Part 1 Azure Flashcards

1
Q

What are two characteristics of the public cloud? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers:
Dedicated hardware.
Unsecured connections.
Limited storage.
Metered pricing.
Self-service management.
A

Metered pricing.
Self-service management.

Advantages of public clouds:

Lower costs: no need to purchase hardware or software, and you pay only for the service you use.

No maintenance: your service provider provides the maintenance.

Near-unlimited scalability: on-demand resources are available to meet your business needs.

High reliability: a vast network of servers ensures against failure.

2
Q

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct.

When planning to migrate a public website to Azure, you must plan to ** PAY MONTHLY USAGE ** costs.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
Deploy a VPN.
Pay to transfer all the website data to Azure.
Reduce the number of connections to the website.

A

No change is needed.

Azure doesn’t directly bill based on the resource cost. Charges for a resource are calculated by using one or more meters. Meters are used to track a resource’s usage throughout its lifetime. These meters are then used to calculate the bill.
For example, when you create a single Azure resource, like a virtual machine, it has one or more meter instances created. Meters are used to track the usage of the resource over time. Each meter emits usage records that are used by Azure to calculate the bill.

For example, a single virtual machine (VM) created in Azure may have the following meters created to track its usage:

Compute Hours, IP Address Hours, Data Transfer In, Data Transfer Out, Standard Managed Disk, Standard Managed Disk Operations, Standard IO-Disk, Standard IO-Block Blob Read, Standard IO-Block Blob Write, Standard IO-Block Blob Delete

3
Q

Your company plans to migrate all its data and resources to Azure.

The company’s migration plan states that only platform as a service (PaaS) solutions must be used in Azure.
You need to deploy an Azure environment that supports the planned migration.

Solution: You create an Azure App Service and Azure SQL databases.

Does this meet the goal?

Answers:
Yes.
No.

A

Yes

Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection.

Like IaaS, PaaS includes infrastructure (servers, storage and networking) but also middleware, development tools, business intelligence (BI) services, database management systems and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing and updating.

PaaS allows you to avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators such as Kubernetes or the development tools and other resources. You manage the applications and services you develop and the cloud service provider typically manages everything else.

4
Q

Your company hosts an accounting application named App1 that is used by all the customers of the company.

App1 has low usage during the first three weeks of each month and very high usage during the last week of each month.

Which benefit of Azure Cloud Services supports cost management for this type of usage pattern?

Answers:
High availability.
High latency.
Elasticity.
Load balancing.
A

Elasticity

Elastic computing is the ability to quickly expand or decrease computer processing, memory, and storage resources to meet changing demands without worrying about capacity planning and engineering for peak usage. Typically controlled by system monitoring tools, elastic computing matches the amount of resources allocated to the amount of resources actually needed without disrupting operations. With cloud elasticity, a company avoids paying for unused capacity or idle resources and doesn’t have to worry about investing in the purchase or maintenance of additional resources and equipment.

While security and limited control are concerns to take into account when considering elastic cloud computing, it has many benefits. Elastic computing is more efficient than your typical IT infrastructure, is typically automated so it doesn’t have to rely on human administrators around the clock, and offers continuous availability of services by avoiding unnecessary slowdowns or service interruptions.

5
Q

You plan to migrate a web application to Azure. The web application is accessed by external users.

You need to recommend a cloud deployment solution to minimize the amount of administrative effort used to manage the web application.

What should you include in the recommendation?

Answers:
Software as a service (SaaS).
Platform as a service (PaaS).
Infrastructure as a service (IaaS).
Database as a service (DaaS).
A

Platform as a service (PaaS).

IaaS (Infrastructure as a Service). IaaS is the most basic level of cloud-based solutions, which refers to renting an IT infrastructure as a fully outsourced service. In this category, the cloud provider lets you rent servers, VMs, storage, network and operating systems on a pay-as-you-go basis.

Examples: Amazon EC2 and S3, Google Compute Engine, Windows Azure.

PaaS (Platform as a Service). PaaS is the cloud solution where, apart from providing an infrastructure, cloud providers also issue an on-demand computing environment to develop, test, run and collaborate with components such as web servers, database management systems, and software development kits (SDKs) for various programming languages.

Examples: AWS Elastic Beanstalk, Heroku, Windows Azure, Force.com, Google App Engine.

SaaS (Software as a Service). SaaS providers offer fully functional web-based application software tailored to a variety of business needs such as project tracking, web conferencing, marketing automation or business analytics.

Examples: Google Apps, Microsoft Office 365, Gmail, Yahoo and Facebook.

6
Q

You have an on-premises network that contains 100 servers.

You need to recommend a solution that provides additional resources to your users. The solution must minimize capital and operational expenditure costs.

What should you include in the recommendation?

Answers:
A complete migration to the public cloud.
An additional data center.
A private cloud.
A hybrid cloud.
A

A private cloud.

Private cloud is a type of cloud computing that delivers similar advantages to public cloud, including scalability and self-service, but through a proprietary architecture. Unlike public clouds, which deliver services to multiple organizations, a private cloud is dedicated to the needs and goals of a single organization.

As a result, private cloud is best for businesses with dynamic or unpredictable computing needs that require direct control over their environments, typically to meet security, business governance or regulatory compliance requirements.

7
Q

What are the three general cloud deployment models?

A

Public, private and hybrid.

A public cloud is where an independent, third-party provider, such as Amazon Web Services (AWS) or Microsoft Azure, owns and maintains compute resources that customers can access over the internet. Public cloud users share these resources, a model known as a multi-tenant environment.

By comparison, a private cloud is created and maintained by an individual enterprise. The private cloud might be based on resources and infrastructure already present in an organization’s on-premises data center or on new, separate infrastructure. In both cases, the enterprise itself owns and operates the private cloud.

A hybrid cloud is a model in which a private cloud connects with public cloud infrastructure, allowing an organization to orchestrate workloads across the two environments. In this model, the public cloud effectively becomes an extension of the private cloud to form a single, uniform cloud. A hybrid cloud deployment requires a high level of compatibility between the underlying software and services used by both the public and private clouds.

8
Q

You plan to deploy several Azure virtual machines.

You need to ensure that the services running on the virtual machines are available if a single data center fails.

Solution: You deploy the virtual machines to two or more scale sets.

Does this meet the goal?

Answers:
Yes.
No.

A

No

Azure virtual machine scale sets let you create and manage a group of identical, load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs. With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and container workloads.

To provide redundancy and improved performance, applications are typically distributed across multiple instances. Customers may access your application through a load balancer that distributes requests to one of the application instances. If you need to perform maintenance or update an application instance, your customers must be distributed to another available application instance. To keep up with additional customer demand, you may need to increase the number of application instances that run your application.

9
Q

You plan to map a network drive from several computers that run Windows 10 to Azure Storage. You need to create a storage solution in Azure for the planned mapped drive.

What should you create?

Answers:
An Azure SQL database.
A virtual machine data disk.
A Files service in a storage account.
A Blobs service in a storage account.
A

A Files service in a storage account.

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Additionally, Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

Azure Files:

Extend your servers to Azure with Sync for on-premises performance and capability.

Secure data at rest and in-transit using SMB 3.0 and HTTPS.

Simplify cloud file share management using familiar tools.

Create high-performance file shares using the Premium Files storage tier.

10
Q

Your company plans to deploy an Artificial Intelligence (AI) solution in Azure.

What should the company use to build, test, and deploy predictive analytics solutions?

Answers:
Azure Logic Apps.
Azure Machine Learning Studio.
Azure Batch.
Azure Cosmos DB.
A

Azure Machine Learning Studio.

Machine Learning Studio is a powerfully simple browser-based, visual drag-and-drop authoring environment where no coding is necessary. Go from idea to deployment in a matter of clicks.

Azure Machine Learning is designed for applied machine learning. Use best-in-class algorithms and a simple drag-and-drop interface, and go from idea to deployment in a matter of clicks.

11
Q

** AZURE POLICIES PROVIDE ** a common platform for deploying objects to a cloud infrastructure and for implementing consistency across the Azure environment.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
Resource groups provide.
Azure Resource Manager provides.
Management groups provide.
A

Azure Resource Manager provides.

Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription. You can use its access control, auditing, and tagging features to secure and organize your resources after deployment.

When you take actions through the portal, PowerShell, Azure CLI, REST APIs, or client SDKs, the Azure Resource Manager API handles your request. Because all requests are handled through the same API, you see consistent results and capabilities in all the different tools. All capabilities that are available in the portal are also available through PowerShell, Azure CLI, REST APIs, and client SDKs.

12
Q

Your company has several business units.

Each business unit requires 20 different Azure resources for daily operation. All the business units require the same type of Azure resources.

You need to recommend a solution to automate the creation of the Azure resources.

What should you include in the recommendations?

Answers:
Azure Resource Manager templates.
Virtual machine scale sets.
The Azure API Management service.
Management groups.
A

Azure Resource Manager templates.

An Azure Resource Manager template defines the resources you need to deploy for your solution. An Azure Resource Manager template is just a simple JSON file. JSON is an open-standard file format derived from JavaScript, and a JSON file is a collection of name/value pairs.

13
Q

Which Azure service should you use to correlate events from multiple resources into a centralized repository?

Answers:
Azure Event Hubs.
Azure Analysis Services.
Azure Monitor.
Azure Log Analytics.
A

Azure Log Analytics.

Log Analytics is a web tool used to write and execute Azure Monitor log queries. Open it by selecting Logs in the Azure Monitor menu. It starts with a new blank query.

14
Q

You have an Azure environment. You need to create a new Azure virtual machine from an Android laptop.

Solution: You use PowerShell in Azure Cloud Shell.

Does this meet the goal?

Answers:
Yes.
No.

A

Yes

PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes.

PowerShell commands let you manage computers from the command line. PowerShell providers let you access data stores, such as the registry and certificate store, as easily as you access the file system. PowerShell includes a rich expression parser and a fully developed scripting language.

15
Q

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct.

An Azure region ** CONTAINS ONE OR MORE DATA CENTERS ** that are connected by using a low-latency network.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
Is found in each country where Microsoft has a subsidiary office.
Can be found in every country in Europe and the Americas only.
Contains one or more data centers that are connected by using a high-latency network.

A

No change is needed

Understand Azure global infrastructure:

A region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. With more global regions than any other cloud provider, Azure gives customers the flexibility to deploy applications where they need to. Azure is generally available in 46 regions around the world, with plans announced for 8 additional regions.

A geography is a discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries. Geographies allow customers with specific data-residency and compliance needs to keep their data and applications close. Geographies are fault-tolerant to withstand complete region failure through their connection to our dedicated high-capacity networking infrastructure.

Availability Zones are physically separate locations within an Azure region. Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. Availability Zones allow customers to run mission-critical applications with high availability and low-latency replication.

16
Q

You plan to deploy 20 virtual machines to an Azure environment. To ensure that a virtual machine named VM1 cannot connect to the other virtual machines, VM1 must ** BE DEPLOYED TO A SEPARATE VIRTUAL NETWORK **.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
Run a different operating system than the other virtual machines.
Be deployed to a separate resource group.
Have two network interfaces.

A

No change is needed.

17
Q

A support engineer plans to perform several Azure management tasks by using the Azure CLI.

You install the CLI on a computer.

You need to tell the support engineer which tools to use to run the CLI.

Which two tools should you instruct the support engineer to use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers:
Command Prompt.
Azure Resource Explorer.
Windows PowerShell.
Windows Defender Firewall.
Network and Sharing Center.
A

Command Prompt.
Windows PowerShell.

For Windows the Azure CLI is installed via an MSI, which gives you access to the CLI through the Windows Command Prompt (CMD) or PowerShell. When installing for Windows Subsystem for Linux (WSL), packages are available for your Linux distribution.

The Azure CLI is a command-line tool providing a great experience for managing Azure resources. The CLI is designed to make scripting easy, query data, support long-running operations, and more.

18
Q

You plan to store 20 TB of data in Azure. The data will be accessed infrequently and visualized by using Microsoft Power BI.

You need to recommend a storage solution for the data.

Which two solutions should you recommend? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers:
Azure Data Lake.
Azure Cosmos DB.
Azure SQL Data Warehouse.
Azure SQL Database.
Azure Database for PostgreSQL.
A

Azure Data Lake.
Azure SQL Data Warehouse.

Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists, and analysts to store data of any size, shape, and speed, and do all types of processing and analytics across platforms and languages.

Azure SQL Data Warehouse is a fully managed cloud data warehouse for enterprises of any size that combines lightning-fast query performance with industry-leading data security. Optimise workloads by elastically scaling your resources in minutes. Get unlimited storage, automated administration and built-in auditing and threat detection.

19
Q

You have a virtual machine named VM1 that runs Windows Server 2016. VM1 is in the East US Azure region.

Which Azure service should you use from the Azure portal to view service failure notifications that can affect the availability of VM1?

Answers:
Azure Service Fabric.
Azure Monitor.
Azure virtual machines.
Azure Advisor.
A

Azure Monitor.

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs. Metrics are numerical values that describe some aspect of a system at a particular point in time. They are lightweight and capable of supporting near real-time scenarios. Logs contain different kinds of data organized into records with different sets of properties for each type. Telemetry such as events and traces are stored as logs in addition to performance data so that it can all be combined for analysis.

20
Q

An Azure administrator plans to run a PowerShell script that creates Azure resources.

You need to recommend which computer configuration to use to run the script.

Solution: Run the script from a computer that runs Linux and has the Azure CLI tools installed.

Does this meet the goal?

Answers:
Yes.
No.

A

No

Install Azure CLI on Linux manually

If there’s no package for the Azure CLI for your distribution, install the CLI manually by running a script.

21
Q

You have an Azure environment that contains 10 virtual networks and 100 virtual machines.

You need to limit the amount of inbound traffic to all the Azure virtual networks.

What should you create?

Answers:
One network security group (NSG).
10 virtual network gateways.
10 Azure ExpressRoute circuits.
One Azure firewall.
A

One Azure firewall.

Azure Firewall: Cloud-native network security to protect your Azure Virtual Network resources

22
Q

You have an Azure environment that contains multiple Azure virtual machines.

You plan to implement a solution that enables the client computers on your on-premises network to communicate to the Azure virtual machines.

You need to recommend which Azure resources must be created for the planned solution.

Which two Azure resources should you include in the recommendation? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers:
A virtual network gateway.
A load balancer.
An application gateway.
A virtual network.
A gateway subnet.
A

A virtual network.
A gateway subnet.

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

A virtual network gateway is composed of two or more virtual machines that are deployed to a specific subnet you create, which is called the gateway subnet. The VMs that are located in the gateway subnet are created when you create the virtual network gateway. Virtual network gateway VMs are configured to contain routing tables and gateway services specific to the gateway. You can’t directly configure the VMs that are part of the virtual network gateway and you should never deploy additional resources to the gateway subnet.

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

23
Q

Your company plans to move several servers to Azure.

The company’s compliance policy states that a server named FinServer must be on a separate network segment.

You are evaluating which Azure services can be used to meet the compliance policy requirements.

Which Azure solution should you recommend?

Answers:
A resource group for FinServer and another resource group for all the other servers.
A virtual network for FinServer and another virtual network for all the other servers.
A VPN for FinServer and a virtual network gateway for each other server.
One resource group for all the servers and a resource lock for FinServer.

A

A virtual network for FinServer and another virtual network for all the other servers.

Best practice: Create network access controls between subnets. Routing between subnets happens automatically, and you don’t need to manually configure routing tables. By default, there are no network access controls between the subnets that you create on an Azure virtual network.

24
Q

Your company has an Azure environment that contains resources in several regions.

A company policy states that administrators must only be allowed to create additional Azure resources in a region in the country where their office is located.

You need to create the Azure resource that must be used to meet the policy requirement.

What should you create?

Answers:
A read-only lock.
An Azure policy.
A management group.
A reservation.
A

An Azure policy.

25
Q

You need to configure an Azure solution that meets the following requirements:

Secures websites from attacks.

Generates reports that contain details of attempted attacks.

What should you include in the solution?

Answers:
Azure Firewall.
A network security group (NSG).
Azure Information Protection.
DDoS protection.
A

DDoS protection.

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

26
Q

Your company plans to migrate all on-premises data to Azure. You need to identify whether Azure complies with the company’s regional requirements.

What should you use?

Answers:
The Knowledge Center.
Azure Marketplace.
The Azure portal.
The Trust Center.
A

The Trust Center.

The Azure Security Information site on Azure.com gives you the information you need to plan, design, deploy, configure, and manage your cloud solutions securely. With the Microsoft Trust Center, you also have the information you need to be confident that the Azure platform on which you run your services is secure.

Compliance: Microsoft helps organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data.

27
Q

Your company plans to automate the deployment of servers to Azure.

Your manager is concerned that you may expose administrative credentials during the deployment.

You need to recommend an Azure solution that encrypts the administrative credentials during the deployment.

What should you include in the recommendation?

Answers:
Azure Key Vault.
Azure Information Protection.
Azure Security Center.
Azure Multi-Factor Authentication (MFA).
A

Azure Key Vault.

Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

28
Q

If a resource group named RG1 has a delete lock, ** ONLY A MEMBER OF THE GLOBAL ADMINISTRATORS GROUP ** can delete RG1.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
The delete lock must be removed before an administrator.
An Azure policy must be modified before an administrator.
An Azure tag must be added before an administrator.

A

The delete lock must be removed before an administrator.

29
Q

Which two types of customers are eligible to use Azure Government to develop a cloud solution? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers:
A Canadian government contractor.
A European government contractor.
A United States government entity.
A United States government contractor.
A European government entity.
A

A United States government entity.
A United States government contractor.

In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located in U.S. only).

30
Q

You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet by using an anonymous IP address, the users are prompted automatically to change their password.

Which Azure service should you use?

Answers:
Azure AD Connect Health.
Azure AD Privileged Identity Management.
Azure Advanced Threat Protection (ATP).
Azure AD Identity Protection.
A

Azure AD Identity Protection.

Azure Active Directory Identity Protection enables organizations to configure automated responses to detected suspicious actions related to user identities.

Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory Identity Protection, in your environment, you can use the same protection systems Microsoft uses to secure identities.

31
Q

To what should an application connect to retrieve security tokens?

Answers:
An Azure Storage account.
Azure Active Directory (Azure AD).
A certificate store.
An Azure key vault.
A

Azure Active Directory (Azure AD).

Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs such as Microsoft Graph or APIs that developers have built. It’s a full-featured platform that consists of an OAuth 2.0 and OpenID Connect standard-compliant authentication service, open-source libraries, application registration and configuration, robust conceptual and reference documentation, quickstart samples, code samples, tutorials, and how-to guides.

32
Q

** RESOURCE GROUPS ** provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
Management groups.
Azure policies.
Azure App Service plans.
A

Azure policies.

33
Q

Your network contains an Active Directory forest. The forest contains 5,000 user accounts.

Your company plans to migrate all network resources to Azure and to decommission the on-premises data center.

You need to recommend a solution to minimize the impact on users after the planned migration.

What should you recommend?

Answers:
Implement Azure Multi-Factor Authentication (MFA).
Sync all the Active Directory user accounts to Azure Active Directory (Azure AD).
Instruct all users to change their password.
Create a guest user account in Azure Active Directory (Azure AD) for each user.

A

Sync all the Active Directory user accounts to Azure Active Directory (Azure AD).

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access external and internal resources.

34
Q

Which Azure service should you use to store certificates?

Answers:
Azure Security Center.
An Azure Storage account.
Azure Key Vault.
Azure Information Protection.
A

Azure Key Vault.

Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data:

Cryptographic keys, secrets, certificates, and Azure Storage accounts.

35
Q

What can Azure Information Protection encrypt?

Answers:
Network traffic.
Documents and email messages.
An Azure Storage account.
An Azure SQL database.
A

Documents and email messages.

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify and, optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.

After your content is classified (and optionally protected), you can then track and control how it is used. You can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, prevent data leakage or misuse, and so on.

36
Q

What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?

Answers:
The Knowledge Center website.
The Advisor blade from the Azure portal.
Compliance Manager from the Security Trust Portal.
The Security Center blade from the Azure portal.

A

The Security Center blade from the Azure portal.

Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Azure Security Center is enabled with your Microsoft Azure subscription and accessed from the Azure portal. (Sign in to the portal, select Browse, and scroll to Security Center).

37
Q

Your company implements ** AZURE POLICIES ** to automatically add a watermark to Microsoft Word documents that contain credit card information.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
DDoS protection.
Azure Information Protection.
Azure Active Directory (Azure AD) Identity Protection.
A

Azure Information Protection.

An Azure Information Protection policy contains many elements that you can configure such as labels, tooltips, titles, etc.

38
Q

From ** AZURE MONITOR **, you can view which user turned off a specific virtual machine during the last 14 days.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
Azure Event Hubs.
Azure Activity Log.
Azure Service Health.
A

Azure Activity Log.

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions.

Use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties.

39
Q

You have an Azure virtual network named VNET1 in a resource group named RG1.

You assign an Azure policy specifying that virtual networks are not an allowed resource type in RG1. VNET1 ** IS DELETED AUTOMATICALLY **.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

Answers:
No change is needed.
Is moved automatically to another resource group.
Continues to function normally.
Is now a read-only object.
A

No change is needed.

In Azure Policy, we offer several built-in policies that are available by default. For example:

Allowed Resource Type: Defines the resource types that you can deploy. Its effect is to deny all resources that aren’t part of this defined list.

Not allowed resource types: Prevents a list of resource types from being deployed.

40
Q

Your company plans to purchase Azure.

The company’s support policy states that the Azure environment must provide an option to access support engineers by phone or email.

You need to recommend which support plan meets the support policy requirement.

Solution: Recommend a Basic support plan.

Does this meet the goal?

Answers:
Yes.
No.

A

No

BASIC: No Technical Support.

DEVELOPER: Business hours access to Support Engineers via email

STANDARD, PROFESSIONAL DIRECT, PREMIER: 24x7 access to Support Engineers via email and phone

41
Q

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.

Your company has a public DNS zone for contoso.com.

You add contoso.com as a custom domain name to Azure AD.

You need to ensure that Azure can verify the domain name.

Which type of DNS record should you create?

Answers:
TXT.
SRV.
DNSKEY.
NSEC.
RRSIG.
PTR.
A

TXT.

To do this, you have to create three records:

  • A root “A” record pointing to contoso.com

  • A root “TXT” record for verification

  • A “CNAME” record for the www name that points to the A record

42
Q

Your company has 10 offices. You plan to generate several billing reports from the Azure portal. Each report will contain the Azure resource utilization of each office.

Which Azure Resource Manager feature should you use before you generate the reports?

Answers:
Tags
Templates
Locks
Policies
A

Tags

43
Q

Choose all that apply:

Answers:
Data that is copied to an Azure Storage account is maintained automatically in at least three copies.
All data that is copied to an Azure Storage account is backed up automatically to another Azure data center.
An Azure Storage account can contain up to 2 TB of data and up to one million files.

A

Data that is copied to an Azure Storage account is maintained automatically in at least three copies.

44
Q

Choose all that apply:

Answers:
If you have Azure resources deployed to every region, you can implement availability zones in all regions.
Only virtual machines that run Windows Server can be created in availability zones.
Availability zones are used to replicate data and applications to multiple regions.
None of the above

A

None of the above

Availability Zone - Unique physical locations within a region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking.

45
Q

Your company registers a domain name of contoso.com.

You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10.

You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address.

You need to resolve the name resolution issue.

Solution: You create a PTR record for www in the contoso.com zone.

Does this meet the goal?

Answers:
Yes.
No.

A

No

46
Q

You have an Azure subscription that contains the resources in the following table.

Name: VNet1, Type: Virtual network, Details: Not applicable

Name: Subnet1, Type: Subnet, Details: Hosted on VNet1

Name: VM1, Type: Virtual machine, Details: On Subnet1

Name: VM2, Type: Virtual machine, Details: On Subnet1

VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop.

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.

What should you do?

Answers:
Change the DenyWebSites outbound security rule.
Change the Port_80 inbound security rule.
Disassociate the NSG from a network interface.
Associate the NSG to Subnet1.

A

Associate the NSG to Subnet1.

You can associate or dissociate a network security group from a network interface or subnet.

The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.

47
Q

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?

Answers:
Select Allow gateway transit on VNet2.
Enable BGP on VPNGW1.
Select Allow gateway transit on VNet1.
Download and re-install the VPN client configuration package on Client1.
A

Download and re-install the VPN client configuration package on Client1.

If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.

48
Q

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Network Watcher, you create a packet capture.

Does this meet the goal?

Answers:
Yes.
No.

A

No

Use the Connection Monitor feature of Azure Network Watcher.

49
Q

You plan to use the Azure Import/Export service to copy files to a storage account.

Which two files should you create before you prepare the drives for the import job?

Answers:
A driveset CSV file.
A JSON configuration file.
A PowerShell PS1 file.
An XML manifest file.
A dataset CSV file.
A

A driveset CSV file.

A dataset CSV file.

50
Q

You create an Azure Storage account named contosostorage.

You plan to create a file share named data.

Users need to map a drive to the data file share from home computers that run Windows 10.

Which outbound port should you open between the home computers and the data file share?

Answers:
80.
443.
445.
3389.
A

445.

Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked. You can check to see if your firewall is blocking port 445 with the Test-NetConnection cmdlet.