Review Mode Set 2 – AZ-104 Azure Administrator Flashcards

1
Q

You are planning to migrate your on-premises media files to Azure.

You need to create a storage account named TutorialsDojoMedia that must meet the following requirements:

It must be able to tolerate the failure of a single datacenter in an Azure Region.

Replication must be synchronous.

How would you configure the storage account?

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. Account Type
    A. General Purpose V2
    B. General Purpose V1
    C. BlobStorage
  2. Azure App Service
    A. Locally Redundant Storage (LRS)
    B. Zone Redundant Storage (ZRS)
    C. Geo Redundant Storage (GRZS)
    D. Read-access geo-zone redundant storage (RA-GZRS)
A
  1. A. General Purpose V2
  2. B. Zone Redundant Storage (ZRS)

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Azure Storage offers several types of storage accounts. Each type supports different features and has its own pricing model. Consider these differences before you create a storage account to determine the type of account that is best for your applications. The types of storage accounts are:

General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage. It supports LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS replication options.
General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options
BlockBlobStorage accounts: Storage accounts with premium performance characteristics for block blobs and append blobs. Recommended for scenarios with high transaction rates, or scenarios that use smaller objects or require consistently low storage latency. Supports LRS, ZRS replication options
FileStorage accounts: Files-only storage accounts with premium performance characteristics. Recommended for enterprise or high-performance scale applications. Supports LRS, ZRS replication options
BlobStorage accounts: Legacy Blob-only storage accounts. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options

Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers four options for how your data is replicated:

Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option but is not recommended for applications requiring high availability.
Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability.
Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.
Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.

Therefore, you have to use the General-purpose V2 as your account type as it supports Zone-redundant storage (ZRS). Microsoft recommends that you use the General-purpose v2 option for new storage accounts.

Conversely, to achieve the fault-tolerance requirements, you need to utilize Zone-redundant storage (ZRS) as it copies your data synchronously across three Azure availability zones in the primary region.

The options that say: General-purpose V1 and Blob Storage are incorrect because these account types do not support Zone-redundant storage (ZRS).

The option that says: Locally redundant storage (LRS) is incorrect because it only copies your data synchronously three times within a single physical location in the primary region.

The options that say: Geo-zone-redundant storage (GZRS) and Read-access geo-zone-redundant storage (RA-GZRS) are incorrect because these exceed the requirements. Take note that the requirement is that your storage account must tolerate a single data center failure.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

Locally Redundant Storage (LRS) vs. Zone-Redundant Storage (ZRS) vs. Geo-Redundant Storage (GRS):

https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

You currently have an on-premises file server that contains a directory named E:\TutorialsDojoMedia.

There is a requirement to migrate the folder E:\TutorialsDojoMedia and its subdirectories to a public container in an Azure Storage Account named TutorialsDojoAccount.

Which of the following command should you run?

A. azcopy copy E:\TutorialsDojoMedia
https://TutorialsDojoAccount.blob.core.windows.net/public –recursive
B. azcopy copy https://TutorialsDojoAccount.blob.core.windows.net/public E:\TutorialsDojoMedia –recursive
C. azcopy copy E:\TutorialsDojoMedia
https://TutorialsDojoAccount.blob.core.windows.net/public
D. az storage blob copy start-batch E:\TutorialsDojoMedia https://TutorialsDojoAccount.blob.core.windows.net/public

A

A. azcopy copy E:\TutorialsDojoMedia
https://TutorialsDojoAccount.blob.core.windows.net/public –recursive

Explanation:
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. You can also provide authorization credentials on your AzCopy command by using Azure Active Directory (AD) or by using a Shared Access Signature (SAS) token.

The Azure Storage platform is Microsoft’s cloud storage solution for modern data storage scenarios. Core storage services offer a massively scalable object store for data objects, disk storage for Azure virtual machines (VMs), a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.

Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn’t adhere to a particular data model or definition, such as text or binary data.

Blob storage is designed for:

– Serving images or documents directly to a browser.

– Storing files for distributed access.

– Streaming video and audio.

– Writing to log files.

– Storing data for backup and restore disaster recovery and archiving.

– Storing data for analysis by an on-premises or Azure-hosted service.

The correct syntax in uploading files is: azcopy copy [source] [destination] [flags]

For example:

azcopy copy ‘C:\myDirectory\myTextFile.txt’ ‘https://mystorageaccount.blob.core.windows.net/mycontainer/myTextFile.txt’

Hence, the correct answer is: azcopy copy E:\TutorialsDojoMedia https://TutorialsDojoAccount.blob.core.windows.net/public –recursive

The option that says: azcopy copy https://TutorialsDojoAccount.blob.core.windows.net/public E:\TutorialsDojoMedia –recursive is incorrect because this command only downloads the contents from the storage account and not the folder. Remember that in order to upload a file to a storage account, you need to follow this syntax: azcopy copy [source] [destination] [flags].

The option that says: azcopy copy E:\TutorialsDojoMedia https://TutorialsDojoAccount.blob.core.windows.net/public is incorrect because the command will not include the subdirectories of the folder. You need to append the –recursive flag to upload files in all subdirectories.

The option that says: az storage blob copy start-batch E:\TutorialsDojoMedia https://TutorialsDojoAccount.blob.core.windows.net/public is incorrect because this command simply copies multiple blob files from a source container to the destination container.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Check out this Azure Blob Storage Cheat Sheet:

https://tutorialsdojo.com/azure-blob-storage/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

You have an Azure subscription that contains a virtual network named TDVNet1 with a subnet named TDSubnet1. Three virtual machines have been provisioned to TDSubnet1, each with a public IP address.

There are several applications that are hosted in your virtual machines that are accessible over port 443 (HTTPS) and 3389 (RDP) to users over the Internet.

You have extended your on-premises network to TDVNet1 using a site-to-site VPN connection.

Due to compliance requirements, you need to ensure that the Remote Desktop Protocol (RDP) connection is only accessible from the on-premises network. The solution must still allow internet users to access all the applications.

What should you do?

A. Detach the public IP address of the virtual machines
B. Change the address space of the local network gateway
C. Change the address space of TDSubnet1.
D. Add a rule to deny incoming RDP connection using network security group (NSG) which is linked to TDSubnet1

A

D. Add a rule to deny incoming RDP connection using network security group (NSG) which is linked to TDSubnet1

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Network Security Groups can be attached to subnets and/or network interfaces. Unless you have a specific reason to, it is recommended that you associate a network security group to a subnet or a network interface, but not both. Since rules in a network security group associated with a subnet can conflict with rules in a network security group associated with a network interface, you can have unexpected communication problems that require troubleshooting.

It’s important to note that security rules in an NSG associated with a subnet can affect connectivity between virtual machines within it. For example, if a rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. Another rule would have to be added specifically to allow this.

Hence, the correct answer is: Add a rule to deny incoming RDP connection using network security group (NSG) which is linked to TDSubnet1.

The option that says: Detach the public IP address of the virtual machines is incorrect. Removing the public IP address of your virtual machines will also remove their ability to connect to the Internet. The requirement in this scenario states that the virtual machines must still be accessible by Internet users.

The option that says: Change the address space of the local network gateway is incorrect. Address space in the local network gateway refers to one or more IP address ranges (in CIDR notation) that define your on-premises address space. In this case, modifying the address space might also remove RDP access from your on-premises network to Azure.

The option that says: Change the address space of TDSubnet1 is incorrect because changing the address space of a subnet has no effect on restricting traffic going into it. If you change the address space of TDSubnet1, you also need to terminate or move the virtual machines that are associated with TDSubnet1. Instead, you can restrict traffic going into TDSubnet1 by associating it with a network security group.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Check out these Azure Networking Services Cheat Sheets:

https://tutorialsdojo.com/azure-cheat-sheets-networking-and-content-delivery/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Your organization plans to create a storage account in your Azure subscription.

Due to compliance requirements, you need to deploy your storage account according to the following conditions:

Your data must be replicated to another region to ensure redundancy. Ensure costs are minimized whenever possible.

Block public access to all blobs or containers.

Disable shared key access.

Allows HTTPS traffic only to storage service.

Minimum TLS version – 1.1.

Cool tier must be the default access tier.

Solution: You deploy an ARM template with the following properties:
az104-2-04Does this meet the goal?

Yes
No
A

No

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Azure Storage offers several types of storage accounts. Each type supports different features and has its own pricing model. Consider these differences before you create a storage account to determine the type of account that is best for your applications. The types of storage accounts are:

General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage. It supports LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS replication options.
General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options
BlockBlobStorage accounts: Storage accounts with premium performance characteristics for block blobs and append blobs. Recommended for scenarios with high transaction rates, or scenarios that use smaller objects or require consistently low storage latency. Supports LRS, ZRS replication options
FileStorage accounts: Files-only storage accounts with premium performance characteristics. Recommended for enterprise or high-performance scale applications. Supports LRS, ZRS replication options
BlobStorage accounts: Legacy Blob-only storage accounts. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options

The question states several requirements. Let’s review each condition and determine if the ARM template satisfies the question requirements.

  1. Your data must be replicated to another region to ensure redundancy. Ensure costs are minimized whenever possible.

– The SKU specified is Standard_ZRS. This will only provide redundancy when an availability zone fails, but if the entire region fails, then your data will not be available.

– This does not satisfy the requirement.

  1. Block public access to all blobs or containers.

– There is no declared property for blocking public access. The default value is True.

– This does not satisfy the requirement.

  1. Disable shared key access.

– There is no declared property for shared key access. The default value is True.

– This does not satisfy the requirement.

  1. Allows HTTPS traffic only to storage service.

– There is no declared property requiring HTTPS traffic only to storage service. The default value is True.

– This does not satisfy the requirement.

  1. Minimum TLS version – 1.1.

– There is no declared property forcing minimum TLS requests to Azure storage. The default value is 1.0.

– This does not satisfy the requirement.

  1. Cool tier must be the default access tier.

– There is no declared default access tier. If the access tier is not explicitly stated, the default access tier will be the Hot tier.

– This does not satisfy the requirement.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

Locally Redundant Storage (LRS) vs. Zone-Redundant Storage (ZRS) vs. Geo-Redundant Storage (GRS):

https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Your organization plans to create a storage account in your Azure subscription.

Due to compliance requirements, you need to deploy your storage account according to the following conditions:

Your data must be replicated to another region to ensure redundancy. Ensure costs are minimized whenever possible.

Block public access to all blobs or containers.

Disable shared key access.

Allows HTTPS traffic only to storage service.

Minimum TLS version – 1.1.

Cool tier must be the default access tier.

Solution: You deploy an ARM template with the following properties:
az104-2-05Does this meet the goal?

Yes
No
A

No

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Azure Storage offers several types of storage accounts. Each type supports different features and has its own pricing model. Consider these differences before you create a storage account to determine the type of account that is best for your applications. The types of storage accounts are:

General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage. It supports LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS replication options.
General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options
BlockBlobStorage accounts: Storage accounts with premium performance characteristics for block blobs and append blobs. Recommended for scenarios with high transaction rates, or scenarios that use smaller objects or require consistently low storage latency. Supports LRS, ZRS replication options
FileStorage accounts: Files-only storage accounts with premium performance characteristics. Recommended for enterprise or high-performance scale applications. Supports LRS, ZRS replication options
BlobStorage accounts: Legacy Blob-only storage accounts. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options

The question states several requirements. Let’s review each condition and determine if the ARM template satisfies the question requirements.

  1. Your data must be replicated to another region to ensure redundancy. Ensure costs are minimized whenever possible.

– The SKU specified is Standard_ZRS. This will only provide redundancy when an availability zone fails, but if the entire region fails, then your data will not be available.

– This does not satisfy the requirement.

  1. Block public access to all blobs or containers.

– The property “allowBlobPublicAccess” has a value of false which disables any public access to all blobs or containers. This satisfies the requirement.

– This satisfies the requirement.

  1. Disable shared key access.

– The property “allowSharedKeyAccess” has a value of false which disables any shared access key authorization methods.

– This satisfies the requirement.

  1. Allows HTTPS traffic only to storage service.

– The property “supportsHttpsTrafficOnly” has a value of True, which requires all traffic connecting to the storage account to use HTTPS only.

– This satisfies the requirement.

  1. Minimum TLS version – 1.1.

– The property “minimumTlsVersion” has a value of 1_1 which only allows requests to storage with a minimum of TLS 1.1

– This satisfies the requirement.

  1. Cool tier must be the default access tier.

– There is no declared default access tier. If the access tier is not explicitly stated, then the default access tier will be the Hot tier.

– This does not satisfy the requirement.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

Locally Redundant Storage (LRS) vs. Zone-Redundant Storage (ZRS) vs. Geo-Redundant Storage (GRS):

https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Your organization plans to create a storage account in your Azure subscription.

Due to compliance requirements, you need to deploy your storage account according to the following conditions:

Your data must be replicated to another region to ensure redundancy. Ensure costs are minimized whenever possible.

Block public access to all blobs or containers.

Disable shared key access.

Allows HTTPS traffic only to storage service.

Minimum TLS version – 1.1.

Cool tier must be the default access tier.

Solution: You deploy an ARM template with the following properties:
az104-2-06Does this meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Azure Storage offers several types of storage accounts. Each type supports different features and has its own pricing model. Consider these differences before you create a storage account to determine the type of account that is best for your applications. The types of storage accounts are:

General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage. It supports LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS replication options.
General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options
BlockBlobStorage accounts: Storage accounts with premium performance characteristics for block blobs and append blobs. Recommended for scenarios with high transaction rates, or scenarios that use smaller objects or require consistently low storage latency. Supports LRS, ZRS replication options
FileStorage accounts: Files-only storage accounts with premium performance characteristics. Recommended for enterprise or high-performance scale applications. Supports LRS, ZRS replication options
BlobStorage accounts: Legacy Blob-only storage accounts. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options

The question states several requirements. Let’s review each condition and determine if the ARM template satisfies the question requirements.

  1. Your data must be replicated to another region to ensure redundancy. Ensure costs are minimized whenever possible.

– We must implement a redundancy option that copies your data to a secondary region. We can opt for Geo-zone-redundant storage (GZRS) which provides maximum consistency and redundancy, but one of the requirements also states that we need to minimize costs whenever possible. The bare minimum to satisfy this requirement is to use Geo-redundant storage (GRS) or Standard_GRS.

– This satisfies the requirement.

  1. Block public access to all blobs or containers.

– The property “allowBlobPublicAccess” has a value of false which disables any public access to all blobs or containers. This satisfies the requirement.

– This satisfies the requirement.

  1. Disable shared key access.

– The property “allowSharedKeyAccess” has a value of false which disables any shared access key authorization methods.

– This satisfies the requirement.

  1. Allows HTTPS traffic only to storage service.

– The property “supportsHttpsTrafficOnly” has a value of True, which requires all traffic connecting to the storage account to use HTTPS only.

– This satisfies the requirement.

  1. Minimum TLS version – 1.1.

– The property “minimumTlsVersion” has a value of 1_1 which only allows requests to storage with a minimum of TLS 1.1

– This satisfies the requirement.

  1. Cool tier must be the default access tier.

–The property “accessTier” has a value of Cool which sets the default access tier of the storage account to the Cool tier

– This satisfies the requirement.

Hence, the correct answer is: Yes.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

Locally Redundant Storage (LRS) vs. Zone-Redundant Storage (ZRS) vs. Geo-Redundant Storage (GRS):

https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
  1. Your virtual machines deployed to the 20.2.1.0/24 subnet will have access to the file shares in tdstorageaccount1.
    A. Always
    B. During backup
    C. Never
  2. The unmanaged disks of the virtual machines can be backed up to tdsotrageaccount1 by using Azure Backup.
    A. Always
    B. During backup
    C. Never
A
  1. Never
  2. Never

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Virtual Network service endpoint allows administrators to create network rules that allow traffic only from selected VNets and subnets, creating a secure network boundary for their data. Service endpoints extend your VNet private address space and identity to the Azure services, over a direct connection. This allows you to secure your critical service resources to only your virtual networks, providing private connectivity to these resources and fully removing Internet access. You need to explicitly specify which subnets can access your storage account.

Azure Backup can access your storage account in the same subscription for running backups and restores of unmanaged disks in virtual machines. To enable this, you need to tick the “Allow trusted Microsoft Services to access this storage account” box.

Take note that in the screenshot presented in the scenario, the following observations can be made:

  1. There are two subnets inside TDVnet1, 20.2.0.0/24 and 20.2.1.0/24. The only subnet included in the lists of allowed subnets to tdstorageaccount1 is 20.2.0.0/24. The virtual machines deployed to the subnet 20.2.1.0/24 will never have access to tdstorageaccount1.
  2. The “Allow trusted Microsoft Services to access this storage account” is not enabled. This means that Azure Backup will never have the capability to backup the unmanaged disks of the virtual machines to tdstorageaccount1.

Therefore, your virtual machines in 20.2.1.0/24 will Never have access to the file shares in tdstorageaccount1.

Conversely, Azure Backup will Never be able to backup unmanaged disks of the virtual machines.

References:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

You have an Azure blob storage account in your Azure subscription named TD1, located in the Southeast Asia region.
Due to compliance requirements, data uploaded to TD1 must be duplicated to the Australia Central region for redundancy. The solution must minimize administrative effort.

What should you do?

A. Configure object replication.
B. Configure firewalls and virtual networks.
C. Configure versioning.
D. Configure Geo-redundant storage (GRS).

A

A. Configure object replication.

Explanation:
Object replication asynchronously copies block blobs between a source storage account and a destination account. Some scenarios supported by object replication include:

  1. Minimizing latency. Object replication can reduce latency for read requests by enabling clients to consume data from a region that is in closer physical proximity.
  2. Increase efficiency for compute workloads. With object replication, compute workloads can process the same sets of block blobs in different regions.
  3. Optimizing data distribution. You can process or analyze data in a single location and then replicate just the results to additional regions.
  4. Optimizing costs. After your data has been replicated, you can reduce costs by moving it to the archive tier using life cycle management policies.

The requirement states that whenever data is uploaded to TD1 must be duplicated to Australia Central due to compliance requirements. Since the regional pair of Southeast Asia is East Asia, we won’t be able to use geo-redundant storage (GRS) as we cannot choose the secondary region due to regional pairs. Instead, we can use object replication to copy data from TD1 to a storage account in Australia Central region.

Object replication is supported for general-purpose v2 storage accounts and premium block blob accounts. Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append blobs and page blobs aren’t supported.

Hence, the correct answer is: Configure object replication.

The option that says: Configure firewalls and virtual networks is incorrect because this feature only allows users of Azure storage accounts to block or allow specific traffic to your storage account. It does not have any capability to replicate data to another region.

The option that says: Configure versioning is incorrect because this allows you to automatically maintain previous versions of an object in a single storage account. Although, to use object replication, versioning must be enabled in the source and target storage accounts.

The option that says: Configure Geo-redundant storage (GRS) is incorrect because the data will automatically be stored in East Asia since it is the regional pair of Southeast Asia region. You don’t get to choose the secondary region when enabling geo-redundant storage. Instead, use object replication.

References:

https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-overview

https://learn.microsoft.com/en-us/azure/reliability/cross-region-replication-azure

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You have an Azure subscription that contains a Windows virtual machine named TD1 with the following configurations:

Virtual network: TDVnet1

Public IP Address: 20.10.0.1

Private IP Address: 48.156.83.51

Location: Southeast Asia

You deploy the following Azure DNS zones:

az104-2-09 image
You need to determine which DNS zones can be linked to TDVnet1 and which DNS zones TD1 can be automatically registered.

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. TDVnet1 can be linked to the following DNS zones:
    A. Manila.com and Dagupan.com only
    B. Manila.com and Davao.com only
    C. Dagupan.com and Palawan.com only
    D. Davao.com only and Palawan.com only

TD1 can be automatically registered to the following DNS zones:
A. Davao.com only and Palawan.com only
B. Manila.com and Dagupan.com only
C. Dagupan.com and Palawan.com only
D. Manila.com and Davao.com only

A
  1. B. Manila.com and Davao.com only
  2. D. Manila.com and Davao.com only

Explanation:
Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names available today.

Using custom domain names helps you to tailor your virtual network architecture to best suit your organization’s needs. It provides name resolution for virtual machines (VMs) within a virtual network and between virtual networks. Additionally, you can configure zone names with a split-horizon view, which allows a private and a public DNS zone to share the name.

Once you create a private DNS zone in Azure, it is not immediately accessible from any virtual network. You must link it to a virtual network before a VM hosted in that network can access the private DNS zone.

When you create a link between a private DNS zone and a virtual network, you have an option to turn on autoregistration of DNS records for virtual machines. If you choose this option, the virtual network becomes a registration virtual network for the private DNS zone.

– A DNS record is automatically created for the virtual machines that you deploy in the network. DNS records are created for the virtual machines that you have already deployed in the virtual network.

– One private DNS zone can have multiple registration virtual networks, however, every virtual network can have exactly one registration zone associated with it.

When you create a virtual network link under a private DNS zone and choose not to enable DNS record autoregistration, the virtual network is treated as a resolution only virtual network.

– DNS records for virtual machines deployed in such networks will not be automatically created in the linked private DNS zone. However, the virtual machines deployed in such a network can successfully query the DNS records from the private DNS zone.

– These records may be manually created by you or may be populated from other virtual networks that have been linked as registration networks with the private DNS zone.

– One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated to it.

Take note that you can only link a virtual network and use the auto registration feature to a private DNS zone only.

Therefore, Manila.com and Davao.com only can be linked to TDVNet1 since they are both private DNS zones.

Conversely, TD1 can be automatically registered to Manila.com and Davao.com only because both DNS zones are private DNS zones provided that you enable the auto registration feature.

The following options are incorrect because Dagupan.com and Palawan.com are public DNS zones. You can not use public DNS zones as they do not have the capability to use virtual network links and the auto registration feature.

– Manila.com and Dagupan.com only

– Davao.com and Palawan.com

– Dagupan.com and Palawan.com only

References:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

Check out this Azure DNS cheat sheet:

https://tutorialsdojo.com/azure-dns/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Your company has an Azure subscription that contains virtual networks named TDVnet1, TDVnet2, and TDVnet3.

You peer the virtual networks as shown in the following exhibit.

MultiVnetPeering

You need to identify if the packets can be routed between virtual networks.

What should you identify?

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. TDVnet1 packets can be routed to:
    A. TDVnet3 only
    B. TDVnet2 and TDVnet 3
    C. TDVnet2 Only

TDVnet3 packets can be routed to:
A.TDVnet2 Only
B. TDVnet1 Only
C. TDVnet1 and TDVnet3 only

A
  1. B. TDVnet2 and TDVnet 3
  2. B. TDVnet1 Only

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

Virtual network peering enables you to connect two or more Virtual Networks in Azure seamlessly. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed only through Microsoft’s private network.

In the image above, TDVnet1 is the hub while TDvnet2 and TDVnet3 are the spoke. TDVnet1 can route packets to TDVnet2 and TDVnet3 since they have their own respective peerings, while TDVnet3 can route packets to TDVnet1 only.

Take note that virtual network peerings are non-transitive, meaning virtual networks that are directly peered can only communicate with each other but can’t communicate with the peers of their peers. It would be best to create a peering connection between TDVnet2 and TDVnet3 to route packets with each other.

Therefore, TDVnet1 packets can be routed to TDVnet2 and TDVnet3 because they have their own peerings. TDVnet 2 peers to TDVnet1 and TDVnet3 peers to TDVnet1.

Conversely, TDVnet3 packets can be routed to TDVnet1 only because TDVnet1 has a peering connection with TDVnet3.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You have an Azure subscription that contains a storage account named tdstorageaccount1.

You have 14 TB of files you need to migrate to tdstorageaccount1 using Azure Import/Export service.

You need to identify the two files you need to create before the preparation of the drives for journal file.

Which two files should you create?

A. Driveset CSV file
B. Dataset CSV File
C. ARM template
D. PowerShell PS1 file
E. WAImportExport file

A

A. Driveset CSV file
B. Dataset CSV File

Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files.

Consider using Azure Import/Export service when uploading or downloading data over the network is too slow or getting additional network bandwidth is cost-prohibitive. Use this service in the following scenarios:

– Data migration to the cloud: Move large amounts of data to Azure quickly and cost-effectively.

– Content distribution: Quickly send data to your customer sites.

– Backup: Take backups of your on-premises data to store in Azure Storage.

– Data recovery: Recover large amount of data stored in storage and have it delivered to your on-premises location.

The first step of an import job is the preparation of the drives. This is where you need to generate a journal file. The following files are needed before you create a journal file:

– The Dataset CSV File

– Dataset CSV file is the value of /dataset flag is a CSV file that contains a list of directories and/or a list of files to be copied to target drives. The first step to creating an import job is to determine which directories and files you are going to import.

– This can be a list of directories, a list of unique files, or a combination of those two. When a directory is included, all files in the directory and its subdirectories will be part of the import job.

– The Driveset CSV file

– The value of the /InitialDriveSet or /AdditionalDriveSet flag is a CSV file that contains the list of disks to which the drive letters are mapped so that the tool can correctly pick the list of disks to be prepared.

Hence, the correct answers are:

– Dataset CSV File

– Driveset CSV file

The following options are incorrect because an Azure Import/Export journal file only requires a driveset CSV file and dataset CSV File during the preparation of your drives.

– ARM template

– PowerShell PS1 file

– WAImportExport file

References:

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-data-to-files

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Your company has an Azure subscription that has the following resources shown in the following table:

az104-2-12 image

You create an Azure file share named TDShare1 and an Azure Blob container named TDBlob1 using TDAccount1.

What resources can you backup using TDBackup1 and TDBackup2?

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. TDBackup1 can backup:
    A. TD1Share, TD1, TDSQL1 and TDBlob
    B. TD1Share, TD1, and TDBlob
    C. TDShare1 only
    D. TD1 Only
  2. TDBackup2 can backup:
    A. TD1Share, TD1, TDSQL1 and TDBlob
    B. TD1 Only
    C. TDShare1 only
    D. TD1Share, TD1, and TDBlob
A

1.C. TDShare1 only
2. B. TD1 Only

Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your backup data while minimizing management overhead.

Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Backups are stored in a Recovery Services vault with built-in management of recovery points. Configuration and scaling are simple, backups are optimized, and you can easily restore as needed.

As part of the backup process, a snapshot is taken, and the data is transferred to the Recovery Services vault with no impact on production workloads. The snapshot provides different levels of consistency, as described here.

Azure Backup also has specialized offerings for database workloads like SQL Server running in virtual machines and SAP HANA that is workload-aware, offers 15 minute RPO (recovery point objective), and allows backup and restore of individual databases.

In this scenario, there are two recovery services vaults located in different regions. Take note that you can not backup resources that are located in another region. It is not possible to backup Blob containers and Azure SQL Database using Azure Backup.

Therefore, you can backup TDShare1 only because it resides within the same region as TDBackup1 and you can backup an Azure FileShare using Azure Backup. Also, as you look at the table above, TDAccount1 or the Storage Account service is created in Southeast Asia.

Conversely, TDBackup2 can backup TD1 only because they are in the same region and you can backup Azure virtual machines using Azure Backup.

References:

https://docs.microsoft.com/en-us/azure/backup/backup-overview

https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare

https://docs.microsoft.com/en-us/azure/backup/backup-afs

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You have an application that is hosted on an Azure App service named TDApp1.

You have a custom domain named tutorialsdojo.com that needs to be added to TDApp1.

What should you do first?

A. Add a DNS record
B. Create a Private Endpoint
C. Configure Vnet Integration
D. Modify the app settings

A

A. Add a DNS record

Explanation:
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments. App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, other sources, package management, staging environments, custom domain, and TLS/SSL certificates.

You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have your users access it using either www.tutorialsdojo.com or tutorialsdojo.com as a fully qualified domain name (FQDN).

To do this, you have to create three records:

– A root “A” record pointing to your domain.

– A root “TXT” record for verification

– A “CNAME” record for any subdomain name that your domain has.

Keep in mind that if you create an A record for a web app in Azure, the A record must be manually updated if the underlying IP address for the web app changes.

Hence, the correct answer is: Add a DNS record.

The option that says: Modify the app settings is incorrect because these are simply configurations passed as environment variables to the application code.

The option that says: Create a Private Endpoint is incorrect because this only allows clients located in your private network to securely access the app over a Private Link which helps you eliminate exposure from the public Internet.

The option that says: Configure Vnet integration is incorrect because this is just a feature that enables your apps to access resources in or through a VNet. This type of integration doesn’t enable your apps to be accessed privately. You use this if you want to privately connect to the resources inside a virtual machine.

References:

https://docs.microsoft.com/en-us/azure/app-service/overview

https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

Check out this Azure App Service Cheat Sheet:

https://tutorialsdojo.com/azure-app-service/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Your company has an Azure subscription that contains the following resources:

az104-2-14 scenario image
You have an Azure Recovery Services vault named TDBackup1 that backs up TD1, TD2, and TD3 daily without an Azure Backup Agent.

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. You can execute a file recovery operation TD2 to:
    A. TD3 Only
    B. TD1, TD2, and TD3
    C. TD2 Only
    D. TD1 Only
  2. You can restore TD3 to:
    A. TD2 Only
    B. TD3 Only
    C. TD2 Only
    D. TD1 Only
A
  1. C. TD2 Only
  2. B. TD3 Only

Explanation
Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Backups are stored in a Recovery Services vault with built-in management of recovery points. Configuration and scaling are simple, backups are optimized, and you can easily restore as needed.

To recover a specific file, you must specify the recovery point of your backup and download a script that will mount the disks from the selected recovery point. After the script is successfully downloaded, make sure you have the right machine to execute this script.

When recovering files, you can’t restore files to a previous or future operating system version. For example, you can’t restore a file from a Windows Server 2016 VM to Windows Server 2012 or a Windows 8 computer. You can restore files from a VM to the same server operating system, or to the compatible client operating system.

You can restore a virtual machine with the following options:

– Create a new VM

– Restore Disk

– Replace existing disk (OLR)

As one of the restore options, you can replace an existing VM disk with the selected restore point. The current VM must exist. If it’s been deleted, this option can’t be used. Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify.

Existing disks connected to the VM are replaced with the selected restore point. The snapshot is copied to the vault and retained in accordance with the retention policy.

After the Replace Disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren’t needed.

Therefore, you can perform file recovery to TD2 only because the operating systems of TD1 and TD3 are not compatible with TD2. You need to ensure that the machine you are recovering the file to meets the requirements before executing the script.

Conversely, you can restore TD3 to TD3 only because you can not restore the disk of TD3 to TD1 and TD2. You can only restore a virtual machine by creating a new VM, restoring a disk, or replace the existing VM disk.

References:

https://docs.microsoft.com/en-us/azure/backup/backup-overview

https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

You have an Azure subscription that contains a sync group named TDSync1 which has an associated cloud endpoint called TDCloud1. The file tutorials.docx is included in the cloud endpoint.

You have the following on-premises Windows Server 2019 file servers that you want to synchronize to Azure:

az104-2-15 scenario imageYou first registered FileServer1 as a server endpoint to TDSync1 and then registered FileServer2 as a server endpoint to TDSync1.

For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.

Questions 	Yes 	No	
tutorials.docx on TDCloud1 will be overwritten by tutorials.docx from FileServer1 	
	
dojo.mp4 will be synced to FileServer1	
	
tutorials.docx on FileServer1 will be overwritten by tutorials.docx from TDCloud1
A

Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.

Remember that whenever you make changes to any cloud endpoint or server endpoint in the sync group, it will be synced to the other endpoints in the sync group. If you make a change to the cloud endpoint (Azure file share) directly, changes first need to be discovered by an Azure File Sync change detection job. A change detection job is only initiated for a cloud endpoint once every 24 hours.

Take note that Azure does not overwrite any files in your sync group. Instead, it will keep both changes to files that are changed in two endpoints at the same time. The most recently written change keeps the original file name.

The older file (determined by LastWriteTime) has the endpoint name and the conflict number appended to the filename. For server endpoints, the endpoint name is the name of the server. For cloud endpoints, the endpoint name follows this taxonomy:

– <FileNameWithoutExtension>-<endpointName>[-#].<ext></ext></endpointName></FileNameWithoutExtension>

– For example, tutorials-FileServer1.docx

Azure File Sync supports 100 conflict files per file. Once the maximum number of conflict files has been reached, the file will fail to sync until the number of conflict files is less than 100.

Hence, this statement is correct: dojo.mp4 will be synced to FileServer1.

The following statements are incorrect because Azure File Sync will not overwrite any files in your endpoints. It will simply append a conflict number to the filename of the older file, while the most recent change will retain the original file name.

– tutorials.docx on FileServer1 will be overwritten by tutorials.docx from TDCloud1.

– tutorials.docx on TDCloud1 will be overwritten by tutorials.docx from FileServer1.

References:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

Check out this Azure Files Cheat Sheet:

https://tutorialsdojo.com/azure-file-storage/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Your company has an Azure subscription named TDSubscription1. You have a line-of-business (LOB) application that is hosted on several virtual machines in an Azure virtual machine scale set named TDSet1.

You have an on-premises network that has a site-to-site VPN connection to your Azure environment that allows your users to access your application only.

You need to recommend a solution that will load balance the traffic to your virtual machines coming from the on-premises network.

What are the two possible Azure services that you can implement to satisfy the given requirements?

A. Public Load Balancer
B. Azure Front Door
C. Traffic Manager
D. Azure Application Gateway
E. Internal Load Balancer

A

D. Azure Application Gateway
E. Internal Load Balancer

Explanation:
The term load balancing refers to the distribution of workloads across multiple computing resources. Load balancing aims to optimize resource use, maximize throughput, minimize response time, and avoid overloading any single resource. It can also improve availability by sharing a workload across redundant computing resources.

Azure Application Gateway can be configured with an Internet-facing VIP or with an internal endpoint that is not exposed to the Internet, also known as an internal load balancer (ILB) endpoint. Configuring the gateway with an ILB is useful for internal line-of-business applications that are not exposed to the Internet.

It’s also useful for services and tiers within a multi-tier application that sits in a security boundary that is not exposed to the Internet but still requires round-robin load distribution, session stickiness, or Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), termination.

An internal load balancer distributes traffic to resources that are inside a virtual network. Azure restricts access to the frontend IP addresses of a virtual network that is load balanced. Front-end IP addresses and virtual networks are never directly exposed to an Internet endpoint. Internal line-of-business applications run in Azure and are accessed from within Azure or from on-premises resources.

Take note that in this scenario, the line-of-business application is only accessed by your on-premises network that is connected by a site-to-site VPN connection. This means that access to your virtual machines must be intranet and must use a load balancing service that supports internal load balancing.

Hence, the correct answers are:

– Azure Application Gateway

– Internal Load Balancer

Traffic Manager is incorrect because it only allows you to distribute traffic to your public-facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness. You can not use this to load balance internal traffic to your virtual machines.

Public Load Balancer is incorrect because this simply balances the incoming Internet traffic to your virtual machines. Take note that you need to implement an internal load balancing solution since the on-premises network is connected by a site-to-site VPN connection, which is not directly accessible on the public Internet.

Azure Front Door is incorrect because it just enables you to define, manage, and monitor the global routing for your web traffic. Azure Front Door is a global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications.

References:

https://docs.microsoft.com/en-us/azure/load-balancer/components

https://docs.microsoft.com/en-us/azure/application-gateway/overview

Check out these Azure Networking Services Cheat Sheets:

https://tutorialsdojo.com/azure-load-balancer/

https://tutorialsdojo.com/azure-application-gateway/

Azure Load Balancer vs. Application Gateway vs. Traffic Manager vs. Front Door:

https://tutorialsdojo.com/azure-load-balancer-vs-app-gateway-vs-traffic-manager/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

You purchased an Azure AD Premium P2 license.

You plan to add a local administrator to manage all the computers and devices that will join your domain.

What do you need to configure in Azure Active Directory to satisfy this requirement?

A. Require users to re-register for MFA.
B. Configure group naming policy.
C. Configure device settings.
D. Enable app registrations in user settings.

A

C. Configure device settings.

Explanation:
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources from external resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. It can also be used on internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

To add local administrators that will manage joined devices in Azure AD, you must configure the settings shown in the image above. You can select the users that are granted local administrator rights on a device. These users will be added to the Device Administrators’ role in Azure AD. By default, global administrators in Azure AD and device owners are granted local administrator rights. This configuration is a premium edition capability, and it is available through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).

Hence, the correct answer is: Configure device settings.

The option that says: Require users to re-register for MFA is incorrect because this approach is mainly used for troubleshooting MFA end-user issues. Also, this option won’t help you add local administrators to manage joined devices.

The option that says: Enable app registrations in user settings is incorrect. If this option is enabled, non-admin users can register custom-developed applications within the directory. This option is not needed. Take note that the requirement in the scenario is to add local administrators and not to register applications.

The option that says: Configure group naming policy is incorrect. This option only allows you to add a specific prefix or suffix to the group name and alias of any Microsoft 365 group created by users. Group naming policy is not needed in the scenario because you only need to add local administrators to your domain.

References:

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#manage-the-device-administrator-role

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

You deployed an Ubuntu Server VM named TDAzureVM1.

You created a template based on the configuration of the TDAzureVM1 virtual machine and uploaded it to the Azure Resource Manager (ARM) Library.

You need to provision a new virtual machine named TDAzureVM2 using the same template in ARM.

What can be configured in this custom deployment process?

A. Resource group
B. Availability options
C. Operating system
D. Size of the virtual machine

A

A. Resource group

Explanation:
Azure Resource Manager (ARM) templates are primarily used to implement infrastructure as code for your Azure solutions. The template is a JavaScript Object Notation (JSON) file that defines your project’s infrastructure and configuration. The template uses declarative syntax, which lets you state what you intend to deploy without writing the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.

You can export the template of an existing virtual machine and save it in Azure Resource Manager. The exported template is composed of parameters and template JSON files. In custom deployment (as shown in the figure above), the only options that you can configure are Subscription, Resource Group, and Location.

Hence, the correct answer is: Resource group.

The following options are incorrect because you can only change the subscription, resource group, and location in the custom deployment process. Remember that the operating system, availability options, and size of VM are already configured in the ARM template.

– Operating system

– Availability options

– Size of the virtual machine

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-secured-vm-from-template

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview

Check out this Azure Global Infrastructure Cheat Sheet:

https://tutorialsdojo.com/azure-global-infrastructure/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

You created a resource group and added the resources shown in the table below.
az104-2-19 image

The backup of VM1 is stored in RSV1.

You plan to delete the resource group after 30 days.

What should you do first to delete the resource group?

A. Stop the backup of VM1.
B. Delete VM1.
C. Delete storage1.
D. Restart VM1.

A

A. Stop the backup of VM1.

Explanation:
Azure Backup is a cost-effective, secure, one-click backup solution that’s scalable based on your backup storage needs. The centralized management interface makes it easy to define backup policies and protect a wide range of enterprise workloads, including Azure Virtual Machines, SQL and SAP databases, and Azure file shares.

You can’t delete a Recovery Services vault with any of the following dependencies:

– You can’t delete a vault that contains protected data sources.

– You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft-deleted state.

– You can’t delete a vault that contains backup data in the soft-deleted state.

– You can’t delete a vault that has registered storage accounts.

Based on the given scenario, the backup is still running. If you try to delete the vault without removing the dependencies, you will receive an error message “Failed to delete resource group.” To resolve this problem, you must stop the backup first, then disable soft delete and delete the resource group.

Hence, the correct answer is: Stop the backup of VM1.

The following options are incorrect because you need to stop the backup first before you can delete the resource group.

– Delete VM1.

– Delete storage1.

– Restart VM1.

References:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

https://docs.microsoft.com/en-us/azure/backup/backup-overview

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

`

Your company has an Azure Log Analytics workspace in their Azure subscription.

You are instructed to find the error in the table named EventLogs.

Which log query should you run in the workspace?

A. search in (EventLogs) “error”
B. search “error”
C. EventLogs | take 10
D. EventLogs | sort by TimeGenerated desc

A

A. search in (EventLogs) “error”

Explanation:
Azure Monitor is a service in Azure that provides performance and availability monitoring for applications and services in Azure, other cloud environments, or on-premises. Azure Monitor collects data from multiple sources into a common data platform where it can be analyzed for trends and anomalies. Rich features in Azure Monitor assist you in quickly identifying and responding to critical situations that may affect your application.

To retrieve data in the Log Analytics workspace, you need to use a Kusto Query Language (KQL). Remember that there are different types of log queries in Azure Monitor. Based on the given question, you only need to find the “error” in the table named “EventLogs.”

With search queries, you can find the specific value that you need in your table. This query searches the “TableName” table for records that contains the word “value”:

search in (TableName) “value”

If you omit the “in (TableName)“ part and just run the search “value”, the search will go over all tables, which would take longer and be less efficient.

Hence, the correct answer is: search in (EventLogs) “error”.

The option that says: EventLogs | take 10 is incorrect because this option would only take 10 results in the EventLogs table. Remember that the requirement in the scenario is to show all the logs containing the word “error” in the table named EventLogs.

The option that says: search “error” is incorrect because this query would search “error” in all the tables. Take note that you only need to query the table EventLogs.

The option that says: EventLogs | sort by TimeGenerated desc is incorrect because this query will only sort the entire EventLogs table by the TimeGenerated column.

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-queries

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-analytics-tutorial

Check out this Azure Monitor Cheat Sheet:

https://tutorialsdojo.com/azure-monitor/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

You plan to use an Azure Resource Manager (ARM) template to create a virtual machine scale set that will launch five Ubuntu servers.

You need to make sure that NGINX is installed in all the virtual machines.

What should you use?

A. Azure Policy
B. Azure Custom Script Extension
C. Azure Service Bus
D. Azure Blueprints

A

B. Azure Custom Script Extension

Explanation:
Incorrect

Azure Virtual Machine Scale Sets let you create and manage a group of load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications and allow you to centrally manage, configure, and update a large number of VMs. With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and container workloads.

You can use Custom Script Extension to download and execute scripts on Azure VMs. This extension is useful for post-deployment configuration, software installation, or any other configuration/management task. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run-time. The Custom Script extension integrates with Azure Resource Manager templates, and can also be used with the Azure CLI, Azure PowerShell, Azure portal, or the REST API.

Hence, the correct answer is: Azure Custom Script Extension.

Azure Blueprints is incorrect because you can’t use Blueprints to execute scripts and install NGINX in virtual machines. The Azure Blueprints service simply enables you to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. This service doesn’t execute custom scripts.

Azure Policy is incorrect because this service is mainly used to create, assign, and manage policies across your organization.

Azure Service Bus is incorrect because this is just a fully managed enterprise message broker with message queues and public-subscribe topics. This service is not capable of installing NGINX in virtual machines.

References:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

Check out this Azure Virtual Machine Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

22
Q

You created a web app named tdwebapp-prod using Azure App Service.

Several users are complaining that they received HTTP 500 errors whenever they try to connect to tdwebapp-prod.

You must grant the developers real-time access to the application in order to view the connection error details.

What should you do?

A. Enable the Web Server Logging feature.
B. Enable the Application Logging feature.
C. Create a security playbook.
D. Create resource health alerts.

A

A. Enable the Web Server Logging feature.

Explanation:
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments. App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domain, and TLS/SSL certificates.

Since you are dealing with raw HTTP requests data, you need to enable Web Server Logging in Azure App Service. Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on. For web server logging, you can store the logs in a storage or file system and set the number of days the logs should be retained.

Hence, the correct answer is: Enable the Web Server Logging feature.

The option that says: Create a security playbook is incorrect because this is just a collection of procedures that can be run from Microsoft Sentinel in response to an alert. Take note that web server logging is not directly supported in Microsoft Sentinel.

The option that says: Enable Application Logging feature is incorrect because HTTP 500 is an internal server error. This means that there is a problem with the web server itself. To help you find the root cause, you can enable the Web Server Logging feature in Azure App Service.

The option that says: Create resource health alerts is incorrect because this option only sends resource health notifications. If you need to find information about HTTP requests in your web app, you need to enable web server logging.

References:

https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs

https://azure.microsoft.com/en-in/services/app-service/

Check out this Azure App Service Cheat Sheet:

https://tutorialsdojo.com/azure-app-service/

23
Q

You deployed ten web servers that are running in Windows Server 2019 virtual machines behind an Azure load balancer. The virtual machines host a stateless web application.

You need to ensure that successive requests from the same client IP address and protocol will be handled by the same virtual machine.

What should you configure in the load balancer?

A. Enable floating IP.
B. Configure Client IP as the session persistence type.
C. Set the session persistence to Client IP and protocol.
D. Set idle timeout to the maximum available limit.

A

C. Set the session persistence to Client IP and protocol.

Explanation:
Azure Load Balancer is a Layer-4 (TCP, UDP) load balancer that provides high availability by distributing incoming traffic among healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to an operational VM. You define a front-end IP configuration that contains one or more public IP addresses. This front-end IP configuration allows your load balancer and applications to be accessible over the Internet.

To redirect the client request to the same virtual machine, you need to add a session persistence in the load balancing rule. Session persistence specifies that traffic from a client should be handled by the same virtual machine in the backend pool for the duration of a session.

There are three options in session persistence:

– None – specifies that successive requests from the same client may be handled by any virtual machine.

– Client IP – specifies that the same virtual machine will handle successive requests from the same client IP address.

– Client IP and protocol – specifies that the same virtual machine will handle successive requests from the same client IP address and protocol combination.

Since the requirement in the scenario is to handle the same client IP address and protocol, you need to set the Session Persistence to Client IP and protocol.

Hence, the correct answer is: Set the session persistence to Client IP and protocol.

The option that says: Configure Client IP as the session persistence type is incorrect because the requirement in the scenario is the same client IP address and protocol. This type of configuration is only applicable if you want to persist the same client IP address, excluding its protocol.

The option that says: Set idle timeout to the maximum available limit is incorrect because the maximum available limit in idle timeout is 30 minutes. Also, idle timeout is used to keep TCP or HTTP connections open without relying on clients to send keep-alive messages. You don’t need to set idle timeout because the only requirement is to redirect the same client IP address and protocol to the same virtual machine.

The option that says: Enable Floating IP is incorrect because this feature just changes the IP address mapping to the front-end IP of the load balancer. The Floating IP feature is not capable of handling sticky sessions.

References:

https://docs.microsoft.com/en-us/azure/load-balancer/manage

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

Check out this Azure Load Balancer Cheat Sheet:

https://tutorialsdojo.com/azure-load-balancer/

24
Q

You deployed a legacy application in a single Azure virtual machine. Due to its tightly-coupled dependencies, the application cannot be hosted on multiple virtual machines.

At the end of each month, the CPU Utilization of the virtual machine reaches its peak when the application processes the month-end data. To resolve this problem, you need to schedule a monthly runbook to improve the vCPU performance of the virtual machine.

Which of the following should you add to the runbook?

A. Add the Azure Performance Diagnostics VM Extension.
B. Scale up the virtual machine by changing its VM size property.
C. Add the virtual machine to a scale set.
D. Set the Desired State Configuration Extension.

A

B. Scale up the virtual machine by changing its VM size property.

Explanation:
Azure Automation delivers a cloud-based automation and configuration service that supports consistent management across your Azure and non-Azure environments. It comprises process automation, configuration management, update management, shared capabilities, and heterogeneous features. Automation gives you complete control during deployment, operations, and decommissioning of workloads and resources.

The requirement in the scenario is to improve the vCPU performance of the virtual machine at the end of each month. There are two options to improve the vCPU performance of the virtual machine. The first option is to scale up and the second option is to scale out. Since scale-out is not supported by the application, you would need to use the first option. Scaling up the virtual machine will increase its size in response to the workload.

Hence, the correct answer is: Scale up the virtual machine by changing its VM size property.

The option that says: Add the virtual machine to a scale set is incorrect because the application does not support multiple virtual machines. Take note that a VM scale set is a group of load-balanced VMs.

The option that says: Add the Azure Performance Diagnostics VM Extension is incorrect as this feature only collects performance diagnostic data from your Windows VM. This will not improve the CPU performance of your virtual machine.

The option that says: Set the Desired State Configuration Extension is incorrect because this option won’t help you increase the size of the VM. This feature only bootstraps a VM to the Azure Automation State Configuration (DSC) service and doesn’t upgrade the vCPU of the VM. You need to scale up the VM to improve its performance at the end of each month.

References:

https://docs.microsoft.com/en-us/azure/automation/shared-resources/schedules

https://docs.microsoft.com/en-us/azure/automation/start-runbooks

Check out this Azure Virtual Machine Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

25
Q

You are managing a business-critical application hosted in a virtual machine that is associated with your Azure subscription. The virtual machine has a managed disk and a network interface.

You are planning to make the following changes:

Create and attach a new disk.

Change the VM size.

Detach a network interface.

Move the VM to a new resource group.

Add a Desired State Configuration (DSC) extension.

Which of the following changes would cause system downtime?

A. Detaching a network interface.
B. Creating and attaching a new disk.
C. Changing the VM size.
D. Moving the VM to a new resource group.

A

C. Changing the VM size.

Explanation:
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment. An Azure VM gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it. However, you still need to maintain the VM by performing tasks, such as configuring, patching, and installing the software that runs on it.

Based on the given scenario, the VM is currently running a business-critical application. There are two ways to change the size of a VM, the first option is to stop the VM, change the size of the VM in the size settings, and start the VM again. The second option is to resize the VM when the VM is in a running state. Take note that if the virtual machine is currently running, changing its size will cause it to be restarted and will result in system downtime.

Hence, the correct answer is: Changing the VM size.

The option that says: Creating and attaching a new disk is incorrect because adding a new disk to your virtual machine won’t cause system downtime. Take note that you can attach multiple disks while the virtual machine is running.

The option that says: Detaching a network interface is incorrect because if the virtual machine is in a running state, the detach network interface option in the networking settings is greyed out. You need to stop the virtual machine first before you can detach/attach a network interface.

The option that says: Move the VM to a new resource group is incorrect because this option also won’t cause downtime in your application. A resource group is simply a logical grouping of your VMs.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm

https://azure.microsoft.com/en-us/blog/resize-virtual-machines/

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

26
Q

A company plans to deploy an Azure Virtual Machine with the following parameters:

Region: South Central US

OS disk type: Standard HDD

Ultra Disk compatibility: Disabled

Managed disks: Disabled

To prevent downtime, you need to make sure that the instance can be moved in different Availability Zones using Site Recovery.

Which parameter should be modified?

A. Managed disks
B. OS disk type
C. Ultra Disk compatibility
D. Region

A

A. Managed disks

Explanation:
Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to a secondary location, and access apps from there. After the primary location is running again, you can fail back to it.

Site Recovery can manage replication for:

– Azure VMs replicating between Azure regions
– Replication from Azure Public Multi-Access Edge Compute (MEC) to the region
– Replication between two Azure Public MECs
– On-premises VMs, Azure Stack VMs, and physical servers

Managed disks are designed to have a 99.999% uptime. Managed disks achieve this by storing three copies of your data, resulting in high durability. If one or two replicas fail, the remaining replicas help ensure data persistence and high failure tolerance.

With Azure Site Recovery, you can move single-instance VMs into Availability Zones in a target region. However, in order to move a VM to an Availability Zone, you must first ensure that the VM is using managed disks. You can also convert existing Windows VMs that use unmanaged disks to use managed disks.

Hence, the correct answer is: Managed disks.

Region is incorrect because South Central US already allows you to select Availability Zone as an option. This means that you can move the VM to different AZs. Take note that some Regions or locations don’t support AZs.

OS disk type is incorrect because it doesn’t matter what type of disk the VM is using, if you already enabled “use managed disks” in advanced disk configuration.

Ultra Disk compatibility is incorrect because the requirement is not related to data-intensive workloads. You only need to ensure that the VMs can be moved to a different AZ in the event of a disaster.

References:

https://learn.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

27
Q

Your company has an Azure subscription that is used by several departments. The resources in the subscription are listed in the table below.

az104-2-27

There’s another Azure Administrator who created several virtual machines and storage accounts using an ARM template. You need to find the template that was used to deploy the new resources.

From which blade can you view the newly created ARM template?

A. tutorialsdojoBC01
B. tutorialsdojoShare01
C. tutorialsdojoStorage01
D. tutorialsdojoRG01

A

D. tutorialsdojoRG01

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization.

Generally, you should add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

To view the ARM template that was used to deploy the resources, you can go to the resource group deployment settings and select the view template. If you select a template, you can check the inputs, outputs, and the template used during deployment. Remember that you can’t change the configuration of a template after you deployed it. Remember that in the ARM template of the virtual machine, you can find the resources associated with that specific virtual machine only.

Hence, the correct answer is: tutorialsdojoRG01.

The following options are incorrect because the ARM template that was used in the deployment can only be found in the resource group.

– tutorialsdojoBC01

– tutorialsdojoShare01

– tutorialsdojoStorage01

References:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-portal

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview

Check out this Azure Global Infrastructure Cheat Sheet:

https://tutorialsdojo.com/azure-global-infrastructure/

Azure Global Infrastructure:

28
Q

Your company has an Azure subscription named TD-Sub1 that contains the resources shown in the table below.

az104-2-28You created a new Azure subscription named TD-Sub2.

You plan to move the resources from TD-Sub1 to TD-Sub2.

Which resources in TD-Sub1 can you move to the new subscription?

A. Virtual machine, Virtual network, Recovery Services vault, and Storage account
B. Virtual machine, Virtual network, and Storage account
C. Virtual machine, Virtual network, and Recovery Services vault
D. Virtual machine and Virtual network

A

A. Virtual machine, Virtual network, Recovery Services vault, and Storage account

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

If you need to move your resources to a new subscription or resource group under the same subscription, you can use Azure portal, Azure PowerShell, Azure CLI, or the REST API. Take note that when you move a resource to a new resource group or subscription, the location of the resource won’t change.

Hence, the correct answer is: Virtual machine, Virtual network, Recovery Services vault, and Storage account.

The following options are incorrect because you can move all these resources to a new subscription or resource group.

– Virtual machine, Virtual network, and Storage account

– Virtual machine, Virtual network, and Recovery Services vault

– Virtual machine and Virtual network

References:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

Check out this Azure Global Infrastructure Cheat Sheet:

https://tutorialsdojo.com/azure-global-infrastructure/

Azure Global Infrastructure:

29
Q

You deployed a System Center Service Manager on your computer and a virtual machine in your Azure subscription.

You plan to create an alert for the Service Manager to notify you if the available memory on the virtual machine is less than 15%.

What should you create first?

A. Configure an automation runbook.
B. Create an IT Service Management Connector.
C. Set up a function app using Azure Functions.
D. Create a connection monitor.

A

B. Create an IT Service Management Connector.

Explanation:
IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service. The ITSM connector provides a connection between Azure and ITSM tools to help users resolve troubleshooting issues that are detected by Azure services, such as Azure Monitor and Log Analytics that reside in an ITSM service. ITSMC supports connections with the ITSM tools, such as ServiceNow, System Center Service Manager, Provance, and Cherwell.

With ITSMC, you can:

– Create work items in your ITSM tool, based on your Azure alerts (metric alerts, activity log alerts, and Log Analytics alerts).

– Sync your incident and change request data from your ITSM tool to an Azure Log Analytics workspace.

Before you can create a connection in ITSM, you must first install the ITSMC in the Azure Log Analytics workspace. To create work items in your ITSM tool based on Azure alerts, you’ll need to use the ITSM action in action groups. The action groups provide a modular and reusable way to trigger actions for your Azure alerts.

Hence, the correct answer is: Create an IT Service Management Connector.

The option that says: Set up a function app using Azure Functions is incorrect because the function app is not supported in Service Manager. You must use the ITSM connector in this scenario.

The option that says: Create a connection monitor is incorrect because you can’t create an alert in the connection monitor. This feature is primarily used to track connection reachability, latency, and topology changes of your network connection.

The option that says: Configure an automation runbook is incorrect because the automation runbook is not supported in Service Manager. This option only allows you to automate your Azure management tasks and orchestrate actions across external systems.

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-overview

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-connections

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

Check out this Azure Monitor Cheat Sheet:

https://tutorialsdojo.com/azure-monitor/

30
Q

You are managing an Azure Active Directory (Azure AD) tenant and Microsoft 365 tenant.

You need to grant several users that must belong to the same Azure group temporary access to the Microsoft SharePoint document library. The group must automatically be deleted after 180 days for compliance purposes.

Which two actions could you perform?

A. Set up an assigned membership on Microsoft 365 groups.
B. Set up a dynamic membership on Microsoft 365 groups.
C. Set up an assigned membership on security groups.
D. Set up a dynamic membership on security groups.
E. Set up an external identity provider.

A

A. Set up an assigned membership on Microsoft 365 groups.
B. Set up a dynamic membership on Microsoft 365 groups.

Explanation:
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in external (such as Microsoft 365, the Azure portal, and thousands of other SaaS applications) and internal resources (such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization).

When creating a new group in Azure Active Directory, you can select two types of membership.

-The assigned membership type lets you add specific users to be members of the group and to have unique permissions.

-While dynamic membership type lets you add and remove members automatically based on your dynamic membership rules (user attributes such as department, location, or job title).

Since you need to delete the groups automatically, you can set an expiration policy in Microsoft 365 groups. Take note that when a group expires, all of its associated services will also be deleted.

Hence, the correct answers are:

– Set up a dynamic membership on Microsoft 365 groups.

– Set up an assigned membership on Microsoft 365 groups.

The options that say: Set up an assigned membership on security groups and Set up a dynamic membership on security groups are incorrect because security groups can only be used for devices or users and not for groups.

The option that says: Set up an external identity provider is incorrect because external identities only allow users outside your organization to access your resources. This option won’t help you create an expiration policy.

References:

https://docs.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-groups-expiration-policy

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

31
Q

Your company has several client computers at the office headquarters. Two years ago, you migrated the on-premises directory to Azure AD.

To meet the compliance requirement, personal and corporate devices must be registered and joined to the Azure AD domain.

You received a report that a user cannot register her personal device to Azure AD. Upon checking, the user was able to register her other devices in the past. You also verified that all other users were able to join their devices to Azure AD last month.

You need to make sure that the user can access and join her new device to Azure AD.

What must be done to satisfy the above requirement?

A. Assign a new role to the user.
B. Modify the maximum number of devices per user in the device settings.
C. Move the user to a new group.
D. Add a custom domain name.

A

B. Modify the maximum number of devices per user in the device settings.

Explanation:
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in external and internal resources.

The device settings in Azure AD allows you to customize the maximum number of devices per user. It can be 5, 10, 20, or unlimited. If the users reached the limit, they will not be allowed to add new devices until one or more devices have been removed.

Hence, the correct answer is: Modify the maximum number of devices per user in the device settings.

The option that says: Move the user to a new group is incorrect because even if you move the user to a different group, the user won’t be able to access Azure AD. You need to modify the maximum number of devices in the device settings.

The option that says: Add a custom domain name is incorrect because creating a new custom domain is not needed in the scenario. The user won’t still access Azure AD.

The option that says: Assign a new role to the user is incorrect because a new role won’t resolve the problem of the user. Remember that the user was able to register and join her other devices to Azure AD in the past. Therefore, the role associated with her doesn’t have any issues at all. You must modify the maximum number of devices in Azure AD.

References:

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

32
Q

You are managing an Azure subscription that contains the following resources:

az104-2-32 scenario image

You plan to configure a proximity placement group for the TD-VMSS1 virtual machine scale set.

Which of the following proximity placement groups should you use?

A. TD-Proximity1 and TD-Proximity3
B. TD-Proximity3
C. TD-Proximity1, TD-Proximity2, and TD-Proximity3
D. TD-Proximity2

A

B. TD-Proximity3

Explanation:
Azure virtual machine scale sets let you create and manage a group of load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications and allow you to centrally manage, configure, and update a large number of VMs. With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and container workloads.

A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close to each other. Proximity placement groups are useful for workloads where low latency is a requirement. When you assign your virtual machines to a proximity placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your applications.

It is stated in the scenario that you must configure a placement group for TD-VMSS1. Among the given placement groups, you can only assign TD-Proximity3 since it belongs to the same region as TD-VMSS1. Remember that when you are configuring a proximity placement group for a virtual machine scale set. Both the placement group and scale set must be in the same region.

Hence, the correct answer is: TD-Proximity3.

The option that says: TD-Proximity2 is incorrect because TD-VMSS1 is located in East Asia and not in Australia East. Although both TD-VMSS1 and TD-Proximity2 belong to the same resource group, take note that the location of the resource group is irrelevant in this scenario. You should assign TD-VMSS1 to the TD-Proximity3 placement group to satisfy the requirement.

The option that says: TD-Proximity1 and TD-Proximity3 is incorrect. You can’t configure TD-Proximity1 for TD-VMSS1 since the location of TD-Proximity1 is in Southeast Asia while TD-VMSS1 is in Australia East. The region of the virtual machine scale set and the proximity placement group should be the same.

The option that says: TD-Proximity1, TD-Proximity2, and TD-Proximity3 is incorrect because you can only assign TD-VMSS1 in TD-Proximity3. In this scenario, both the virtual machine scale set and proximity placement group must be in the same region.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/proximity-placement-groups-portal

https://azure.microsoft.com/en-us/blog/announcing-the-general-availability-of-proximity-placement-groups/

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

33
Q
  1. Alert Rules
    A. 1
    B. 4
    C. 2
    D. 3
  2. Action Groups
    A. 2
    B. 1
    C. 3
    D. 4
A

B. 4
C. 3

Explanation:
Action rules help you define or suppress actions at any Azure Resource Manager scope (Azure subscription, resource group, or target resource). It has various filters that can help you narrow down the specific subset of alert instances that you want to act on.

An action group is a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered. Various alerts may use the same action group or different action groups depending on the user’s requirements.

The requirement in the scenario is to identify how many alert rules and action groups should be created. Based on the given signal types, you should create four alert rules. Take note that you need to create one alert rule per signal type.

For the action groups, you only need to create 3 action groups because the users that will be notified for Availability and Create/Update Storage Account are the same (User 1, User 2, and User 3). Remember that action groups are created for each unique set of users that will be notified.

Therefore, the correct answers are:

– Alert rules = 4

– Action groups = 3

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

Check out this Azure Monitor Cheat Sheet:

https://tutorialsdojo.com/azure-monitor/

34
Q

Questions Yes No
TD-User2 can add TD-Device1 to TD-SG1.

TD-User1 can add TD-Device2 to TD-SG1.

TD-User1 can add TD-Device2 to TD-SG2.

A

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in external (such as Microsoft 365, the Azure portal, and thousands of other SaaS applications) and internal resources (such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization).

Azure Role-Based Access Control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don’t meet the specific needs of your organization, you can create your own Azure custom roles. For the given scenario, the Owner role has full access to manage all resources, including the ability to assign roles in Azure RBAC.

In the given scenario, there are three Azure AD roles:

  1. User Administrator role – can create users and manage all aspects of users with some restrictions, and can update password expiration policies. Additionally, users with this role can create and manage all groups.
  2. Cloud Device Administrator role – can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permission to manage any other properties on the device.
  3. Security Administrator role – has permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance Center.

To organize users or devices by geographic location, department, or hardware characteristics, you can create the following types of groups:

  1. Assigned – the Administrators can manually assign users or devices to this group, and manually remove users or devices.
  2. Dynamic – automatically add/remove users or devices to user groups or device groups based on an expression you create. For example, when a user is added with the manager title, the user is automatically added to an All managers users group. Or, when a device has the iOS/iPadOS device OS type, the device is automatically added to an All iOS/iPadOS devices group.

To get a device in Azure AD, you have multiple options:

  1. Azure AD registered – devices that are Azure AD registered are typically personally owned or mobile devices, and are signed in with a personal Microsoft account or another local account.
  2. Azure AD joined – devices that are Azure AD joined are owned by an organization, and are signed in with an Azure AD account belonging to that organization. They exist only in the cloud.
  3. Hybrid Azure AD joined – devices that are hybrid Azure AD joined are owned by an organization and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.

The statement that says: TD-User1 can add TD-Device2 to TD-SG1 is correct because TD-User1 has the role of User Administrator and also the owner of TD-SG1. Since the membership type of TD-SG1 is assigned, TD-User1 would be able to add or assign TD-Device2 to the group.

The statement that says: TD-User2 can add TD-Device1 to TD-SG1 is incorrect. Take note that the Cloud Device Administrator role can only manage devices in Azure AD. The role does not have permission to manage a group like a User Administrator role. But if TD-User2 is the owner of TD-SG1, then it has the permission to add TD-Device1 to TD-SG1.

The statement that says: TD-User1 can add TD-Device2 to TD-SG2 is incorrect because TD-SG2 is a dynamic group. This means that users and devices are automatically added to the group. In short, TD-User1 can’t manually add or remove users and devices in TD-SG2.

References:

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Check out these Azure Active Directory and Azure RBAC Cheat Sheets:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

https://tutorialsdojo.com/azure-role-based-access-control-rbac/

35
Q

You deployed an Ubuntu server using Azure Virtual Machine.

You received an email notification that your resources will be affected by the planned maintenance.

You need to migrate the virtual machine to a new Azure host.

Solution: Move the virtual machine to a new resource group.

Does the solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment. An Azure VM gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it. However, you still need to maintain the VM by performing tasks, such as configuring, patching, and installing the software that runs on it.

The requirement in this scenario is to migrate the VM to a new Azure host. Moving the VM to a new resource group doesn’t mean that it is also moved to a new host. A resource group is just a container that holds related resources. Instead of moving the virtual machine to a new resource group, you must select the redeploy button in the Support + Troubleshooting section.

Take note that when you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on. This means that the virtual machine will be unavailable when the redeployment is in progress.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/redeploy-to-new-node-linux

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/redeploy-to-new-node-windows

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

36
Q

You deployed an Ubuntu server using Azure Virtual Machine.

You received an email notification that your resources will be affected by the planned maintenance.

You need to migrate the virtual machine to a new Azure host.

Solution: Redeploy the virtual machine.

Does the solution meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment. An Azure VM gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it. However, you still need to maintain the VM by performing tasks, such as configuring, patching, and installing the software that runs on it.

When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on. This means that the virtual machine will be unavailable when the redeployment is in progress. Since the requirement in the scenario is to migrate the VM to a new Azure host then redeploying the virtual machine will satisfy the requirement.

Hence, the correct answer is: Yes.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/redeploy-to-new-node-linux

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/redeploy-to-new-node-windows

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

37
Q

You deployed an Ubuntu server using Azure Virtual Machine.

You received an email notification that your resources will be affected by the planned maintenance.

You need to migrate the virtual machine to a new Azure host.

Solution: Move the virtual machine to another subscription.

Does the solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment. An Azure VM gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it. However, you still need to maintain the VM by performing tasks, such as configuring, patching, and installing the software that runs on it.

Changing the associated subscription of your Azure Virtual Machines won’t cause any internal changes. Take note that when you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on. This means that the virtual machine will be unavailable when the redeployment is in progress.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/redeploy-to-new-node-linux

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/redeploy-to-new-node-windows

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

38
Q

Note: This item is part of a series of case study questions with the exact same scenario but with a different proposed answer. Each one in the series has a unique solution that may, or may not, comply with the requirements specified in the scenario.

Your company has an Azure subscription that contains a virtual network with a subnet named TDSub1 and a virtual machine named TD1 with a public IP address and is configured to allow Remote Desktop Connections.

TDSub1 is the subnet of TD1.

You created two network security groups named TDSG-TD1 attached to the network interface of TD1 and TDSG-TDSub1 attached to TDSub1.

TDSG-TDSub1 uses default inbound security rules while TDSG-TD1 has the default inbound security rules with a custom rule:

Name: RDP
Priority: 100
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: ICMP
Action: Allow

You need to ensure that you can connect to TD1 from the Internet using Remote Desktop connections.

Solution: You add an inbound security rule to TDSG-TDSub1 with the following configuration:

Priority: 200
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: TCP
Action: Allow

Does this meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

The solution in this scenario states that you will add a new inbound security rule that allows port 3389 traffic from the Internet using TCP protocol to TDSG-TDSub1.

In the image above, the Remote Desktop connection will first be evaluated by the security rules in TDSG-TDSub1, since it is associated to TDSub1 and TD1 is in TDSub1. The connection is allowed and will be evaluated next by TDSG-TD1. The connection is then denied by TDSG-TD1 because the custom rule only allows port 3389 traffic from the Internet using ICMP protocol.

You should modify the current custom rule of TDSG-TD1 by changing the ICMP protocol to TCP protocol or you can create a new inbound security rule in TDSG-TD1 that allows port 3389 traffic from the Internet using TCP protocol.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

39
Q

Note: This item is part of a series of case study questions with the exact same scenario but with a different proposed answer. Each one in the series has a unique solution that may, or may not, comply with the requirements specified in the scenario.

Your company has an Azure subscription that contains a virtual network with a subnet named TDSub1 and a virtual machine named TD1 with a public IP address and is configured to allow Remote Desktop Connections.

TDSub1 is the subnet of TD1.

You created two network security groups named TDSG-TD1 attached to the network interface of TD1 and TDSG-TDSub1 attached to TDSub1.

TDSG-TDSub1 uses default inbound security rules while TDSG-TD1 has the default inbound security rules with a custom rule:

Name: RDP
Priority: 100
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: TCP
Action: Allow

You need to ensure that you can connect to TD1 from the Internet using Remote Desktop connections.

Solution: You add an inbound security rule to TDSG-TDSub1 with the following configuration:

Priority: 200
Source: Service tag
Source port range: Virtual Network
Destination: *
Destination port range: 3389
Protocol: TCP
Action: Allow

You disassociate TDSG-TD1 from the network interface of TD1.

Does this meet the goal?

A. No
B. Yes

A

A. No

Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

In the image above, the Remote Desktop connection will first be evaluated by the security rules in TDSG-TDSub1, since it is associated to TDSub1 and TD1 is in TDSub1. Take note that TDSG-TDSub1 uses only the default security rules, the connection is denied by the DenyAllInbound default security rule, and never evaluated by TDSG-TD1 since TDSG-TD1 is associated to the network interface. If TDSG-TDSub1 has a security rule that allows port 3389 from the Internet, the traffic is then processed by TDSG-TD1.

It is recommended that you associate a network security group to a subnet or a network interface, but not both. Since rules in a network security group associated with a subnet can conflict with rules in a network security group associated with a network interface, you can have unexpected communication problems that require troubleshooting.

To allow port 3389 from the Internet to TD1, you create an inbound security rule to TDSG-TDSub1 that allows port 3389 from the Internet instead of the virtual network service tag and you disassociate TDSG-TD1 from the network interface of TD1.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Network Security Group (NSG) vs Application Security Group (ASG):

https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group/

40
Q

Note: This item is part of a series of case study questions with the exact same scenario but with a different proposed answer. Each one in the series has a unique solution that may, or may not, comply with the requirements specified in the scenario.

Your company has an Azure subscription that contains a virtual network with a subnet named TDSub1 and a virtual machine named TD1 with a public IP address and is configured to allow Remote Desktop Connections.

TDSub1 is the subnet of TD1.

You created two network security groups named TDSG-TD1 attached to the network interface of TD1 and TDSG-TDSub1 attached to TDSub1.

TDSG-TDSub1 uses default inbound security rules while TDSG-TD1 has the default inbound security rules with a custom rule:

Name: RDP
Priority: 100
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: UDP
Action: Allow

You need to ensure that you can connect to TD1 from the internet using Remote Desktop connections.

Solution: You add an inbound security rule to TDSG-TDSub1 and TDSG-TD1 with the following configuration:

Priority: 200
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: Any
Action: Allow

Does this meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Take note that the solution in this scenario states that you will add a new inbound security rule that allows port 3389 traffic from the Internet using TCP protocol to TDSG-TDSub1 and TDSub1.

In the image above, the Remote Desktop connection will first be evaluated by the security rules in TDSG-TDSub1, since it is associated to TDSub1 and TD1 is in TDSub1. The connection is allowed and will be evaluated next by TDSG-TD1. The connection is then ALLOWED by TDSG-TD1 because the newly created custom rule allows port 3389 traffic from the Internet by using Any protocol. You will now be able to connect to TD1.

Hence, the correct answer is: Yes.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

Network Security Group (NSG) vs Application Security Group (ASG):

https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group/

41
Q

Your company has a subscription to Azure that has multiple virtual machines.

You have been tasked to manage all computing resources.

You must determine unattached disks that can be deleted in order to reduce costs.

Which of the following options should you use?

A. Use Azure Advisor to identify low usage virtual machines.
B. Use Azure Monitor VM insights.
C. Use Azure Cost Management to view Advisor recommendations.
D. Use Azure Cost Management cost analysis to download resources data.

A

C. Use Azure Cost Management to view Advisor recommendations.

Explanation:
Cost Management shows the organizational cost and usage patterns with advanced analytics. Reports in Cost Management show the usage-based costs consumed by Azure services and third-party Marketplace offerings. The reports help you understand your spending and resource use and can help find spending anomalies. Cost Management uses Azure management groups, budgets, and recommendations to show clearly how your expenses are organized and how you might reduce costs.

Advisor recommendations show how to optimize and improve efficiency by identifying idle and underutilized resources. Alternatively, they can display less expensive resource options. When you follow the advice, you change the way you use your resources to save money.

It is important to note that deleting the disk eliminates the possibility of recovery. Azure recommends taking a snapshot before deleting data or ensuring that the data on the disk is no longer required.

Hence, the correct answer is: Use Azure Cost Management to view Advisor recommendations.

The option that says: Use Azure Advisor to identify low usage virtual machines is incorrect because you only need to identify unattached disks and not the virtual machine usage.

The option that says: Use Azure Cost Management cost analysis to download resources data is incorrect because cost analysis only helps you view accumulated costs over time to estimate monthly, quarterly, or even yearly cost trends against a budget.

The option that says: Use Azure Monitor VM insights is incorrect because you don’t need to monitor the health and performance of virtual machines just to identify unattached disks.

References:

https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-cost-recommendations

https://learn.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview

Check out this Azure Pricing Cheat Sheet:

https://tutorialsdojo.com/azure-pricing/

42
Q

Your application is hosted in an Azure virtual machine named TD-Samar.

You configured Azure Monitor to collect events from virtual machines.

You plan to create an alert rule to notify the System Administrator whenever an error is logged in the system of TD-Samar.

Which of the following should you monitor in the alert rule?

A. Azure Disks
B. Azure Log Analytics workspace
C. Azure Storage Account
D. Azure Virtual Machine

A

B. Azure Log Analytics workspace

Explanation:
Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. This information helps you understand how your applications are performing and proactively identify issues that affect them and the resources they depend on.

A Log Analytics workspace is a unique environment for logging data from Azure Monitor as well as other Azure services such as Microsoft Sentinel and Microsoft Defender for Cloud. Although each workspace has its own data repository and configuration, data from different services can be combined.

You need a Log Analytics workspace if you collect data from:

-Azure resources in your subscription.

-On-premises computers monitored by System Center Operations Manager.

-Device collections from Configuration Manager.

-Diagnostics or log data from Azure Storage.

In this scenario, you’ll need to use alert conditions in order to trigger the alert rule whenever an error is logged in the virtual machine. When you create an alert rule and select the signal type log search, you must enter a log query in the Log Analytics workspace and configure the alert logic.

Hence, the correct answer is: Azure Log Analytics workspace.

Azure Virtual Machine is incorrect because you’ve already set up the collection of events. The log data is delivered to the Log Analytics workspace, where the alert rule will be triggered.

Azure Disk and Azure Storage Account are both incorrect because the logs are not sent in these Azure storage services. Also, when you create an alert rule for custom logs, it will automatically show the Log Analytics workspace.

References:

https://learn.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-monitor

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

Check out this Azure Monitor Cheat Sheet:

https://tutorialsdojo.com/azure-monitor/

43
Q

Your organization has an e-commerce application hosted in a virtual machine.

You need to create a protection using Azure Backup. The backup must be created daily at 6:00 and stored for at least 180 days.

What should you use?

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. Storage
    A. Blob Storage
    B. Storage Account
    C. Recovery Services Vault
    D. Disk Storage
  2. Protection
    A. File Sync
    B. Batch Job
    C. Backup Policy
    D. Recovery Plan
A
  1. C. Recovery Services Vault
  2. C. Backup Policy

Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your backup data while minimizing management overhead.

In this scenario, you’ll need to use Azure Backup to protect the application from any unexpected circumstances. Since the main requirement is to create a backup at a specific time and retain the data for a number of days, you can just configure a backup policy.

Therefore, the correct answers are:

– Storage = Recovery Services Vault

– Protection = Backup Policy

References:

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare

https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

44
Q

You have created a new Azure Active Directory user named TD-Juan.

You need to make sure that TD-Juan is able to assign an Azure policy to the root management group.

Which of following options should you do?

A. Create a management group and assign the role of Owner.
B. Create a management group and assign the role of Contributor.
C. Assign the role of Global Administrator and enable access management for Azure resources.
D. Assign the role of Owner and enable access management for Azure resources.

A

C. Assign the role of Global Administrator and enable access management for Azure resources.

Explanation:
Azure Active Directory (Azure AD) is a service for managing identity and access in the cloud. This service enables your employees to access external resources such as Microsoft 365, the Azure portal, and thousands of other SaaS apps. Azure Active Directory also allows them to access internal resources such as apps on your corporate intranet network, as well as any cloud apps developed specifically for your organization.

Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.

No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.

If you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don’t have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.

In this scenario, you need to have a role of Global Administrator and activate access management for Azure resources in Azure AD. After that, you should now have access to all subscriptions and management groups in your directory. When you view the Access control (IAM) pane, you’ll notice that you have been assigned the User Access Administrator role at root scope.

Hence, the correct answer is: Assign the role of Global Administrator and enable access management for Azure resources.

The option that says: Create a management group and assign the role of Owner is incorrect because this option won’t still allow you to assign a policy to the tenant root group.

The option that says: Create a management group and assign the role of Contributor is incorrect. Just like the option above, even if you assign a Contributor role, you still need to enable access management for Azure resources.

The option that says: Assign the role of Owner and enable access management for Azure resources is incorrect because this role only has access to the subscription level. You can’t use this role to access the tenant root, management group.

References:

https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

45
Q

Your company has an app that is currently running in an Azure Kubernetes Service cluster called TD-Manila.

You have been assigned to configure cluster autoscaling.

Which of the two actions can you use?

A. Use az vmss scale.
B. Use Azure portal.
C. Use az group create.
D. Use kubectl commands.
E. Use az aks commands.

A

B. Use Azure portal.
E. Use az aks commands.

Explanation:
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. Since Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes. Thus, AKS is free; you only pay for the agent nodes within your clusters, not for the masters.

AKS clusters can scale in one of two ways:

The cluster autoscaler watches for pods that can’t be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.
The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand.

If you need to create an AKS cluster, use the az aks create command. To enable and configure the cluster autoscaler on the node pool for the cluster, use the –enable-cluster-autoscaler parameter, and specify a node –min-count and –max-count. You can also enable autoscale in the Azure portal.

Hence, the correct answers are:

– Use az aks commands.

– Use Azure portal.

The option that says: Use az vmss scale is incorrect because this command is for virtual machine scale sets.

The option that says: Use kubectl commands is incorrect because you don’t need to configure horizontal pod autoscaling.

The option that says: Use az group create is incorrect because it is mainly used for creating resource groups.

References:

https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest

https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler

https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale?tabs=azure-cli

Check out this Azure Kubernetes Service Cheat Sheet:

https://tutorialsdojo.com/azure-kubernetes-service-aks/

46
Q

You have an Azure subscription with an Azure storage named TD1 that is encrypted at rest and it contains the following containers:
AZ104-2-46You need to create an encryption key that is dedicated only to TD3. The solution must minimize administrative effort.

What should you do?

A. Create a new encryption key and apply it to all containers.
B. Create a new key vault.
C. Apply an encryption scope to TD3.
D. Move TD3 to another storage account.

A

C. Apply an encryption scope to TD3.

Explanation:
Encryption scope enables you to manage encryption at the level of an individual blob or container. You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers.

By default, a storage account is encrypted with a key that is scoped to the entire storage account. When you define an encryption scope, you specify a key that may be scoped to a container or an individual blob.

When the encryption scope is applied to a blob, the blob is encrypted with that key. When the encryption scope is applied to a container, it serves as the default scope for blobs in that container so that all blobs that are uploaded to that container may be encrypted with the same key.

The container can be configured to enforce the default encryption scope for all blobs in the container or to permit an individual blob to be uploaded to the container with an encryption scope other than the default.

Take note that one of the requirements states that you must minimize administrative effort.

Hence, the correct answer is: Apply an encryption scope to TD3.

The option that says: Move TD3 to another storage account is incorrect because you do not need to move data from TD3 to another storage account because you can satisfy the requirements by simply applying an encryption scope to TD3. Remember that one of the requirements is to minimize administrative effort.

The option that says: Create a new encryption key and apply it to all containers is incorrect because the encryption key for TD3 must be different from TD1 and TD2. With encryption scopes, you can create a separate key that is solely dedicated to TD3.

The option that says: Create a new key vault is incorrect. Although it is possible, creating a new key vault will require more administrative effort. You can instead use encryption scopes by using the same key vault that is used by TD1 and TD2.

References:

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview

https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-overview

Check out this Azure Blob Storage Cheat Sheet:

https://tutorialsdojo.com/azure-blob-storage/

47
Q

A company has a storage account that contains a file share named Davao.

A user needs to mount Davao to their macOS device.

What outbound port should the user open to ensure a successful mount?

A. 22
B. 587
C. 445
D. 3306

A

C. 445

Explanation:
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol. Azure Files SMB file shares are accessible from Windows, Linux, and macOS clients. Azure Files NFS file shares are accessible from Linux or macOS clients. Additionally, Azure Files SMB file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

SMB communicates over TCP port 445. On your client machine (the Mac), check to make sure your firewall isn’t blocking TCP port 445. If your organization or ISP is blocking port 445, you may need to set up a VPN from on-premises to your Azure storage account with Azure Files exposed on your internal network using private endpoints so that the traffic will go through a secure tunnel as opposed to over the internet.

Hence, the correct answer is: 445.

22 is incorrect because this port is the default port for ssh client connections.

587 is incorrect because this port is mainly used for the secure submission of emails for delivery.

3306 is incorrect because this port is the default port for the classic MySQL protocol.

References:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-mac

Check out this Azure Files Cheat Sheet:

https://tutorialsdojo.com/azure-file-storage/

Azure Blob vs Disk vs File Storage:

https://tutorialsdojo.com/azure-blob-vs-disk-vs-file-storage/

48
Q

You have an Azure subscription that contains the following resources:
AZ104-2-48You created a network security group with default rules named Bilibid and associate it with TD1 and TD3.

You added a new security rule that allows TD1 and TD3 to communicate but prevents them from receiving traffic from Azure storage.

What should the source of the new security rule be set to?

A. My IP address
B. Any
C. Service tag
D. IP address

A

C. Service tag

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure, such as scale, availability, and isolation.

You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. By specifying the service tag name, such as Storage, in the appropriate source or destination field of a security rule, you can allow or deny the traffic for the corresponding service.

There are two requirements stated in the question:

  1. TD1 and TD3 must be able to communicate with each other.
  2. TD1 and TD3 must not receive traffic from Azure storage.

With the default security rules of Bilibid, the first requirement is already satisfied. The default security rule allows resources deployed to the same virtual network to communicate with one another unimpeded.

With service tags, you can restrict traffic from Azure storage. You need to create a rule in Bilibid, set the source to service tag, and the source service tag should be Storage, and set the action to Deny.

Hence, the correct answer is: Service tag.

Any is incorrect because this will also block the traffic between TD1 and TD3. You must only block traffic coming in from Azure storage.

IP Address is incorrect. Blocking IP addresses is always a tedious and ineffective task as IP addresses tend to change. You can instead use service tags as Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

My IP address is incorrect because this will only block your IP address. This action will not prevent TD1 and TD3 receiving traffic from Azure storage.

References:

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

49
Q

You have an Azure subscription named Boracay.
You plan on creating a storage account for your media files. The media files must be asynchronously copied to another storage account to minimize latency for your users.
What storage account type should the source and target account be?

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. Source account
    A. Premium Blob Block Only
    B. General Purpose V2
    C. General Purpose V2 or Premium Block Blob
    D. File Storage Only
  2. Target account
    A. Premium Blob Block Only
    B. General Purpose V2
    C. General Purpose V2 or Premium Block Blob
    D. File Storage Only
A
  1. C. General Purpose V2 or Premium Block Blob
  2. C. General Purpose V2 or Premium Block Blob

Explanation:
Object replication asynchronously copies block blobs between a source storage account and a destination account. Some scenarios supported by object replication include:

– Minimizing latency. Object replication can reduce latency for read requests by enabling clients to consume data from a region that is in closer physical proximity.

– Increase efficiency for compute workloads. With object replication, compute workloads can process the same sets of block blobs in different regions.

– Optimizing data distribution. You can process or analyze data in a single location and then replicate just the results in additional regions.

– Optimizing costs. After your data has been replicated, you can reduce costs by moving it to the archive tier using life cycle management policies.

Object replication is supported for general-purpose v2 storage accounts and premium block blob accounts. Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append blobs, and page blobs aren’t supported.

Object replication requires that blob versioning is enabled on both the source and destination accounts. When a replicated blob in the source account is modified, a new version of the blob is created in the source account that reflects the previous state of the blob before modification. The current version in the source account reflects the most recent updates. Both the current version and any previous versions are replicated to the destination account.

Therefore, for both the source and target storage accounts, you can only use general-purpose v2 or premium block blob storage accounts.

References:

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview

https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-overview

Check out this Azure Blob Storage Cheat Sheet:

https://tutorialsdojo.com/azure-blob-storage/

50
Q

You have an Azure subscription that contains a storage account named Nido and a virtual machine named TD1.

Nido must be able to communicate with TD1. The traffic must traverse through the Azure backbone network.

What should you configure?

A. Azure Firewall
B. Site-to-site VPN connection
C. VNet peering
D. Service endpoint

A

D. Service endpoint

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network in that you’d operate in your data center but brings with it additional benefits of Azure’s infrastructure, such as scale, availability, and isolation.

Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

Service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over service endpoint and allow data exfiltration to only specific Azure Storage accounts. Endpoint policies provide granular access control for virtual network traffic to Azure Storage when connecting over the service endpoint.

Hence, the correct answer is: Service endpoint.

Site-to-site VPN connection is incorrect because used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

VNet peering is incorrect because only enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. This won’t force your traffic to use the Azure backbone network.

Azure Firewall is incorrect because this service is simply used for cloud-native and intelligent network firewall security service that provides the best-of-breed threat protection for your cloud workloads running in Azure.

References:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/