Review Mode Set 3 – AZ-104 Azure Administrator Flashcards
Your company has an existing subscription in Azure.
You provisioned an Azure Storage account named TutorialsDojoAccount and then created a file share named TDShare.
You need to create a script that will allow you to connect to your file share.
What is the UNC path of the file share?
A. \\TutorialsDojoAccount.TDShare\file.core.windows.net
B. \\TutorialsDojoAccount.file.core.windows.net\TDShare
C. \\file.core.windows.net.TutorialsDojoAccount\TDShare
D. \\TDShare.file.core.windows.net\TutorialsDojoAccount
B. \\TutorialsDojoAccount.file.core.windows.net\TDShare
Explanation:
Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.
One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world using a URL that points to the file and includes a shared access signature (SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific amount of time.
File shares can be used for many common scenarios:
- Many on-premises applications use file shares. This feature makes it easier to migrate those applications that share data to Azure. If you mount the file share to the same drive letter that the on-premises application uses, the part of your application that accesses the file share should work with minimal, if any, changes.
- Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them and that they use the same version.
- Resource logs, metrics, and crash dumps are just three examples of data that can be written to a file share and processed or analyzed later.
Azure Files is Microsoft’s easy-to-use cloud file system. Azure file shares can be seamlessly used in Windows and Windows Server.
In order to use an Azure file share outside of the Azure region it is hosted in, such as on-premises or in a different Azure region, the OS must support SMB 3.0. You can use Azure file shares on a Windows installation that is running either in an Azure VM or on-premises.
The Azure File Share UNC path format is:
\\<storageAccountName>.file.core.windows.net\<fileShareName>
For example:
\\StoragePhilippines.file.core.windows.net\ElNidoPalawanFileShare
Hence, the correct answer is:
\\TutorialsDojoAccount.file.core.windows.net\TDShare
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
Check out this Azure Files Cheat Sheet:
https://tutorialsdojo.com/azure-file-storage/
Your company has an Azure Subscription that contains an Azure Container named TDContainer.
There is a requirement to launch a new Azure container instance that uses a docker image named TDImage. The container image contains a Microsoft SQL Server instance that requires persistent storage.
You need to create a storage service that will meet the requirements for TDContainer.
What should you use?
A. Azure Blob storage
B. Azure Table storage
C. Azure Files
D. Azure Queue storage
C. Azure Files
Explanation:
Containers are becoming the preferred way to package, deploy, and manage cloud applications. Azure Container Instances offers the fastest and simplest way to run a container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.
Azure Container Instances is a solution for any scenario that can operate in isolated containers, without orchestration. Run event-driven applications, quickly deploy from your container development pipelines, and run data processing and build jobs.
Containers offer significant startup benefits over virtual machines (VMs). Azure Container Instances can start containers in Azure in seconds, without the need to provision and manage VMs.
Bring Linux or Windows container images from Docker Hub, a private Azure container registry, or another cloud-based docker registry. Azure Container Instances caches several common base OS images, helping speed deployment of your custom application images.
By default, Azure Container Instances are stateless. If the container crashes or stops, all of its state is lost. To persist state beyond the lifetime of the container, you must mount a volume from an external store. Azure Container Instances can mount an Azure file share created with Azure Files.
Azure Files offers fully managed file shares hosted in Azure Storage that are accessible via the industry standard Server Message Block (SMB) protocol. Using an Azure file share with Azure Container Instances provides file-sharing features similar to using an Azure file share with Azure virtual machines.
Azure Disks or Files are commonly used to provide persistent volumes for Azure Container Instances and Azure VMs.
Hence, the correct answer is: Azure Files.
Azure Queue Storage is incorrect because this service is simply used for storing large numbers of messages to enable communication between components of a distributed application.
Azure Table Storage and Azure Blob Storage are both incorrect because Azure Container Services does not support direct integration of these services.
References:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-overview
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files
Check out this Azure Container Instances Cheat Sheet:
https://tutorialsdojo.com/azure-container-instances-aci/
Azure Blob vs. Disk vs. File Storage:
https://tutorialsdojo.com/azure-blob-vs-disk-vs-file-storage/
Your company has an Azure subscription that contains an Azure Storage account named tutorialsdojoaccount.
There is a requirement to copy a virtual machine image to a container named tdimage from your on-premises datacenter. You need to provision an Azure Container instance to host the container image.
Which AzCopy command should you run?
Select the correct answer from the drop-down list of options. Each correct selection is worth one point.
- AzCopy ____
  A. Sync
  B. Make
  C. Copy
- “https://tutorialsdojoaccount.____.core.windows.net/tdimage”
  A. file
  B. queue
  C. table
  D. blob
- B. Make
- D. blob
Explanation:
The Azure Storage platform is Microsoft’s cloud storage solution for modern data storage scenarios. Core storage services offer a massively scalable object store for data objects, disk storage for Azure virtual machines (VMs), a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.
Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn’t adhere to a particular data model or definition, such as text or binary data.
Blob storage is designed for:
– Serving images or documents directly to a browser.
– Storing files for distributed access.
– Streaming video and audio.
– Writing to log files.
– Storing data for backup and restore disaster recovery, and archiving.
– Storing data for analysis by an on-premises or Azure-hosted service.
A container organizes a set of blobs, similar to a directory in a file system. A storage account can include an unlimited number of containers, and a container can store an unlimited number of blobs. VHD files can be used to create custom images that can be stored in an Azure Blob container, which are used to provision virtual machines.
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. The azcopy make command is commonly used to create a container or a file share.
The correct syntax in creating a blob container is:
azcopy make "https://[account-name].blob.core.windows.net/[top-level-resource-name]"
For example:
azcopy make "https://myaccount.blob.core.windows.net/mycontainer/myblob"
Therefore, the correct answers are:
AzCopy = Make
https://tutorialsdojoaccount.____.core.windows.net/tdimage = Blob
Copy is incorrect because it simply copies source data to a destination location.
Sync is incorrect because it only replicates the source location to the destination location.
File is incorrect because when you execute this command, it will create a file share. Take note that it is mentioned in the scenario that container images and instances are used.
Table is incorrect because this is just a NoSQL data store that accepts authenticated calls from inside and outside the Azure cloud which allows you to store large amounts of structured data.
Queue is incorrect because this simply provides cloud messaging between application components that allows you to decouple your applications so that they can scale independently.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make
Check out this Azure Storage Overview Cheat Sheet:
https://tutorialsdojo.com/azure-storage-overview/
Azure Blob vs Disk vs File Storage:
https://tutorialsdojo.com/azure-blob-vs-disk-vs-file-storage/
You have the following virtual networks in your Azure subscription.
[AZ104-3-04 scenario image]
Which of the following virtual networks can you establish a virtual network peering from TDVnet1?
A. TDVnet2 only
B. TDVnet2 and TDVnet3 only
C. TDVnet3 and TDVnet4 only
D. TDVnet2, TDVnet3 and TDVnet4
C. TDVnet3 and TDVnet4 only
Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.
Azure supports the following types of peering:
– Virtual network peering: Connect virtual networks within the same Azure region.
– Global virtual network peering: Connecting virtual networks across Azure regions.
Take note, the virtual networks you peer with must have non-overlapping IP address spaces.
Hence, the correct answer is: TDVnet3 and TDVnet4 only.
The following options are incorrect because the address space 10.1.0.0/17 of TDVnet2 overlaps with the address space 10.1.0.0/16 of TDVnet1. You need to plan ahead when you create your virtual network address spaces in case you will later need to peer your virtual networks. You can always change the address space of a virtual network, but you need to make sure that the subnets within it are contained in the new address space of your virtual network.
– TDVnet2 only
– TDVnet2, TDVnet3 and TDVnet4
– TDVnet2 and TDVnet3 only
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Check out this Azure Virtual Network Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-network-vnet/
Your company has an Azure subscription named TDSubscription1. It contains the following resources:
[az104-3-05 scenario image]
Which subnet(s) can you associate TDNSG1 with?
A. You can associate it to the subnet of TDVnet1 only.
B. You can associate it to the subnets of TDVnet1 and TDVnet2 only.
C. You can associate it to the subnet of TDVnet2 only.
D. You can associate it to the subnet of TDVnet3 only.
D. You can associate it to the subnet of TDVnet3 only.
Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
You can only associate a network security group with a subnet or network interface within the same region as the network security group. A network security group can’t be moved from one region to another. However, you can use an Azure Resource Manager template to export the existing configuration and security rules of an NSG, modify the parameters to match the destination region, and then deploy the template to the new region.
Hence, the correct answer is: You can associate it to the subnet of TDVnet3 only.
The following options are incorrect because TDVnet1 and TDVnet2 are located in Southeast Asia. You can only associate a network security group to a subnet within the same region as the network security group.
– You can associate it to the subnets of TDVnet1 and TDVnet2 only
– You can associate it to the subnet of TDVnet1 only
– You can associate it to the subnet of TDVnet2 only
References:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-nsg-portal
Check out this Azure Virtual Network Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-network-vnet/
Your company has a virtual network named TDVnet1 and a policy-based virtual network gateway named TD1 in your Azure subscription.
You have users that need to access TDVnet1 from a remote location.
Which two actions should you do so your users can establish a point-to-site connection to TDVnet1?
A. Deploy a gateway subnet
B. Reset TD1
C. Download and install the VPN client configuration file
D. Delete TD1
E. Deploy a route-based VPN gateway
D. Delete TD1
E. Deploy a route-based VPN gateway
Explanation:
Point-to-Site (P2S) VPN connection allows you to create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.
When you configure a point-to-site VPN connection, you must use a route-based VPN type for your gateway. Policy-based VPN type for point-to-site VPN connection is not supported by Azure.
If you create a policy-based VPN type as your gateway, you need to delete it and deploy a route-based VPN gateway instead.
Hence, the correct answers are:
– Delete TD1
– Deploy a route-based VPN gateway
The option that says: Deploy a gateway subnet is incorrect. A gateway subnet is a prerequisite when you create a virtual network gateway, and since TD1 already exists in TDVnet1, a gateway subnet is already in place, so you don’t have to deploy one again.
The option that says: Reset TD1 is incorrect. Resetting TD1 will not work since it is a policy-based VPN type. Take note that you need a route-based VPN type for point-to-site VPN connections.
The option that says: Download and install the VPN client configuration file is incorrect. Even if you have downloaded and installed the VPN client configuration file, the users still won’t be able to connect to TDVnet1 because TD1 is a policy-based VPN type. You have to delete TD1 first and deploy a new route-based VPN gateway.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
Check out this Azure VPN Gateway Cheat Sheet:
https://tutorialsdojo.com/azure-vpn-gateway/
Your company has an Azure subscription named TDSubscription1.
You plan to host your media assets to a storage account.
You created an Azure storage account named tutorialsdojostorage using the following parameters:
[azure_create_storage_account scenario image]
Select the correct answer from the drop-down list of options. Each correct selection is worth one point.
- How many copies of your data will be maintained by the Azure storage account at the minimum?
  A. 3
  B. 5
  C. 4
  D. 6
- The files that you will host in tutorialsdojostorage are frequently accessed files. What setting should you modify?
  A. Versioning
  B. Account Kind
  C. Access Tier
  D. Performance
- D. 6
- C. Access Tier
Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.
Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers four options for how your data is replicated:
– Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option but is not recommended for applications requiring high availability.
– Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. ZRS is recommended for applications requiring high availability.
– Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.
– Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.
Take note that Geo-redundant storage (GRS) maintains six copies total, including three copies in the primary region and three copies in the secondary region.
Azure storage offers different access tiers, allowing you to store blob object data in the most cost-effective manner. Available access tiers include:
– Hot – Optimized for storing data that is accessed frequently.
– Cool – Optimized for storing data that is infrequently accessed and stored for at least 30 days.
– Archive – Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of hours.
Therefore, you will have a total of 6 copies maintained because the replication setting is Geo-redundant storage (GRS). This option keeps 3 copies of your data in the primary region and asynchronously copies it to the secondary region, where another 3 copies are kept, for a total of 6 copies.
Likewise, since you will store frequently accessed files, you must change the access tier from the Cool tier to the Hot tier.
The option that says: 3 is incorrect because only Locally redundant storage (LRS) and Zone-redundant storage (ZRS) maintain a total of 3 copies of data.
The options that say: 4 and 5 are incorrect because there is no Azure Storage redundancy type that maintains 4 or 5 copies of data. Only 3 for LRS and ZRS, and 6 for GRS and GZRS.
Account Kind is incorrect because this simply offers several types of storage accounts such as StorageV2, Storage, and BlobStorage. Each type supports different features and has its own pricing model.
Versioning is incorrect because this feature is for automatically maintaining the previous versions of an object. When blob versioning is enabled, you can restore an earlier version of a blob to recover your data if it is erroneously modified or deleted.
Performance is incorrect because this tiering system is primarily used for determining the speed capability of your storage account. There are two types of performance tiers: Standard: optimized for high capacity/throughput and Premium: optimized for high transaction rates and single-digit consistent storage latency.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
Check out this Azure Storage Overview Cheat Sheet:
https://tutorialsdojo.com/azure-storage-overview/
Locally Redundant Storage (LRS) vs Zone-Redundant Storage (ZRS) vs Geo-redundant storage (GRS):
https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/
You have an Azure subscription named TDSubscription1 that contains the following resources:
[az104-3-09 scenario image]
TD1 is associated with TDSubnet1, which is connected to TDVnet1. For data security, the TDNSG1 network security group is associated with TD1.
TDASG1 must be integrated directly to TD1.
What should you do?
A. Remove TDNSG1 from TD1 and attach TDASG1 to TD1.
B. Attach a new network interface to TD1 and attach it to TDASG1.
C. Attach TDASG1 to the network interface of TD1
D. Attach ASG1 to TDSubnet1.
C. Attach TDASG1 to the network interface of TD1
Explanation:
Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses.
Take note of the following application security group constraints:
– You can specify one application security group as the source and destination in a security rule. You cannot specify multiple application security groups in the source or destination.
– All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.
– If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network.
Hence, the correct statement is: Attach TDASG1 to the network interface of TD1.
The statement that says: Remove TDNSG1 from TD1 and attach TDASG1 to TD1 is incorrect because you do not need to remove TDNSG1 to attach TDASG1. A network security group and application security group can co-exist. Remember that an application security group is only a logical grouping of virtual machines. You still need to use a network security group to route traffic to an application security group.
The statement that says: Attach a new network interface to TD1 and attach it to TDASG1 is incorrect because you do not need to create another network interface so you can attach TDASG1 to TD1. You can just use the original network interface of TD1 and attach TDASG1.
The statement that says: Attach ASG1 to TDSubnet1 is incorrect because you can not attach an application security group to a subnet. You can only attach an application security group to the network interface of a virtual machine.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
Azure Network Security Group (NSG) vs Application Security Group:
https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group/
You have an Azure virtual network named TDVnet1 that contains the subnets shown below:
[az104-3-10 scenario image]
You plan to create a network security group for your virtual machines.
Due to regulatory compliance, you must meet the following requirements:
– Virtual machines in TDSub2 and TDSub3 must have HTTPS traffic from the Internet.
– Remote Desktop connections from the public Internet must only access TD1.
– All traffic between TD1 and TD2 must be allowed.
– Restrict all other external network traffic from accessing TDVnet1.
What is the minimum number of network security groups that you should provision to satisfy the requirements above?
A. 1
B. 3
C. 6
D. 5
A. 1
Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Network Security Groups can be attached to multiple subnets and/or network interfaces. Unless you have a specific reason to, it is recommended that you associate a network security group to a subnet or a network interface, but not both.
In the image above, the requirements of the scenario are fully satisfied. You only need to create one network security group with multiple rules and associate it with TDSub1, TDSub2, and TDSub3.
- Virtual machines in TDSub2 and TDSub3 must have HTTPS traffic from the Internet.
– You can whitelist the address spaces of TDSub2 and TDSub3 in the destination IP addresses/CIDR ranges of an inbound security rule. This will force HTTPS traffic to only those subnets without allowing HTTPS traffic to TDSub1. See priority 100 in the image above.
- Remote Desktop connections from the Internet must access TD1.
– Since there are two virtual machines in TDSub1 and the requirement states that only TD1 must have Remote Desktop connection, you cannot whitelist the address space of TDSub1 in the destination IP addresses.
– An alternative to this is whitelisting the IP address of TD1 to the destination IP addresses when you create an inbound security rule. See priority 110 in the image above.
- All traffic between TD1 and TD2 must be allowed.
– When you create a network security group, the default rules of a network security group always allow traffic coming from WITHIN the virtual network. No action is needed from your side.
- Restrict all other external network traffic from accessing TDVnet1.
– The default rules of a network security group explicitly deny all incoming traffic. No action is needed from your side.
Hence, the correct answer is: 1.
3, 5, and 6 are incorrect because you only need to create one network security group with multiple rules to satisfy the requirements of the scenario.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Check out this Azure Virtual Network Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-network-vnet/
Your company has an Azure subscription that has the following resources deployed:
[az104-3-11 scenario image]
There is a requirement that requires you to configure Azure Backup reports using TDBackup1 to determine which backup items consume the most storage.
Which Log Analytics workspace can you use to store the backup reporting data?
A. TDAnalytics1 only
B. TDAnalytics2 only
C. TDAnalytics1, TDAnalytics2, and TDAnalytics3
D. TDAnalytics3 only
C. TDAnalytics1, TDAnalytics2, and TDAnalytics3
Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your backup data while minimizing management overhead.
Azure Backup report provides a reporting solution that uses Azure Monitor logs and Azure workbooks. These resources help you get rich insights on your backups across your entire backup estate. Backup Reports serve as a one-stop destination for tracking usage, auditing of backups and restores, and identifying key trends at different levels of granularity.
A common requirement for backup admins is to obtain insights on backups based on data that spans a long period of time. Use cases for such a solution include:
– Allocating and forecasting of cloud storage consumed.
– Auditing of backups and restores.
– Identifying key trends at different levels of granularity.
By default, the data in a Log Analytics workspace is retained for 30 days. To see data for a longer time horizon, change the retention period of the Log Analytics workspace.
Take note that when you create a Log Analytics workspace, it does not matter if the vault is located in a different region or subscription.
Hence, the correct answer is: TDAnalytics1, TDAnalytics2, and TDAnalytics3.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-overview
https://docs.microsoft.com/en-us/azure/backup/configure-reports
Check out this Azure Virtual Machines Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-machines/
Your company has an Azure subscription that contains a virtual machine named TD1 and a virtual network named TDVnet1.
You have an on-premises Server Message Block (SMB) file server named FileServer1.
There is a requirement to connect TD1 to FileServer1.
What should you create?
A. Create an Azure virtual network peering
B. Create an Azure AD Connect sync
C. Create an Azure Virtual Network Gateway
D. Create an Azure Application Gateway
C. Create an Azure Virtual Network Gateway
Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
An Azure Virtual Network Gateway or VPN Gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.
You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.
Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.
A site-to-site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
Hence, the correct answer is: Create an Azure Virtual Network Gateway.
The option that says: Create an Azure virtual network peering is incorrect as this only enables you to seamlessly connect two or more Virtual Networks in Azure. Take note that in this scenario, you need to connect your on-premises network to Azure.
The option that says: Create an Azure AD Connect sync is incorrect because this service is simply the main component of Azure AD Connect. This service synchronizes information held in the on-premises Active Directory to Azure AD. For example, if you provision or deprovision groups and users on-premises, these changes propagate to Azure AD. You can not use this to synchronize FileServer1 to TD1 since the file server is not an Active Directory.
The option that says: Create an Azure Application Gateway is incorrect because this service is just a web traffic load balancer that enables you to manage traffic to your web applications.
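The checks a practitioner runs before building the site-to-site connection described above, as an added example that is not code from the original page: one VPN gateway per virtual network, the mandatory GatewaySubnet, and no overlap between the on-premises prefixes and the Azure address space (overlapping prefixes make routing across the IPsec/IKE tunnel ambiguous). It then emits the az CLI steps for a route-based IKEv2 connection. Resource names, prefixes and the VPN_SHARED_KEY environment variable are assumptions; nothing here contacts Azure.

```python
"""Preflight checks and az CLI steps for a site-to-site VPN gateway.

Added example, not code from the original page. Names, prefixes and the
VPN_SHARED_KEY environment variable are assumptions; this never calls Azure.
"""
import ipaddress

GATEWAY_SUBNET_NAME = "GatewaySubnet"   # name Azure requires for the gateway subnet
RECOMMENDED_GATEWAY_PREFIXLEN = 27      # /27 or larger is the documented recommendation


def overlapping(prefixes_a, prefixes_b):
    """Return (a, b) pairs of CIDRs, one from each list, that overlap."""
    nets_a = [ipaddress.ip_network(p, strict=False) for p in prefixes_a]
    nets_b = [ipaddress.ip_network(p, strict=False) for p in prefixes_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def preflight(vnet, existing_vpn_gateways, onprem_prefixes):
    """Return a list of problems; an empty list means the design is acceptable.

    vnet: {"name": str, "addressSpace": [cidr, ...], "subnets": {name: cidr}}
    existing_vpn_gateways: VPN gateways already deployed in this VNet
    onprem_prefixes: CIDRs the local network gateway will advertise
    """
    problems = []
    if existing_vpn_gateways >= 1:
        problems.append("a VNet can have only one VPN gateway; add a "
                        "connection to the existing gateway instead")
    gw_subnet = vnet["subnets"].get(GATEWAY_SUBNET_NAME)
    if gw_subnet is None:
        problems.append(f"subnet {GATEWAY_SUBNET_NAME} is missing")
    elif ipaddress.ip_network(gw_subnet).prefixlen > RECOMMENDED_GATEWAY_PREFIXLEN:
        problems.append(f"{GATEWAY_SUBNET_NAME} {gw_subnet} is smaller than the "
                        f"recommended /{RECOMMENDED_GATEWAY_PREFIXLEN}")
    for azure, onprem in overlapping(vnet["addressSpace"], onprem_prefixes):
        problems.append(f"Azure prefix {azure} overlaps on-premises prefix {onprem}; "
                        "routing across the tunnel would be ambiguous")
    return problems


def site_to_site_commands(rg, vnet_name, gateway_name, pip_name, local_gw_name,
                          onprem_public_ip, onprem_prefixes, sku="VpnGw1"):
    """az CLI steps: public IP, VPN gateway, local network gateway, IPsec/IKE connection.

    The pre-shared key is read from the VPN_SHARED_KEY environment variable at
    run time rather than written into the script or the shell history.
    """
    prefixes = " ".join(onprem_prefixes)
    return [
        f"az network public-ip create -g {rg} -n {pip_name} --sku Standard --allocation-method Static",
        f"az network vnet-gateway create -g {rg} -n {gateway_name} --vnet {vnet_name} "
        f"--public-ip-addresses {pip_name} --gateway-type Vpn --vpn-type RouteBased --sku {sku}",
        f"az network local-gateway create -g {rg} -n {local_gw_name} "
        f"--gateway-ip-address {onprem_public_ip} --local-address-prefixes {prefixes}",
        f"az network vpn-connection create -g {rg} -n {gateway_name}-to-{local_gw_name} "
        f"--vnet-gateway1 {gateway_name} --local-gateway2 {local_gw_name} "
        f'--shared-key "$VPN_SHARED_KEY"',
    ]


if __name__ == "__main__":
    # Constructed scenario: VNet TD1 in Azure, FileServer1's site on-premises.
    td1 = {"name": "TD1", "addressSpace": ["10.10.0.0/16"],
           "subnets": {"default": "10.10.1.0/24", "GatewaySubnet": "10.10.255.0/27"}}
    print(preflight(td1, 0, ["192.168.0.0/24"]))   # clean design: []
    print(preflight(td1, 0, ["10.10.5.0/24"]))     # overlap is reported
    for cmd in site_to_site_commands("TD-RG", "TD1", "TD1-vpngw", "TD1-vpngw-pip",
                                     "onprem-lgw", "203.0.113.10", ["192.168.0.0/24"]):
        print(cmd)
```

The overlap check is the one most often skipped in practice: the gateway will deploy and the tunnel will come up, but traffic for the overlapping range never leaves the VNet, and the failure looks like a firewall problem on the on-premises side.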
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Check out this Azure VPN Gateway Cheat Sheet:
https://tutorialsdojo.com/azure-vpn-gateway/
Your company has an Azure subscription named TDSubscription1 that contains the following resources:
az104-3-13 scenario image
You recently added a new address space 10.30.0.0/16 to TDVnet1.
What should you do next?
A. Delete the peering between TDVnet1 and TDVnet2.
B. Re-create the peering between TDVnet1 and TDVnet2.
C. Sync the peering between TDVnet1 and TDVnet2.
D. Delete TDVnet2.
C. Sync the peering between TDVnet1 and TDVnet2.
Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.
You can resize the address space of Azure virtual networks that are peered without incurring any downtime on the currently peered address space. This feature is useful when you need to resize the virtual network’s address space after scaling your workloads. After resizing the address space, all that is required is for peers to be synced with the new address space changes. Resizing works for both IPv4 and IPv6 address spaces.
Addresses can be resized in the following ways:
– Modifying the address range prefix of an existing address range (for example, changing 10.1.0.0/16 to 10.1.0.0/18).
– Adding address ranges to a virtual network.
– Deleting address ranges from a virtual network.
Resizing of address space is also supported cross-tenant.
Hence, the correct answer is: Sync the peering between TDVnet1 and TDVnet2.
The statement that says: Delete TDVnet2 is incorrect because you can add an address space to your virtual network without deleting it.
The following statements are incorrect because you do not need to delete and re-create the peering when you add an address space to a virtual network that is already peered. All you have to do is sync the peering after you have added the address space.
– Delete the peering between TDVnet1 and TDVnet2
– Re-create the peering between TDVnet1 and TDVnet2
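A way to detect which peerings actually need the sync after an address-space change, as an added example that is not code from the original page. The input mirrors the JSON that `az network vnet show` and `az network vnet peering list` return (ARM VirtualNetwork and VirtualNetworkPeering shapes: addressSpace.addressPrefixes, remoteVirtualNetwork.id, remoteAddressSpace.addressPrefixes, peeringSyncLevel). The sample documents are constructed for the scenario above: TDVnet1 has just gained 10.30.0.0/16 and TDVnet2's peering still carries the old copy of TDVnet1's address space. The subscription id and resource group name are assumptions.

```python
"""Find virtual network peerings that are stale after an address-space change.

Added example, not code from the original page. Sample documents are
constructed; subscription id and resource group are assumptions.
"""
import re

_VNET_ID_RE = re.compile(r"/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.Network/"
                         r"virtualNetworks/(?P<vnet>[^/]+)$", re.IGNORECASE)


def parse_vnet_id(resource_id):
    """Return (resource_group, vnet_name) from an ARM virtual network id."""
    m = _VNET_ID_RE.search(resource_id)
    if not m:
        raise ValueError(f"not a virtual network id: {resource_id}")
    return m.group("rg"), m.group("vnet")


def stale_peerings(vnets, peerings):
    """vnets: {vnet_id: vnet_json}; peerings: [(owning_vnet_id, peering_json), ...].

    A peering is stale when its cached copy of the remote address space differs
    from what the remote VNet actually has, or when Azure itself reports a
    peeringSyncLevel other than FullyInSync. Returns a list of
    (resource_group, owning_vnet, peering_name, prefixes_missing_from_cache).
    """
    stale = []
    for owner_id, peering in peerings:
        remote = vnets.get(peering["remoteVirtualNetwork"]["id"])
        cached = set(peering["remoteAddressSpace"]["addressPrefixes"])
        # Cross-tenant or otherwise unreadable remote: fall back to the sync level alone.
        actual = set(remote["addressSpace"]["addressPrefixes"]) if remote else cached
        level = peering.get("peeringSyncLevel", "FullyInSync")
        if actual != cached or level != "FullyInSync":
            rg, owner = parse_vnet_id(owner_id)
            stale.append((rg, owner, peering["name"], sorted(actual - cached)))
    return stale


def sync_commands(stale):
    """One `az network vnet peering sync` per stale peering; nothing is deleted or re-created."""
    return [f"az network vnet peering sync -g {rg} --vnet-name {vnet} -n {name}"
            for rg, vnet, name, _missing in stale]


# Constructed sample data mirroring the TDVnet1/TDVnet2 scenario.
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/TD-RG"
           "/providers/Microsoft.Network/virtualNetworks/")
VNET1_ID, VNET2_ID = _PREFIX + "TDVnet1", _PREFIX + "TDVnet2"
SAMPLE_VNETS = {
    VNET1_ID: {"name": "TDVnet1",
               "addressSpace": {"addressPrefixes": ["10.10.0.0/16", "10.30.0.0/16"]}},
    VNET2_ID: {"name": "TDVnet2",
               "addressSpace": {"addressPrefixes": ["10.20.0.0/16"]}},
}
SAMPLE_PEERINGS = [
    (VNET1_ID, {"name": "TDVnet1-to-TDVnet2",
                "remoteVirtualNetwork": {"id": VNET2_ID},
                "remoteAddressSpace": {"addressPrefixes": ["10.20.0.0/16"]},
                "peeringSyncLevel": "FullyInSync"}),
    (VNET2_ID, {"name": "TDVnet2-to-TDVnet1",
                "remoteVirtualNetwork": {"id": VNET1_ID},
                "remoteAddressSpace": {"addressPrefixes": ["10.10.0.0/16"]},
                "peeringSyncLevel": "RemoteNotInSync"}),
]

if __name__ == "__main__":
    stale = stale_peerings(SAMPLE_VNETS, SAMPLE_PEERINGS)
    for rg, vnet, name, missing in stale:
        print(f"{vnet}/{name} is missing {missing}")
    for cmd in sync_commands(stale):
        print(cmd)
```

The comparison is done from each peering's own cached `remoteAddressSpace`, so the output names the peering object that must be synced (here the one on TDVnet2, whose copy of TDVnet1's space is stale) rather than the VNet whose address space changed; until that sync runs, traffic from TDVnet2 to 10.30.0.0/16 is not routed over the peering.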
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
Check out this Azure Virtual Network Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-network-vnet/
Your Azure subscription contains a fleet of virtual machines.
You recently deployed an Azure bastion named TD1 with an SKU of Basic and a subnet size of /26.
There is a requirement that more than 90 users will concurrently use TD1. You need to be able to accommodate the number of users that will be accessing TD1. The solution must minimize administrative effort.
What should you do first?
A. Deploy a new bastion server with an SKU of Standard
B. Increase the server size of TD1.
C. Increase the instance count of TD1.
D. Upgrade the SKU of TD1
D. Upgrade the SKU of TD1
Explanation:
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, virtual machines don’t need a public IP address, agent, or special client software.
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world while providing secure access using RDP/SSH.
Two instances are created when you configure Azure Bastion using the Basic SKU. Using the Standard SKU, you can specify the number of instances. This is called host scaling.
Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. The number of connections per instance depends on your actions when connected to the client VM. For example, if you are doing something data-intensive, it creates a more significant load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.
Remember that host scaling is only available when the bastion host uses the Standard SKU.
To accommodate additional concurrent client connections, you first upgrade the SKU of TD1 from Basic to Standard (note that this upgrade cannot be reverted to Basic). After that, you can raise the instance count of TD1 to whatever number is required to accommodate the 90 users.
Hence, the correct answer is: Upgrade the SKU of TD1.
The option that says: Deploy a new bastion server with an SKU of Standard is incorrect because there is no need to deploy a new bastion server with an SKU of Standard. You can upgrade the SKU of TD1 to Standard. One of the requirements is that your solution must minimize administrative effort.
The option that says: Increase the instance count of TD1 is incorrect because you will only be able to increase the instance count if TD1 is already using an SKU of Standard. Take note that the question asks what you will do first.
The option that says: Increase the server size of TD1 is incorrect because there is no option to increase the server size of a bastion server. If you need more computing power, you can increase the instance count of the bastion server. Remember that you need to use an SKU of Standard before being able to use host scaling.
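The sizing and ordering logic behind that answer, as an added example that is not code from the original page. The constants are the figures given in the explanation above (Basic SKU fixed at two instances with no host scaling; Standard SKU scalable between 2 and 50 instances; roughly 20 concurrent RDP or 40 concurrent SSH sessions per instance for medium workloads; AzureBastionSubnet of /26 or larger). Treating a mixed RDP/SSH load as a sum of per-session fractions of one instance is a planning assumption, not a documented formula, and the resource names are constructed.

```python
"""Capacity plan for Azure Bastion host scaling.

Added example, not code from the original page. Mixed-load arithmetic is a
planning assumption; resource names are constructed.
"""
import ipaddress
from math import ceil

RDP_SESSIONS_PER_INSTANCE = 20      # medium workloads, per the explanation
SSH_SESSIONS_PER_INSTANCE = 40
MIN_SCALE_UNITS, MAX_SCALE_UNITS = 2, 50
BASIC_SKU_UNITS = 2                 # Basic always deploys two instances, no host scaling
MIN_SUBNET_PREFIXLEN = 26           # AzureBastionSubnet must be /26 or larger


def required_scale_units(rdp_sessions, ssh_sessions=0):
    """Instances needed for the target concurrent load.

    Assumption: an RDP session consumes 1/20 of an instance and an SSH session
    1/40, so the two loads add up before rounding up to whole instances.
    """
    load = (rdp_sessions / RDP_SESSIONS_PER_INSTANCE
            + ssh_sessions / SSH_SESSIONS_PER_INSTANCE)
    units = max(MIN_SCALE_UNITS, ceil(load))
    if units > MAX_SCALE_UNITS:
        raise ValueError(f"{units} instances exceed the {MAX_SCALE_UNITS}-instance "
                         "ceiling; split users across bastion hosts")
    return units


def plan(rg, name, current_sku, current_units, subnet_prefix, rdp_sessions, ssh_sessions=0):
    """Ordered az CLI steps to reach the target capacity, or [] if already sufficient.

    The SKU upgrade is emitted as its own first step because --scale-units is
    only honoured on Standard and because Basic-to-Standard cannot be reverted;
    an operator should see that irreversible change explicitly.
    """
    if ipaddress.ip_network(subnet_prefix).prefixlen > MIN_SUBNET_PREFIXLEN:
        raise ValueError(f"AzureBastionSubnet {subnet_prefix} must be "
                         f"/{MIN_SUBNET_PREFIXLEN} or larger")
    target = required_scale_units(rdp_sessions, ssh_sessions)
    effective_units = BASIC_SKU_UNITS if current_sku == "Basic" else current_units
    if effective_units >= target:
        return []
    steps = []
    if current_sku == "Basic":
        steps.append(f"az network bastion update -g {rg} -n {name} --sku Standard")
    steps.append(f"az network bastion update -g {rg} -n {name} --scale-units {target}")
    return steps


if __name__ == "__main__":
    # TD1: Basic SKU, /26 subnet, 90 users expected to connect concurrently over RDP.
    for step in plan("TD-RG", "TD1", "Basic", 2, "10.0.1.0/26", rdp_sessions=90):
        print(step)
```

For the scenario in the question the plan is two steps, upgrade then scale to five instances; if all 90 sessions were SSH the same code would ask for three. Either way the first command is the SKU change, which is why "Upgrade the SKU of TD1" is the correct first action.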
References:
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings