test 19 Flashcards
You need to use traffic analytics to analyze NSG flow logs in Azure Network Watcher to gain insights into traffic flow in your virtual network, vnet01. Which of the following is NOT a prerequisite resource for you to create?
A. Data Collection Rule
B. Network Security Group
C. Storage Account
D. Log Analytics workspace
A. Data Collection Rule
Explanation:
Why A is correct:
Data Collection Rule (DCR) is not a prerequisite for enabling traffic analytics in Azure Network Watcher. Traffic analytics uses Log Analytics workspace, NSG flow logs, and a storage account to store and analyze data.
DCR is used to manage and configure data ingestion into Azure Monitor, but it is not required specifically for analyzing NSG flow logs with traffic analytics.
Why the other options are wrong:
B. Network Security Group (NSG):
NSGs are required because NSG flow logs record the inbound and outbound traffic that is allowed or denied by the NSG rules. Without NSGs, there would be no flow logs to analyze.
C. Storage Account:
NSG flow logs must be stored in a storage account. Traffic analytics pulls these logs from the storage account for analysis.
D. Log Analytics workspace:
Traffic analytics requires a Log Analytics workspace to process and visualize the flow logs. This workspace provides the insights into traffic flow and security.
You have three resource groups in your Azure subscription. You deploy Azure Virtual Machine and its related resources in the rg-dev-01 resource group. Given below are two statements based on the above information. Select Yes if the statement is correct. Else select No.
A. Yes, No
B. No, Yes
C. Yes, Yes
D. No, No
Following are the resources deployed in your Azure subscription.
a. An App Service app running in an App Service plan.
b. The virtual network vnet01 with subnet01.
c. Azure Firewall (with a public IP configuration) deployed in an AzureFirewallSubnet in vnet01.
Select and place the steps you would perform so that all outbound traffic from the app is inspected by the Azure Firewall and the traffic is allowed/blocked based on the firewall rules.
A. Delegate the subnet to Microsoft.web/serverfarms
B. Create a route table
C. Add a route to route the traffic from subnet01 to Azure Firewall
D. Associate the route table with subnet01
Using Azure Bicep, you need to create a resource group and deploy an Azure Virtual Network to the resource group. In Visual Studio Code, you have two Bicep files: X] A main.bicep file defines a resource group. Y] A vnet.bicep file defines a virtual network that’s deployed to the resource group. As shown above, the main.bicep file defines a module that references the vnet.bicep file. What property would you add to the module to fix the error?
A. Params
B. Properties
C. dependsOn
D. Scope
Why D (Scope) is correct:
In Azure Bicep, a module is used to deploy resources defined in a separate Bicep file. When deploying a module, if the resources in the module target a specific resource group or subscription that is different from the parent template, you must specify the scope for the module.
Since the main.bicep file defines a resource group, and the vnet.bicep file deploys a virtual network to that resource group, you need to set the scope property for the module in the main.bicep file to the appropriate resource group.
For example:
module vnet 'vnet.bicep' = {
  name: 'vnetModule'
  scope: resourceGroup('your-resource-group-name')
  …
}
There are three blob containers, source1, source2, and source3, with a Public access level of Container, Blob, and Private, respectively, in the strdev011 storage account. There are two more blob containers, target1 and target2, with a Public access level of Container and Private, respectively, in the strdev012 storage account. There is a backup file in every source container. Which of the following azcopy commands helps you copy the backup file to either target1 or target2? Select two options.
A. azcopy copy '[MASKED].windows.net/source1' '[MASKED].windows.net/target1<SAS token>' --recursive
B. azcopy copy '[MASKED].windows.net/source2<SAS token>' '[MASKED].windows.net/target1' --recursive
C. azcopy copy '[MASKED].windows.net/source2/bak.exe' '[MASKED].windows.net/target2<SAS token>' --recursive
D. azcopy copy '[MASKED].windows.net/source2' '[MASKED].windows.net/target2<SAS token>' --recursive
User One with the Azure RBAC role Contributor at the resource group scope can access data in Azure blobs using the storage account key via shared key authorization in the Azure portal. Select and place (in any order) the steps you would perform to: 1. Disable key-based authorization only for User One. 2. Enable read access to data in Azure blobs via Microsoft Entra ID authentication in the Azure portal for User One.
A. Enable Default to Microsoft Entra authorization in the Azure portal
B. Assign the Storage Blob Data Reader role
C. Disable Allow storage account key access
D. Remove the Contributor role
You are planning to create an internal load balancer in Azure for your workloads. Which of the following resources needs to be compulsorily created while/before creating the load balancer?
A. Public IP address
B. Backend pool
C. Virtual Network
D. A load balancer rule
Why C (Virtual Network) is correct:
A Virtual Network (VNet) is a mandatory resource for creating an internal load balancer in Azure. An internal load balancer is deployed within a VNet to provide load balancing for resources inside the VNet, such as virtual machines or other services.
Without a VNet, there is no network in which the internal load balancer can function or connect to the backend resources.
Why the other options are wrong:
A. Public IP address:
A Public IP address is not required for an internal load balancer. Internal load balancers use a private IP address from the VNet to provide services within the internal network.
B. Backend pool:
A Backend pool is required to associate resources (e.g., virtual machines) with the load balancer, but it is not required before creating the load balancer. You can create a backend pool as part of the load balancer configuration or after the load balancer is created.
D. A load balancer rule:
A load balancer rule defines how traffic is distributed to the backend pool. However, it is not required to create the load balancer. You can add rules after the load balancer is created.
You have two virtual machines, vm01 & vm02, connected to two different subnets in a virtual network in the East US region. A SQL Server hosting a SQL database is also deployed in the same region. Users connect to the VMs using the Azure Bastion service. The VMs do not have any instance-level public IP address. You need to allow traffic to SQL Server only from the private IP of vm01. Solution: You configure the SQL Server firewall to: a. Allow only the private IP of vm01. b. Enable Allow Azure services and resources to access this server. Does the solution meet the stated goal?
A. Yes
B. No
B. No
Why the solution does not meet the goal:
Allow only the private IP of vm01:
Configuring the SQL Server firewall to allow only the private IP of vm01 is a valid step. This ensures that SQL Server can accept traffic from vm01’s private IP.
Enable “Allow Azure services and resources to access this server”:
Enabling this setting allows all Azure services within the same subscription to access the SQL Server. This broadens access far beyond just vm01, which contradicts the requirement to restrict traffic to only vm01.
Issues with this configuration:
The “Allow Azure services and resources to access this server” option creates a wide-open firewall rule that permits traffic from any service in Azure, including services unrelated to your workload. This compromises the goal of restricting access only to vm01.
How to meet the goal:
To ensure that SQL Server traffic is allowed only from vm01:
Configure the SQL Server firewall rule to allow the private IP of vm01.
Do not enable the “Allow Azure services and resources to access this server” setting, as it allows broader access than required.
You have two virtual machines, vm01 & vm02, connected to two different subnets in a virtual network in the East US region. A SQL Server hosting a SQL database is also deployed in the same region. Users connect to the VMs using the Azure Bastion service. The VMs do not have any instance-level public IP address. You need to allow traffic to SQL Server only from the private IP of vm01. Solution: You configure the virtual network service endpoint for Microsoft.Sql service on the subnet of vm01. Does the solution meet the stated goal?
A. Yes
B. No
A. Yes
Why the solution meets the goal:
Virtual Network Service Endpoint for Microsoft.Sql:
Configuring a service endpoint for the Microsoft.Sql service on the subnet of vm01 allows traffic from the subnet’s resources (including vm01) to securely communicate with Azure SQL Server.
This method restricts access to Azure SQL Server to resources in the specified subnet of the virtual network, which aligns with the goal of allowing traffic only from the private IP of vm01.
Traffic Restrictions:
When the service endpoint is enabled, Azure SQL Server recognizes traffic from vm01’s subnet as originating from within the allowed VNet, without requiring a public IP or broad permissions like enabling “Allow Azure services and resources to access this server.”
Since vm01 is the only machine in the subnet allowed through the service endpoint, traffic from vm02 or other sources is excluded.
How the Service Endpoint Achieves the Goal:
By enabling the Microsoft.Sql service endpoint for the specific subnet:
You ensure that only resources within that subnet (including vm01) can access the SQL Server.
Azure SQL Server is protected from traffic originating outside the virtual network or from other subnets unless explicitly allowed.
You have two virtual machines, vm01 & vm02, connected to two different subnets in a virtual network in the East US region. A SQL Server hosting a SQL database is also deployed in the same region. Users connect to the VMs using the Azure Bastion service. The VMs do not have any instance-level public IP address. You need to allow traffic to SQL Server only from the private IP of vm01. Solution: You configure a private endpoint for Azure SQL Server in subnet01. Does the solution meet the stated goal?
A. Yes
B. No
B. No
Why the solution does not meet the goal:
Private Endpoint Behavior:
A private endpoint for Azure SQL Server creates a private IP address within the subnet (subnet01) that allows secure access to the SQL Server from resources inside the virtual network.
While a private endpoint ensures that traffic to SQL Server remains private and within the virtual network, it does not inherently restrict access to only the private IP of vm01. Instead, any resource in subnet01 can potentially access SQL Server through the private endpoint.
Requirement to Restrict Access to vm01:
The goal is to restrict SQL Server traffic to only the private IP of vm01. Configuring a private endpoint in subnet01 does not restrict traffic to vm01 specifically; it only confines access to the subnet.
How to Achieve the Goal:
To meet the requirement of restricting SQL Server access only to vm01:
Use Network Security Groups (NSGs) on subnet01 to enforce a rule that allows only vm01’s private IP to communicate with the SQL Server private endpoint.
Alternatively, if using service endpoints, configure SQL Server firewall rules to allow traffic only from vm01’s private IP.
Why Other Approaches Work Better:
Without additional controls (e.g., NSGs), a private endpoint allows access from all resources in the associated subnet (subnet01). This is broader than the requirement to restrict access to vm01 specifically.
From Visual Studio Code, you publish the below app to the App Service app with two deployment slots: Production and Staging. From the client manager, you receive a request to add one more line as shown below: After you swap the staging slot with the production slot, you realize that the update is not successful in production, and you need to get your “last known good site” back. Which of the following actions offers the best/easiest solution?
A. Create another deployment slot and deploy the app to the slot
B. Swap the slot with source: staging and target: production
C. Redeploy the app
D. Swap the slot with source: production and target: staging
D. Swap the slot with source: production and target: staging
Why this is correct:
Deployment Slots in App Service:
Deployment slots allow you to deploy updates to a staging environment without affecting the production site. After verifying that the update works as expected in staging, you can swap the slots to promote the update to production.
Rolling Back with Slot Swapping:
If an update deployed to staging and swapped to production causes an issue, the easiest way to roll back is to swap the slots again (with the previous production content in the staging slot). This effectively restores the “last known good site” to production without needing to redeploy the app.
Key Point:
When you swap slots, the content and configuration of the two slots are exchanged. Swapping back will reverse this and restore the previous state.
Why the other options are incorrect:
A. Create another deployment slot and deploy the app to the slot:
Creating a new slot and redeploying the app is not necessary and adds unnecessary complexity. The issue can be resolved much faster by simply swapping the slots back.
B. Swap the slot with source: staging and target: production:
This is essentially what caused the problem in the first place. Repeating this swap will not help restore the “last known good site” because the updated (problematic) code will still be in the production slot.
C. Redeploy the app:
Redeploying the app to production is unnecessary when the “last known good site” is already available in the staging slot. Redeploying takes additional time and effort compared to a simple slot swap.
You have a virtual machine and its related resources in a resource group. A daily job backs up the VM to a Recovery Services Vault. After a few months, you no longer require the VM, so you delete the backup data in the vault and try to delete the resource group and all its resources. You were able to delete all resources in the resource group except the vault. What sequence of steps would you follow to delete the group and the vault?
A. Delete the backup policy, Disable soft delete for backups, Delete backup data, Delete resource group
B. Undelete the restore points, Disable soft delete for backups, Delete backup data, Delete resource group
C. Disable soft delete for backups, Delete the backup policy, Delete backup data, Delete resource group
D. Undelete the restore points, Delete backup data, Disable soft delete for backups, Delete resource group
You need to publish two Azure App Service apps, one with a runtime stack ASP.NET v4.8 and another running on Python 3.12. Further, the apps should meet the following requirements: Can autoscale based on rules, Allows daily backups, Provides at least four staging slots. Based on the given information, answer the below two questions:
A. 1, Standard S1
B. 1, Basic B1
C. 2, Basic B1
D. 2, Standard S1
You have two resource groups in different locations in your Azure subscription. Two Azure Private DNS zones, bigstuff.com and birdsource.com, are created in each resource group. Also, two virtual networks, one in the South Central US and the other in the North Europe location, are deployed. Finally, the two private DNS zones are linked with the two VNets as shown below: Given below are two statements based on the above information. Select Yes if the statement is correct. Else select No.
A. Yes, No
B. Yes, Yes
C. No, No
D. No, Yes
You have three VMs, two Windows and one Linux, deployed across two VNets in your Azure subscription. A private Azure DNS zone named bigstuff.com is linked to the two virtual networks, vnet01 and vnet02, with auto-registration enabled and disabled, respectively. Given below are three statements based on the above information. Select Yes if the statement is correct. Else select No.
A. No, No, No
B. No, Yes, Yes
C. Yes, No, Yes
D. Yes, Yes, No
In your Microsoft Entra ID tenant, you have to add nearly 100 users. You plan to use the bulk create operation feature. Which of the following user attributes are NOT mandatory to include while uploading the CSV file? Select two options.
A. Name
B. First Name
C. Usage location
D. Block sign in
Below are two statements based on associating Azure public IP addresses with an Azure Firewall. Select Yes if the statement is correct. Else select No.
A. Yes, No
B. Yes, Yes
C. No, Yes
D. No, No
You have four virtual machines, two running and two deallocated in the East US and North Europe locations as shown below. Further, there are two Azure Recovery Services Vaults in the East US region. The virtual machine vm03 is already protected with daily backups to the Recovery Services Vault, vault02. Which of the given VMs can you back up to vault01?
A. Only vm01
B. Only vm01 and vm03
C. Only vm01, vm02 and vm04
D. Only vm01 and vm04
You have three VMs across two subnets in your Azure virtual network. Each VM accepts and/or denies a different type of traffic. At any point in time, only one VM is in a running status. Based on this information, answer the below two questions:
A. 1,3
B. 1,1
C. 3,1
D. 3,3