other options are incorrect. For more information on the Azure Load Balancer, please visit the following URL-
What is Azure Load Balancer? - Azure Load Balancer | Microsoft Learn
Azure Load Balancer SKUs | Microsoft Learn

7
Q

Question 10
Domain: Implement and manage virtual networking
A company has deployed the following Azure Load Balancer resources to their Azure subscription

Name || SKU
whizlabload1 || Basic
whizlabload2 || Standard

Each load balancer would have to load balance requests across three virtual machines.
You want to ensure that whizlabload2 can load balance requests across the three virtual machines. Which of the following has to be implemented?
A. Ensure the virtual machines are created in the different regions.
B. Ensure the virtual machines are created in the same resource group.
C. Ensure the virtual machines are created in the same virtual network.
D. Ensure the virtual machines are created in the same availability set or virtual machine scale set

A

C. Ensure the virtual machines are created in the same virtual network.

You look at the comparison between the Standard and the Basic Load Balancer in the Microsoft documentation. It clearly mentions that the virtual machines need to be part of a single virtual network.
Since this is clearly mentioned in the documentation, all other options are incorrect. For more information on the Azure Load Balancer, please visit the following URL-
https://docs.microsoft.com/en-us/azure/load-balancer/skus

8
Q

Question 13
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription. (see image)

The virtual machine wlvm1 is part of a virtual network named wl-network2. The virtual machine has a network interface named wlnic attached to it. You need to create a new network interface named wlsecnic and later attach it to the virtual machine.
You decide to create wlsecnic in the wl-rg2 resource group and the West US region. Would this fulfill the requirement?

Yes
No

A

Yes

In order to attach a network interface to a virtual machine, it must be created in the same region as the virtual machine. It must also be part of the same virtual network that hosts the virtual machine.
Hence here, the requirements for ensuring the network interface can be attached to the virtual machine are met.
Below is an excerpt from the Microsoft documentation on the creation of a network interface.
For more information on network interfaces, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

9
Q

Question 14
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription. (see image)

The virtual machine wlvm1 is part of a virtual network named wl-network2. The virtual machine has a network interface named wlnic attached to it. You need to create a new network interface named wlsecnic and later attach it to the virtual machine.
You decide to create wlsecnic in the wl-rg1 resource group and the West US region. Would this fulfill the requirement?

Yes
No

A

Yes

First, we need to understand the difference between data and metadata. Metadata is not the actual data, but additional useful information about the data. A resource group contains metadata about Azure resources, not the actual resources. A resource group contains the list of resources and some additional useful information such as the region in which the resources exist, the components of each resource, etc. In view of this, a resource group and the actual resources it contains can be in different regions. The basic constraint here is that a VM and all its components should be in the same network and in the same region.
In the given scenario, we are asked to create a new network interface wlsecnic and attach it to wlvm1, which resides in wl-network2. Since all these resources are in the West US region, it is possible to do so although wl-rg2 is in a separate region (West Europe).
Here it should be noted that it is good practice to create a resource group and its resources in the same region. Sometimes, data residency and compliance requirements will also force us to create both in the same region.

10
Q

Question 15
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription. (see image)

The virtual machine wlvm1 is part of a virtual network named wl-network2. The virtual machine has a network interface named wlnic attached to it. You need to create a new network interface named wlsecnic and later attach it to the virtual machine.
You decide to create wlsecnic in the wl-rg2 resource group and in the Central US region. Would this fulfill the requirement?

Yes
No

A

No

In order to attach a network interface to a virtual machine, it must be created in the same region as the virtual machine. It must also be part of the same virtual network that hosts the virtual machine.
Here the virtual machine is in the West US region and the network interface is being created in the Central US region. For more information on network interfaces, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

11
Q

Question 16
Domain: Monitor and maintain Azure resources
A company has the following resources defined as part of its Azure subscription. (see image)

A blob container named “whizlabdata” and a file share named “whizlabfiledata” are created in the storage account whizlabstore1. Which of the following resources can be backed up with the help of the recovery services vault whizlabvault1?

A. whizlabvm1 only
B. whizlabvm1 and whizlabfiledata only
C. whizlabvm1 and whizlabdb only
D. whizlabvm1, whizlabstore1 and whizlabdb
E. whizlabvm1, whizlabdata, whizlabfiledata and whizlabdb

A

A. whizlabvm1 only

Here the recovery services vault (whizlabvault1) is located in the Central US region. This means that only resources in this region can be backed up in the recovery services vault. And for this, we have only the virtual machine located in this region.
Since this is the only approach for backing up data in the recovery services vault, all other options are incorrect. For more information on the recovery services vault, please visit the following URLs-
https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare

12
Q

Question 17
Domain: Monitor and maintain Azure resources
A company has the following resources defined as part of its Azure subscription. (see image)

A blob container named “whizlabdata” and a file share named “whizlabfiledata” are created in the storage account whizlabstore1. Which of the following resources can be backed up with the help of the recovery services vault whizlabvault2?

A. whizlabstore1 only
B. whizlabfiledata only
C. whizlabvm1 and whizlabfiledata only
D. whizlabdata and whizlabfiledata only
E. whizlabstore1 and whizlabdb only

A

B. whizlabfiledata only

In an Azure Recovery Services vault (RSV), we can back up only those resources that are in the same region as the RSV. In the current scenario the RSV (whizlabvault2) region is West US. Storage account whizlabstore1 is also in the same region. whizlabstore1 has two resources: a blob container named “whizlabdata” and a file share named “whizlabfiledata”. Azure blob data cannot be backed up in an RSV (it requires a Backup vault). An Azure file share, however, can be backed up in an RSV. There are no other resources in the same region other than these two.
It is clear that B is the correct answer and all other answers are wrong.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview

13
Q

Question 18
Domain: Manage Azure identities and governance
A company has a Microsoft Entra ID that contains the following users. (see image)

The Microsoft Entra Tenant has the following device settings. Users can join devices to Microsoft Entra ID.

Additional local administrators on Microsoft Entra joined devices are set to None.
The user whizlabusr1 goes ahead and joins a Windows 10 computer to the Microsoft Entra tenant.
You need to identify those users that would be added to the local Administrators group on the computer.

A. whizlabusr1 only
B. whizlabusr2 only
C. whizlabusr1, whizlabusr2 and whizlabusr3 only
D. whizlabusr1 and whizlabusr2 only
E. whizlabusr1, whizlabusr2, whizlabusr3 and whizlabusr4

A

D. whizlabusr1 and whizlabusr2 only

When a device is joined to Microsoft Entra ID, the user who joins the computer to the domain is added as the local administrator. Also, the Global Administrator will be added as an administrator to the system.
Hence D is the correct answer and all other answers are wrong. This is also mentioned in the Microsoft documentation.
How it works
At the time of Microsoft Entra join, we add the following security principals to the local administrators group on the device:
* The Microsoft Entra Global Administrator role
* The Microsoft Entra Joined Device Local Administrator role
* The user performing the Microsoft Entra join

Note
This is done during the join operation only. If an administrator makes changes after this point they will need to update the group membership on the device.

Note: Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID
For more information on managing the local administrators in the Microsoft Entra join process, please visit the following URL-
How to manage local administrators on Microsoft Entra joined devices | Microsoft Learn
Microsoft Entra built-in roles | Microsoft Learn

14
Q

Question 19
Domain: Deploy and manage Azure compute resources
You need to increase the number of CPU cores and memory for a running Azure Container Instance.
What 2 steps do you take to carry out this task?

A. Stop the ACI
B. Redeploy ARM ACI deployment template
C. In Azure portal, select the Scale up for ACI container
D. Update Dockerfile
E. Delete the ACI

A

B. Redeploy ARM ACI deployment template
E. Delete the ACI

Unfortunately, Azure does not allow you to scale Azure Container Instances. You need to delete the current ACI and create a new instance with the new resource requirements. The most convenient way is to reuse and run the ARM template from the previous ACI deployment. You can find the template under the Deployments section on the ACI’s resource group blade. When you select the deployment template and click the Redeploy button on the top bar, the Azure portal opens the Custom deployment screen (Number 1). Here you click “Edit Parameters” (Number 2) and can change the number of CPU cores, memory, restart policy, etc. (Number 4). If you have not deleted the previous ACI and keep the same name for the new instance (Number 3), you will get a deployment failed error when you click the Create button after a review.

You must delete the old ACI or change the name of the new ACI.
All other options are incorrect.
For more information about creating and updating the ACI using the ARM templates, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-update#properties-that-require-container-delete
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-quickstart-template

15
Q

Question 20
Domain: Deploy and manage Azure compute resources
You create an ACI multi-container group.
Please select three correct statements about the ACI group.

A. ACI group is similar to the AKS node
B. Containers in the ACI group share the same resources
C. You can add new containers to the already running ACI group
D. You can select different VM size for each container in a group
E. ACI group can include the init containers
F. You can create multi-container ACI groups on Linux only

A

B. Containers in the ACI group share the same resources
C. You can add new containers to the already running ACI group
E. ACI group can include the init containers

You can create groups of ACI containers. These ACI groups are similar to AKS pods. The group is a collection of containers that runs or schedules on the same host machine. It shares the host’s resources, local network, and storage volumes. You can deploy the multi-container group only on Linux using ARM templates, YAML scripts, or Docker Compose.
Option B is correct because the containers in the ACI group share the same resources of the host machine. The containers share not only the same resources but also local network and storage volumes.
Option E is correct because the ACI group can include the init containers. This container type prepares the run of your application. They set up accounts, databases, or running scripts. Only after the init containers finish their jobs do the application containers start.
Option F is correct because currently, you can create multi-container ACI groups on Linux only.
Option A is incorrect because the ACI group is similar to the AKS pods but not to the AKS nodes.
Option C is incorrect because you need to delete the old ACI group and create a new one with additional containers. Usually, you can deploy a multi-container group using ARM templates or YAML scripts. Docker Compose can also be used.
Option D is incorrect because the ACI multi-container group shares the same host machine, and you cannot dedicate any VMs to a particular container.
For more information about Azure Container Instance groups, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-multi-container-group
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-init-container
16
Q

Question 21
Domain: Implement and manage storage

Whizlabs Inc. is an accounting company and has a cloud-only infrastructure. They use Azure storage to retain their business-critical data. The company would like to put their data in a WORM (Write Once, Read Many) state. Which two of the following features must you enable to support the WORM functionality?

A. Enable version-level immutability
B. Enable soft delete
C. Enable blob versioning
D. Enable point-in-time restore

A

A. Enable version-level immutability right
C. Enable blob versioning right

Immutable storage for Azure Blob Storage lets users securely store vital business data in a Write Once, Read Many (WORM) state. While data is in the WORM state, it cannot be modified or deleted for a duration specified by the user. By establishing immutability policies for blob data, you establish a safeguard against unintended overwrites and deletions.
In order to set up retention policies based on versions and time, it’s necessary to have blob versioning activated for the respective storage account. It’s important to note that enabling blob versioning could potentially have an impact on billing.
Option A is correct because version-level immutability provides the write-once, read-many functionality. This protects data from being altered.
Option B is incorrect because soft delete keeps the data for another 14 days, which protects resources from accidental deletion by retaining the data for the extended period.
Option C is correct because one of the prerequisites for enabling version-level immutability is to have blob versioning enabled for the storage account.
Option D is incorrect because point-in-time restore offers a safety net against inadvertent deletions or corruption by granting you the capability to revert block blob data to a previous state. This feature proves invaluable in situations where data has been unintentionally deleted by a user or application, or in cases where data corruption results from application errors.
Reference:
Configure immutability policies for blob versions - Azure Storage | Microsoft Learn

17
Q

Question 23
Domain: Manage Azure identities and governance
A company has an Azure AD tenant. They have users that are also synced with their on-premise environment. The domain contains the following users. (see image)

The administrator has enabled self-service password reset (SSPR) for all users.

The administrator has enabled the following SSPR settings.
Number of methods required to reset – 2
Methods available to users – Mobile phone and Security questions
Number of questions to register – 3
Number of questions to reset – 3

The following security questions are chosen.
In what city was your first job?
What was the name of the first school you attended?
What was your first job?

Would whizlabadmin1 be required to answer the security question “In what city was your first job?” to reset their password?
A. Yes
B. No

A

No

For administrators, the password reset policy is different, wherein they are not asked for security questions. The Microsoft documentation mentions the following.

Administrator reset policy differences
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can’t be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it prohibits security questions. Office and mobile voice calls are also prohibited for trial or free versions of Microsoft Entra ID.
A two-gate policy applies in the following circumstances:
All the following Azure administrator roles are affected:
Application administrator
Application proxy service administrator
Authentication administrator
Billing administrator
Compliance administrator
Device administrators
Directory synchronization accounts
Directory writers
Dynamics 365 administrator
Exchange administrator
Global administrator or company administrator
Helpdesk administrator
Intune administrator
Mailbox Administrator
Microsoft Entra Joined Device Local Administrator
Partner Tier1 Support
Partner Tier2 Support
Password administrator
Power BI service administrator
Privileged Authentication administrator
Privileged role administrator
Security administrator
Service support administrator
SharePoint administrator
Skype for Business administrator
User administrator

For more information on the password reset policy for administrators, please visit the following URL-
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

18
Q

Question 24
Domain: Manage Azure identities and governance
A company has an Azure AD tenant. They have users that are also synced with their on-premise environment. The domain contains the following users. (see image)

The administrator has enabled self-service password reset (SSPR) for all users.

The administrator has enabled the following SSPR settings.
Number of methods required to reset – 2
Methods available to users – Mobile phone and Security questions
Number of questions to register – 3
Number of questions to reset – 3

The following security questions are chosen.
In what city was your first job?
What was the name of the first school you attended?
What was your first job?

Would whizlabadmin2 be required to answer the security question “What was the name of the first school you attended?” to reset their password?
A. Yes
B. No

A

No

For administrators, the password reset policy is different, wherein they are not asked for security questions. The Microsoft documentation mentions the following.

Administrator reset policy differences
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can’t be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it prohibits security questions. Office and mobile voice calls are also prohibited for trial or free versions of Microsoft Entra ID.
A two-gate policy applies in the following circumstances:
All the following Azure administrator roles are affected:
Application administrator
Application proxy service administrator
Authentication administrator
Billing administrator
Compliance administrator
Device administrators
Directory synchronization accounts
Directory writers
Dynamics 365 administrator
Exchange administrator
Global administrator or company administrator
Helpdesk administrator
Intune administrator
Mailbox Administrator
Microsoft Entra Joined Device Local Administrator
Partner Tier1 Support
Partner Tier2 Support
Password administrator
Power BI service administrator
Privileged Authentication administrator
Privileged role administrator
Security administrator
Service support administrator
SharePoint administrator
Skype for Business administrator
User administrator

For more information on the password reset policy for administrators, please visit the following URL-
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

19
Q

Question 25
Domain: Manage Azure identities and governance
A company has an Azure AD tenant. They have users that are also synced with their on-premise environment. The domain contains the following users. (see image)

The administrator has enabled self-service password reset (SSPR) for all users.

The administrator has enabled the following SSPR settings.
Number of methods required to reset – 2
Methods available to users – Mobile phone and Security questions
Number of questions to register – 3
Number of questions to reset – 3

The following security questions are chosen.
In what city was your first job?
What was the name of the first school you attended?
What was your first job?

Would whizlabusr be required to answer the security question “In what city was your first job?” to reset their password?
A. Yes
B. No

A

Yes

Since self-service password reset (SSPR) has been enabled for all users, the user would need to answer the security question to reset their password.
Microsoft Entra Self-Service Password Reset (SSPR) provides users with the ability to change or reset their password, without administrator or help desk involvement. If a user’s account is locked or they forget their password, they can unblock themselves and follow the prompts to get back to work.
For more information on how password reset works, please visit the following URL-
Self-service password reset deep dive | Microsoft Learn

20
Q

Question 26
Domain: Deploy and manage Azure compute resources
Please select four true statements that apply to the use of Azure Disk Encryption (ADE) for Azure VM disk protection.

A. ADE supports the encryption of Basic tier VMs
B. ADE encrypted VM must be backed up to the Recovery Service Vault
C. ADE is integrated with Azure Key Vault
D. ADE uses BitLocker for Windows VM-controlled disks
E. ADE uses DM-Crypt for Linux-based VMs

A

B. ADE encrypted VM must be backed up to the Recovery Service Vault
C. ADE is integrated with Azure Key Vault
D. ADE uses BitLocker for Windows VM-controlled disks
E. ADE uses DM-Crypt for Linux-based VMs

Azure Backup supports the backup of Azure VMs that have their OS/data disks encrypted with Azure Disk Encryption (ADE).
Azure Disk Encryption for Windows virtual machines (VMs) uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disk.
Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.
Azure Disk Encryption uses the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).

References:
Back up and restore encrypted Azure VMs - Azure Backup | Microsoft Docs
Azure Disk Encryption scenarios on Windows VMs - Azure Virtual Machines | Microsoft Docs
Enable Azure Disk Encryption for Windows VMs - Azure Virtual Machines | Microsoft Docs
Enable Azure Disk Encryption for Linux VMs - Azure Virtual Machines | Microsoft Docs

21
Q

Question 27
Domain: Deploy and manage Azure compute resources
A company has the following resources defined as part of its Azure subscription. (see image)

Currently, the whizlabvm1 virtual machine resides in the whizlabnetwork1 virtual network.
You need to ensure that the virtual machine resides in the whizlabnetwork2 virtual network.
You decide to create a new network interface and then add the network interface to the whizlabvm1 virtual machine. Would this fulfill the requirement?
A. Yes
B. No

A

No

In order to add the virtual machine to the virtual network, the virtual machine needs to be in the same region as the virtual network, which is not the case over here.
The virtual machine is in the West US region and the whizlabnetwork2 virtual network is in the East Asia region. For more information on virtual networks and virtual machines, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

22
Q

Question 30
Domain: Implement and manage virtual networking
Your company has the following resources deployed to Azure. (See image1)

You install a DNS service on the virtual machine whizlabvm1.
The DNS server settings are then configured for each virtual network, as shown below. (see image2)

You have to ensure that all virtual machines can resolve DNS names by using the DNS service on the virtual machine whizlabvm1. Which of the following would you implement for this requirement?

A. Add service endpoints for the virtual network whizlabnetwork2 and whizlabnetwork3.
B. Add a service endpoint for the virtual network whizlabnetwork1.
C. Configure a conditional forwarder for the whizlabvm1 virtual machine.
D. Configure virtual network peering connections between all virtual networks.

A

D. Configure virtual network peering connections between all virtual networks.

Since the networks are isolated from each other, you still need to ensure that the machines can communicate across the virtual networks. And this can be accomplished with the help of the virtual network peering connections.
Options A and B are incorrect since service endpoints should be used when you want to connect virtual networks securely to other Azure-based services.
Option C is incorrect since this should be used when you want to forward DNS requests to the Azure DNS servers. For more information on virtual network peering connections, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

23
Q

Question 35
Domain: Deploy and manage Azure compute resources
Whizlabs Inc. has a cloud-only infrastructure. Below are the resources that are deployed in the Azure cloud in Australia Southeast: (see image)

The company is now moving its headquarters to Japan. One of the cost-saving methods is to migrate its resources to the closest Azure region in Japan. Which of the above resources can be moved to the Japan region?

A. Standard Virtual Machines
B. Virtual Machine Scale Set
C. Low Priority Virtual Machines
D. Virtual Network

A

D. Virtual Network

Option A is incorrect because, although the Prod VMs themselves can be moved, they also host a scale set, and a scale set with a standard load balancer cannot be migrated.
Option B is incorrect because virtual machine scale sets with a standard load balancer cannot be migrated. See the limitations.
Option C is incorrect because low priority VMs cannot be migrated across regions.
Option D is correct because virtual networks can be moved across as long as their peering is disabled.
References:
Move Azure VMs to new subscription or resource group - Azure Resource Manager
Move Azure Networking resources to new subscription or resource group
Announcing low-priority VMs on scale sets now in public preview

24
Q

Question 36
Domain: Implement and manage storage
Whizlabs Inc. is a US-based company with an office in New York. The company has only cloud-based infrastructure. It has multiple storage accounts in Azure and is planning on enabling blob versioning for containers.
Choose two of the most appropriate actions/outcomes related to blob versioning from the options below:

A. Blob versioning allows you to create distinct snapshots of the entire storage account at specific points in time
B. Blob versioning can be selectively applied to individual blobs within a container, allowing fine-grained control over version retention
C. Blob versioning provides protection against accidental or malicious modifications, but it doesn’t affect the performance or availability of the storage account
D. Blobs with different versions can have different access controls and lifecycles applied to them

A

B. Blob versioning can be selectively applied to individual blobs within a container, allowing fine-grained control over version retention
D. Blobs with different versions can have different access controls and lifecycles applied to them

Explanation:
Correct Answers: B and D
The given statement is correct. Blob versioning in Azure Blob Storage can be selectively applied to individual blobs within a container, allowing fine-grained control over version retention. This means that you can enable versioning for specific blobs in a container while leaving others unaffected. Each blob with versioning enabled will maintain its own version history, and you can control how many versions to retain, making it a flexible and granular feature for managing data retention and history for your objects within a container.
Option A is incorrect because Blob versioning does not allow creating distinct snapshots of the entire storage account at specific points in time. Blob versioning is a feature in Azure Blob Storage that allows you to maintain multiple versions of a blob (object) within a container, but it does not apply to the entire storage account.
Option B is correct because the given statement is correct. This means that you can enable versioning for specific blobs in a container while leaving others unaffected. Each blob with versioning enabled will maintain its own version history, and you can control how many versions to retain, making it a flexible and granular feature for managing data retention and history for your objects within a container.
Option C is incorrect because enabling blob versioning has minimal impact on storage account performance and availability, as it doesn’t duplicate blobs but internally tracks versions. While it maintains high availability and performance, it increases storage consumption and may raise costs due to retained versions. Consider egress costs for frequent access to older versions. Thus, it is not the most appropriate option.
Option D is correct because the statement is correct. In Azure Blob Storage with blob versioning enabled, blobs with different versions can indeed have different access controls and lifecycles applied to them.
Reference:
Blob versioning - Azure Storage | Microsoft Learn

25
Q

Question 37
Domain: Deploy and manage Azure compute resources
You want to protect your web app using Microsoft Entra ID (formerly known as Azure Active Directory) authentication and limit access to the app only to the users in your organization.
Please select three steps that you need to take.

A. Configure Conditional Access
B. Register an app in Microsoft Entra ID (formerly known as Azure Active Directory)
C. Set App Service authentication settings
D. Create Microsoft Entra ID (formerly known as Azure Active Directory) Service principal
E. Select an Identity Provider

A

B. Register an app in Microsoft Entra ID (formerly known as Azure Active Directory)
C. Set App Service authentication settings
E. Select an Identity Provider

After you create your web app, you can use two options on the App service blade under the Settings section: Authentication or Authentication (classic). If you decide to use the Authentication (classic), the Azure portal will ask you to convert to the current Identity Provider Authentication that Authentication provides.
When you open the Authentication, you need to choose an Identity provider for your web app authentication. There are several options to select from: Microsoft (including Microsoft Entra Identities), Facebook, Google, and Twitter. For the Microsoft Entra ID (formerly known as Azure Active Directory) identities, choose Microsoft (Number 1). (see image1)

After you select Microsoft as the identity provider (Number 1), the new screen asks you to register your app within the Microsoft Entra ID (formerly known as Azure Active Directory) (Number 2) and define the App Service authentication settings to require authentication (Number 3). (see image2)

After pushing the Add button, only users of your organization can access your web app. You can verify that if you open the app as a Microsoft Entra ID (formerly known as Azure Active Directory) registered app (Number 1). (see image3)
All other options are incorrect.
Note: Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID
For more information about App Service security, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/app-service/overview-security
https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service

26
Q

Question 38
Domain: Deploy and manage Azure compute resources
You need to create a scheduled backup for your App service app using Azure CLI.
Please select three commands you need to run to achieve your goal.

A. az storage container create
B. az webapp config backup update
C. az appservice plan create
D. az storage container add
E. az webapp config backup create
F. az storage account create

A

A. az storage container create
B. az webapp config backup update
F. az storage account create

Explanation:
Correct Answers: A, B and F
You can create a manual or scheduled backup for your web application and use the backup to restore your app. There are three main steps to create a web app backup:
Create a storage account
Create a storage container
Create a web app backup
To create a storage account using Azure CLI, you need to run the az storage account create command and provide the account name, resource group, location, and the account type and redundancy in the form of a SKU:
az storage account create --name yourstoragename --resource-group yourrgname --location yourlocation --sku Standard_LRS
Next, you need to create a storage container using the az storage container create command:
az storage container create --account-name yourstoragename --name yourcontainername
After creating a container, you need to construct the URL for the container using the SAS token, like this:
sasurl="https://yourstoragename.blob.core.windows.net/yourcontainername?$sastoken"
You can generate the SAS token by using the az storage container generate-sas command.
And finally, you can run the az webapp config backup update command, like this for a backup every 3 days and 21 days of retention:
az webapp config backup update --resource-group yourrgname --webapp-name yourwebappname --container-url "$sasurl" --frequency 3d --retention 21
You can back up not only your web app but also the database that it uses. However, the total size of your web app backup, including the database, should not exceed 10 GB. The backups are stored as .zip files in a storage container. The database backup is stored in the root of the zip file.
All other options are incorrect.
For more information about App Service app backups, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/app-service/manage-backup
https://docs.microsoft.com/en-us/azure/app-service/scripts/cli-backup-scheduled?toc=/cli/azure/toc.json

27
Q

Question 43
Domain: Implement and manage virtual networking
You have to create an Azure Command Line Interface script that would carry out the following tasks
Create a new Azure virtual network with an address space of 10.2.0.0/16
The virtual network needs to have a subnet with an address space of 10.2.0.0/24
Create a new private DNS zone named whizlab.local
Create a virtual network link for the virtual network with the DNS Zone
You have to complete the below CLI script for these requirements (see image)

Which of the following should go into Slot 1?
A. az network private-dns zone
B. az network vnet
C. az dns-zone link
D. az network private-dns link vnet
E. az group create

A

B. az network vnet

Explanation:
Answer – B
First, we need to create a virtual network. (see image)

All other options are incorrect. For more information on working with Private DNS, please visit the following URL https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-cli
28
Q

Question 44
Domain: Implement and manage virtual networking
You have to create an Azure Command Line Interface script that would carry out the following tasks
Create a new Azure virtual network with an address space of 10.2.0.0/16
The virtual network needs to have a subnet with an address space of 10.2.0.0/24
Create a new private DNS zone named whizlab.local
Create a virtual network link for the virtual network with the DNS Zone
You have to complete the below CLI script for these requirements (see image)

Which of the following should go into Slot 2?

A. az network private-dns zone
B. az network vnet create
C. az dns-zone link
D. az network private-dns link vnet
E. az network dns record-set

A

A. az network private-dns zone

Explanation:
Answer – A
Next, we have to go ahead and create the private DNS zone.

For more information on working with Private DNS, please visit the following URL
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-cli

29
Q

Question 45
Domain: Implement and manage virtual networking
You have to create an Azure Command-Line Interface script that would carry out the following tasks.
Create a new Azure virtual network with an address space of 10.2.0.0/16.
The virtual network needs to have a subnet with an address space of 10.2.0.0/24.
Create a new private DNS zone named whizlab.local
Create a virtual network link for the virtual network with the DNS Zone.

You have to complete the below CLI script for these requirements.
Which of the following should go into Slot 3?

A. az network private-dns zone
B. az network vnet create
C. az dns-zone link
D. az network private-dns link
E. az network dns record-set

A

D. az network private-dns link

Explanation:
Correct Answer – D
Slot 3 will be az network private-dns link
We have to create a virtual network link for the zone. See the example given below.
The example below creates a virtual network named myAzureVNet. Then it creates a DNS zone named private.whizlabs.com in the MyAzureResourceGroup resource group, links the DNS zone to the MyAzureVnet virtual network, and enables automatic registration.
az network vnet create \
  --name myAzureVNet \
  --resource-group MyAzureResourceGroup \
  --location eastus \
  --address-prefix 10.2.0.0/16 \
  --subnet-name backendSubnet \
  --subnet-prefixes 10.2.0.0/24
az network private-dns zone create -g MyAzureResourceGroup \
  -n private.whizlabs.com
az network private-dns link vnet create -g MyAzureResourceGroup -n MyDNSLink \
  -z private.whizlabs.com -v myAzureVNet -e true
All other options are incorrect.
For more information on working with Private DNS, please visit the following URL-
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-cli
https://docs.microsoft.com/en-us/cli/azure/network/private-dns/link/vnet?view=azure-cli-latest

30
Q

Question 47
Domain: Implement and manage virtual networking
Your company has an Azure subscription that has the following providers registered.
Authorization
Automation
Resources
Compute
Network
Storage
Billing
Web
You have a virtual machine named whizlabvm that has the following configuration.
Private IP address – 10.1.0.4
Network Security Group – whizlabnsg
Public IP Address – None
Subnet – 10.1.0.0/24
Location – East US
The Network Watcher was created and enabled automatically with the creation of the virtual network.
You have to record all of the successful and failed connection attempts to the virtual machine.
Which of the following actions would you implement for this requirement? Choose 3 answers from the options given below.

A. Ensure to register the Microsoft.Insights resource provider.
B. Ensure to add the Network Watcher connection monitor.
C. Enable the Azure Network Watcher service in the West US region.
D. Create a storage account.
E. Enable the Azure Network Watcher flow logs.

A

A. Ensure to register the Microsoft.Insights resource provider.
D. Create a storage account.
E. Enable the Azure Network Watcher flow logs.

Explanation:
Answer – A, D, and E
To record the successful and failed connection requests, we should use Azure Network Watcher flow logs. The Network Watcher is already enabled in the region, and we can utilize the Network Watcher NSG’s flow log functionality. For that, we need to register the microsoft.insights resource provider and create a storage account for storing the flow logs.
The Microsoft documentation mentions the following. (see image)

Since this approach is given in the documentation, all other options are incorrect.
For more information on Azure Network Watcher flow logs, please visit the following URL-
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

31
Q

Question 48
Domain: Implement and manage storage
Whizlabs Inc. is an international IT company. The company has multiple storage accounts in Microsoft Azure. The company would like to utilize soft delete, Azure File share backup, disaster recovery, and snapshot functionalities available in Azure Files. Match the appropriate actions to their corresponding features of Azure Files.

For the identified action:
1. Restore a previous version of a file
2. Automatically retain deleted files
3. Unplanned service outages
4. Configure alerts for backup and restore failures

Match the correct answers:
A. Azure file share backup
B. Disaster Recovery
C. Soft Delete
D. Snapshot

A

Correct Answer: 1-D, 2-C, 3-B and 4-A

Snapshot – Restore a previous version of a file.
Soft Delete – Automatically retain deleted files.
Disaster recovery – Unplanned service outages.
Azure file share backup – Configure alerts for backup and restore failures.
Azure Files offers soft delete for file shares so that you can more easily recover your data when it’s mistakenly deleted by an application or other storage account user. A share snapshot is a point-in-time, read-only copy of your data. Share snapshot capability is provided at the file share level. Individual file retrieval is supported to facilitate the restoration of specific files. You have the flexibility to restore an entire file share through various methods, including SMB, the REST API, the Azure portal, the client library, or PowerShell/CLI.
Azure File Share Backup is a local, cloud-based backup solution that protects your data in the cloud and eliminates the additional management overheads associated with on-premises backup solutions. Microsoft strives to ensure that Azure services are always available. However, unplanned service outages can happen, and you need to have a disaster recovery (DR) plan in place to handle a regional service outage.
Restore a previous version of a file. - This can only be done by snapshot. You can restore an earlier version of a file or restore the complete file share by copying file by file from the share snapshot.
Automatically retain deleted files - Azure Files offers soft delete for file shares so that you can automatically retain data and recover them more easily when it’s mistakenly deleted by an application or other storage account user.
Unplanned service outages - However, unplanned service outages can happen, and you need to have a disaster recovery (DR) plan in place to handle a regional service outage. An important part of disaster recovery planning is preparing to fail over to a secondary endpoint in the event that the primary endpoint becomes unavailable.
Configure alerts for backup and restore failures (Alerting and reporting): You can configure alerts for backup and restore failures and use the reporting solution provided by Azure Backup to get insights on backups across your file shares.
References:
Enable soft delete - Azure file shares | Microsoft Learn
Overview of share snapshots for Azure Files | Microsoft Learn
Disaster recovery and failover for Azure Files | Microsoft Learn
About Azure file share backup - Azure Backup | Microsoft Learn

32
Q

Question 49
Domain: Deploy and manage Azure compute resources
Scenario: Your manager wants to handle background processing jobs and event-driven processing use cases that host microservices and containerized applications on a serverless platform.
Which of the following services can you suggest to your manager?

A. Azure Container Apps
B. Azure Container Registry
C. Azure Container Instances
D. All of the above

A

A. Azure Container Apps

Explanation:
Correct Answer – A
Azure Container Apps is a fully managed environment that enables you to run microservices and containerized applications on a serverless platform. Common uses of Azure Container Apps are as follows:
Deploying API endpoints
Hosting background processing jobs
Handling event-driven processing
Running microservices
Since this is clearly given in the Microsoft documentation, all other options are incorrect.
Option B is incorrect: Azure Container Registry lets you build, store, and manage container images and artifacts in a private registry for all types of container deployments.
Option C is incorrect: Azure Container Instances is a solution for any instance that can operate in isolated containers, without orchestration. Run event-driven applications, quickly deploy from your container development pipelines, and run data processing and build jobs.
Reference: Azure Container Apps overview | Microsoft Learn

33
Q

Question 50
Domain: Implement and manage virtual networking
Whizlabs Inc. has a domain forest named whizlabs.com. The domain has multiple resources in Azure. Company is utilizing private endpoints to utilize various Microsoft services. A new private endpoint named myPrivateEndpointConnection in the resource group named myResourceGroup was created, however, the connection failed to establish. Which of the following CLI commands needs to be run to establish the connection?
A. az network private-endpoint-connection show --name myPrivateEndpointConnection --resource-group myResourceGroup
B. az network private-endpoint-connection approve --name myPrivateEndpointConnection --resource-group myResourceGroup
C. az network private-endpoint-connection reject --name myPrivateEndpointConnection --resource-group myResourceGroup
D. az network private-endpoint-connection delete --name myPrivateEndpointConnection --resource-group myResourceGroup

A

B. az network private-endpoint-connection approve --name myPrivateEndpointConnection --resource-group myResourceGroup

The connection from the private endpoint needs to be approved, either automatically or manually; until it is approved, the connection cannot be established.
Option A is incorrect because the command only shows the private endpoint connections.
Option B is correct because the command approves the private endpoint connection.
Option C is incorrect because the command rejects the private endpoint connection, which will cause the connection to fail.
Option D is incorrect because the command will delete the connection.
Reference:
Manage Azure Private Endpoints - Azure Private Link | Microsoft Learn

34
Q

Question 51
Domain: Monitor and maintain Azure resources
Whizlabs Inc. is a multinational company. Mr. A is hired as a cloud administrator. They have a cloud-only infrastructure. Company has 10 virtual machines hosting business critical data. One of these servers keeps shutting down every now and then.
Company would like to monitor the server for availability. Mr. A is creating a monitoring rule, the steps are listed below, arrange them in correct order:

A. Set the alert rule conditions
B. In the azure portal, select Monitor > Alerts > Create Alert Rule
C. Set the alert rule scope
D. Create tags for the alert rule
F. Set the alert rule actions
E. Set the alert rule details
G. Finish creating the Rule

A

Correct Answer: B, C, A, F, E, D and G

B. In the azure portal, select Monitor > Alerts > Create Alert Rule
C. Set the alert rule scope
A. Set the alert rule conditions
F. Set the alert rule actions
E. Set the alert rule details
D. Create tags for the alert rule
G. Finish creating the Rule
When a new alert rule is created, we first define the scope of the alerts, then set the conditions for alerting, the actions, and the details of the rule, and set the tags; the alert rule is then ready to be created.
Reference:
Create Azure Monitor alert rules - Azure Monitor | Microsoft Learn

35
Q

Question 52
Domain: Deploy and manage Azure compute resources
View Case Study (see image)

As a part of the technical requirements, the database servers of the headquarters will be migrated as a Virtual Machine. The Virtual Machine disk size is 40 TB and the required throughput is 800 MB/s. Which of the following managed disk types should be chosen for migrating the database server in a cost-effective manner?

A. Ultra disk
B. Standard SSD
C. Premium SSD
D. Premium SSD v2

A

D. Premium SSD v2

Explanation:
Correct Answer: D

Premium SSD v2 offers higher performance than Premium SSDs while also generally being less costly. You can individually tweak the performance (capacity, throughput, and IOPS) of Premium SSD v2 disks at any time, allowing workloads to be cost efficient while meeting shifting performance needs.
Maximum throughput 1,200 MB/s
Maximum disk size 65,536 GiB
(see image)

Option A is incorrect because an Ultra disk is the least cost-effective option and exceeds the required performance.
Option B is incorrect because Standard SSD’s maximum throughput is 750 MB/s, so it is not ideal for the given scenario.
Option C is incorrect because, while the throughput is ideal at 900 MB/s, the disk size limit is 32,767 GiB, while the requirement is for 40 TB.
Option D is correct because Premium SSD v2 supports up to 65,536 GiB of disk and its throughput is higher than 800 MB/s.
Reference:
Select a disk type for Azure IaaS VMs - managed disks - Azure Virtual Machines

36
Q

Question 53
Domain: Implement and manage storage

You have to implement the security objective for the below case study requirement.
Overview
Whizlabs is an online training company. They currently have on-premise workloads which they want to migrate to Azure. They have offices in Mumbai and Hyderabad. They also use Microsoft Exchange Online for email.
On-premise environment
* They have a VMWare vSphere infrastructure that is used to host virtual machines
* The virtual machines themselves run Windows Server 2016
* The virtual machines are members of an Active Directory forest named whizlab.com
* The Mumbai office has an IP address space of 10.0.0.0/16 and the Hyderabad office has an IP address space of 10.10.0.0/16
* The offices connect by using a VPN.
* Each office also has one Azure ExpressRoute circuit that gives access to Azure services and Microsoft Online services.
* Routing is implemented by using Microsoft Peering
Azure Environment
The Azure environment has the following infrastructure (see image)

  • The whizlabgateway1 has two backend pools named whizlabpool1 and whizlabpool2.
  • The whizlabgateway2 has two backend pools named whizlabpool3 and whizlabpool4.
  • The company plans to migrate the virtual machines from the Mumbai office to the East US region by using Azure Site Recovery
Requirements
  • A new web application named whizlabapp1 needs to be deployed. This web application will process all course purchases. Inbound and Outbound communications to this application must be controlled via Network Security Groups.
  • A storage account named whizlabappstore would be created. This storage account only needs to be accessed from the virtual network hosting the virtual machines.
  • A Kubernetes cluster would also need to be deployed which would be used to deploy new container-based applications. The Kubernetes cluster would need to have monitoring enabled.
  • The Azure application gateways must load balance traffic in the following manner
    o Traffic to http://whizlabs.com/video/* needs to be load balanced across the whizlabpool1 pool
    o Traffic to http://whizlabs.com/images/* needs to be load balanced across the whizlabpool2 pool
    o Traffic to http://course-whizlab.com needs to be load balanced across the whizlabpool3 pool
    o Traffic to http://quiz-whizlab.com needs to be load balanced across the whizlabpool4 pool

A storage account named whizlabappstore would be created. This storage account only needs to be accessed from the virtual network hosting the virtual machines.
You decide to enable virtual network peering. Would this fulfill the requirement?
A. Yes
B. No

A

No

Explanation:
Answer - B
For this requirement, you have to create a service endpoint and configure network access to the storage account. For more information on service endpoints, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

37
Q

Question 54
Domain: Implement and manage storage
You have to implement the security objective for the below case study requirement.

Overview
Whizlabs is an online training company. They currently have on-premise workloads which they want to migrate to Azure. They have offices in Mumbai and Hyderabad. They also use Microsoft Exchange Online for email.
On-premise environment
* They have a VMWare vSphere infrastructure that is used to host virtual machines
* The virtual machines themselves run Windows Server 2016
* The virtual machines are members of an Active Directory forest named whizlab.com
* The Mumbai office has an IP address space of 10.0.0.0/16 and the Hyderabad office has an IP address space of 10.10.0.0/16
* The offices connect by using a VPN.
* Each office also has one Azure ExpressRoute circuit that gives access to Azure services and Microsoft Online services.
* Routing is implemented by using Microsoft Peering
Azure Environment
The Azure environment has the following infrastructure (see image)

  • The whizlabgateway1 has two backend pools named whizlabpool1 and whizlabpool2.
  • The whizlabgateway2 has two backend pools named whizlabpool3 and whizlabpool4.
  • The company plans to migrate the virtual machines from the Mumbai office to the East US region by using Azure Site Recovery
Requirements
  • A new web application named whizlabapp1 needs to be deployed. This web application will process all course purchases. Inbound and Outbound communications to this application must be controlled via Network Security Groups.
  • A storage account named whizlabappstore would be created. This storage account only needs to be accessed from the virtual network hosting the virtual machines.
  • A Kubernetes cluster would also need to be deployed which would be used to deploy new container-based applications. The Kubernetes cluster would need to have monitoring enabled.
  • The Azure application gateways must load balance traffic in the following manner
    o Traffic to http://whizlabs.com/video/* needs to be load balanced across the whizlabpool1 pool
    o Traffic to http://whizlabs.com/images/* needs to be load balanced across the whizlabpool2 pool
    o Traffic to http://course-whizlab.com needs to be load balanced across the whizlabpool3 pool
    o Traffic to http://quiz-whizlab.com needs to be load balanced across the whizlabpool4 pool

A storage account named whizlabappstore would be created. This storage account only needs to be accessed from the virtual network hosting the virtual machines.
You decide to enable service endpoints. Would this fulfill the requirement?

A. Yes
B. No

A

Yes

Explanation:
Answer – A
Yes, this would fulfill the requirement.
First, you should add a service endpoint for the virtual network. (see image)

Then limit access to the storage account to traffic from the virtual network. For more information on service endpoints, please visit the following URL-
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

38
Q

Question 55
Domain: Implement and manage virtual networking
Which of the following are the key benefits of the Virtual Network service endpoints? [Select THREE]

A. Improved security for Azure service resources
B. Optimal routing for Azure service traffic from virtual network
C. Establish network segmentation boundaries
D. Simple to set up with less management overhead

A

A. Improved security for Azure service resources
B. Optimal routing for Azure service traffic from virtual network
D. Simple to set up with less management overhead

Explanation:
Correct Answers: A, B and D
In Azure, virtual networks establish clear network boundaries. They enable the isolation of resources into defined compartments, each with specific IP ranges and subnets. This segregation supports tailored security measures, controlled traffic via Network Security Groups, and links to on-premises networks. This fundamental feature allows for the creation of secure, organized, and scalable cloud solutions while ensuring effective communication control and data protection. Service endpoints do not define network boundaries. (see image)

Option A is correct because it improves the security as it is not exposed to the internet and connects only point to point and serves specific purposes.
Option B is correct because if your virtual network routes guide internet traffic to on-premises or virtual appliances, the same route is imposed on Azure service traffic. Service endpoints optimize the routing of Azure traffic.
Option C is incorrect because virtual networks create network segmentation; service endpoints let you secure critical Azure service resources to only your virtual networks.
Option D is correct because service endpoints don’t need public IPs for securing Azure resources via IP firewall in your virtual networks. No NAT or gateway devices are needed for service endpoint setup.
Reference:
Azure virtual network service endpoints | Microsoft Learn

39
Q

Domain: Deploy and manage Azure compute resources
You create an App Service plan B1 for your web app. You want Azure to be able to add up to 10 VM instances to run your app automatically during the
highest traffic on your site.
What are two configuration options you should implement to achieve your goal in the most cost-effective way?

A. Scale up based on a schedule
B. Scale out the service plan to S1
C. Scale out based on a metric
D. Scale up the service plan to P1
E. Scale out based on a schedule
F. Scale up the service plan to S1
G. Scale up based on a metric
H. Scale out the service plan to P1

A

C. Scale out based on a metric
F. Scale up the service plan to S1

Suppose you want Azure to add resources for your web app automatically. First, you need to evaluate your App Service plan and then configure the
conditions for the app scaling. The automatic process of adding the VM resources is called autoscaling.
The App Service plan provides the VM configuration (CPU, memory, disk space), custom domains, certificates, autoscaling, etc. You can change the plan
tier if you need more memory or CPU or a number of additional VM instances to run your app. Changing the App Service plan and scaling the resources
mentioned above is called Scale up.
When you need to add more VM instances to run your app based on the metric or schedule, this scaling is called Scale out.
The shared compute tier (Free and Basic tiers) of the App Service plan does not provide the autoscaling functionality. You can scale your app resources
manually up to 3 VM instances, if they are available, only in the Basic (B1, B2, and B3) tier. The Free tier does not have this ability. Starting from the
Standard tier (S1, S2, S3) and up, the App Service plans provide the autoscaling functionality with up to 30 VM instances in the Premium (P1, P2, P3) tier.
Scaling up to the S1 tier provides the autoscale functionality with up to 10 VM instances.

For more information about scaling settings in App Service Plan, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
https://docs.microsoft.com/en-us/learn/modules/app-service-scale-up-scale-out/2-scale-a-web-app-manually

40
Q

Domain: Manage Azure identities and governance
A company has set up an Azure subscription. They have provisioned a storage account and are currently using the BLOB service. They want to assign
permissions to 3 user groups.
You need to assign the relevant Role-Based Access Control role, following the principle of least privilege.
Which of the following would you assign to GroupC?

GroupA – This group should have the ability to manage the storage account.
GroupB – This group should be able to manage containers within a storage account.
GroupC – This group should be given full access to Azure Storage blob containers and data, including assigning POSIX access control.

A. Owner
B. Contributor
C. Storage Account Contributor
D. Storage Blob Data Contributor
E. Storage Blob Data Owner

A

E. Storage Blob Data Owner

This can be accomplished with the Storage Blob Data Owner role. The Microsoft documentation mentions the following. (see image)

Options A and B are incorrect since these would provide more permissions than required.
Options C and D are incorrect since these roles don’t have the required permissions.
For more information on built-in roles, please visit the below URL-

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

41
Q

Domain: Deploy and manage Azure compute resources
Your company is using Azure Container Apps to manage automatic horizontal scaling through a set of declarative scaling rules. Your manager asked
you to scale a container app. What are the prerequisites for this? [Select all that apply]

A. GitHub Account
B. Azure account
C. Azure CLI
D. All of the above

A

D. All of the above

Explanation:
Correct Answer: D
Azure container apps perform automatic horizontal scaling through a set of declarative scaling rules. As the container app scales out, new instances of
the container app are created on demand. These instances are called replicas.
Prerequisites:
1. GitHub Account
2. Azure account
3. Azure CLI
Hence, all the options are correct.
This is clearly provided in the Microsoft documentation.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Source: Tutorial: Scale an Azure Container Apps application | Microsoft Learn

42
Q

Domain: Deploy and manage Azure compute resources
A company is planning to deploy an application to a set of Virtual Machines in an Azure network. The company needs to have an SLA of 99.99% for the
application hosted on the Virtual machines. Which of the following should be implemented to guarantee an SLA of 99.99% on the infrastructure level?

A. Make the virtual machines part of an availability set.
B. Deploy the virtual machines across availability zones.
C. Assign a standard public IP address to the virtual machines.
D. Deploy single virtual machines across multiple regions.

A

B. Deploy the virtual machines across availability zones.

You can achieve a 99.99% SLA at your virtual machines’ infrastructure level by deploying them across availability zones.
The Microsoft documentation mentions the following.
Option A is incorrect since availability sets can only guarantee an SLA of 99.95%.
Option C is incorrect since this will not help ensure 99.99% availability for the architecture.
Option D is incorrect since this is normally used for disaster recovery purposes.
For more information on availability zones, please visit the below URL-

https://docs.microsoft.com/en-us/azure/availability-zones/az-overview

43
Q

Domain: Deploy and manage Azure compute resources
A company has the following set of Virtual Machines defined in the Azure account.

Name || Region
whizlabs-vm1 || East US
whizlabs-vm2 || Central US

The company wants to move whizlabs-vm1 to another subscription. Which of the following can be implemented to fulfill this requirement?

A. Move the Virtual Machine to the Central US region first.
B. You cannot move the Virtual Machine across subscriptions. You would need to delete and recreate the VM in the new subscription.
C. Use the Move-AzResource powershell command to move the Virtual Machine.
D. Use the Move-VMResource powershell command to move the Virtual Machine.

A

C. Use the Move-AzResource powershell command to move the Virtual Machine.

Explanation:
Correct Answer – C
You can move Azure resources across subscriptions using the Move-AzResource PowerShell command. There are just some restrictions when moving
Virtual Machines.
Below is the command provided in the Microsoft documentation.
Option A is incorrect since you don’t need to move the Virtual machine to any specific region before moving it to the destination.
Option B is incorrect since you can move resources across subscriptions.
Option D is incorrect since the right command is Move-AzResource.
Reference: Move resources to a new subscription or resource group - Azure Resource Manager | Microsoft

44
Q

Domain: Monitor and maintain Azure resources
A multinational software development company has its head office in Virginia, US, and branch office in Houston, US. The company has 100 Virtual
machines running on-premises. The company has configured Azure Site Recovery in Azure Cloud for their business continuity plan. The network connectivity is lost due to the cyclone at the head office region. Put the following in the correct sequence to fail over the systems to the Azure cloud.

A. Select the VM and Click on Failover
B. Commit
C. Go to Recovery Services Vault > Replicated Items
D. Choose the Recovery Point and Shutdown the source server

A

C. Go to Recovery Services Vault > Replicated Items
A. Select the VM and Click on Failover
D. Choose the Recovery Point and Shutdown the source server
B. Commit
To fail over the servers to Azure, we first need to browse to the Recovery Services Vault and choose Replicated Items, select the VM which you would
like to fail over, and click on the Failover option.
You will be provided with the option of choosing the Recovery Point that you would like to restore the server from.
At this point you are ready to shut down the source server. Once you are ready and have tested the failover, please click on Commit.
Reference:

https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-failover-failback

45
Q

You have an Azure storage account in place. You are planning to enable Microsoft Entra ID Authentication for the storage account. You want to give
a set of users specific permissions to access file shares using Microsoft Entra ID authentication. Below are the requirements for the users.
wluserA – Here, the user should be given access to read file shares over SMB
wluserB – Here, the user should be given access to read, write, delete, and modify NTFS permissions in Azure Storage file shares over SMB.
You need to provide the right permissions, which ensure that the least privileged access is given.
Which of the following RBAC roles should be assigned to wluserB?

A. Storage File Data SMB Share Reader
B. Storage File Data SMB Share Writer
C. Storage File Data SMB Share Contributor
D. Storage File Data SMB Share Elevated Contributor

A

D. Storage File Data SMB Share Elevated Contributor

We can provide the Storage File Data SMB Share Elevated Contributor Role Based Access Control (RBAC) role for this level of access.
Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol
through the following methods:

On-premises Active Directory Domain Services (AD DS)
Microsoft Entra Domain Services
Microsoft Entra Kerberos for hybrid user identities

Reference: Use Microsoft Entra Domain Services to authorize user access to Azure Files over SMB | Microsoft Learn

46
Q

Domain: Implement and manage storage
Your company has an Azure storage account named storewl8080, which has the following properties.
Location: West US
Performance: Standard
Access Tier: Cool
Account type: General-purpose v2
Replication: Read-access geo-redundant storage
Advanced Threat protection: Enabled
The company wants to change the replication type of storage account from Read-access geo-redundant storage to Zone redundant storage by
requesting Azure support for live migration. Which of the following must be carried out first to fulfill this requirement?

A. Ensure to change the performance of the storage account.
B. Ensure to change the Access tier of the storage account.
C. Ensure to change the Account kind of the storage account.
D. Ensure to change the Replication technique of the storage account.

A

Explanation:
Answer – D
The Microsoft documentation clearly states that the replication type of the storage account can be changed to Zone redundant storage only if the
current replication technique is either LRS or GRS.

Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS then you need to first change your account’s replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only endpoint provided by RA-GRS before migration.

Hence, D is the correct answer and all other answers are wrong.
For more information on migrating the replication technique, please visit the following URL-
https://docs.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal

47
Q

Domain: Manage Azure identities and governance
You are the Azure administrator for a company. You have to create a custom role based on the Virtual Machine Contributor role. You have to complete the following PowerShell script. Which of the following would come in SLOT 2?

A. Get-AzRoleDefinition
B. New-AzRoleDefinition
C. Set-AzRoleDefinition
D. Create-AzRoleDefinition

A

B. New-AzRoleDefinition

Explanation:
Answer – B
After we created a new role definition for “Virtual Machine Reader” based on “Virtual Machine Contributor”, we can commit a new role definition.
All other options are incorrect.
For more information on creating a custom role, please visit the below URL-

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell

48
Q

Domain: Monitor and maintain Azure resources

Overview
Whizlabs is an online training company. They have an on-premise data center and an Azure subscription. The subscription is linked to a tenant named whizlabs.com.
Requirements
They want to deploy the following resources to Azure
* A new Azure virtual network with an address space of 10.0.0.0/16. The virtual network is located in the West US region.
* Two Azure Windows virtual machines to host the web tier of an application named whizlabapp.
* Two Azure Windows virtual machines to host the database tier of an application named whizlabapp.
* Use an Azure Bastion Host for RDP connectivity to the virtual machines.
* They want to deploy the Azure Firewall service for inspecting the traffic that flows out of the web tier.
* They also want to ensure daily backups are taken for the Azure virtual machines. The daily retention period for the web servers would be one week and for the database servers, 15 days.
The Azure virtual network contains the following subnets
Name || Address space
Webtier || 10.0.0.0/24
Databasetier || 10.0.1.0/24
Below are the security requirements
* A user of a particular Azure AD group should be able to join their devices to the Azure AD tenant.
* Users who join their devices should use an additional authentication method during the process of joining devices.
* The database servers should only allow traffic from the web servers.
* The security events log for all virtual machines need to be sent to a Log Analytics workspace. The overview of the Log Analytics workspace created for this purpose is shown in the image.

Can you send the security events of the virtual machines to the Log Analytics workspace?

Yes
No

A

Yes

Answer – A
Yes, you can. Even though the virtual machines and the Log Analytics workspace are in separate locations, you can still connect the virtual machines to
the workspace.
For more information on collecting data into a Log Analytics workspace, please visit the following URL-

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm

49
Q

Domain: Implement and manage virtual networking
A company has an application deployed across a set of virtual machines. Users connect to the application either using point-to-site VPN or site-to-site
VPN connections. You need to ensure that connections to the application are spread across all of the virtual machines. Which of the following could you
set up for this requirement? Choose 2 answers from the options given below.

A. A Public Load Balancer
B. An Internal Load Balancer
C. A Traffic Manager Profile
D. An Azure Content Delivery Network
E. An Azure Application Gateway

A

B. An Internal Load Balancer
E. An Azure Application Gateway

Since we need to distribute traffic across the virtual machines, we can use either the Load Balancer or Application Gateway service.
The Microsoft documentation mentions the following on these services. (see image)

All of the other options are incorrect since the users access the Azure virtual machines via the private IP addresses. This is because the users are
connecting via VPNs. So we need to use internal load balancing solutions.
For more information on the load balancer and the application gateway, please visit the below URL-

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://docs.microsoft.com/en-us/azure/application-gateway/overview

50
Q

Domain: Deploy and manage Azure compute resources
You create an AKS cbkubecluster cluster. Here is a snapshot from the Networking section of the Kubernetes service overview. (see image)

You need to select the type of network model to use for the AKS cluster. Please select the correct network model from the options below to fulfill the
question requirement

A. VPN Gateway
B. Kubenet
C. Express Route
D. Azure CNI
E. VNet Peering

A

B. Kubenet

When you create an AKS cluster, you have two choices of the network models for Azure virtual networking: Kubenet and Azure Container Networking
Interface (CNI). The main difference between the two models is in providing IP addresses to the pods. The Kubenet (Number 3) is the basic networking
model that receives the IP addresses for the nodes from the Azure Vnet subnet, but the pods are served with logically different IP address space: Pod
CIDR (Number 4). The pods cannot communicate directly with each other. They have to use Network Address Translation (NAT) to reach any resources
on the VNet. In the Azure CNI (Number 1), the pods directly receive IP addresses from the subnet pool. Therefore, there is no value for the Pod CIDR
(Number 2). For CNI, you need to plan your address space beforehand to avoid running out of the subnet addresses if you have many pods.
The Kubenet creates an internal Kubernetes virtual network. The Pod CIDR assigns the /24 address space for each node in the cluster. The first node has
an internal space of 10.244.0.0/24, then — 10.244.1.0/24 for the next node, and so on (Number 1). And the routing table connects the pods with the Vnet (Number 2 and 3). (see image1)

The pods’ IP addresses for the first node will start from 10.244.0.1 and for the second node — from 10.244.1.1, etc. (see image2)

All other options are incorrect.
For more information about AKS networking, please visit the below URLs:
https://docs.microsoft.com/en-us/azure/aks/concepts-network
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet#create-an-aks-cluster-in-the-virtual-network
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni

51
Q

Domain: Implement and manage storage
Your company wants to provision an Azure storage account. The storage account needs to meet the following requirements.

Should be able to support hot, cool, and archive blob tiers.
Should be able to provide fault tolerance if a disaster hits the Azure region, which has the storage account.
Should minimize costs.

You need to complete the below command to create the storage account.

az storage account create -g whizlabrg -n whizlabstore --kind {SLOT1} --sku {SLOT2}

Which of the following would go into Slot2?

A. Standard_GRS
B. Standard_LRS
C. Standard_RAGRS
D. Premium_LRS

A

A. Standard_GRS

Standard_GRS, which is geo-redundant storage would ensure that data is available in a secondary region if the primary region goes down.
The Microsoft documentation mentions the following.

Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region. GRS offers durability for storage resources of at least 99.99999999999999% (16 9’s) over a given year.
A write operation is first committed to the primary location and replicated using LRS. The update is then replicated asynchronously to the secondary region. When data is written to the secondary location, it’s also replicated within that location using LRS.

Options B and D are incorrect since these don’t guarantee that data will be available if a region goes down.
Option C is incorrect since the costs would be more than Standard_GRS.
For more information on geo-redundant storage, please visit the below URL-
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs

52
Q

Domain: Deploy and manage Azure compute resources
Which of the following should be used to guarantee SLA of at least 99.5% for the availability of the Virtual Machines? Choose 2 answers from the options
given below.

A. Azure Managed Disks
B. Azure Network Interfaces
C. Azure Availability sets
D. Azure scale sets

A

A. Azure Managed Disks
C. Azure Availability sets

Answer – A and C
Managed Disks and Availability Sets can guarantee Virtual Machine availability of at least 99.5%.
The Microsoft documentation mentions the following.

For any Single Instance Virtual Machine using Standard SSD Managed Disks for Operating System Disk and Data Disks, we guarantee you will have
Virtual Machine Connectivity of at least 99.5%.
For all Virtual Machines with two or more instances deployed in the same Availability Set or the same Dedicated Host Group, we guarantee you will
have Virtual Machine Connectivity to at least one instance 99.95% of the time.

Option B is incorrect. Multiple network interfaces can be used to recover applications on virtual machines, since you can move network
interfaces across virtual machines. However, to be guaranteed an SLA of 99.5% uptime, you should use Azure Managed Disks and/or
Azure Availability Sets.
Option D is incorrect since this can be used to scale your application and can be used for high availability.
For more information on managing availability for Virtual Machines, one can go to the below URLs-
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_9/

53
Q

Domain: Implement and manage virtual networking
You provide custom Azure services for your customers. They need to access the services from their own virtual networks in a secure manner avoiding any internet connections. Match the four components that you and your customers need to set up to utilize Azure custom services with the appropriate definition.

  1. Azure Load Balancer
  2. Private Link Service
  3. Private Link
  4. Private Endpoint

A. Your service that is running behind Azure Standard Load Balancer can be enabled for Private Link access so that consumers to your
service can access it privately from their own VNets.
B. A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects
you privately and securely to a service that’s powered by Azure Private Link.
C. Standard Load Balancer is secure by default and part of your virtual network. The virtual network is a private and isolated network.
D. Now you don’t access the Azure resource using a public IP address. Instead, you use a private IP address that Azure assigns to the resource from the address space of your subnet.

A

1 - C
2 - A
3 - D
4 - B

Azure Private Link helps users connect the Azure resources to their virtual networks without using the internet and public IPs. Instead of the internet, the
customers use the Microsoft Azure backbone network. Instead of using public IP addresses for resource access, the resources are using the private IP
addresses that Azure assigns to them using their virtual network’s subnets in the private link services.
For customers utilizing your Azure services from their virtual networks, you need to create an Azure Private Link. This link connects the Private Endpoint
that customers add to their virtual network and the Private Link Service that you add to connect to your services running behind the Standard Azure
Load Balancer.
For more information about Azure Load Balancer, Private Endpoint, Private Link, and Private Link Service, please visit the below URLs:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#securebydefault
https://docs.microsoft.com/en-us/learn/modules/introduction-azure-private-link/3-how-azure-private-link-works
https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview

54
Q

Domain: Implement and manage virtual networking
A company currently has the following networks defined in Azure.
Name || Address space
whizlab-vnet1 || 10.1.0.0/16
whizlab-vnet2 || 10.2.0.0/16
whizlab-vnet3 || 10.3.0.0/16
All virtual networks are hosting virtual machines with varying workloads. A virtual machine named whizlab-detect is hosted in whizlab-vnet2. This virtual
machine will have intrusion detection software installed on it. All traffic on all virtual networks must be routed via this virtual machine (intrusion-based device).
You need to complete the required steps for implementing this requirement.

Which of the following would you need to create additionally to ensure that traffic is sent via the virtual machine hosting the intrusion software?

A. A new route table
B. Add an address space
C. Add DNS servers
D. Add a service endpoint

A

A. A new route table

In order to ensure that traffic is routed via the intrusion-based device, you need to set up a route table and add the route table to the subnets in the other virtual networks.
The diagram of the hub and spoke model also includes the use of a User-defined route (UDR), which is nothing but a custom route table.

Since this is clearly given in the Microsoft documentation, all other options are incorrect.
For more information on working with route tables, please visit the below URLs-

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva

55
Q

Domain: Monitor and maintain Azure resources
A company has the following resources defined as part of its Azure subscription.

Name || Type || Location || Resource Group
rg-whizlabs-1 || Resource group || East US || Not applicable
rg-whizlabs-2 || Resource group || West US || Not applicable
vaultwhizlab || Recovery services vault || West Europe || rg-whizlabs-1
storewl2070 || Storage account || East US || rg-whizlabs-2
storewl2080 || Storage account || West US || rg-whizlabs-1
storewl2090 || Storage account || West Europe || rg-whizlabs-2
log-wl-1 || Log Analytics workspace || East US || rg-whizlabs-1
log-wl-2 || Log Analytics workspace || West US || rg-whizlabs-2
log-wl-3 || Log Analytics workspace || West Europe || rg-whizlabs-3

The company is planning to configure the Diagnostic settings for the Recovery Services vault to store the Azure Backup Reports.
Which of the following Log Analytics workspaces can be used to store the backup reports?

A. log-wl-1 only
B. log-wl-2 only
C. log-wl-3 only
D. log-wl-1, log-wl-2 and log-wl-3

A

D. log-wl-1, log-wl-2 and log-wl-3

The Log Analytics workspace can be in any region. It does not need to be in the same region as the recovery services vault.

For more information on configuring Azure Backup reports, please visit the following URL-
https://docs.microsoft.com/en-us/azure/backup/configure-reports