test16 Flashcards

1
Q

Your on-premises network contains an SMB share named Share1.
You have an Azure subscription that contains the following resources:
✑ A web app named webapp1
✑ A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1.
What should you deploy?

A. an Azure Application Gateway
B. an Azure Active Directory (Azure AD) Application Proxy
C. an Azure Virtual Network Gateway
which option is correct? why correct?

A

C. an Azure Virtual Network Gateway
Why C is correct:
SMB share connectivity:
SMB (Server Message Block) is an application-layer file-sharing protocol carried over TCP port 445. A share that lives on-premises is reachable only over private IP addressing and should never be published to the Internet.
To let an Azure resource (webapp1) reach an on-premises resource (Share1), you need a hybrid connectivity solution that carries private traffic between VNET1 and the on-premises network.
Azure Virtual Network Gateway:
An Azure Virtual Network Gateway (VPN gateway) provides an encrypted IPsec tunnel between VNET1 and the on-premises network (Site-to-Site VPN), or a Point-to-Site VPN that a single client can dial in to.
webapp1 must also be given VNet integration with VNET1. Once its outbound traffic enters VNET1, it follows the route through the gateway to Share1.
Integration path:
webapp1 → VNet integration → VNET1 → Virtual Network Gateway → IPsec tunnel → On-premises network → SMB share (Share1)
Check: from the app's Kudu console, a tcpping to the file server on port 445 confirms that routing and the on-premises firewall admit the traffic before you try to mount the share.
Why the other options are incorrect:
A. Azure Application Gateway
Purpose: Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer and web application firewall for inbound web traffic.
Why incorrect: SMB is not HTTP. Application Gateway neither terminates TCP 445 nor provides a path from Azure to an on-premises network.
B. Azure Active Directory (Azure AD) Application Proxy
Purpose: Azure AD Application Proxy publishes on-premises web applications (HTTP/HTTPS) to remote users behind Azure AD pre-authentication.
Why incorrect: It proxies inbound browser traffic to web applications, not arbitrary TCP protocols. SMB file shares cannot be published through it, and it does not give an Azure web app a route to on-premises.

2
Q

You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:
Policy name *
Policy1
Backup schedule
Frequency * Time * Timezone *
Daily 11:00 PM (UTC) Coordinated Universal Time
Instant Restore
Retain instant recovery snapshot(s) for
2 Day(s)
Retention range
Retention of daily backup point.
At For Day(s)
11:00 PM 30
Retention of weekly backup point.
On * At For Week(s)
Sunday 11:00 PM 10
Retention of monthly backup point.
Week Based Day Based
On * At For Month(s)
1 11:00 PM 36
Retention of yearly backup point.
Week Based Day Based
In * On * At For Year(s)
March 1 11:00 PM 10
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Answer Area
The backup that occurs on Sunday, March 1, will be retained for [answer choice].
30 days
10 weeks
36 months
10 years
The backup that occurs on Sunday, November 1, will be retained for [answer choice].
30 days
10 weeks
36 months
10 years
Which choice is correct for each statement in the answer area? Why?

A

Analyzing the Policy1 Configuration

Daily Backup:

Time: 11:00 PM UTC

Retention: 30 Days

Weekly Backup:

Day: Sunday

Time: 11:00 PM UTC

Retention: 10 Weeks

Monthly Backup:

Day of Month: 1

Time: 11:00 PM UTC

Retention: 36 Months

Yearly Backup:

Month: March

Day of Month: 1

Time: 11:00 PM UTC

Retention: 10 Years

Determining Retention Periods

Backup on Sunday, March 1:

Analysis: This backup satisfies every tier: it is a daily backup, it falls on a Sunday (weekly), it is the 1st of the month (monthly, day based), and it is March 1 (yearly, day based). Azure Backup tags a single recovery point with every tier it matches and prunes it only when the longest of those retentions has expired, so the 10-year yearly retention applies.

Answer: 10 years

Backup on Sunday, November 1:

Analysis: This backup is a daily backup, falls on a Sunday (weekly), and is the 1st of the month, so the day-based monthly tier also applies. It does not match the yearly tier, which fires only on March 1. The longest matching retention is the monthly one, so the recovery point is kept for 36 months.

Answer: 36 months

Answer Area:

The backup that occurs on Sunday, March 1, will be retained for: 10 years

The backup that occurs on Sunday, November 1, will be retained for: 36 months
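The tier evaluation above, as an added example (not part of the flashcard and not Azure's own code): Policy1 is transcribed from the exhibit, and the functions model the rule that one recovery point matches every tier whose schedule it satisfies and is pruned only when the longest matching retention has elapsed. The year 2020 is used because March 1 and November 1 both fall on a Sunday that year.

```python
"""Which retention tier of Policy1 keeps a daily Azure Backup recovery point."""
import calendar
from datetime import date, timedelta

# Policy1 as shown in the exhibit: day-based monthly and yearly tiers.
POLICY1 = {
    "daily":   {"days": 30},
    "weekly":  {"weekday": calendar.SUNDAY, "weeks": 10},
    "monthly": {"days_of_month": {1}, "months": 36},
    "yearly":  {"month_days": {(3, 1)}, "years": 10},  # (month, day) pairs
}


def add_months(d: date, months: int) -> date:
    """Shift d by whole months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def matching_tiers(policy: dict, taken: date) -> list[str]:
    """Every tier whose schedule the recovery point taken on `taken` satisfies."""
    tiers = ["daily"]  # a scheduled backup always counts as a daily point
    if taken.weekday() == policy["weekly"]["weekday"]:
        tiers.append("weekly")
    if taken.day in policy["monthly"]["days_of_month"]:
        tiers.append("monthly")
    if (taken.month, taken.day) in policy["yearly"]["month_days"]:
        tiers.append("yearly")
    return tiers


def tier_expiry(policy: dict, tier: str, taken: date) -> date:
    """Date on which the given tier's retention for this point runs out."""
    if tier == "daily":
        return taken + timedelta(days=policy["daily"]["days"])
    if tier == "weekly":
        return taken + timedelta(weeks=policy["weekly"]["weeks"])
    if tier == "monthly":
        return add_months(taken, policy["monthly"]["months"])
    if tier == "yearly":
        return add_months(taken, 12 * policy["yearly"]["years"])
    raise ValueError(tier)


def effective_retention(policy: dict, taken: date) -> tuple[str, date]:
    """(label, expiry) of the matching tier that keeps the point the longest."""
    labels = {
        "daily":   f'{policy["daily"]["days"]} days',
        "weekly":  f'{policy["weekly"]["weeks"]} weeks',
        "monthly": f'{policy["monthly"]["months"]} months',
        "yearly":  f'{policy["yearly"]["years"]} years',
    }
    winner = max(matching_tiers(policy, taken),
                 key=lambda t: tier_expiry(policy, t, taken))
    return labels[winner], tier_expiry(policy, winner, taken)


def retention_for(policy: dict, iso_day: str) -> tuple[str, str]:
    """String-in, string-out wrapper: ISO date -> (label, ISO expiry date)."""
    label, expiry = effective_retention(policy, date.fromisoformat(iso_day))
    return label, expiry.isoformat()


if __name__ == "__main__":
    for day in ("2020-03-01", "2020-11-01", "2020-11-08", "2020-11-09"):
        d = date.fromisoformat(day)
        print(f"{day} ({d:%A}): {matching_tiers(POLICY1, d)} -> {retention_for(POLICY1, day)}")
```

Running it shows the two card dates plus two controls: a plain Sunday (November 8) falls back to the 10-week weekly tier, and a Monday (November 9) keeps only the 30-day daily retention.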

3
Q

You have an Azure subscription.
You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking.
You need to restrict network traffic between the pods.
What should you configure on the AKS cluster?

A. the Azure network policy
B. the Calico network policy
C. pod security policies
D. an application security group

A

I think the correct answer is B.
The question describes “the pods will use kubenet networking.”

To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).

Azure Network Policies support Azure CNI only. Calico Network Policies support both Azure CNI (Windows Server 2019 and Linux) and kubenet (Linux).

Hence, the correct answer is B.

4
Q

You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a wildcard certificate for contoso.com.

You have a user named user1@contoso.com that is assigned the Owner role for App1 and KV1.

You need to configure App1 to use the wildcard certificate of KV1.

What should you do first?

A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.
B. Assign a managed user identity to App1.
C. Configure KV1 to use the role-based access control (RBAC) authorization system.
D. Create an access policy for KV1 and assign the policy to User1.
which one is correct? why correct?

A

The correct answer is A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.
Explanation:
When App1 imports a certificate from Key Vault, it is not App1's own identity that reads the secret. The App Service resource provider, represented in the tenant by the service principal named Microsoft Azure App Service, retrieves the certificate from KV1 and keeps it in sync when the certificate renews. By default that principal has no access to your vault, so before the import can succeed you must grant it read (Get) permission on secrets in KV1, which is what option A does.
Why the other options are incorrect:
B. A managed identity on App1 is what the application's own code would use to read secrets at runtime; certificate import by App Service does not use it, so assigning one does not unblock the import.
C. Switching KV1 to the RBAC permission model is an alternative to access policies, not a prerequisite. If the vault already uses RBAC, the equivalent step is a role assignment that grants secret read access to the same App Service principal.
D. user1 is already Owner of KV1 (a control-plane role). A data-plane access policy for the user does not help App1, because the user is not the identity that performs the import.
Steps:
1. Grant the Microsoft Azure App Service service principal Get permission on secrets in KV1 (an access policy, or the equivalent role assignment under RBAC).
2. In App1, import the Key Vault certificate under TLS/SSL settings and bind it to the contoso.com custom domain.
This keeps the private key inside Key Vault, where its access is audited, rather than uploading a PFX to the app.

4
Q

Your company’s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you decide to recover the VM’s files.
Which of the following is TRUE in this scenario?

A. You can only recover the files to the infected VM.
B. You can recover the files to any VM within the company’s subscription.
C. You can only recover the files to a new VM.
D. You will not be able to recover the files.
which one is correct? why correct?

A

Analyzing the Situation

Azure VMs: The company uses Azure VMs running Windows Server 2016.

Daily Backups: One VM is backed up daily with Azure Backup Instant Restore.

Ransomware Infection: The VM is infected, and file recovery is needed.

Determining the Correct Statement

Let’s evaluate each option:

A. You can only recover the files to the infected VM.

Analysis: This is incorrect. You can recover files to the original VM, but the recovery script runs on any compatible machine.

B. You can recover the files to any VM within the company’s subscription.

Analysis: This is the correct statement. File Recovery generates a script that mounts the recovery point's disks as iSCSI volumes on whichever machine runs it; that machine only needs a compatible operating system and outbound connectivity to the recovery service. You can run it on the infected VM, on another existing VM, or on a newly created one. In a ransomware response you would run it on a clean VM, copy the files out, and never mount backups on the compromised host.

C. You can only recover the files to a new VM.

Analysis: This option is incorrect, as you can restore to the existing virtual machine as well as a new virtual machine.

D. You will not be able to recover the files.

Analysis: The backup has been performed and there is no indication that the backup has been corrupted, therefore the files can be recovered. This option is incorrect.

The Correct Statement

The correct statement is: You can recover the files to any VM within the company’s subscription.

Answer:

B. You can recover the files to any VM within the company’s subscription.

5
Q

You have an Azure subscription.

You plan to migrate 50 virtual machines from VMware vSphere to the subscription.

You create a Recovery Services vault.

What should you do next?

A. Configure an extended network.
B. Create a recovery plan.
C. Deploy an Open Virtualization Application (OVA) template to vSphere.
D. Configure a virtual network.
which one is correct? why correct?

A

Understanding Azure Site Recovery for VMware

Azure Site Recovery (ASR): An Azure service used for disaster recovery and migration of virtual machines, including VMware vSphere VMs to Azure.

Recovery Services Vault: A container for managing ASR operations.

Configuration Server: A virtual machine (VM) that is deployed on vSphere that configures the environment, performs replication, and allows communication to the Recovery Services vault. The configuration server is deployed using the Open Virtualization Application (OVA) template.

Extended network: Azure Extended Network stretches an on-premises subnet into Azure (a Windows Server networking feature); it plays no part in Site Recovery setup.

Recovery Plan: An orchestration plan for failover/failback, usually created after the resources are set up and protected.

Virtual Network: A basic requirement for Azure resources, but it will be created as part of the replication process.

Analyzing the Requirements

Migration from vSphere: We need to migrate 50 VMware VMs to Azure.

Recovery Services Vault Created: A vault already exists, and is the central point of management for the migration.

Determining the Correct Next Step

Let’s evaluate the options:

A. Configure an extended network.

Analysis: This is incorrect. Stretching a subnet into Azure is not part of the Site Recovery workflow; replication needs the configuration server, not an extended network.

B. Create a recovery plan.

Analysis: While a recovery plan will be needed for the final failover step, it is not required before configuring the migration. Therefore, this is not the next step.

C. Deploy an Open Virtualization Application (OVA) template to vSphere.

Analysis: This is the correct next step. Before virtual machines can be replicated to Azure, a configuration server must be deployed on the on-premises vSphere environment. This configuration server provides the connection to the Azure environment, and enables replication of the virtual machines. The configuration server is deployed using the provided OVA template.

D. Configure a virtual network.

Analysis: While a virtual network will be needed, this is created as part of the replication configuration, so is not the next action to perform. This action is not correct.

The Correct Next Step

The correct next step is to Deploy an Open Virtualization Application (OVA) template to vSphere.

Answer:

C. Deploy an Open Virtualization Application (OVA) template to vSphere.

6
Q

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
Create a virtual machine
PROJECT DETAILS

Subscription: MyDev-Test Subscription
Resource group: RG1
(Create new)
INSTANCE DETAILS

Virtual machine name: VM1

Region: (US) West US 2

Availability options: No infrastructure redundancy required

Image: Windows Server 2016 Datacenter
(Browse all public and private images)

Azure Spot instance: No

Size: Standard DS1 v2

1 vCPU, 3.5 GiB memory (ZAR 632.47/month)
(Change size)
Tabs on top:
Basics | Disks | Networking | Management | Advanced | Tags | Review + create

Top notification
“⚠ Changing Basic options may reset selections you have made. Review all options prior to creating the virtual machine.”

The planned disk configurations for VM1 are shown in the following exhibit.
Disks
Description:
“Azure VMs have one operating system disk and a temporary disk for short-term storage. You can attach additional data disks. The size of the VM determines the type of storage you can use and the number of data disks allowed. Learn more”

Disk options

OS disk type: Standard HDD
(The selected VM size supports premium disks. We recommend Premium SSD for high IOPS workloads. Virtual machines with Premium SSD disks qualify for the 99.9% connectivity SLA.)

Enable Ultra Disk compatibility (Preview):

Yes
No (selected)
(Ultra Disks are only available when using Managed Disks.)
Data disks

“You can add and configure additional data disks for your virtual machine or attach existing disks. This VM also comes with a temporary disk.”
(Note: Adding unmanaged data disks is currently not supported at the time of VM creation. You can add them after the VM is created.)
Advanced

Use managed disks:

No (selected)
Yes
Storage account:

(new) rg1 disks799
(Create new)
Tabs on top:
Basics | Disks | Networking | Management | Advanced | Tags | Review + create

You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Use managed disks
B. OS disk type
C. Availability options
D. Size
E. Image
which option is correct? why correct?

A

The correct answers are A and C:
A. Use managed disks
C. Availability options
Here’s why these are the correct answers:
Use managed disks (A):
Availability Zones require managed disks
The current configuration shows “Use managed disks: No”
Unmanaged disks are not supported in Availability Zones
You must change this to “Yes” to enable Availability Zone support
Availability options (C):
Current setting shows “No infrastructure redundancy required”
To use Availability Zones, you need to change this setting to “Availability zone”
This setting must be modified to select a specific Availability Zone for the VM
Why the other options are incorrect:
B. OS disk type:
While Premium SSD is recommended for better performance, the disk type itself doesn’t affect Availability Zone compatibility
Standard HDD can work with Availability Zones as long as it’s managed
D. Size:
The current size (Standard DS1 v2) supports Availability Zones
VM size doesn’t determine Availability Zone compatibility
E. Image:
Windows Server 2016 Datacenter is supported in Availability Zones
The image selection doesn’t affect Availability Zone compatibility
Key requirements for Availability Zones:
Must use managed disks
Must explicitly select an Availability Zone in the availability options
Must be in a region that supports Availability Zones
Therefore, to enable VM1 to be created in an Availability Zone, you need to:
Change “Use managed disks” from No to Yes
Modify “Availability options” to select a specific Availability Zone

7
Q

You have the Azure virtual machines shown in the following table:

Name Azure region
VM1 West Europe
VM2 West Europe
VM3 North Europe
VM4 North Europe

You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
What should you do first?
A. Create a new Recovery Services vault
B. Create a storage account
C. Configure the extensions for VM3 and VM4
D. Create a new backup policy
which option is correct? why correct?

A

The correct answer is A: Create a new Recovery Services vault.
Here’s why:
Recovery Services Vault Regional Limitations:
Recovery Services vaults are region-specific
A single vault can only protect resources within the same region
VM1 and VM2 are in West Europe and are protected by an existing vault
VM3 and VM4 are in North Europe (different region)
Why a new vault is needed:
You cannot use the existing vault in West Europe to protect VMs in North Europe
Each region requires its own Recovery Services vault
This is a fundamental architectural requirement for Azure Backup
Why other options are incorrect:
B. Create a storage account
Storage accounts are not a prerequisite for Azure VM backup
The Recovery Services vault manages the backup storage automatically
This is not the first step in protecting new VMs
C. Configure the extensions for VM3 and VM4
Extensions can’t be configured without a vault in place
This is a subsequent step after creating the vault
The backup extension is automatically managed by Azure Backup
D. Create a new backup policy
Backup policies are created within a Recovery Services vault
You can’t create a policy without first having a vault
This would be a later step in the process
The correct sequence of steps would be:
Create a new Recovery Services vault in North Europe
Configure backup policies in the new vault
Enable protection for VM3 and VM4
Configure any necessary extensions
Therefore, creating a new Recovery Services vault is the first and necessary step to protect VM3 and VM4, as they are in a different region from the existing vault.

8
Q

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

| Name | Type |
|---|---|
| storage1 | Azure Storage account |
| VNET1 | Virtual network |
| VM1 | Azure virtual machine |
| VM1Managed | Managed disk for VM1 |
| RVAULT1 | Recovery Services vault for the site recovery of VM1 |

You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?

A. VM1, storage1, VNET1, and VM1Managed only
B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only

A

Understanding Azure Resource Moves

Cross-Subscription Moves: Moving resources to a different Azure subscription is possible for many resource types.

Resource Dependencies: Some resources have dependencies on other resources, which must be moved together, or in the correct order.

Resource Types: Not all resource types support cross-subscription moves.

Virtual Machines: Virtual machines depend on multiple resources such as their disks, network interface and virtual network.

Managed disk: A managed disk attached to a VM is moved together with the VM in the same move operation; an attached disk cannot be left behind or moved on its own.

Recovery Services vault: A vault is itself a movable resource, but it carries its own protected items and replication settings, so the move should be validated before it is run.

Analyzing the Resources

storage1: Azure Storage account.

VNET1: Virtual network.

VM1: Azure virtual machine.

VM1Managed: Managed disk for VM1.

RVAULT1: Recovery Services vault for the site recovery of VM1.

Determining Movable Resources

Let’s analyze which resources can be moved to AZPT2 and if they have dependencies:

storage1: Storage accounts can be moved to a different subscription.

VNET1: Virtual networks can be moved to a different subscription, but a virtual machine cannot be moved to a different subscription if its virtual network remains behind.

VM1: Virtual machines can be moved to a different subscription if all its associated resources are also moved, such as disks and network interfaces.

VM1Managed: VM1's managed disk moves as part of the same operation as VM1; neither the VM nor an attached disk can be moved while the other stays behind.

RVAULT1: Recovery Services vaults support cross-subscription moves, and the vault's configuration travels with it. Before any cross-subscription move, run the Resource Manager validate-move operation (for example `az resource invoke-action --action validateMoveResources` against the source resource group with the list of resource IDs and the target) to surface blocking dependencies without changing anything.

The Correct Set of Resources to Move

Based on the analysis, the resources that can be moved to AZPT2 are: VM1, storage1, VNET1, VM1Managed, and RVAULT1

Answer:

C. VM1, storage1, VNET1, VM1Managed, and RVAULT1

9
Q

You have the Azure virtual machines shown in the following table:

Name Azure region
VM1 West Europe
VM2 West Europe
VM3 North Europe
VM4 North Europe
You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
What should you do first?

A. Create a new Recovery Services vault
B. Create a storage account
C. Configure the extensions for VM3 and VM4
D. Create a new backup policy

A

Understanding Azure Recovery Services Vaults

Recovery Services Vaults: Used for backing up Azure virtual machines and other workloads.

Region Scope: A Recovery Services vault can only protect resources in the same Azure region.

VM Protection: To protect a VM using Recovery Services, it must be in the same region as the Recovery Services vault.

Analyzing the Situation

VM1 and VM2: Located in West Europe, protected by a Recovery Services vault.

VM3 and VM4: Located in North Europe, needing protection.

Current Vault: A vault already exists in West Europe that does not contain the VMs.

Determining the First Action

Let’s evaluate the options:

A. Create a new Recovery Services vault

Analysis: This is the correct first action. Since VM3 and VM4 are in North Europe, you need to create a new Recovery Services vault in the North Europe region, as the current vault is in West Europe.

B. Create a storage account

Analysis: A storage account is required for some backups, but is not the first step in this process. This step is incorrect.

C. Configure the extensions for VM3 and VM4

Analysis: Extensions are related to VM configuration and are not necessary to be configured before creating a new vault for the virtual machines. This option is incorrect.

D. Create a new backup policy

Analysis: A backup policy is required, but a vault must be created before policies can be created. This option is incorrect.

The Correct First Step

The correct first action is to create a new Recovery Services vault in the North Europe region.

Answer:

A. Create a new Recovery Services vault

10
Q

You have an Azure subscription that contains the vaults shown in the following table.

| Name | Type |
|---|---|
| Recovery1 | Recovery Services vault |
| Backup1 | Azure Backup vault |

You deploy the virtual machines shown in the following table.

| Name | Operating system | Security configuration |
|---|---|---|
| VM1 | Windows Server | Azure Disk Encryption |
| VM2 | Linux | Trusted launch |

You have the backup policies shown in the following table.

| Name | Type | In vault |
|---|---|---|
| Policy1 | Standard | Recovery1 |
| Policy2 | Enhanced | Recovery2 |
| Policy3 | Not applicable | Backup1 |

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.
Answer Area

Statements Yes No
VM1 can be backed up by using Policy1.
VM2 can be backed up by using Policy3.
VM2 can be backed up by using Policy2.

A

Understanding Azure Backup Policies and Vaults

Recovery Services vault: The vault type that protects Azure virtual machines, SQL Server and SAP HANA running in Azure VMs, Azure file shares, and on-premises workloads through the MARS agent or MABS.

Azure Backup vault: A newer vault type for Data Protection workloads such as Azure Disks, Azure Blobs, Azure Database for PostgreSQL and AKS. It does not back up Azure virtual machines; VM backup exists only in Recovery Services vaults.

Backup policies: Define schedule and retention. A policy belongs to exactly one vault.

Standard policy: The original Azure VM policy (one backup per day, instant-restore snapshots kept up to 5 days). It supports VMs that use Azure Disk Encryption.

Enhanced policy: The newer Azure VM policy (multiple backups per day, snapshots kept up to 30 days, zonally resilient). It is mandatory for Trusted launch VMs, which cannot be protected by a standard policy.

Azure Disk Encryption (ADE): Guest-level BitLocker or dm-crypt encryption with keys in Key Vault. Backup of ADE-encrypted VMs is supported with the standard policy and requires that the vault be granted access to the key vault.

Trusted launch: Generation 2 VMs with Secure Boot and a virtual TPM.

Analyzing the Resources

Recovery1: Recovery Services vault, contains Policy1 (Standard).

Backup1: Azure Backup vault, contains Policy3. Its type is shown as Not applicable because Backup vault policies are not Azure VM policies.

Policy2: Enhanced Azure VM policy in Recovery2. Recovery2 appears only in the policy table, but an Enhanced policy can exist only in a Recovery Services vault, so Recovery2 is one.

VM1: Windows Server with Azure Disk Encryption.

VM2: Linux with Trusted launch.

Analyzing the Statements

“VM1 can be backed up by using Policy1.”

Analysis: Policy1 is a Standard Azure VM policy in a Recovery Services vault. ADE-encrypted VMs are supported by the standard policy; the vault needs permissions on the key vault, which Azure Backup prompts for when backup is enabled.

Answer: Yes

“VM2 can be backed up by using Policy3.”

Analysis: Policy3 lives in an Azure Backup vault, which has no Azure VM backup workload at all. The vault type is the blocker, regardless of VM2's configuration.

Answer: No

“VM2 can be backed up by using Policy2.”

Analysis: VM2 uses Trusted launch, which Azure Backup supports only through the Enhanced policy. Policy2 is an Enhanced policy in the Recovery Services vault Recovery2, so VM2 can be protected with it (the vault must be in VM2's region, as for any VM backup).

Answer: Yes

Answer Area

Statements Yes No
VM1 can be backed up by using Policy1. Yes
VM2 can be backed up by using Policy3. No
VM2 can be backed up by using Policy2. Yes

11
Q

HOTSPOT -
You have two Azure App Service apps named App1 and App2. Each app has a production deployment slot and a test deployment slot.
The Backup Configuration settings for the production slots are shown in the following table:

App Backup Every Start backup schedule from Retention (Days) Keep at least one backup
App1 1 Days January 6, 2021 0 Yes
App2 1 Days January 6, 2021 30 Yes
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Hot Area:

Answer Area

Statements Yes No
On January 15, 2021, App1 will have only one backup in storage. ( ) ( )
On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021. ( ) ( )
On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot. ( ) ( )

A

Understanding Azure App Service Backups

Backup Configuration: Defines how often backups are created, when they start, and how long they are retained.

Retention (Days): Specifies how long a backup is retained before being deleted.

Keep at Least One Backup: Ensures that the most recent backup is never deleted, regardless of the retention period.

Deployment Slots: Can be backed up separately, including both production and test slots.

Analyzing the Backup Configurations

App1 Production Slot:

Backup Every: 1 Day

Start Date: January 6, 2021

Retention: 0 Days

Keep at Least One Backup: Yes

App2 Production Slot:

Backup Every: 1 Day

Start Date: January 6, 2021

Retention: 30 Days

Keep at Least One Backup: Yes

Analyzing the Statements

“On January 15, 2021, App1 will have only one backup in storage.”

Analysis: In App Service backup configuration, Retention (Days) = 0 does not mean “delete immediately”; it is the sentinel for keeping backups indefinitely. App1 therefore accumulates one backup per day from January 6 and has ten of them on January 15. “Keep at least one backup” only matters when a retention window would otherwise leave the app with no backup at all.

Answer: No

“On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021.”

Analysis: Backup configuration is per slot, and the table covers only the production slots. Nothing backs up the App2 test slot, so there is no January 15 test-slot backup to access.

Answer: No

“On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot.”

Analysis: App2 retains backups for 30 days, so on January 15 the January 6 backup still exists. A backup can be restored to the app and slot it came from, to another slot, or to a different App Service app, so restoring it to the test slot is allowed.

Answer: Yes

Answer Area

Statements Yes No
On January 15, 2021, App1 will have only one backup in storage. No
On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021. No
On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot. Yes
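The retention behaviour behind the first and third statements, as an added example (not part of the flashcard and not App Service code): the two production-slot rows are transcribed from the table. The model assumes one backup per interval starting on the start date, that a day's backup has already run when that day is queried, that Retention (Days) = 0 means keep indefinitely, and that an out-of-window backup is pruned unless it is the only one left and “Keep at least one backup” is on. The two sparse configurations are hypothetical and exist only to make that last switch observable.

```python
"""Which App Service backups still exist on a given day under a Backup Configuration."""
from datetime import date, timedelta

# Production-slot rows transcribed from the card.
APP1 = {"start": date(2021, 1, 6), "every_days": 1, "retention_days": 0, "keep_at_least_one": True}
APP2 = {"start": date(2021, 1, 6), "every_days": 1, "retention_days": 30, "keep_at_least_one": True}

# Hypothetical configurations (not on the card): a backup only every 45 days
# with a 30-day window, so the newest backup ages out of the window.
SPARSE_KEEP = {"start": date(2021, 1, 6), "every_days": 45, "retention_days": 30, "keep_at_least_one": True}
SPARSE_DROP = {"start": date(2021, 1, 6), "every_days": 45, "retention_days": 30, "keep_at_least_one": False}


def backups_in_storage(cfg: dict, on: date) -> list[date]:
    """Backup dates still present at the end of day `on`."""
    taken = []
    d = cfg["start"]
    while d <= on:                            # every scheduled run up to and including `on`
        taken.append(d)
        d += timedelta(days=cfg["every_days"])
    if not taken:
        return []
    if cfg["retention_days"] == 0:            # 0 = retain indefinitely, nothing is pruned
        return taken
    cutoff = on - timedelta(days=cfg["retention_days"])
    kept = [b for b in taken if b >= cutoff]  # backups inside the retention window
    if not kept and cfg["keep_at_least_one"]:
        kept = [taken[-1]]                    # the newest backup survives regardless of age
    return kept


def count_on(cfg: dict, iso_day: str) -> int:
    """Number of backups in storage on an ISO date."""
    return len(backups_in_storage(cfg, date.fromisoformat(iso_day)))


def is_available(cfg: dict, iso_taken: str, iso_on: str) -> bool:
    """Whether the backup taken on iso_taken can still be restored on iso_on."""
    return date.fromisoformat(iso_taken) in backups_in_storage(cfg, date.fromisoformat(iso_on))


if __name__ == "__main__":
    print("App1 backups on 2021-01-15:", count_on(APP1, "2021-01-15"))
    print("App2 Jan 6 backup restorable on Jan 15:", is_available(APP2, "2021-01-06", "2021-01-15"))
    print("App2 Jan 6 backup restorable on Feb 6:", is_available(APP2, "2021-01-06", "2021-02-06"))
    print("Sparse schedule, keep-at-least-one on/off:",
          count_on(SPARSE_KEEP, "2021-02-15"), count_on(SPARSE_DROP, "2021-02-15"))
```

The second and third prints show why the restore in the third statement is time-sensitive: by February 6 the January 6 backup of App2 has aged out of its 30-day window, so the restore has to happen while the backup still exists.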

12
Q

HOTSPOT -
You have the storage accounts and virtual machines shown in the following tables.

| Name | Kind | Location | File share | Identity-based access for file share |
|---|---|---|---|---|
| storage1 | Storage (general purpose v1) | West US | sharea | Azure Active Directory Domain Services (Azure AD DS) |
| storage2 | StorageV2 (general purpose v2) | East US | shareb, sharec | Disabled |
| storage3 | BlobStorage | East US 2 | Not applicable | Not applicable |
| storage4 | FileStorage | Central US | shared | Azure Active Directory Domain Services (Azure AD DS) |

| Name | IP address | Location | Connected to |
|---|---|---|---|
| VM1 | 10.0.1.4 | West US | VNET1/Subnet1 |
| VM2 | 10.0.2.4 | West US | VNET1/Subnet2 |
| VM3 | 172.16.1.4 | Central US | VNET2/Subnet1 |
| VM4 | 192.168.1.4 | West US | VNET3/Subnet1 |
| VM5 | 10.0.22.4 | East US | VNET4/Subnet1 |

You need to configure Azure Backup to back up the file shares and virtual machines.
What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
Recovery Services vaults:
1
2
3
4
7
Backup policies:
1
2
3
4
5
6

A

Understanding Azure Backup and Recovery Services Vaults

Recovery Services Vault: A container for backups, where you manage the protection of Azure resources.

Backup Policies: Define the backup schedule, retention, and other backup settings for different types of resources.

Resource Location: Azure resources can only be backed up to a Recovery Services vault within the same region.

Resource Types: Different types of resources (VMs, file shares) may use different backup policies.

Vault and Policy Combinations: The number of vaults and policies depends on the location of resources and the desired backup frequency.

Azure File Share Backups: File share backups can be created to the same or another recovery services vault as virtual machines.

Analyzing the Resources

File Shares:

sharea (in storage1): West US

shareb and sharec (in storage2): East US

shared (in storage4): Central US

Virtual Machines:

VM1 and VM2: West US

VM3: Central US

VM4: West US

VM5: East US

Determining Minimum Number of Vaults and Policies

Recovery Services Vaults:

We need at least one Recovery Services vault for the West US region to back up VM1, VM2, VM4, and sharea.

We need at least one Recovery Services vault for the East US region to backup VM5, shareb and sharec.

We need at least one Recovery Services vault for the Central US region to back up VM3 and shared.

Therefore, we need a minimum of 3 Recovery Services vaults.

Backup Policies:

A backup policy is an object inside one vault; it cannot be referenced from another vault. It is also bound to a workload type: an Azure VM policy cannot be applied to an Azure file share, and vice versa.

Each of the three vaults therefore needs one policy for its virtual machines and one for its file shares (West US: VM1, VM2, VM4 and sharea; East US: VM5 and shareb, sharec; Central US: VM3 and shared). storage3 is a BlobStorage account, which cannot hold file shares, so East US 2 needs neither a vault nor a policy.

Nothing in the scenario calls for different schedules per VM or per share, so one policy per workload type per vault is enough.

Therefore, we need a minimum of 6 backup policies (3 vaults × 2 workload types).

Answer Area:

Recovery Services vaults:
3

Backup policies:
6

13
Q

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

| Name | Type |
|---|---|
| storage1 | Azure Storage account |
| VNET1 | Virtual network |
| VM1 | Azure virtual machine |
| VM1Managed | Managed disk for VM1 |
| RVAULT1 | Recovery Services vault for the site recovery of VM1 |

You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
A. VM1, storage1, VNET1, and VM1Managed only
B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only

A

Understanding Azure Resource Moves

Cross-Subscription Moves: Moving resources to a different Azure subscription is possible for many resource types.

Resource Dependencies: Some resources have dependencies on other resources, which must be moved together, or in the correct order.

Resource Types: Not all resource types support cross-subscription moves.

Virtual Machines: Virtual machines depend on multiple resources, such as their disks, network interfaces, and virtual network.

Managed Disk: Managed disks do not depend on the virtual machine and can be moved independently.

Recovery Services vault: These resources are not tied to other resources.

Analyzing the Resources

storage1: Azure Storage account.

VNET1: Virtual network.

VM1: Azure virtual machine.

VM1Managed: Managed disk for VM1.

RVAULT1: Recovery Services vault for the site recovery of VM1.

Determining Movable Resources

Let’s analyze which resources can be moved to AZPT2 and if they have dependencies:

storage1: Storage accounts can be moved to a different subscription.

VNET1: Virtual networks can be moved to a different subscription, but a virtual machine cannot be moved to a different subscription if its virtual network remains behind.

VM1: Virtual machines can be moved to a different subscription if all of their associated resources, such as disks and network interfaces, are also moved.

VM1Managed: Managed disks can be moved independently of the virtual machine.

RVAULT1: Recovery Services vaults can be moved to a different subscription, and they are not tied to a specific virtual machine.

The Correct Set of Resources to Move

Based on the analysis, the resources that can be moved to AZPT2 are: VM1, storage1, VNET1, VM1Managed, and RVAULT1

Answer:

C. VM1, storage1, VNET1, VM1Managed, and RVAULT1

14
Q

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

✑ Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

You need to meet the user requirement for Admin1.

What should you do?

From the Subscriptions blade, select the subscription, and then modify the Properties.
From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.
From the Azure Active Directory blade, modify the Properties.
From the Azure Active Directory blade, modify the Groups.

A

Understanding Azure Roles and Subscriptions

Service Administrator: A legacy role that has full access to all resources within a subscription. Use of this role is no longer recommended.

Azure Role-Based Access Control (RBAC): A more granular method for managing access to Azure resources using roles and scopes.

Subscription Scope: RBAC roles can be assigned at different levels of scope (management group, subscription, resource group, or resource level).

Access Control (IAM): The correct place to grant users permissions on Azure resources.

Analyzing the Requirements

Admin1: Needs to be the service administrator of the Azure subscription.

User Requirements: Admin1 must also receive email alerts regarding service outages.

Analyzing the Options

Let’s evaluate each option:

From the Subscriptions blade, select the subscription, and then modify the Properties.

Analysis: Modifying subscription properties does not grant users administrative permissions. This option is incorrect.

From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.

Analysis: This is the correct approach. The Access control (IAM) settings for a subscription allow you to grant roles to users, groups, and service principals. The owner role will provide the required access, and will also grant access to email alerts regarding service outages.

From the Azure Active Directory blade, modify the Properties.

Analysis: Modifying the Azure AD properties does not provide access to Azure subscriptions. This option is incorrect.

From the Azure Active Directory blade, modify the Groups.

Analysis: Modifying groups in Azure AD does not grant administrative access to Azure subscriptions. This option is incorrect.

The Correct Solution

The correct solution is to modify the Access control (IAM) settings of the Azure subscription. You can then assign the Owner role to the user Admin1.

Answer:

From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.

15
Q

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

✑ Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

You need to move the blueprint files to Azure.

What should you do?

Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
Use the Azure Import/Export service.
Generate an access key. Map a drive, and then copy the files by using File Explorer.
Use Azure Storage Explorer to copy the files.

A

Understanding Azure Storage Upload Options

Azure Blob Storage: Service for storing large amounts of unstructured data, such as the blueprint files.

Shared Access Signature (SAS): A URI that grants delegated access to Azure Storage resources for a specified time.

Access Keys: Provide full access to a storage account. Should be avoided for external access.

Azure Storage Explorer: A client application that allows you to browse and manage Azure Storage resources.

Azure Import/Export Service: A service to send large amounts of data to a Microsoft Data Center using a hard drive.

Analyzing the Requirements

Blueprint Files to Blob Storage: Move blueprint files to Azure Blob storage.

Over the Internet: Use an internet connection for the transfer.

Blueprint files: These are normal files that can be copied via many methods.

Analyzing the Options

Let’s evaluate the options:

Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.

Analysis: While you can use a SAS to access Blob storage, you cannot map a drive to Blob storage directly and copy files by using File Explorer. This approach is not suitable. This option is incorrect.

Use the Azure Import/Export service.

Analysis: This is a method that involves sending hard drives to a Microsoft data center, and it is designed for transferring large amounts of data when internet speeds are a constraint. The requirements state that the data should be copied over the internet. This option is incorrect.

Generate an access key. Map a drive, and then copy the files by using File Explorer.

Analysis: Using an access key to map a drive is a security risk and should be avoided; it is also not the recommended method for copying data to Blob storage. This option is incorrect.

Use Azure Storage Explorer to copy the files.

Analysis: This is the correct approach. Azure Storage Explorer provides a graphical interface to easily upload files to Azure Blob storage over the internet, and it can use both SAS tokens and storage account keys. It is the easiest way to move the required files.

The Correct Action

The most efficient and secure method to move the files to Azure is to use Azure Storage Explorer to copy the files.

Answer:

Use Azure Storage Explorer to copy the files.

16
Q

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

✑ Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

You need to implement a backup solution for App1 after the application is moved.

What should you create first?

a recovery plan
an Azure Backup Server
a backup policy
a Recovery Services vault

A

Understanding Azure Backup

Azure Backup: A service for protecting Azure virtual machines, databases, and other workloads.

Recovery Services Vault: A container for managing backups and restores.

Backup Policy: Defines the schedule, retention, and other settings for a backup.

Azure Backup Server: An on-premises solution for backing up data and workloads that are not in Azure.

Recovery plan: Recovery plans are used for disaster recovery, and this is not part of the requirements.

Analyzing the Requirements

Backup Solution: App1 (comprising virtual machines) needs to be protected using backups.

Azure Backup: The planned solution is Azure Backup.

Determining the First Step

Let’s evaluate the options:

a recovery plan

Analysis: Recovery plans are used for disaster recovery orchestration and do not need to exist before the backup vault, so creating one is not the first step in setting up a backup. This option is incorrect.

an Azure Backup Server

Analysis: Azure Backup Server is an on-premises solution and will not allow backups of the Azure-based virtual machines. This option is incorrect.

a backup policy

Analysis: Backup policies are required, but they cannot be created until the Recovery Services vault exists. Therefore, this option is incorrect.

a Recovery Services vault

Analysis: This is the correct first step. You need to create the Recovery Services vault before you can configure backup policies and back up the virtual machines. It is the main container for performing the required action.

The Correct First Step

The correct first step is to create a Recovery Services vault.

Answer:

a Recovery Services vault

17
Q

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

✑ Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

HOTSPOT

You need to recommend a solution for App1. The solution must meet the technical requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Number of virtual networks:
1
2
3
Number of subnets:
1
2
3

A

Understanding the Requirements

App1 Tiers: App1 consists of three tiers: a SQL database, a web front end, and a processing middle tier.

Minimize Open Ports: The solution must minimize open ports between the App1 tiers. This means that network isolation must be implemented for each tier.

Virtual Machines: Each tier is comprised of virtual machines.

Analyzing the Network Configuration Options

Virtual Networks:

Virtual networks provide a logical boundary for network resources.

Using a single VNet simplifies management.

Using multiple virtual networks adds security complexity, but it is not required to meet the requirement of minimizing the ports between the App1 tiers.

Subnets:

Subnets segment a virtual network, enabling you to control traffic flow with network security rules.

Separate subnets per tier can minimize the number of open ports by limiting access to each layer with NSGs.

Determining the Correct Configuration

Number of Virtual Networks:

1: A single virtual network is sufficient to meet the requirements. While multiple virtual networks could be used, this would not be the most optimal solution based on the given requirements. Using a single virtual network simplifies management without sacrificing security.

2 or 3: These options would add more complexity than required and are not the most cost-effective solution.

Number of Subnets:

3: Using three subnets (one for each tier) allows us to isolate each tier and reduces the number of open ports between the tiers. A network security group can be created to allow only the ports required between the tiers.

1 or 2: These options would not allow for isolation between the tiers.

Answer Area:

Number of virtual networks:

1

Number of subnets:

3

18
Q

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

✑ Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

You are planning the move of App1 to Azure.

You create a network security group (NSG).

You need to recommend a solution to provide users with access to App1.

What should you recommend?

Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

A

Understanding Network Security Groups (NSGs)

NSG Rules: Control inbound and outbound traffic to Azure resources.

Priority: Rules are evaluated in order of priority (lower number = higher priority).

Action: Each rule has an action (Allow or Deny).

Protocol and Port: Rules specify the protocol (TCP, UDP, etc.) and port.

Source and Destination: Rules specify the source and destination of the traffic.

Inbound Rules: Control traffic entering resources.

Outbound Rules: Control traffic leaving resources.

Scope: NSGs can be applied to subnets or network interfaces.

Analyzing the Requirements

App1 Access: Users access the web front-end of App1 using HTTPS only (port 443).

NSG Purpose: We need to control traffic to App1 using network security groups.

Security Principle: Only necessary traffic should be allowed.

Analyzing the Options

“Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.”

Analysis: This is incorrect because users initiate the connection to the web application (inbound), not the other way around. Outgoing rules control traffic leaving the virtual machines. Also associating the NSG to all subnets when only the web servers need to be exposed is incorrect.

“Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.”

Analysis: This is better, but it would expose every subnet to Internet traffic, not just the subnet of the web servers. The rule should be applied only to the web servers' subnet. This option is incorrect.

“Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.”

Analysis: This is the correct solution. It allows HTTPS traffic from the internet to reach the web front end, and it applies the rule only to the specific subnet where the web servers are located. This is the most optimal approach.

“Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.”

Analysis: This option is incorrect because users connect to the web servers, not from them. Outbound rules control traffic leaving the virtual machines.

The Correct Recommendation

The most secure and appropriate solution is to create an incoming rule for port 443 from the internet, and only apply the rule to the subnet that contains the web servers.

Answer:

Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

19
Q

Overview

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment

Currently, Contoso uses multiple types of servers for business operations, including the following:

✑ File servers

✑ Domain controllers

✑ Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1.

App1 is comprised of the following three tiers:

✑ A SQL database

✑ A web front end

✑ A processing middle tier

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements

Planned Changes

Contoso plans to implement the following changes to the infrastructure:

✑ Move all the tiers of App1 to Azure.

✑ Move the existing product blueprint files to Azure Blob storage.

✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Move all the virtual machines for App1 to Azure.

✑ Minimize the number of open ports between the App1 tiers.

✑ Ensure that all the virtual machines for App1 are protected by backups.

✑ Copy the blueprint files to Azure over the Internet.

✑ Ensure that the blueprint files are stored in the archive storage tier.

✑ Ensure that partner access to the blueprint files is secured and temporary.

✑ Prevent user passwords or hashes of passwords from being stored in Azure.

✑ Use unmanaged standard storage for the hard disks of the virtual machines.

✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

✑ Minimize administrative effort whenever possible.

User Requirements

Contoso identifies the following requirements for users:

✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.

✑ Ensure that a new user named User3 can create network objects for the Azure subscription.

You need to identify the storage requirements for Contoso.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Statements:

Contoso requires a storage account that supports Blob storage.

Contoso requires a storage account that supports Azure Table storage.

Contoso requires a storage account that supports Azure File Storage.

A

Understanding the Requirements

Blueprint Files: Contoso needs to move their product blueprint files to Azure. These files will be stored in the archive storage tier and require secure, temporary access for partners.

Virtual Machine Storage: The virtual machines for App1 will use unmanaged standard storage for their hard disks.

No Direct User Requirement for Table or File Storage: The requirements do not mention other user related storage requirements.

Analyzing Storage Options

Blob Storage: Blob storage is ideal for storing unstructured data like text or binary data. In this case, the blueprint files fall under unstructured data, making Blob storage a good fit. Additionally, the requirement to use the archive tier is something that only blob storage can provide.

Table Storage: Table storage is a NoSQL key-value datastore, suitable for structured data. There’s no indication that Contoso needs this for their blueprints or virtual machine disks.

File Storage: File storage provides fully managed file shares in the cloud. The requirements focus on moving the blueprint files to Azure Blob storage; there is no requirement for a managed file share.

Answering the Statements:

Contoso requires a storage account that supports Blob storage. - Yes. The blueprint files must be stored in Blob storage, making this requirement essential.

Contoso requires a storage account that supports Azure Table storage. - No. There is no indication in the requirements that they require Table storage.

Contoso requires a storage account that supports Azure File Storage. - No. They must move blueprints to blob storage and no requirements dictate the need for Azure File storage.

Final Answer:

| Statement | Answer |
|---|---|
| Contoso requires a storage account that supports Blob storage. | Yes |
| Contoso requires a storage account that supports Azure Table storage. | No |
| Contoso requires a storage account that supports Azure File Storage. | No |

20
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.

✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

HOTSPOT

You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

container1:
storage2 only
storage2 and storage3 only
storage1, storage2, and storage3 only
storage2, storage3, and storage4 only
storage1, storage2, storage3, and storage4
share1:
storage2 only
storage4 only
storage2 and storage4 only
storage1, storage2, and storage4 only
storage1, storage2, storage3, and storage4

A

Understanding the Requirements

container1: This is a blob container, so it must reside in a storage account that supports blob storage.

share1: This is a file share, so it must reside in a storage account that supports file storage.

Cool Storage Tier: Both container1 and share1 should use the Cool storage tier.

Existing Storage Accounts: We need to examine the existing storage accounts to determine which can meet the requirements.

Analyzing the Storage Accounts

Here’s a breakdown of each storage account:

storage1:

Kind: Storage (general purpose v1)

Location: West US

File share: sharea

Identity-based access: Azure AD DS

Analysis: General purpose v1 can host both blob containers and file shares. However, it does not support the Cool storage tier.

storage2:

Kind: StorageV2 (general purpose v2)

Location: East US

File share: shareb, sharec

Identity-based access: Disabled

Analysis: General purpose v2 accounts can host both blob containers and file shares, and they also support the Cool storage tier.

storage3:

Kind: BlobStorage

Location: East US 2

File share: Not applicable

Identity-based access: Not applicable

Analysis: Supports only Blob storage and also supports the cool tier.

storage4:

Kind: FileStorage

Location: Central US

File share: shared

Identity-based access: Azure AD DS

Analysis: Supports only File shares. Also supports the Cool tier.

Determining the Correct Storage Accounts

container1:

Can use storage2, a general purpose v2 account that supports both the Cool tier and blob containers. It can also use storage3, a BlobStorage account that supports the Cool tier.

storage1 is not applicable, as it does not support the cool tier.

storage4 is not applicable, as it only supports file shares.

Therefore, the correct options are storage2 and storage3 only.

share1:

Can use storage2, a general purpose v2 account that supports both the Cool tier and file shares. It can also use storage4, a FileStorage account that supports the Cool tier.

storage1 is not applicable as it does not support the cool tier.

storage3 is not applicable as it only supports blob storage.

Therefore, the correct options are storage2 and storage4 only.

Answer:

container1: storage2 and storage3 only
share1: storage2 and storage4 only

21
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.

✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

HOTSPOT

You need to create storage5. The solution must support the planned changes.

Which type of storage account should you use, and which account should you configure as the destination storage account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Account kind:
BlobStorage
BlockBlobStorage
Storage (general purpose v1)
StorageV2 (general purpose v2)
Destination:
Storage1
Storage2
Storage3
Storage4

A

Understanding Azure Storage Account Types

General-purpose v1: Legacy storage account type supporting blobs, tables, queues, and files.

General-purpose v2: The recommended type for most scenarios, supporting blobs, tables, queues, and files. It offers lower storage costs.

BlobStorage: Designed solely for storing blobs.

FileStorage: Designed solely for storing Azure file shares.

Storage Replication: Replicates data to protect against outages, and this is specifically required for storage5.

Blob Service: Storage replication is specific to blob storage.

Analyzing the Requirements

storage5: Must support storage replication for the Blob service.

Planned changes: Specifically mentions the need for blob replication for this storage account.

Determining Correct Account Kind and Destination

Let’s evaluate the options:

Account kind:

BlobStorage: This is a valid option as it is a storage account designed for storing blobs, and it also supports the blob storage replication requirement.

BlockBlobStorage: This is not a valid storage account type. This option is incorrect.

Storage (general purpose v1): While a general purpose v1 account can store blobs, it does not support blob storage replication, and is a legacy storage account. This option is incorrect.

StorageV2 (general purpose v2): This is a valid option as it is a general purpose storage account, and it supports the blob storage replication requirement.

Destination: The destination options refer to other existing storage accounts rather than to a replication destination. As per the requirements, storage5 is the storage account that needs replication configured. Because we are configuring blob storage replication, this is not a required setting. The option would have to be storage5, which is not included as an option.

Therefore, the only correct option for the destination is “None of the above”, which is not a selectable option, therefore that part of the question will not be answerable.

Answer:

Account kind: StorageV2 (general purpose v2)
BlobStorage

Destination: None of the above (Not a selectable option)

Destination: “storage2”

22
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.

✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

HOTSPOT

You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical requirements.

Which role should you assign to each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

User1:
Contributor for RG1
Contributor for Sub1
Security Admin for RG1
Resource Policy Contributor for Sub1
User4:
Contributor for RG2
Contributor for Sub1
Security Admin for Sub1
Resource Policy Contributor for RG2

A

User1:
Resource Policy Contributor for Sub1

User4:
Resource Policy Contributor for RG2

23
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.

✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

You need to ensure that you can grant Group4 Azure RBAC read-only permissions to all the Azure file shares.

What should you do?

On storage1 and storage4, change the Account kind type to StorageV2 (general purpose v2).
Recreate storage2 and set Hierarchical namespace to Enabled.
On storage2, enable identity-based access for the file shares.
Create a shared access signature (SAS) for storage1, storage2, and storage4.

A

Understanding Azure File Shares and RBAC

Azure File Shares: Managed file shares hosted in Azure storage accounts.

Azure RBAC: Azure role-based access control provides fine-grained access management for Azure resources.

Identity-Based Access: RBAC on file shares requires identity-based access, where permissions are granted to Azure AD identities (users, groups).

Shared Access Signature (SAS): SAS provides temporary, delegated access to storage resources, but it is not an RBAC method.

Hierarchical Namespace: A feature of Azure Data Lake Storage Gen2, which is not necessary for RBAC for Azure File shares.

Analyzing the Options

“On storage1 and storage4, change the Account kind type to StorageV2 (general purpose v2).”

Analysis: Changing to StorageV2 is not required to enable RBAC on storage accounts, though StorageV2 is the recommended storage account type. This is not the correct option for applying RBAC to file shares.

“Recreate storage2 and set Hierarchical namespace to Enabled.”

Analysis: Hierarchical namespace is a feature of Azure Data Lake Storage Gen2, and is not required to apply RBAC to Azure file shares. Recreating the storage account is not the right action.

“On storage2, enable identity-based access for the file shares.”

Analysis: This is the correct approach. Enabling identity-based access is required to use RBAC to grant permissions to groups. Once enabled, you can use RBAC to grant permissions to Group4.

“Create a shared access signature (SAS) for storage1, storage2, and storage4.”

Analysis: SAS provides temporary, delegated access. It does not allow granting permissions using Azure RBAC for a group. This option is incorrect.

The Correct Solution

To grant Group4 read-only permissions to Azure file shares using RBAC, we must enable identity-based access for the file shares. We can then grant the appropriate RBAC permissions to Group4.

Answer:

On storage2, enable identity-based access for the file shares.

24
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.

✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

HOTSPOT

You implement the planned changes for NSG1 and NSG2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Statements
From VM1, you can establish a Remote Desktop session to VM2.
From VM2, you can ping VM3.
From VM2, you can establish a Remote Desktop session to VM3.

A

Understanding Network Security Groups (NSGs)

NSG Rules: Control inbound and outbound traffic to Azure resources.

Priority: Rules are evaluated in order of priority (lower number = higher priority).

Action: Each rule has an action (Allow or Deny).

Protocol and Port: Rules specify the protocol (TCP, UDP, etc.) and port.

Source and Destination: Rules specify the source and destination of the traffic.

Default Rules: NSGs have default rules allowing outbound traffic, and blocking all inbound from the internet.

Network Interface Association: NSGs can be associated with a network interface or a subnet.

Analyzing the Resources

VM1:

IP address: 10.0.1.4

Location: West US

Connected to: VNET1/Subnet1

NSG: NSG1 (associated to the network interface)

VM2:

IP address: 10.0.2.4

Location: West US

Connected to: VNET1/Subnet2

NSG: NSG2 (associated to the subnet)

VM3:

IP address: 172.16.1.4

Location: Central US

Connected to: VNET2/Subnet1

NSG: None

NSG1: Applied to the network interface of VM1

Inbound Rules:

Priority 500: Deny TCP 3389 from 10.0.2.0/24 to any destination.

Priority 1000: Allow ICMP from any source to the virtual network.

NSG2: Applied to VNET1/Subnet2

Outbound Rules:

Priority 200: Deny TCP 3389 from 10.0.0.0/16 to any virtual network destination.

Priority 400: Allow ICMP from 10.0.2.0/24 to 10.0.1.0/24.

Analyzing the Statements

“From VM1, you can establish a Remote Desktop session to VM2.”

Analysis: VM1 is connected to Subnet1, which has no NSG associated. VM2 is connected to Subnet2, which has an NSG associated. VM1 would initiate an outbound RDP connection to VM2. Because NSG2 contains only outbound rules, it does not affect traffic arriving at VM2, and the default outbound allow rule permits the traffic to reach VM2. However, the NSG applied to the network interface of VM1 denies inbound traffic from 10.0.2.0/24 on port 3389, so traffic from VM2 is denied at the VM1 network interface. The default NSG rules allow outbound traffic, so VM1 can reach VM2, but inbound traffic is blocked on VM1. Therefore VM1 will not be able to establish a Remote Desktop session.

Answer: No

“From VM2, you can ping VM3.”

Analysis: VM2 is on Subnet2, which has NSG2 associated with the subnet. The ICMP allow rule covers traffic from 10.0.2.0/24 (Subnet2) to 10.0.1.0/24, which does not include VM3, so the ping will be blocked. Also, VM3 is in a separate virtual network that is not peered to VNET1, so communication will not be possible. Therefore, VM2 cannot ping VM3.

Answer: No

“From VM2, you can establish a Remote Desktop session to VM3.”

Analysis: VM2 is on Subnet2, which has NSG2 associated with the subnet. The RDP deny rule applies to the source range 10.0.0.0/16, which includes VM2, so VM2 would be denied as well. In addition, VM3 is in a different virtual network that is not connected to VNET1 or Subnet2, so access is not possible. Therefore, VM2 cannot access VM3.

Answer: No

Answer Area:

Statements Yes No
From VM1, you can establish a Remote Desktop session to VM2. No
From VM2, you can ping VM3. No
From VM2, you can establish a Remote Desktop session to VM3. No

25
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.

✑ Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1.

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

You need to add VM1 and VM2 to the backend pool of LB1.

What should you do first?

Create a new NSG and associate the NSG to VNET1/Subnet1.
Connect VM2 to VNET1/Subnet1.
Redeploy VM1 and VM2 to the same availability zone.
Redeploy VM1 and VM2 to the same availability set.

A

Understanding Azure Load Balancers

Basic Load Balancer: A basic load balancer is used for basic traffic distribution. This type of load balancer does not require the virtual machines to be in the same availability set or availability zone.

Backend Pool: The group of virtual machines to which the load balancer distributes traffic.

Availability Sets: A logical grouping of VMs that protects your application from planned and unplanned maintenance.

Availability Zones: Physically separate locations within an Azure region that provide high availability and fault tolerance for applications.

Virtual Machine Placement: Virtual machines must be in the same region as the load balancer.

Analyzing the Situation

LB1: An internal Basic Azure Load Balancer, connected to VNET1/Subnet1.

VM1: In West US, connected to VNET1/Subnet1.

VM2: In West US, connected to VNET1/Subnet2.

Determining the First Step

Let’s evaluate the options:

“Create a new NSG and associate the NSG to VNET1/Subnet1.”

Analysis: NSGs are related to security, and are not required to connect virtual machines to a load balancer’s backend pool. While this may be a step you would take in a production environment, it is not the first step to add VMs to a load balancer, so this option is incorrect.

“Connect VM2 to VNET1/Subnet1.”

Analysis: This is the correct first step. The Basic Load Balancer must have the virtual machines within the same virtual network and subnet. Both virtual machines must be within the same subnet in order to be added to the load balancer.

While a basic load balancer does not have any requirements of using a specific availability set or zone, having a single subnet is required.

“Redeploy VM1 and VM2 to the same availability zone.”

Analysis: A basic load balancer does not have any requirements to have the virtual machines on the same availability zone. Therefore this is not the correct first step. This option is incorrect.

“Redeploy VM1 and VM2 to the same availability set.”

Analysis: A basic load balancer does not have any requirements to have the virtual machines on the same availability set. Therefore this is not the correct first step. This option is incorrect.

The Correct First Step

The correct first step to take is to connect VM2 to VNET1/Subnet1.

26
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements.

Which storage account should you identify?

storage4
storage1
storage2
storage3

A

Understanding Azure Network Watcher Flow Logs

NSG Flow Logs: Capture IP traffic information for a network security group (NSG).

Storage Account: NSG flow logs are stored in an Azure Storage account.

Retention Policy: The storage account must be able to retain logs for a specific period (8 months).

NSG and Storage Account Location: The NSG and storage account do not need to be in the same location, as there is no technical constraint to store the NSG flow logs outside of the region where the network security group has been created.

Analyzing the Requirements

Flow Logs for VM5: We need to enable flow logging for the network traffic of VM5.

Retention: The flow logs must be retained for eight months.

Storage Account: We need to identify a suitable storage account.

Analyzing the Storage Accounts

storage1:

Kind: Storage (general purpose v1)

Location: West US

Analysis: General purpose v1 storage accounts can be used for storing NSG flow logs, but are a legacy type of storage account.

storage2:

Kind: StorageV2 (general purpose v2)

Location: East US

Analysis: General purpose v2 storage accounts can be used for storing NSG flow logs; they are the newer and preferred storage account type.

storage3:

Kind: BlobStorage

Location: East US 2

Analysis: Blob storage accounts can be used for storing NSG flow logs.

storage4:

Kind: FileStorage

Location: Central US

Analysis: File storage accounts are not designed to store flow logs, and therefore this option is incorrect.

Determining the Correct Storage Account

The requirements do not state any other limitations to the storage account, other than being able to store NSG flow logs. The correct type of storage account will be able to store NSG flow logs.

storage1, storage2, and storage3 are all technically valid options.

storage4 is not a valid option.

The Best Option

While any of storage1, storage2 and storage3 would meet the technical requirements, storage2 is the best option, as it is a general purpose v2 storage account, and is a modern type of storage account.

Answer:

storage2

27
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

DRAG DROP

You need to configure the alerts for VM1 and VM2 to meet the technical requirements.

Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.

Actions
Configure the Diagnostic settings.
Collect Windows performance counters from the Log Analytics agents.
Create an alert rule.
Create an Azure SQL database.
Create a Log Analytics workspace.

Answer Area
1:
2:
3:

A

Understanding Azure Alerts and Monitoring

Azure Monitor: A service for collecting and analyzing telemetry data, including logs and metrics, and setting up alerts.

Log Analytics Workspace: A repository for collecting and analyzing log data from Azure resources.

Diagnostic Settings: Diagnostic settings must be configured to send logs from resources to a destination, such as a storage account or Log Analytics workspace.

Alert Rules: Define the conditions that trigger a notification when certain criteria are met.

Windows Performance Counters: Provide information about the operating system’s performance, such as disk space usage.

Analyzing the Requirements

Alert Trigger: An alert should be triggered when the free disk space on volume C is less than 20 GB for either VM1 or VM2.

Alert Type: Requires a metric alert which will be created from log analytics.

Log Destination: A log analytics workspace will be used as the destination for the log data.

Determining the Correct Sequence

Here’s the logical order of actions:

Create a Log Analytics workspace.

Explanation: Before you can collect any data or set up alerts, you need a Log Analytics workspace to store the data. This is a key step to setting up monitoring.

Configure the Diagnostic settings.

Explanation: Diagnostic settings define which logs and metrics will be collected, and where they will be stored. The diagnostics settings must be configured before collecting data.

Create an alert rule: Once the required logs are available in log analytics, an alert rule can be created to notify when the specified thresholds are reached.

Explanation: The alert rules are configured to notify on specific conditions. Once the data has been made available to Azure Monitor, then the alert rule can be configured.

Analyzing the Actions

Configure the Diagnostic settings: This action will enable the correct logs and metrics to be collected from the virtual machine.

Collect Windows performance counters from the Log Analytics agents: The log analytics agents are automatically installed when configuring the diagnostic settings. This is therefore not a separate step.

Create an alert rule: This action must be performed after the logs have been made available, in a Log Analytics workspace.

Create an Azure SQL database: Creating an Azure SQL database is not relevant to the requirements of monitoring disk space for virtual machines.

Create a Log Analytics workspace: This is a required first step before collecting log data.

Correct Sequence of Actions:

Create a Log Analytics workspace.

Configure the Diagnostic settings.

Create an alert rule.

Answer Area:

Create a Log Analytics workspace.

Configure the Diagnostic settings.

Create an alert rule.

28
Q

Overview

General Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment

Existing Environment

Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-premises Active Directory domain that syncs to the Azure AD tenant.

The Azure AD tenant contains the users shown in the following table.
Name Type Role
User1 Member None
User2 Guest None
User3 Member None
User4 Member None
Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.
Name Subnet Peered with
VNET1 Subnet1, Subnet2 VNET2
VNET2 Subnet1 VNET1, VNET3
VNET3 Subnet1 VNET2
VNET4 Subnet1 None
User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table.
Name IP address Location Connected to
VM1 10.0.1.4 West US VNET1/Subnet1
VM2 10.0.2.4 West US VNET1/Subnet2
VM3 172.16.1.4 Central US VNET2/Subnet1
VM4 192.168.1.4 West US VNET3/Subnet1
VM5 10.0.22.4 East US VNET4/Subnet1
No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.
Name Kind Location File share Identity-based access for file share
storage1 Storage (general purpose v1) West US sharea Azure Active Directory Domain Services (Azure AD DS)
storage2 StorageV2 (general purpose v2) East US shareb, sharec Disabled
storage3 BlobStorage East US 2 Not applicable Not applicable
storage4 FileStorage Central US shared Azure Active Directory Domain Services (Azure AD DS)

Requirements

Planned Changes

Contoso plans to implement the following changes:

✑ Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

✑ Create a storage account named storage5 and configure storage replication for the Blob service.

✑ Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
500 3389 TCP 10.0.2.0/24 Any Deny
1000 Any ICMP Any Virtual Network Allow
Associate NSG1 to the network interface of VM1.
Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.
Priority Port Protocol Source Destination Action
200 3389 TCP 10.0.0.0/16 Virtual Network Deny
400 Any ICMP 10.0.2.0/24 10.0.1.0/24 Allow

Associate NSG2 to VNET1/Subnet2.

Technical Requirements

Contoso must meet the following technical requirements:

✑ Create container1 and share1.

✑ Use the principle of least privilege.

✑ Create an Azure AD security group named Group4.

✑ Back up the Azure file shares and virtual machines by using Azure Backup.

✑ Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.

✑ Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.

✑ Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1

✑ Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

✑ Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

HOTSPOT

You need to configure Azure Backup to back up the file shares and virtual machines.

What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer Area
Recovery Services vaults:
1
2
3
4
7
Backup policies:
1
2
3
4
5
6

A

Understanding Azure Backup and Recovery Services Vaults

Recovery Services Vault: A container for managing backups and restores, and policies.

Backup Policies: Define the schedule, retention, and other backup settings.

Resource Location: An Azure resource can only be backed up to a Recovery Services vault that is located in the same region.

Resource Types: Different types of resources (VMs, file shares) may use different backup policies, and use different backup engines.

Vault and Policy Combinations: The number of vaults and policies depends on the location of resources and the desired backup strategy.

Azure File Share Backups: File share backups can be created to the same or another recovery services vault as virtual machines.

Analyzing the Resources

File Shares:

sharea (in storage1): West US

shareb and sharec (in storage2): East US

shared (in storage4): Central US

Virtual Machines:

VM1 and VM2: West US

VM3: Central US

VM4: West US

VM5: East US

Determining Minimum Number of Vaults and Policies

Recovery Services Vaults:

We need at least one Recovery Services vault for the West US region to back up VM1, VM2, VM4, and sharea.

We need at least one Recovery Services vault for the East US region to back up VM5, shareb and sharec.

We need at least one Recovery Services vault for the Central US region to back up VM3 and shared.

Therefore, we need a minimum of 3 Recovery Services vaults.

Backup Policies:

We can use one policy for all file shares which are supported by Recovery Services Vaults.

We can use one policy for all virtual machines which are supported by Recovery Services Vaults.

There is not any indication that different backup policies need to be used for each virtual machine or file share based on this scenario.

Therefore, we need a minimum of 2 backup policies (one for file shares and one for virtual machines).

Answer Area:

Recovery Services vaults:

3

Backup policies:

2

29
Q

HOTSPOT

You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1.

VM1 has the following configurations:

✑ Subnet: 10.0.0.0/24

✑ Availability set: AVSet

✑ Network security group (NSG): None

✑ Private IP address: 10.0.0.4 (dynamic)

✑ Public IP address: 40.90.219.6 (dynamic)

You deploy a standard, Internet-facing load balancer named slb1.

You need to configure slb1 to allow connectivity to VM1.

Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Before you create a backend pool on slb1, you must:
Create and assign an NSG to VM1
Remove the public IP address from VM1
Change the private IP address of VM1 to static

Before you can connect to VM1 from slb1, you must:
Create and configure an NSG
Remove the public IP address from VM1
Change the private IP address of VM1 to static

A

Understanding Azure Load Balancer

Standard Load Balancer: A type of load balancer in Azure that provides advanced features, including health probes, load balancing rules and backend pools, and availability zone support.

Internet-facing Load Balancer: A load balancer that uses a public IP address and is accessible from the internet.

Backend Pool: A group of virtual machines that receive traffic from the load balancer.

Availability Set: Distributes VMs across multiple fault and update domains to protect against hardware failures and planned reboots, but is not a requirement for a load balancer.

NSG: While not a requirement of a load balancer, a network security group is used to restrict traffic to virtual machines.

Private IP Address: The private IP address must be static for virtual machines that are in the backend pool.

Analyzing VM1 Configuration

Subnet: 10.0.0.0/24

Availability Set: AVSet

NSG: None

Private IP: 10.0.0.4 (dynamic)

Public IP: 40.90.219.6 (dynamic)

Analyzing the Requirements

slb1 Connectivity: VM1 needs to be reachable through the load balancer.

Standard Load Balancer: A standard load balancer has certain requirements to function correctly with VMs in the backend pool.

Determining Required Changes

Let’s evaluate the options:

Before you create a backend pool on slb1, you must:

“Create and assign an NSG to VM1”: While creating an NSG is good practice, it is not required to add a VM to a backend pool. This option is incorrect.

“Remove the public IP address from VM1”: This is correct. When using a load balancer, the public IP address of the virtual machine must be removed, as the traffic should be managed by the load balancer.

“Change the private IP address of VM1 to static”: This is a correct action. The virtual machine's private IP must be static when it is used in the backend pool of a standard load balancer.

Before you can connect to VM1 from slb1, you must:

“Create and configure an NSG”: While NSGs are recommended to secure traffic, they are not required to connect to VM1, therefore this is incorrect.

“Remove the public IP address from VM1”: This is a correct action as the public IP is not required as the connection is managed by the load balancer.

“Change the private IP address of VM1 to static”: This is a correct action. The standard load balancer requires the virtual machines to have static private IP addresses.

Answer Area:

Before you create a backend pool on slb1, you must:

Remove the public IP address from VM1

Before you can connect to VM1 from slb1, you must:

Change the private IP address of VM1 to static

29
Q

You have an Azure subscription that contains a virtual network named VNET1.

VNET1 contains the subnets shown in the following table.

Name Connected virtual machines
Subnet1 VM1, VM2
Subnet2 VM3, VM4
Subnet3 VM5, VM6

Each virtual machine uses a static IP address.

You need to create network security groups (NSGs) to meet following requirements:

  • Allow web requests from the internet to VM3, VM4, VM5, and VM6.
  • Allow all connections between VM1 and VM2.
  • Allow Remote Desktop connections to VM1.
  • Prevent all other network traffic to VNET1.

What is the minimum number of NSGs you should create?

1
3
4
12

A

Understanding Network Security Groups (NSGs)

NSG Scope: NSGs can be associated with subnets or network interfaces of virtual machines.

NSG Rules: Control inbound and outbound traffic based on port, protocol, source, and destination.

Rule Priority: Rules are evaluated in order of priority (lower number = higher priority).

Default Rules: NSGs have default rules (allow outbound and block all inbound from the internet).

Analyzing the Requirements

Web Access: Allow web requests from the internet (port 80 and 443) to VM3, VM4, VM5, and VM6.

VM1 and VM2 Connectivity: Allow all connections between VM1 and VM2

RDP to VM1: Allow RDP connections to VM1.

Prevent All Other Traffic: Block all other traffic to VNET1.

Determining the Minimum Number of NSGs

Let’s evaluate the placement of NSGs to meet the requirements:

Subnet NSGs:

We can use one NSG on Subnet2 to allow web requests from the internet to VM3 and VM4, as these two virtual machines are in the same subnet.

We can use one NSG on Subnet3 to allow web requests from the internet to VM5 and VM6, as these two virtual machines are in the same subnet.

We can use one NSG on Subnet1 to control traffic to VM1 and VM2. This rule can allow all connectivity between the two virtual machines, and to also allow access to RDP for VM1.

VM NSGs: We do not need to apply any additional network security groups to the network interface of the virtual machines.

The Minimum Number of NSGs

Based on the analysis, the minimum number of NSGs needed to meet all the requirements is 3 NSGs.
One NSG applied to Subnet1, one to Subnet2, and another to Subnet3.

Answer:

3

30
Q

You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.

The virtual machines host several applications that are accessible over port 443 to users on the Internet.

Your on-premises network has a site-to-site VPN connection to VNet1.

You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.

You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.

What should you do?

Modify the address space of the local network gateway.
Remove the public IP addresses from the virtual machines.
Modify the address space of Subnet1.
Create a deny rule in a network security group (NSG) that is linked to Subnet1.

A

Understanding Network Security

Public IP Addresses: Allow direct access to Azure resources from the internet.

RDP (Remote Desktop Protocol): Port 3389 (TCP), commonly used for remote administration of Windows servers.

HTTPS: Port 443 (TCP), used for secure web traffic.

Site-to-Site VPN: Provides a secure connection between an on-premises network and an Azure virtual network.

Network Security Groups (NSGs): Control inbound and outbound traffic to Azure resources.

Subnet Association: NSGs can be associated with subnets to apply security rules.

Deny Rules: Rules that explicitly block traffic from a specific source or destination.

Analyzing the Requirements

Block RDP from Internet: RDP access from the internet to the VMs must be blocked.

Allow RDP from On-Premises: RDP access to the VMs should still be possible from the on-premises network.

HTTPS Access: HTTPS access from the internet to the web applications on port 443 must remain available.

Subnet Scope: The solution must apply to all VMs on Subnet1.

Analyzing the Options

Let’s evaluate each option:

Modify the address space of the local network gateway.

Analysis: The local network gateway is used for the site-to-site VPN connection and is not related to RDP access from the internet. This will not address the requirements, and this option is incorrect.

Remove the public IP addresses from the virtual machines.

Analysis: Removing the public IP addresses would prevent all access from the internet, including HTTPS access to the applications. This does not meet all requirements, and therefore is incorrect.

Modify the address space of Subnet1.

Analysis: Modifying the address space of the subnet will not block RDP access, and will not address the requirements. This option is incorrect.

Create a deny rule in a network security group (NSG) that is linked to Subnet1.

Analysis: This is the correct solution. By associating an NSG to Subnet1 and creating a deny rule to block all RDP traffic from the internet, but allowing traffic from the on-premises IP address range, we can achieve the requirements. The NSG should allow HTTPS from the internet to allow access to the applications.

The Correct Solution

The correct solution is to create a deny rule in a network security group (NSG) that is linked to Subnet1 to block RDP from the internet. The rule should allow RDP from the on-premises network.

Answer:

Create a deny rule in a network security group (NSG) that is linked to Subnet1.

31
Q

You have an Azure subscription that contains two virtual machines named VM1 and VM2. You create an Azure load balancer.

You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.

Which two additional load balancer resources should you create before you can create the load balancing rule? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

a frontend IP address
a backend pool
a health probe
an inbound NAT rule
a virtual network

A

Understanding Azure Load Balancer Components

Load Balancing Rule: Defines how traffic is distributed to the backend pool.

Frontend IP Address: The public or private IP address that the load balancer uses to receive traffic.

Backend Pool: The group of virtual machines that receive the load-balanced traffic.

Health Probe: A check that determines the health and availability of the backend VMs.

Inbound NAT Rule: Used to forward traffic from a frontend IP address to a specific port on a backend VM.

Virtual Network: The virtual network is a pre-requisite for the virtual machines and the load balancer, not for the load balancing rule.

Analyzing the Requirements

HTTPS Traffic: The load balancer should be used for HTTPS traffic (port 443).

Load Balance Between VMs: Load balance traffic between VM1 and VM2.

Determining Required Resources

Let’s go through each resource option:

a frontend IP address: This is correct. A frontend IP address is required so that the traffic is sent to the load balancer.

a backend pool: This is correct. The load balancer distributes traffic to virtual machines contained in the backend pool. Therefore this is required.

a health probe: This is correct. A health probe monitors the health of the virtual machines in the backend pool, and ensures traffic is not sent to unhealthy virtual machines.

an inbound NAT rule: Inbound NAT rules are required when trying to RDP or SSH to a particular virtual machine, but are not needed for load balancing rules. This option is not required.

a virtual network: The virtual network is a prerequisite for a virtual machine or load balancer; it does not need to be configured in order to create the load balancing rule.

Correct Resources to Create

The two required load balancer resources are:

A frontend IP address

A backend pool

A health probe.

Answer:

a frontend IP address
a backend pool
a health probe

31
Q

HOTSPOT

You plan to use Azure Network Watcher to perform the following tasks:

  • Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine
  • Task2: Validate outbound connectivity from an Azure virtual machine to an external host

Which feature should you use for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Task1:
IP flow verify
Next hop
Packet capture
Security group view
Traffic Analytics
Task2:
Connection troubleshoot
IP flow verify
Next hop
NSG flow logs
Traffic Analytics

A

Understanding Azure Network Watcher

Azure Network Watcher: A service for monitoring, diagnosing, and gaining insights into your network in Azure.

IP Flow Verify: Verifies if a packet is allowed or denied based on the configuration of Network Security Groups (NSGs).

Next Hop: Determines the next hop for traffic going from a virtual machine.

Packet Capture: Captures network traffic to a storage account. Useful for advanced troubleshooting.

Security Group View: Allows you to see the applied NSGs to a network interface or a subnet.

Traffic Analytics: Processes NSG flow logs to provide insights into network traffic patterns.

Connection Troubleshoot: Troubleshoots connectivity from one resource to another.

NSG Flow Logs: Allows capture of traffic information to a storage account.

Analyzing the Requirements

Task1: Identify a security rule preventing a packet from reaching a VM.

Task2: Validate outbound connectivity from a VM to an external host.

Determining Correct Features

Let’s evaluate the options for each task:

Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine

IP flow verify: This is the correct tool. It directly analyzes the NSG rules to determine whether a given network packet is allowed or denied based on a defined configuration.

Next hop: This is used to determine the next hop in the network and not the NSG that is blocking the traffic.

Packet capture: While a packet capture could help identify a blocked packet, it is not the tool for this specific task.

Security group view: Allows you to see the applied NSGs to a network interface or a subnet, but this doesn’t tell you if the traffic will be allowed or denied based on the rule configuration.

Traffic Analytics: Traffic analytics is for analyzing network traffic patterns, and is not the correct tool to determine if a specific packet is blocked by an NSG.

Task2: Validate outbound connectivity from an Azure virtual machine to an external host

Connection troubleshoot: This is the correct tool. It directly tests connectivity between two endpoints, providing results of successful or failed connection, and the routing used to reach the endpoint.

IP flow verify: This is used to verify NSG rules and not connectivity.

Next hop: This is used to determine the next hop in the network and not connectivity.

NSG flow logs: NSG Flow Logs captures IP traffic, but does not directly validate outbound connectivity.

Traffic Analytics: Traffic analytics is for analyzing network traffic patterns, and is not the correct tool to validate connectivity.

Answer Area:

Task1:
IP flow verify

Task2:
Connection troubleshoot

32
Q

HOTSPOT

You have an Azure subscription that contains a virtual network named VNet1.

VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table.

| Name | IP address range |
|---|---|
| Subnet0 | 10.0.0.0/24 |
| Subnet1 | 10.0.1.0/24 |
| Subnet2 | 10.0.2.0/24 |
| GatewaySubnet | 10.0.254.0/24 |

Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.

You need to route all inbound traffic to VNet1 through VM1.

How should you configure RT1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer Area

Address prefix:

10.0.0.0/16
10.0.1.0/24
10.0.254.0/24

Next hop type:

Virtual appliance
Virtual network
Virtual network gateway

Assigned to:

GatewaySubnet
Subnet0
Subnet1 and Subnet2

A

Understanding Azure Routing

Routing Table: Contains rules to route network traffic within a virtual network.

User-Defined Routes (UDRs): Custom routes that can be applied to subnets to override default Azure routing.

Address Prefix: Defines the destination IP address range that the route applies to.

Next Hop Type: Specifies where the traffic should be routed.

Virtual Appliance: A virtual machine that acts as a router or firewall.

Virtual Network: Traffic is routed to another virtual network.

Virtual Network Gateway: Traffic is routed to an Azure VPN gateway.

Analyzing the Requirements

All Inbound Traffic: All inbound traffic to VNet1 must go through VM1.

VM1: A virtual appliance on Subnet1 that is used as the router.

VNet1: A virtual network which requires a UDR.

Determining the Correct Configuration

Let’s evaluate the options:

Address prefix: The address prefix refers to the destination IP addresses that the routing table applies to.

10.0.0.0/16: This is the correct address prefix. All inbound traffic to VNet1 is within the 10.0.0.0/16 address space, and this will allow traffic for the entire virtual network.

10.0.1.0/24 - While VM1 is on this subnet, the requirement is to route all inbound traffic, not traffic to this subnet.

10.0.254.0/24 - This is the address range for the gateway subnet, and is not relevant in this scenario.

Next hop type:

Virtual appliance: This is the correct option. We are routing the traffic to a VM, so this is the appropriate option.

Virtual network: This is used when sending traffic to another virtual network, this option is incorrect.

Virtual network gateway: This is used when routing traffic to a virtual network gateway, this option is incorrect.

Assigned to:

Subnet1 and Subnet2: This is the correct option. As all traffic must go through VM1, the routing table must be applied to all subnets except for the one that contains the router. The routing table must be applied to all subnets to be routed via VM1. All subnets must have this UDR applied, except for Subnet1, otherwise it would result in a routing loop.

GatewaySubnet - This subnet does not contain virtual machines and therefore does not need to have a UDR applied to it.

Subnet0 - The UDR needs to be applied to all subnets except the one where the virtual appliance is, and this option does not include all the required subnets.

Answer Area:

Address prefix:
10.0.0.0/16

Next hop type:
Virtual appliance

Assigned to:
Subnet1 and Subnet2

33
Q

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.

You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE Each correct selection is worth one point.

Modify the extensionProfile section of the Azure Resource Manager template.
Create a new virtual machine scale set in the Azure portal.
Create an Azure policy.
Create an automation account.
Upload a configuration script.

A

Answer:

Modify the extensionProfile section of the Azure Resource Manager template.
Upload a configuration script.

34
Q

HOTSPOT

You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 has the Azure CLI installed.

You need to install the kubectl client on Computer1.

Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

az
docker
msiexec.exe
Install-Module

aks
/package
-name
pull
Install-cli

A

Understanding kubectl and Azure CLI

kubectl: The command-line tool for interacting with Kubernetes clusters, including AKS.

Azure CLI (az): The official command-line interface for managing Azure resources.

Azure CLI aks Command Group: A set of Azure CLI commands specifically for managing Azure Kubernetes Service resources.

Install-Module: A PowerShell command that is used to install modules, and is not part of the Azure CLI.

Analyzing the Requirements

kubectl Installation: We need to install the kubectl client on a Windows 10 computer.

Azure CLI: The Azure CLI is installed on the target computer and must be used to install kubectl.

Determining the Correct Command

Let’s evaluate the options:

az: This is a correct component of the command, and indicates that the command is part of the Azure CLI.

docker: This is a tool for container management, it is not related to installing the kubectl command, and is not correct.

msiexec.exe: This is a Windows tool for running MSI packages, which are not used for the installation of kubectl. This option is incorrect.

Install-Module: This is a PowerShell command used to install PowerShell modules, and is not part of the Azure CLI. This option is incorrect.

aks: This is a correct component of the command, and indicates that the command is specific to Azure Kubernetes Service.

/package: This is not a correct part of the required command. This option is incorrect.

-name: This is not a correct part of the required command. This option is incorrect.

pull: This is a docker specific command and not the command to install kubectl. This option is incorrect.

install-cli: This is the correct parameter to use with the az aks command, and specifies that we are installing the cli tools for AKS.

The Correct Command Components

The correct components are:
az aks install-cli

35
Q

You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not support multiple active instances.

At the end of each month, CPU usage for VM1 peaks when App1 runs.

You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.

What task should you include in the runbook?

Add the Azure Performance Diagnostics agent to VM1.
Modify the VM size property of VM1.
Add VM1 to a scale set.
Increase the vCPU quota for the subscription.
Add a Desired State Configuration (DSC) extension to VM1.

A

Understanding Azure Virtual Machine Scaling

VM Size: The pre-configured set of resources assigned to a VM (vCPUs, memory, etc.)

Dynamic Scaling: Manually or automatically adjusting VM resources (like size) based on demand.

Runbooks: Automated scripts used for managing Azure resources using Azure Automation.

Scale Sets: A way to manage a group of identical, auto-scaling VMs.

Azure Performance Diagnostics Agent: Gathers data that would be used for debugging issues, it does not allow for reconfiguring the virtual machine.

Desired State Configuration (DSC): Used for ensuring servers have a specific configuration, it cannot scale virtual machines, or reconfigure the VM size.

vCPU Quota: A limit on the number of virtual CPUs that can be used in a subscription.

Analyzing the Requirements

CPU Performance Increase: The runbook must increase the CPU processing performance of VM1 at the end of the month.

Scheduled Runbook: The process should be automated and scheduled using an Azure Automation runbook.

Single Instance: The application does not support multiple instances, so scaling must occur on the single virtual machine, and a scale set is not suitable.

Analyzing the Options

Let’s evaluate each action:

Add the Azure Performance Diagnostics agent to VM1.

Analysis: The performance diagnostics agent is used to collect metrics for debugging issues, and cannot be used to increase the processing performance of a virtual machine. Therefore this option is incorrect.

Modify the VM size property of VM1.

Analysis: This is the correct approach. Modifying the VM size allows you to change the number of vCPUs and memory for a virtual machine. A runbook can be created to change the VM size at the end of each month.

Add VM1 to a scale set.

Analysis: This is incorrect. The application does not support multiple instances, so a virtual machine scale set is not the correct approach.

Increase the vCPU quota for the subscription.

Analysis: Increasing the quota will allow you to create larger virtual machines, but it will not change the processor performance of the specified virtual machine and will not dynamically manage the virtual machine. This action is incorrect.

Add a Desired State Configuration (DSC) extension to VM1.

Analysis: DSC is used to ensure a specific configuration of a virtual machine, and does not allow for scaling a virtual machine. This option is incorrect.

The Correct Action

The correct task to include in the runbook is to modify the VM size property of VM1.

Answer:

Modify the VM size property of VM1.

35
Q

You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.

| IP address | Assigned to |
|---|---|
| 131.107.2.1 | Load balancer front end |
| 192.168.10.2 | Kubernetes DNS service |
| 172.17.7.1 | Docker bridge address |
| 10.0.10.11 | Kubernetes cluster node |

You need to provide internet users with access to the applications that run in Cluster1.

Which IP address should you include in the DNS record for Cluster1?

172.17.7.1
131.107.2.1
192.168.10.2
10.0.10.11

A

Understanding AKS Networking

Public IP Address: Used for external (internet) access to Azure resources.

Load Balancer Frontend: The public IP address associated with an Azure load balancer that is used to expose applications running in AKS.

Kubernetes DNS Service: Internal IP address for the Kubernetes DNS service within the cluster and it is not used for exposing external access to applications.

Docker Bridge Address: An IP address used by Docker for internal networking, this is not used for public access.

Kubernetes Cluster Node: An IP address of a worker node within the cluster and is not used for exposing external access to applications.

Analyzing the IP Addresses

131.107.2.1: Load balancer front end.

192.168.10.2: Kubernetes DNS service.

172.17.7.1: Docker bridge address.

10.0.10.11: Kubernetes cluster node.

Determining the Correct IP Address for DNS

To provide internet users with access to applications in Cluster1, the DNS record must point to the public IP address that is exposed by the load balancer.

Therefore, the correct IP address is 131.107.2.1.

Answer:

131.107.2.1

36
Q

You plan to create the Azure web apps shown in the following Table.

| Name | Runtime stack |
|---|---|
| WebApp1 | .NET 6 (LTS) |
| WebApp2 | ASP.NET V4.8 |
| WebApp3 | PHP 8.1 |
| WebApp4 | Python 3.11 |

What is the minimum number of App Service plans you should create for the web apps?

1
2
3
4

A

Understanding Azure App Service Plans

App Service Plan: Defines the compute resources (CPU, memory) that are available for the web apps that it hosts.

Resource Sharing: A single App Service plan can host multiple web apps, provided that they are all in the same region and use the same operating system (Windows/Linux).

Runtime Stack Compatibility: Web apps using different runtime stacks may have different requirements and capabilities.

Linux vs. Windows: Linux based apps must be hosted on Linux based App Service plans, and Windows based apps must be hosted on Windows based app service plans.

Analyzing the Web App Requirements

WebApp1: .NET 6 (LTS) - Windows based

WebApp2: ASP.NET V4.8 - Windows based

WebApp3: PHP 8.1 - Linux based

WebApp4: Python 3.11 - Linux based

Determining Minimum Number of App Service Plans

Windows Apps: Both WebApp1 and WebApp2 can be hosted on the same Windows App Service plan, as they are both Windows-based.

Linux Apps: Both WebApp3 and WebApp4 can be hosted on the same Linux App Service plan, as they are both Linux based.

Therefore, you need one app service plan for Windows apps, and one app service plan for the Linux based apps.

The Minimum Number of App Service Plans

Therefore, the minimum number of App Service plans required for the above web apps is two.

Answer:

2

37
Q

You have an Azure subscription named Subscription1 that is used by several departments at your company.

Subscription1 contains the resources in the following table:

| Name | Type |
|---|---|
| storage1 | Storage account |
| RG1 | Resource group |
| container1 | Blob container |
| share1 | File share |

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template.

You need to view the template used for the deployment.

From which blade can you view the template that was used for the deployment?

RG1
VM1
Storage1
Container1

A

Understanding Azure Resource Manager (ARM) Templates

ARM Templates: JSON files that define the infrastructure and configuration for Azure deployments (infrastructure-as-code).

Deployment History: Azure records a history of all deployments, including deployments done using ARM templates.

Resource Group Scope: Deployments are scoped to a resource group, and the template can be viewed from the resource group or deployment blade.

Individual resource view: The templates cannot be viewed from the resources that were deployed.

Analyzing the Scenario

Deployment: VM1 and Storage2 were deployed using a single ARM template.

Template Viewing: We need to find the template that was used for this specific deployment.

Analyzing the Options

Let’s examine the available options:

RG1:

Analysis: This is the correct approach. When you perform a deployment using an ARM template, the deployment is assigned to a resource group. You can access the deployment history in the resource group to identify the used template.

VM1:

Analysis: The virtual machine blade allows for managing a virtual machine, but does not show deployment details. Therefore, this option is incorrect.

Storage1:

Analysis: The storage account blade allows for managing storage accounts, but does not show deployment details of other resources that were created. Therefore, this option is incorrect.

Container1:

Analysis: The container blade allows for managing a storage container, but does not show deployment details of other resources that were created. Therefore, this option is incorrect.

The Correct Location

The correct place to view the template used for the deployment is the RG1 blade, where the resources are being stored.
The information about the template is not held within the resources themselves, but in the deployment history section, which is located in the resource group scope.

Answer:

RG1

38
Q

You have an Azure virtual machine named VM1.

Azure collects events from VM1.

You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.

You need to specify which resource type to monitor.

What should you specify?

metric alert
Azure Log Analytics workspace
virtual machine
virtual machine extension

A

Understanding Azure Monitor Alerts

Azure Monitor Alerts: Send notifications when specified conditions are met.

Target Resource: The specific Azure resource to monitor for alerts (e.g., a VM, a metric, a log analytics workspace).

Signal: A specific condition that triggers the alert (e.g., a performance metric, a log entry).

System Event Log: A log source within a Windows VM that contains OS-level events, including errors.

Virtual Machine Extension: A way to add different capabilities to a virtual machine.

Log Analytics Workspace: Used to collect and store log and metric data from Azure resources.

Metric Alert: An alert triggered by a specific metric, such as CPU utilization.

Analyzing the Requirements

Target: Monitor VM1.

Event: Specifically monitor the System event log for errors.

Alert Trigger: Trigger the alert when an error is logged.

Azure Monitor: The monitoring service being used to configure the alerts.

Analyzing the Options

Let’s evaluate each option:

metric alert

Analysis: Metric alerts are based on numeric values such as CPU utilization or memory usage. They cannot be used to monitor log entries. This option is incorrect.

Azure Log Analytics workspace

Analysis: This is the correct resource type. The logs from the virtual machine are being collected and stored in the Log Analytics Workspace, this is the correct place to create the alert.

virtual machine

Analysis: While the virtual machine is the subject of the monitoring, it is not the correct resource type to select for this scenario. This is because we are not monitoring a metric, but a log entry. Therefore, this option is incorrect.

virtual machine extension

Analysis: Extensions are used for configuring and managing the virtual machine, and not for monitoring event logs, therefore this option is incorrect.

The Correct Resource Type

The correct resource type to monitor for the required log events is Azure Log Analytics workspace.

Answer:

Azure Log Analytics workspace

38
Q

You have an Azure subscription that contains the resource groups shown in the following table.
| Name | Location |
|---|---|
| RG1 | East US |
| RG2 | West US |
You create the following Azure Resource Manager (ARM) template named deploy.json.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2018-05-01",
      "location": "eastus",
      "name": "[concat('RG', copyIndex())]",
      "copy": {
        "name": "copy",
        "count": 4
      }
    }
  ],
  "outputs": {}
}
```
You deploy the template by running the following cmdlet.
New-AzSubscriptionDeployment -location -TemplateFile deploy.json
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area
Statements Yes No
The commands will create four new resources.
The commands will create storage accounts in the West US Azure region.
The first storage account that is created will have a prefix of 0.

A

Understanding ARM Templates

ARM Templates: JSON files that define Azure infrastructure and configuration.

$schema: Defines the version of the schema used for the ARM template.

contentVersion: Indicates the version number of the template.

parameters: Defines any input parameters for the template.

variables: Defines local variables that can be used in the template.

resources: Defines the resources that will be deployed.

type: The resource type.

apiVersion: The version of the Azure REST API to use when creating the resource.

location: The location of the Azure resource.

name: The name of the resource.

copy: Used to create multiple resources.

name: A name for the copy loop.

count: The number of resources to create.

copyIndex(): Returns the current iteration of the loop.

outputs: Defines the output values of the deployment.

Deployment cmdlet: The New-AzSubscriptionDeployment cmdlet deploys an ARM template at the subscription scope, and will be deployed to the location specified in the command, which is not in the JSON template.

Analyzing the Template

Resource Type: Microsoft.Resources/resourceGroups - Indicates that it will deploy resource groups.

copy loop: This will create the number of resources specified in the count parameter.

count: Set to 4, indicating that it will create 4 resources.

name: The name of the resource will be constructed using the concat and copyIndex() functions.

location: Set to eastus indicating that the resources will be deployed to East US.

Analyzing the Deployment Command

New-AzSubscriptionDeployment -location -TemplateFile deploy.json: Deploys the ARM template at the subscription level, the location parameter will determine where the resource groups will be created.

Analyzing the Statements

“The commands will create four new resources.”

Analysis: The copy loop with a count of 4 will result in creating four resources, therefore this is correct.

Answer: Yes

“The commands will create storage accounts in the West US Azure region.”

Analysis: The template creates resource groups, not storage accounts, and will deploy them to the location specified in the cmdlet, which is not given in the prompt. The location specified in the template is eastus, so this statement is incorrect.

Answer: No

“The first storage account that is created will have a prefix of 0.”

Analysis: The template creates resource groups, not storage accounts. The naming of the resource groups is defined as RG and the copyIndex() function. The copyIndex() function starts at 0, so the resource group names will be RG0 RG1 RG2 and RG3. Therefore the first resource group will have a prefix of 0. This statement is incorrect as it mentions storage accounts, and not resource groups.

Answer: No

Answer Area

Statements Yes No
The commands will create four new resources. Yes
The commands will create storage accounts in the West US Azure region. No
The first storage account that is created will have a prefix of 0. No

38
Q

You have Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has the following resource groups:

| Name | Region | Lock type |
|---|---|---|
| RG1 | West Europe | None |
| RG2 | West Europe | Read Only |

RG1 includes a web app named App1 in the West Europe location.

Subscription2 contains the following resource groups:

| Name | Region | Lock type |
|---|---|---|
| RG3 | East Europe | Delete |
| RG4 | Central US | none |

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Statements
App1 can be moved to RG2
App1 can be moved to RG3
App1 can be moved to RG4

A

Understanding Azure Resource Locks and Resource Moves

Resource Locks: Azure locks prevent accidental modification or deletion of Azure resources. There are two types of locks:

CanNotDelete: Prevents deletion of the resource.

ReadOnly: Prevents all modifications to the resource.

Resource Moves: Moving resources to different resource groups can be done if there are no conflicting locks or other limitations.

Location Constraint: Resources must be within the same region as their parent resources, or must be moved to a resource group in the same region before being moved to a new one.

Analyzing the Resources and Locks

Subscription1:

RG1: Location: West Europe, No locks.

RG2: Location: West Europe, ReadOnly lock.

App1: Web app, location: West Europe, within RG1.

Subscription2:

RG3: Location: East Europe, Delete lock.

RG4: Location: Central US, no locks.

Analyzing the Statements

Let’s evaluate each statement:

“App1 can be moved to RG2”

Analysis: RG2 has a ReadOnly lock. ReadOnly locks prevent modifications, including moving resources. Therefore, App1 cannot be moved to RG2.

Answer: No

“App1 can be moved to RG3”

Analysis: RG3 is in East Europe. The resource needs to be in the same region as the virtual network. App1 is currently located in the West Europe region, it must be moved to another resource group in the same location before it can be moved to another region. Therefore, App1 cannot be moved to RG3.

Answer: No

“App1 can be moved to RG4”

Analysis: RG4 is located in Central US. App1 is located in West Europe. The locations are different, therefore, the resource cannot be moved to RG4 directly, and must be moved to a resource group in the same region first. Therefore, App1 cannot be moved to RG4.

Answer: No

Answer Area:

Statements Yes No
App1 can be moved to RG2 No
App1 can be moved to RG3 No
App1 can be moved to RG4 No

39
Q

You have an on-premises server that contains a folder named D:\Folder1.

You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.

Which command should you run?

https://contosodata.blob.core.windows.net/public
azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot
azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public

A

Understanding Azure CLI for Storage

azcopy: A command-line utility used for copying data to and from Azure Storage.

az storage blob: A command group for managing Azure Blob Storage.

az storage blob copy start-batch: A command that can copy multiple files in a batch.

copy: The correct azcopy command for copying files; the same command name is used in many tools.

sync: Synchronizes a source with a destination using azcopy.

--recursive: A parameter that copies files and folders recursively; it is specific to azcopy.

Public Container: A container where anonymous read access is enabled.

URL: The correct syntax to address the container.

Local file path: The local path must be valid and accessible by the application or user.

Analyzing the Requirements

Source: Copy from the local folder D:\Folder1.

Destination: Copy to a public container in Azure Blob Storage named contosodata.

Requirement: Use an Azure CLI command.

File Copy: A command must be used that copies all the files within the directory and its subdirectories.

Analyzing the Options

https://contosodata.blob.core.windows.net/public azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot

Analysis: This command is not correct. The source of the copy command should come before the destination; also, the --snapshot parameter does not apply to a copy command, and this is not the appropriate command.

azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive

Analysis: This is the correct approach. This command uses azcopy, specifies the source folder and the destination blob container URL, and includes the recursive parameter to ensure all the files and folders are copied.

az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public

Analysis: This command is incorrect. az storage blob copy start-batch is designed for copying between storage accounts, not for copying from a local directory. Also, it is not possible to copy a folder from a local directory directly to Azure with this command.

The Correct Command

The correct command to copy all the contents of the D:\Folder1 directory to the contosodata public container is:

azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive

Answer:

azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive

40
Q

DRAG DROP

You have an Azure Active Directory (Azure AD) tenant that has the initial domain name.

You have a domain name of contoso.com registered at a third-party registrar.

You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.

Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Actions
Configure company branding.
Add an Azure AD tenant.
Verify the domain.
Create an Azure DNS zone.
Add a custom domain name.
Add a record to the public contoso.com DNS zone.
Answer Area

A

41
Q

You have an Azure subscription.

You need to deploy a virtual machine by using an Azure Resource Manager (ARM) template.

Question:
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Template:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "type": "Microsoft.Compute/virtualMachines",
  "dependsOn": [
    "[*('Microsoft.Network/networkInterfaces/', 'VM1')]"
  ],
  "properties": {
    "storageProfile": {
      "*": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "2019-Datacenter",
        "version": "latest"
      }
    }
  }
}
```
Options for Completion:

“dependsOn” (dropdown options):

reference
resourceId
Union
“storageProfile” (dropdown options):

Array
Image
ImageReference
vhd

A

The correct options are:
For “dependsOn”: resourceId
For “storageProfile”: imageReference
Here’s why:
For “dependsOn”:
resourceId is the correct function because:
It returns the fully qualified ID of the named resource, here /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkInterfaces/VM1
dependsOn accepts resource IDs (or, less precisely, bare resource names), and resourceId() is the unambiguous way to produce one for a resource declared in the same template
Here it names the network interface that must exist before the VM is created; Resource Manager deploys the NIC first and only then the VM
reference() is not an option because it returns a resource's runtime properties rather than its ID and cannot be used in dependsOn, and union() only merges arrays or objects
For “storageProfile”:
imageReference is the correct property because:
It’s used to specify the VM image details
The template shows the publisher, offer, sku, and version properties, which are all specific properties of an imageReference object
This structure matches the standard way to define a marketplace image in Azure
The corrected template section would look like this:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "type": "Microsoft.Compute/virtualMachines",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', 'VM1')]"
  ],
  "properties": {
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "2019-Datacenter",
        "version": "latest"
      }
    }
  }
}
This configuration will properly reference the network interface dependency and correctly specify the Windows Server 2019 image to be used for the virtual machine.
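What resourceId() actually produces, and why it matters for dependsOn, is easier to see in code. The following is an added example, not code from the original flashcard or from Azure: it expands resourceId('type', 'name') expressions into full resource IDs for a constructed two-resource template (placeholder subscription ID, resource group name and API versions) and derives the deployment order from dependsOn, rejecting references to resources the template does not declare.

```python
"""Resolve ARM dependsOn references and derive a deployment order.

Added example; it is not code from the original page or from Azure. It shows
what resourceId('type', 'name') expands to inside a resource-group deployment
and why the VM in question 41 must wait for its network interface. The
template, subscription ID, resource group name and API versions below are
constructed for this example.
"""
import json
import re

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
RESOURCE_GROUP = "RG1"                                      # placeholder

# Constructed template: a NIC and a VM that depends on it (listed VM-first on
# purpose, so ordering has to come from dependsOn rather than from position).
TEMPLATE_JSON = r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-03-01",
      "name": "VM1",
      "location": "eastus2",
      "dependsOn": ["[resourceId('Microsoft.Network/networkInterfaces', 'VM1')]"],
      "properties": {
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          }
        }
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2023-05-01",
      "name": "VM1",
      "location": "eastus2",
      "properties": {}
    }
  ]
}
'''

# Same template, but the VM points at a NIC the template never declares.
TEMPLATE_BAD_JSON = TEMPLATE_JSON.replace(
    "[resourceId('Microsoft.Network/networkInterfaces', 'VM1')]",
    "[resourceId('Microsoft.Network/networkInterfaces', 'VM2')]")

_RESOURCE_ID_EXPR = re.compile(r"^\[\s*resourceId\((.*)\)\s*\]$", re.IGNORECASE)


def full_resource_id(rtype: str, name: str) -> str:
    """The string resourceId('type', 'name') evaluates to in a resource-group deployment."""
    return (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/{rtype}/{name}")


def resolve_depends_on(entry: str) -> str:
    """Turn one dependsOn entry into a full resource ID.

    Accepts a "[resourceId(...)]" expression or a literal resource ID. A bare
    name such as "VM1" is rejected here because it is ambiguous when several
    resources share a name, which is exactly what resourceId() avoids.
    """
    m = _RESOURCE_ID_EXPR.match(entry.strip())
    if m:
        args = [a.strip().strip("'") for a in m.group(1).split(",")]
        if len(args) < 2:
            raise ValueError(f"resourceId() needs a type and a name: {entry}")
        return full_resource_id(args[0], "/".join(args[1:]))   # nested names join with '/'
    if entry.lower().startswith("/subscriptions/"):
        return entry
    raise ValueError(f"dependsOn entry is not a resourceId() expression: {entry}")


def deployment_order(template: dict) -> list[str]:
    """Topologically sort resources by dependsOn; fail on unknown or circular dependencies."""
    ids = {full_resource_id(r["type"], r["name"]).lower(): r for r in template["resources"]}
    deps = {rid: [resolve_depends_on(d).lower() for d in r.get("dependsOn", [])]
            for rid, r in ids.items()}
    for rid, wanted in deps.items():
        for d in wanted:
            if d not in ids:
                raise ValueError(f"{ids[rid]['name']} depends on {d}, which is not in the template")
    ordered: list[str] = []

    def visit(rid: str, trail: frozenset) -> None:
        if rid in ordered:
            return
        if rid in trail:
            raise ValueError(f"dependency cycle through {rid}")
        for d in deps[rid]:
            visit(d, trail | {rid})
        ordered.append(rid)

    for rid in ids:
        visit(rid, frozenset())
    return [f"{ids[rid]['type']}/{ids[rid]['name']}" for rid in ordered]


def order_from_json(text: str) -> list[str]:
    return deployment_order(json.loads(text))


if __name__ == "__main__":
    print(order_from_json(TEMPLATE_JSON))
```

Resource ID comparison is case-insensitive, as it is in Azure, and the boundary checks are the ones a template linter would apply: a dependsOn entry that does not resolve to a resource in the template is an error at deployment time, so catching it before submission is cheaper.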

42
Q

You have an Azure subscription that is linked to an Azure AD tenant. The tenant contains two users named User1 and User2.

The subscription contains the resources shown in the following table:

| Name | Type | Description |
|---|---|---|
| RG1 | Resource group | Created in RG1 |
| VM1 | Virtual machine | Created in RG1 |
The subscription contains the alert rules shown in the following table:

| Name | Scope | Condition |
|---|---|---|
| Alert1 | RG1 | All Administrative operations |
| Alert2 | VM1 | All Administrative operations |
The users perform the following actions:

User1 creates a new virtual disk and attaches the disk to VM1.
User2 creates a new resource tag and assigns the tag to RG1 and VM1.
Question:
Which alert rules are triggered by each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer Area (Options):

For User1:
No alert is triggered.
Only Alert1 is triggered.
Only Alert2 is triggered.
Both Alert1 and Alert2 are triggered.

For User2:
No alert is triggered.
Only Alert1 is triggered.
Only Alert2 is triggered.
Both Alert1 and Alert2 are triggered.

A

Understanding Azure Activity Log Alerts

Activity Log: Records events that occur in an Azure subscription, such as resource creation, modification, or deletion.

Alert Rules: Trigger notifications based on events logged in the Activity Log.

Scope: Defines the resource or resource group that is monitored by an alert rule.

Condition: Defines the event that triggers the alert. In this case, it’s all “Administrative operations”.

Administrative Operations: Includes actions like creating, updating, or deleting resources or properties.

Analyzing the Resources and Alerts

RG1: Resource group, with Alert1 scoped to it.

VM1: Virtual machine, with Alert2 scoped to it.

Alert1: Scope: RG1, Condition: All Administrative operations.

Alert2: Scope: VM1, Condition: All Administrative operations.

Analyzing the User Actions

User1:

Creates a new virtual disk and attaches it to VM1.

Analysis: Creating the disk is a write operation on a new resource inside RG1, which is within the scope of Alert1. Attaching the disk updates VM1 (Microsoft.Compute/virtualMachines/write); VM1 is the scope of Alert2 and also lives in RG1, so that operation is within the scope of both rules. Taken together, User1's actions trigger Alert1 and Alert2.

User2:

Creates a new resource tag and assigns the tag to RG1 and VM1.

Analysis: Writing tags is an administrative operation on the tagged resource. Tagging RG1 falls within the scope of Alert1; tagging VM1 falls within the scope of Alert2 and, because VM1 is inside RG1, of Alert1 as well. User2's actions therefore trigger both alerts.

Answer Area:

For User1:
Both Alert1 and Alert2 are triggered.

For User2:
Both Alert1 and Alert2 are triggered.
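The reasoning above comes down to two checks an activity log alert rule makes: does the event's category match, and does the event's resource ID sit at or below the rule's scope. The following is an added example, not code from the flashcard or from Azure Monitor, that models those checks over constructed events (placeholder subscription ID; the operation names are the ones Azure records for these actions) and includes two distractors: an operation in a resource group named RG10, which must not match a scope of RG1, and a Security-category event.

```python
"""Which activity-log alert rules fire for a given operation?

Added example, not code from the original page or from Azure Monitor. It
models the two things an activity-log alert rule checks: the event category
(here "Administrative") and whether the event's resource ID falls inside the
rule's scope. Subscription ID and resource IDs are constructed placeholders.
"""
from dataclasses import dataclass

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
RG1 = f"{SUB}/resourceGroups/RG1"
VM1 = f"{RG1}/providers/Microsoft.Compute/virtualMachines/VM1"


@dataclass(frozen=True)
class AlertRule:
    name: str
    scope: str          # resource ID of a subscription, resource group or resource
    category: str       # activity-log category, e.g. "Administrative"


@dataclass(frozen=True)
class ActivityEvent:
    caller: str
    operation: str      # e.g. "Microsoft.Compute/virtualMachines/write"
    resource_id: str
    category: str = "Administrative"


def in_scope(scope: str, resource_id: str) -> bool:
    """True if resource_id is the scope itself or a descendant of it.

    Matching is case-insensitive (Azure resource IDs are) and requires a '/'
    boundary, so a scope of .../resourceGroups/RG1 does not cover RG10.
    """
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def triggered(rules, event) -> set[str]:
    """Names of the rules a single event fires."""
    return {rule.name for rule in rules
            if rule.category.lower() == event.category.lower()
            and in_scope(rule.scope, event.resource_id)}


def alerts_per_caller(rules, events) -> dict[str, set[str]]:
    """Union of rule names triggered by each caller over a batch of events."""
    out: dict[str, set[str]] = {}
    for ev in events:
        out.setdefault(ev.caller, set()).update(triggered(rules, ev))
    return out


RULES = [AlertRule("Alert1", RG1, "Administrative"),
         AlertRule("Alert2", VM1, "Administrative")]

# Constructed events mirroring the question: User1 creates and attaches a disk,
# User2 tags the resource group and the VM. User3 and User4 are distractors.
EVENTS = [
    ActivityEvent("User1", "Microsoft.Compute/disks/write",
                  f"{RG1}/providers/Microsoft.Compute/disks/disk1"),
    ActivityEvent("User1", "Microsoft.Compute/virtualMachines/write", VM1),
    ActivityEvent("User2", "Microsoft.Resources/tags/write", RG1),
    ActivityEvent("User2", "Microsoft.Resources/tags/write", VM1),
    ActivityEvent("User3", "Microsoft.Compute/virtualMachines/write",
                  f"{SUB}/resourceGroups/RG10/providers/Microsoft.Compute/virtualMachines/VM1"),
    ActivityEvent("User4", "Microsoft.Security/locations/alerts/activate/action", VM1,
                  category="Security"),
]

if __name__ == "__main__":
    for caller, names in sorted(alerts_per_caller(RULES, EVENTS).items()):
        print(caller, sorted(names) or "no alert")
```

The '/' boundary in in_scope is the detail worth keeping when writing detection logic against resource IDs: a plain prefix match would make an alert scoped to RG1 fire for RG10 and RG1-legacy as well.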

43
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.
You add the users in the following table.

| User | Role |
|---|---|
| User1 | Owner |
| User2 | Security Admin |
| User3 | Network Contributor |

Which user can perform each configuration? To answer select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Add a subnet to VNet1:
User1 only
User3 only
User1 and User3 only
User2 and User3 only
User1, User2, and User3

Assign a user the Reader role to VNet1:
User1 only
User2 only
User3 only
User1 and User2 only
User2 and User3 only
User1, User2, and User3


A

Understanding Azure RBAC Roles

Owner: Grants full access to all resources, including the ability to perform all actions and assign roles.

Security Admin: Can manage Microsoft Defender for Cloud settings, security policies and recommendations (its actions are mostly under Microsoft.Security/*) and can read role assignments; it has no write access to network resources such as virtual networks or NSGs and cannot assign roles.

Network Contributor: Can manage network resources (virtual networks, subnets, network interfaces, etc.) but cannot manage access control.

Reader: Can read resource configurations but cannot modify or manage them.

Analyzing the Users

User1: Owner - Full access to all resources in the subscription.

User2: Security Admin - Can manage Defender for Cloud security settings; cannot modify networking resources or access control.

User3: Network Contributor - Can manage networking resources.

Determining the Correct Permissions

Let’s analyze which user can perform which task:

Add a subnet to VNet1:

Analysis:

User1 (Owner): Has the correct permissions to modify any resource, including adding a subnet to a virtual network.

User2 (Security Admin): The role's actions are limited to Microsoft.Security/* plus a handful of read permissions; it includes no Microsoft.Network write actions, so User2 cannot add a subnet.

User3 (Network Contributor): Has the correct permissions to modify virtual networks, and to add subnets.

Therefore, User1 and User3 both have the appropriate permissions.

Assign a user the Reader role to VNet1:

Analysis:

User1 (Owner): Has all the necessary permissions, including the ability to grant access to all resources, including setting a user to the reader role.

User2 (Security Admin): The role carries only Microsoft.Authorization/*/read; it cannot write role assignments.

User3 (Network Contributor): The role carries Microsoft.Network/* but, like Security Admin, only read access under Microsoft.Authorization, so it cannot assign roles on VNet1. Creating a role assignment requires Microsoft.Authorization/roleAssignments/write, which among the built-in roles only Owner and User Access Administrator provide.

Therefore only User1 has the correct permissions to assign the role.

Answer Area:

Add a subnet to VNet1:
User1 and User3 only

Assign a user the Reader role to VNet1:
User1 only

44
Q

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.

| Name | Group type | Membership type | Membership rule |
|---|---|---|---|
| Group1 | Security | Dynamic user | (user.city -startsWith "m") |
| Group2 | Microsoft Office 365 | Dynamic user | (user.department -notIn ["HR"]) |
| Group3 | Microsoft Office 365 | Assigned | Not applicable |

You create two user accounts that are configured as shown in the following table.

To which groups do User1 and User2 belong? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

User1:
Group1 only
Group2 only
Group3 only
Group1 and Group2 only
Group1 and Group3 only
Group2 and Group3 only
Group1, Group2, and Group3

User2:
Group1 only
Group2 only
Group3 only
Group1 and Group2 only
Group1 and Group3 only
Group2 and Group3 only
Group1, Group2, and Group3


| Name | City | Department | Office 365 license assigned |
|---|---|---|---|
| User1 | Montreal | Human resources | Yes |
| User2 | Melbourne | Marketing | No |

A

Understanding Azure AD Groups

Security Groups: Used to manage access to Azure resources.

Microsoft 365 Groups: Used for collaboration and include additional features.

Assigned Membership: Members are added and removed explicitly.

Dynamic User Membership: Membership is determined by a rule based on user attributes.

startsWith: Matches when the attribute value begins with the given string. String comparisons in dynamic membership rules are not case-sensitive, so "Montreal" matches "m".

notIn: Matches when the attribute value is not equal to any value in the list. The comparison is a literal string comparison against the listed values, not a semantic one: "Human resources" is a different string from "HR" and is therefore not in the list ["HR"].

Analyzing the Groups

Group1:

Type: Security

Membership: Dynamic user

Rule: (user.city -startsWith “m”)

Group2:

Type: Microsoft Office 365

Membership: Dynamic user

Rule: (user.department -notIn [“HR”])

Group3:

Type: Microsoft Office 365

Membership: Assigned

Analyzing the Users

User1:

City: Montreal

Department: Human resources

Office 365 license: Yes

User2:

City: Melbourne

Department: Marketing

Office 365 license: No

Determining Group Membership

Let’s determine which user belongs to each group:

User1:

Group1: User1’s city is “Montreal,” which does start with “m,” so User1 is a member of Group1.

Group2: User1's department is "Human resources". The rule (user.department -notIn ["HR"]) excludes only users whose department value equals "HR"; "Human resources" is a different string, so it is not in the list and User1 is a member of Group2. The Office 365 licence column is a distractor: membership of a Microsoft 365 group does not depend on a licence assignment.

Group3: Group3 uses assigned membership, so User1 would have to be added explicitly. Nothing in the scenario adds User1, so User1 is not a member of Group3.

User2:

Group1: User2’s city is “Melbourne,” which does start with “m,” so User2 is a member of Group1.

Group2: User2’s department is “Marketing,” which is not in the notIn list, therefore User2 is a member of Group2.

Group3: Group3 uses Assigned membership, meaning User2 must be manually added as a member. As there is no indication that User2 has been added as a member, User2 is not a member of Group3.

Answer Area:

User1:
Group1 and Group2 only

User2:
Group1 and Group2 only
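Dynamic membership rules are evaluated literally against attribute values, which is the whole point of the Group2 trap above. The following is an added example, not code from the flashcard or from Microsoft: a small evaluator for the single-expression operators used in this question (-startsWith, -notIn and their relatives), applied to the two users and three groups as constructed from the tables. It treats string comparison as case-insensitive, as the dynamic membership rule documentation states for these operators, and treats a missing attribute as an empty string, which is this example's simplification rather than documented Entra behaviour.

```python
"""Evaluate Microsoft Entra dynamic membership rules literally.

Added example, not code from the original page or from Microsoft. It supports
the single-expression operators used in the question and shows why a department
of "Human resources" still satisfies (user.department -notIn ["HR"]): the rule
compares attribute values, not meanings. Users and groups are constructed from
the question's tables.
"""
import re

# (user.<property> -<operator> "value")  or  (user.<property> -<operator> ["a", "b"])
_RULE = re.compile(
    r'^\(\s*user\.(?P<prop>\w+)\s+-(?P<op>\w+)\s+(?P<val>"[^"]*"|\[[^\]]*\])\s*\)$'
)


def _parse_value(raw: str):
    if raw.startswith("["):
        return [v.strip().strip('"') for v in raw[1:-1].split(",") if v.strip()]
    return raw.strip('"')


def evaluate(rule: str, user: dict) -> bool:
    """True if the user's attributes satisfy the rule."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    prop, op, value = m["prop"], m["op"].lower(), _parse_value(m["val"])
    # Simplification for this example: a missing attribute behaves as "".
    actual = (user.get(prop) or "").lower()
    if isinstance(value, list):
        listed = [v.lower() for v in value]
        if op == "in":
            return actual in listed
        if op == "notin":
            return actual not in listed
    else:
        v = value.lower()
        ops = {
            "eq": actual == v, "ne": actual != v,
            "startswith": actual.startswith(v), "notstartswith": not actual.startswith(v),
            "contains": v in actual, "notcontains": v not in actual,
        }
        if op in ops:
            return ops[op]
    raise ValueError(f"unsupported operator -{m['op']} for value {value!r}")


GROUPS = {
    "Group1": {"membership": "dynamic", "rule": '(user.city -startsWith "m")'},
    "Group2": {"membership": "dynamic", "rule": '(user.department -notIn ["HR"])'},
    "Group3": {"membership": "assigned", "members": set()},   # nobody has been added
}

USERS = {
    "User1": {"city": "Montreal", "department": "Human resources"},
    "User2": {"city": "Melbourne", "department": "Marketing"},
}


def memberships(name: str, user: dict, groups=GROUPS) -> set[str]:
    """Groups the user belongs to. Licence assignment plays no part in membership."""
    out = set()
    for gname, g in groups.items():
        if g["membership"] == "dynamic":
            if evaluate(g["rule"], user):
                out.add(gname)
        elif name in g["members"]:
            out.add(gname)
    return out


if __name__ == "__main__":
    for uname, attrs in USERS.items():
        print(uname, sorted(memberships(uname, attrs)))
```

Run it with a department of "HR" or "hr" and the user drops out of Group2; with "Human resources" the user stays in, which is the difference between the literal rule and the intent its author may have had.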

45
Q

You have an Azure subscription named Subscription1 that contains virtual network named VNet1. VNet1 is in a resource group named RG1.

A user named User1 has the following roles for Subscription1:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

Remove User1 from the Security Reader and Reader roles for Subscription1.
Assign User1 the Owner role for VNet1.
Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1

A

Understanding Azure RBAC and Roles

Azure RBAC (Role-Based Access Control): A system for managing access to Azure resources using roles and scopes.

Roles: Define a set of permissions that can be granted to users, groups, or service principals.

Reader: Can view Azure resources but cannot make changes.

Security Admin: Can manage security-related resources, but cannot assign roles.

Security Reader: Can view security-related settings but cannot make changes, including roles.

Contributor: Can manage Azure resources, but cannot manage access to them.

Owner: Has full control over Azure resources, including the ability to assign roles.

Scope: The level in the Azure hierarchy to which a role assignment applies (management group, subscription, resource group, or resource).

Analyzing the Requirements

User1:

Current Roles: Reader, Security Admin, and Security Reader at the Subscription1 level.

Task: User1 needs to assign the Reader role to other users for VNet1.

Role assignment: User1 should have the minimal required permissions to perform the requested task.

Analyzing the Options

Let’s evaluate each option:

Remove User1 from the Security Reader and Reader roles for Subscription1.

Analysis: Removing these roles does not grant User1 the ability to assign roles. Therefore this is incorrect.

Assign User1 the Owner role for VNet1.

Analysis: This is the correct option. Owner scoped to VNet1 includes Microsoft.Authorization/roleAssignments/write for that resource only, so User1 can grant Reader (or any role) on VNet1 without gaining rights elsewhere in the subscription. A tighter choice would be User Access Administrator scoped to VNet1, which grants only access management, but it is not among the options. The existing Reader, Security Admin and Security Reader assignments neither help nor hinder, because role assignments are additive.

Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.

Analysis: Contributor's NotActions exclude Microsoft.Authorization/*/Write, so it cannot create role assignments at any scope. Therefore this option is incorrect.

Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1

Analysis: The Contributor role allows for resource management, but not the ability to manage roles. Therefore this option is incorrect.

The Correct Action

The correct action is to Assign User1 the Owner role for VNet1.

Answer:

Assign User1 the Owner role for VNet1.

46
Q

You have an Azure subscription that contains a user named User1.

You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.

Which role-based access control (RBAC) role should you assign to User1?

Owner
Virtual Machine Administrator Login
Contributor
Virtual Machine Contributor

A

The role to assign to User1 is Contributor.

Why Virtual Machine Contributor is not enough:
Virtual Machine Contributor can create and manage virtual machines, disks and the network interfaces attached to them, but on virtual networks it carries only Microsoft.Network/virtualNetworks/read and Microsoft.Network/virtualNetworks/subnets/join/action, that is, enough to place a NIC in an existing subnet. Microsoft's description of the role states that it does not grant management access to the virtual network or storage account the virtual machines are connected to. The requirement to manage virtual networks is therefore not met.

Why Contributor is the answer:
Contributor can create and manage every resource type, including virtual machines and virtual networks, while its NotActions exclude Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete, so User1 still cannot assign roles or change access. Of the four options it is the least privileged role that covers both tasks.

Why the other options are not appropriate:
Owner:
Adds the ability to manage access (role assignments), which the task does not need, so it violates the principle of least privilege.
Virtual Machine Administrator Login:
Grants only Microsoft Entra sign-in to existing VMs with administrator rights (its login permissions are data actions); it cannot deploy VMs or touch networks.

Practitioner note: when more than one role assignment is acceptable, Virtual Machine Contributor plus Network Contributor at the required scope is tighter than Contributor, because neither grants write access to storage accounts, key vaults or other unrelated resource types.
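Questions 43, 45 and 46 all turn on the same mechanics: a built-in role is a list of Actions minus a list of NotActions, wildcards match any run of characters, and a principal's effective permission is the union across its roles. The following is an added example, not code from the flashcards or from Azure: it evaluates actions against abbreviated copies of the built-in role definitions (only the Actions/NotActions entries relevant here are kept, and data actions are omitted) and reproduces the answers above, including why Contributor cannot write role assignments and why Virtual Machine Contributor cannot write virtual networks. The user-to-role mapping is the one from question 43.

```python
"""Evaluate Azure RBAC role definitions against a control-plane action.

Added example, not code from the original page or from Azure. The role
definitions are abbreviated copies of the built-in roles' Actions/NotActions
(only the entries needed here are kept; DataActions are omitted).
"""
import re

# role name -> (Actions, NotActions), abbreviated from the published definitions
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
    "Network Contributor": (["Microsoft.Authorization/*/read", "Microsoft.Network/*",
                             "Microsoft.Resources/deployments/*",
                             "Microsoft.Resources/subscriptions/resourceGroups/read"], []),
    "Security Admin": (["Microsoft.Authorization/*/read", "Microsoft.Security/*",
                        "Microsoft.Resources/deployments/*",
                        "Microsoft.Resources/subscriptions/resourceGroups/read"], []),
    "Security Reader": (["Microsoft.Authorization/*/read", "Microsoft.Security/*/read",
                         "Microsoft.Resources/subscriptions/resourceGroups/read"], []),
    "Virtual Machine Contributor": (["Microsoft.Authorization/*/read",
                                     "Microsoft.Compute/virtualMachines/*",
                                     "Microsoft.Compute/disks/write",
                                     "Microsoft.Network/networkInterfaces/*",
                                     "Microsoft.Network/virtualNetworks/read",
                                     "Microsoft.Network/virtualNetworks/subnets/join/action",
                                     "Microsoft.Resources/deployments/*"], []),
    # Its sign-in rights are DataActions (login, loginAsAdmin) and are not modelled here.
    "Virtual Machine Administrator Login": (["Microsoft.Compute/virtualMachines/*/read",
                                             "Microsoft.Network/virtualNetworks/read"], []),
}


def _matches(pattern: str, action: str) -> bool:
    """Azure action wildcards: '*' matches any run of characters, '/' included; case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role: str, action: str) -> bool:
    """One role permits an action if an Actions entry matches and no NotActions entry does."""
    actions, not_actions = ROLES[role]
    return (any(_matches(p, action) for p in actions)
            and not any(_matches(p, action) for p in not_actions))


def allowed(assigned_roles, action: str) -> bool:
    """Effective permission is the union across roles; NotActions never subtract across roles."""
    return any(role_allows(r, action) for r in assigned_roles)


def who_can(users: dict, action: str) -> list[str]:
    return [name for name, roles in users.items() if allowed(roles, action)]


# Constructed user-to-role mapping taken from question 43.
USERS = {"User1": ["Owner"], "User2": ["Security Admin"], "User3": ["Network Contributor"]}

if __name__ == "__main__":
    for act in ("Microsoft.Network/virtualNetworks/subnets/write",
                "Microsoft.Authorization/roleAssignments/write"):
        print(act, "->", who_can(USERS, act))
```

The last assertion in the accompanying checks is the one to remember when reviewing assignments: Contributor's NotActions only trim Contributor itself, so a principal holding Contributor plus User Access Administrator can write role assignments just as Owner can.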

47
Q

You plan to create an Azure Storage account in the Azure region of East US 2.

You need to create a storage account that meets the following requirements:

✑ Replicates synchronously

✑ Remains available if a single data center in the region fails

How should you configure the storage account? To answer, select the appropriate options in
the answer area. NOTE: Each correct selection is worth one point.
Answer Area
Replication:
Geo-redundant storage (GRS)
Locally-redundant storage (LRS)
Read-access geo-redundant storage (RA GRS)
Zone-redundant storage (ZRS)
Account kind:
Blob storage
Storage (general purpose v1)
StorageV2 (general purpose v2)

A

Understanding Azure Storage Replication Options

Locally Redundant Storage (LRS): Replicates data three times within a single data center. Provides basic protection against hardware failures.

Geo-Redundant Storage (GRS): Keeps three synchronous copies in a single physical location in the primary region (the same as LRS) and copies data asynchronously to a single location in a secondary region hundreds of miles away. Offers protection against regional outages, but the cross-region copy is asynchronous and failover is not automatic.

Read-Access Geo-Redundant Storage (RA-GRS): Same as GRS, but also provides read-only access to the secondary region.

Zone-Redundant Storage (ZRS): Replicates your data synchronously across three availability zones in the primary region. Protects against data center failures within a region.

Understanding Storage Account Types

Blob Storage: Optimized for storing unstructured data (blobs).

Storage (general purpose v1): Legacy storage account type supporting blobs, tables, queues, and files.

StorageV2 (general purpose v2): The recommended storage account type supporting blobs, tables, queues, and files.

Analyzing the Requirements

East US 2 Region: The storage account should be created in the specified Azure region.

Synchronous Replication: The data must be replicated synchronously. This is important, as asynchronous replication can lead to data loss in an outage.

Single Data Center Failure: The data should be available, even if a single data center within East US 2 fails.

Determining Correct Configuration

Let’s evaluate the options:

Replication:

Geo-redundant storage (GRS): The cross-region copy is asynchronous, so the synchronous-replication requirement is not met; and because the primary-region copies are locally redundant, a data-center failure in East US 2 would still interrupt access until a failover. It cannot be used.

Locally-redundant storage (LRS): This option will not protect against the failure of the data center itself, as all copies of the data will be within the same data center.

Read-access geo-redundant storage (RA GRS): Read-access geo-redundant storage replicates asynchronously to a second region, and therefore cannot be used.

Zone-redundant storage (ZRS): This is the correct choice. ZRS replicates data synchronously across three availability zones within the same Azure region.

Account kind:

Blob storage: The legacy Blob storage account kind supports only LRS, GRS and RA-GRS; it cannot be created with ZRS, so it does not meet the requirement.

Storage (general purpose v1): General purpose v1 accounts do not support ZRS.

StorageV2 (general purpose v2): This is the correct choice, as the Storage V2 account supports all replication options, including ZRS.

Answer Area:

Replication:
Zone-redundant storage (ZRS)

Account kind:
StorageV2 (general purpose v2)

48
Q

You create an Azure Storage account named Contoso storage.

You plan to create a file share named data.

Users need to map a drive to the data file share from home computers that run Windows 10.

Which outbound port should be open between the home computers and the data file share?

80
443
445
3389

A

Determining the Correct Outbound Port

Let’s evaluate the options:

80:

Analysis: Port 80 (HTTP) is used for web traffic and is not used for connecting to an Azure file share over the SMB protocol. This option is incorrect.

443:

Analysis: Port 443 (HTTPS) carries REST access to Azure Storage, including the Azure Files REST API and the portal, but a mapped drive uses SMB, which does not run over 443. This option is incorrect.

445:

Analysis: This is the correct port. The Server Message Block (SMB) protocol, which is used to access Windows file shares, uses port 445 (TCP).

3389:

Analysis: Port 3389 (RDP) is used for Remote Desktop connections and is not used to access an Azure file share. This option is incorrect.

The Correct Outbound Port

The outbound port required to map an Azure file share over SMB from a Windows 10 computer is TCP 445. Two caveats matter in practice. Many consumer ISPs block outbound port 445, so users at home frequently cannot reach the share directly; the usual workarounds are a point-to-site VPN into a virtual network that has a private endpoint for the storage account, or Azure File Sync to a server the users can reach. Reachability can be checked before troubleshooting credentials with Test-NetConnection -ComputerName <storage-account-name>.file.core.windows.net -Port 445. Second, keep Secure transfer required enabled on the storage account so that only SMB 3.x with encryption is accepted and share contents are not readable in transit to the public endpoint.

Answer:

445

49
Q

You have an Azure subscription named Subscription1.

You have 5 TB of data that you need to transfer to Subscription1.

You plan to use an Azure Import/Export job.

What can you use as the destination of the imported data?

Azure Data Lake Store
a virtual machine
the Azure File Sync Storage Sync Service
Azure Blob storage

A

Understanding Azure Import/Export

Purpose: Azure Import/Export service is designed to transfer large amounts of data to or from Azure storage using physical hard drives. It’s efficient when network bandwidth is a limitation.

Destination: When importing data, the destination is where the data from your shipped hard drives is stored.

Supported Destinations: Azure Import/Export primarily supports these destinations:

Azure Blob Storage (including block blobs, page blobs, and append blobs)

Azure Files (file shares)

Analyzing the Options

Let’s go through each option:

Azure Data Lake Store: Azure Import/Export does not directly support Data Lake Store as a destination. You would need to copy the data to Data Lake Store after it’s been imported into Blob storage. This option is incorrect.

A virtual machine: Azure Import/Export does not directly support virtual machines as a destination. You would need to import the data into storage and then copy the data to the VM’s drives. This option is incorrect.

The Azure File Sync Storage Sync Service: Azure File Sync does not store the data directly, it synchronizes file shares with Azure. It’s not a valid import/export destination. This option is incorrect.

Azure Blob storage: Azure Blob Storage is a valid and supported destination for Azure Import/Export jobs. You can import data to blob containers for various use cases. This option is correct.

The Correct Destination

The correct destination for data imported using an Azure Import/Export job is Azure Blob storage.

Answer:

Azure Blob storage

50
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.

You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: from Azure AD in the Azure portal, you use the Bulk create user operation.

Does this meet the goal?

Yes
No

A

Understanding Azure AD Bulk Operations

Azure AD Bulk Operations: The Users blade in the portal offers three CSV-driven bulk operations: Bulk create, Bulk invite and Bulk delete.

Bulk Create Users: Creates regular member accounts. Its CSV template takes a display name, a user principal name in one of the tenant's verified domains, an initial password and a block-sign-in flag.

Bulk Invite Users: Creates guest accounts by sending a B2B invitation to each external email address listed in the CSV (email address, redirect URL, whether to send the invitation message, optional custom message).

Guest Accounts: External users who sign in with their own identity after redeeming an invitation; the resulting user object has userType Guest.

Analyzing the Requirements

500 External Users: Each needs a guest account in contoso.com, created from the external email address in the CSV.

Analyzing the Solution

The solution proposes using the Bulk create user operation in the Azure portal.

Determining if the Solution Meets the Goal

Bulk create produces member accounts with a contoso.com user principal name and a password held in the tenant; it sends no invitations and has no column for an external email address. The accounts it would create are not guest accounts for the external users, so the requirement is not met. The operation that does meet it is Bulk invite users, fed with the same list of email addresses.

Therefore, the proposed solution does not meet the goal.

Answer:

No

51
Q

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

You have a CSV file that contains the names and email addresses of 500 external users.

You need to create a guest user account in contoso.com for each of the 500 external users.

Solution: You create a PowerShell script that runs the New-MgUser cmdlet for each user.

Does this meet the goal?

Yes
NO

A

Determining if the Solution Meets the Goal

PowerShell Scripting: Looping over a CSV with Import-Csv and calling a Microsoft Graph PowerShell cmdlet per row is a reasonable way to process 500 users, so the question turns on the cmdlet.

New-MgUser: Creates a user object directly (POST /users). The account gets a user principal name in one of contoso.com's verified domains and a password stored in the tenant; no invitation is sent and the object is not linked to the external user's own identity. That is a member account, not a B2B guest account for the external user.

Guest creation: A guest account for an external user is created by sending an invitation, which in Microsoft Graph PowerShell is New-MgInvitation (POST /invitations) with the external email address and a redirect URL; Microsoft Entra then creates the guest user object (userType Guest) and emails the redemption link.

Because the script uses New-MgUser rather than New-MgInvitation, it does not create guest accounts for the external users.

Therefore, the proposed solution does not meet the goal.

Answer:

No

52
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

Solution: You assign the Network Contributor role at the subscription level to Admin1.

Does this meet the goal?

Yes
NO

A

Analyzing the Solution

The solution proposes assigning the Network Contributor role at the subscription level to Admin1.

Determining if the Solution Meets the Goal

Network Contributor Permissions: The role's actions include Microsoft.Network/*, which covers Network Watcher and NSG flow log resources (Microsoft.Network/networkWatchers/*), together with Microsoft.Resources/deployments/* and read access to resource groups.

Traffic Analytics Permissions: Traffic Analytics is enabled on a flow log through Network Watcher and sends its data to a Log Analytics workspace. The Traffic Analytics prerequisites name the built-in roles that can enable it at subscription scope as Owner, Contributor and Network Contributor; an account without one of these needs a custom role at subscription scope carrying the listed Microsoft.Network read actions, Microsoft.Network/networkWatchers/* and the workspace permissions listed there.

Network Contributor at subscription scope is one of the roles the documentation names, so the assignment gives Admin1 what is needed, and with far less privilege than Owner. Therefore the proposed solution does meet the goal.

Answer:

Yes

53
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1

Yes
NO

A

Determining if the Solution Meets the Goal

Traffic Manager Contributor Permissions: The Traffic Manager Contributor role grants permissions to create and manage traffic manager profiles, which are used for traffic routing based on DNS. This is not related to enabling NSG flow logs or traffic analytics.

Traffic Analytics Permissions: Enabling Traffic Analytics requires specific permissions related to Network Watcher and Log Analytics, and these are not provided by the Traffic Manager Contributor role.

The Traffic Manager Contributor role will not provide the required permissions. Therefore the proposed solution does NOT meet the goal.

Answer:

No

54
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.

Solution: You assign the Owner role at the subscription level to Admin1.

Does this meet the goal?

Yes
No

A

Analyzing the Requirements

Admin1: Needs the necessary role to enable Traffic Analytics.

Subscription Scope: The role should be at the subscription level.

Analyzing the Solution

The solution proposes assigning the Owner role at the subscription level to Admin1.

Determining if the Solution Meets the Goal

Owner Permissions: The Owner role grants all permissions to all resources in the subscription.

Traffic Analytics Permissions: The Owner role grants all the necessary permissions to create and configure all resources, including network watcher, and enable traffic analytics.

Therefore, the proposed solution does meet the goal. Owner is far broader than the task requires: Network Contributor (or Contributor) at subscription scope is also a documented sufficient role for enabling Traffic Analytics and would be the least-privilege choice.

Answer:

Yes

55
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these

questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Monitor, you create a metric on Network in and Network Out.

Does this meet the goal?

Yes
No

A

Determining if the Solution Meets the Goal

Metrics limitations: Azure Monitor metrics are numeric time series (bytes in and out per interval); they do not record individual packets or flows, so protocol, port and source/destination addresses, which inspection requires, are not available.

Metric usage: While a metric will track the overall volume of network traffic between the two machines, it will not allow detailed inspection of the traffic.

Traffic inspection: The requirement is not just to monitor traffic volume, but to inspect the network traffic, which would require capturing and analyzing packet data.

Time Frame: While the metric will provide an aggregated count of the traffic within the specified timeframe, it will not provide detailed data for each connection attempt.

Therefore, creating a metric for network in and out does NOT meet the goal.

Answer:

No

56
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these

questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Performance Monitor, you create a Data Collector Set (DCS).

Does this meet the goal?

Yes
No

A

Analyzing the Requirements

Network Traffic Inspection: We need to inspect all network traffic from VM1 to VM2.

Time Frame: The inspection should cover a three-hour period.

Traffic Detail: We need to analyze details about the packets, such as source and destination addresses and ports, as well as the protocol used.

Analyzing the Solution

The solution proposes using Performance Monitor and a Data Collector Set (DCS).

Determining if the Solution Meets the Goal

Traffic Analysis limitations: Performance Monitor exposes network counters (bytes sent and received, packets per second) per interface; it does not capture packet payloads or per-flow addresses, ports and protocols.

DCS limitations: A Data Collector Set records performance counters, event traces and configuration data on a schedule; it is not a packet capture and cannot show which traffic went from VM1 to VM2.

Time Frame: A three-hour collection would yield aggregated counters for the period, not data about individual connections.

Therefore, using Performance Monitor and creating a Data Collector Set does not meet the goal.

Answer:

No

57
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Network Watcher, you create a connection monitor.

Does this meet the goal?

Yes
No

A

Determining if the Solution Meets the Goal

Connection Monitor’s Purpose: A connection monitor is used to track connectivity and performance between two endpoints, and does not allow for the capture of specific packet data. It checks if the connection is successful, and does not inspect all the traffic.

Traffic inspection: The requirement is not just to monitor connectivity, but to inspect the network traffic, which would require capturing and analyzing packet data.

Traffic detail: Connection monitor does not provide a way to inspect packets; it only confirms reachability.

Therefore, using a connection monitor in Azure Network Watcher does NOT meet the goal.

Answer:

No

58
Q

You have an Azure subscription that contains the container images shown in the following table.

| Name | Operating system |
|---|---|
| Image1 | Windows Server |
| Image2 | Linux |

You plan to use the following services:

  • Azure Container Instances
  • Azure Container Apps
  • Azure App Service

In which services can you run the images? To answer, select the options in the answer area.
NOTE: Each correct answer is worth one point.
Answer Area
Image1:
Azure Container Instances only
Azure Container Apps only
Azure Container Instances and App Services only
Azure Container Apps and App Services only
Azure Container Instances, Azure Container Apps, and App Services
Image2:
Azure Container Instances only
Azure Container Apps only
Azure Container Instances and App Services only
Azure Container Apps and App Services only
Azure Container Instances, Azure Container Apps, and App Services

A

Understanding Azure Container Services

Azure Container Instances (ACI): A serverless container service for running containerized applications without managing VMs.

Azure Container Apps: A fully managed serverless container service optimized for running microservices and containerized applications.

Azure App Service: A platform as a service (PaaS) for hosting web applications and APIs; it also supports running containerized applications in web apps.

Container Image Support: Each Azure service supports Linux-based images, Windows-based images, or (with specific configuration) both.

Analyzing the Container Images

Image1: Based on Windows Server

Image2: Based on Linux

Determining Service Compatibility

Let’s see what is compatible with each image:

Azure Container Instances (ACI):

Supports both Windows and Linux-based container images.

Therefore, both Image1 and Image2 can run on ACI.

Azure Container Apps:

Supports both Windows and Linux-based container images.

Therefore, both Image1 and Image2 can run on Azure Container Apps.

Azure App Service:

Supports both Windows and Linux-based container images.

Therefore, both Image1 and Image2 can run on Azure App Service.

Answer Area:

Image1:

Azure Container Instances, Azure Container Apps, and App Services

Image2:

Azure Container Instances, Azure Container Apps, and App Services

59
Q

Your company has an Azure subscription named Subscription1.

The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.

You manage Server1 and Subscription1 from Server2.

Server2 has the following tools installed:

  • The DNS Manager console
  • Azure PowerShell
  • Azure CLI 2.0

You need to move the adatum.com zone to Subscription1. The solution must minimize administrative effort.

What should you use?

Azure PowerShell
Azure CLI
the Azure portal
the DNS Manager console

A

Understanding DNS and Azure DNS

On-Premises DNS: A DNS server hosted and managed within the local network (Server1).

Azure DNS: A DNS service in Azure for hosting and managing DNS zones.

DNS records: Records that are used to resolve domain names to IP addresses, and for other related functions.

DNS Zone Transfer: A process to replicate the content of a DNS zone from one server to another.

Azure CLI: The command line interface used for managing Azure resources.

Azure PowerShell: Provides a set of cmdlets for managing Azure resources.

Azure Portal: The graphical interface used for managing Azure resources.

DNS Manager console: The DNS management console that runs on Windows, and does not provide Azure access.

Analyzing the Requirements

Migrate DNS Zone: Move the adatum.com DNS zone from Server1 to Azure.

Minimize Effort: Use the most efficient method.

Location of tools: The migration is being performed from Server2, which has Azure CLI and PowerShell installed.

Analyzing the Options

Azure PowerShell:

Analysis: Azure PowerShell provides cmdlets for managing Azure DNS zones, including importing DNS records from a file. This can be used to automate the creation of the zone, and the import of all the records.

Azure CLI:

Analysis: The Azure CLI provides commands for managing Azure DNS zones. Similar to PowerShell, it can be used to script the entire process of creating the zone and importing the DNS records.

The Azure portal:

Analysis: The Azure portal provides a graphical way to create a zone and manually add the records. For 1,000 DNS records, this would be an inefficient and error-prone approach, since each record would have to be entered by hand, which does not scale.

The DNS Manager console:

Analysis: The DNS Manager console only manages local Windows DNS configurations, and cannot be used to create an Azure DNS zone directly. This option is incorrect.

The Most Efficient Solution

Both Azure PowerShell and Azure CLI are suitable for this task. They both provide the ability to perform a scripted deployment and import of all the records, and they both meet the requirements of being available on the target system.

As the prompt does not provide a specific requirement on either option, the more suitable answer is Azure PowerShell.

Answer:

Azure PowerShell

60
Q

You have an Azure subscription that has Traffic Analytics configured.

You deploy a new virtual machine named VM1 that has the following settings:

  • Region: East US
  • Virtual network: VNet1
  • NIC network security group: NSG1

You need to monitor VM1 traffic by using Traffic Analytics.

Which settings should you configure?

Diagnostic settings for VM1
Insights for VM1
NSG flow logs for NSG1
Diagnostic settings for NSG1

A

Determining Required Settings

Let’s evaluate each option:

Diagnostic settings for VM1

Analysis: Diagnostic settings for a VM do not capture network flow information, which Traffic Analytics requires. This option is not correct.

Insights for VM1

Analysis: While VM insights will gather a set of metrics for the virtual machine, it does not provide the required information for traffic analytics. This option is incorrect.

NSG flow logs for NSG1

Analysis: This is the correct approach. Traffic Analytics works by processing NSG flow logs, so we need to enable flow logs for the network security group associated with VM1.

Diagnostic settings for NSG1

Analysis: While a diagnostic setting is involved, there is no option to enable or configure NSG flow logs this way. This option is incorrect.

The Correct Settings

The correct setting to configure in order to be able to monitor the traffic using traffic analytics is to enable NSG flow logs for NSG1.

Answer:

NSG flow logs for NSG1

61
Q

You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1. Subnet1 is in a virtual network named VNet1.

You need to prevent VM1 from accessing VM2 on port 3389.

What should you do?

Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.
Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.
Configure Azure Bastion in VNet1.

A

Understanding Network Security Groups (NSGs)

NSG Rules: Control inbound and outbound traffic to Azure resources.

Priority: Rules are evaluated in order of priority (lower number = higher priority).

Action: Each rule has an action (Allow or Deny).

Protocol and Port: Rules specify the protocol (TCP, UDP, etc.) and port.

Source and Destination: Rules specify the source and destination of the traffic.

Subnet vs. Interface: NSGs can be applied to subnets or to individual network interfaces.

Inbound Rules: Control traffic coming into a resource.

Outbound Rules: Control traffic going out of a resource.

Analyzing the Requirements

Block RDP: Prevent VM1 from accessing VM2 on port 3389 (RDP).

Specific Block: The block must be specific to traffic from VM1 to VM2.

NSG Usage: The solution must use network security groups.

Subnet location: VM1 and VM2 are in the same subnet.

Analyzing the Options

“Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.”

Analysis: This is the correct approach. To block VM1 from initiating RDP to VM2, we must block the outbound traffic from VM1 to VM2. Because the rule must apply to VM1 specifically, we apply the NSG to VM1's network interface, where it takes precedence over subnet-level rules.

“Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.”

Analysis: This option is incorrect because the rule is an inbound rule, which does not block outbound traffic. The rule is also not specific to VM1 accessing VM2; applied to Subnet1, it would affect traffic from all virtual machines in that subnet.

“Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.”

Analysis: This option is incorrect because the rule denies a source port rather than a destination port, and because it is applied at the subnet level rather than to the virtual machine, making it too broad. The source port is not relevant in this scenario.

“Configure Azure Bastion in VNet1.”

Analysis: Azure Bastion provides a secure method of connecting to virtual machines using RDP, and would allow you to monitor access to the virtual machine, but is not the correct approach to block access from one virtual machine to another. This is not the correct action based on the requirements.

The Correct Solution

The correct solution is to create an NSG with an outbound rule to deny destination port 3389 and apply it to the network interface of VM1.

Answer:

Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.

62
Q

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.

VNet1 is in a resource group named RG1.

Subscription1 has a user named User1.

User1 has the following roles:

  • Reader
  • Security Admin
  • Security Reader

You need to ensure that User1 can assign the Reader role for VNet1 to other users.

What should you do?

Assign User1 the Contributor role for VNet1.
Remove User1 from the Security Reader and Reader roles for Subscription1.
Assign User1 the Network Contributor role for VNet1.
Assign User1 the User Access Administrator role for VNet1.

A

Analyzing the Options

Let’s evaluate each option:

“Assign User1 the Contributor role for VNet1.”

Analysis: The Contributor role allows managing resources, but it does not allow you to manage access to the resources. Therefore this option is incorrect.

“Remove User1 from the Security Reader and Reader roles for Subscription1.”

Analysis: Removing existing roles does not provide any additional permissions to User1. Therefore this option is incorrect.

“Assign User1 the Network Contributor role for VNet1.”

Analysis: The Network Contributor role grants permissions to manage network resources, not access control, and will not allow the assignment of roles. Therefore this is not the correct option.

“Assign User1 the User Access Administrator role for VNet1.”

Analysis: This is the correct action. The User Access Administrator role grants the permission to manage access to the specified resource, in this case VNet1. This is the required permission to assign the Reader role, and provides the correct level of access based on the requirements.

The Correct Action

The correct action is to assign User1 the User Access Administrator role for VNet1.

Answer:

Assign User1 the User Access Administrator role for VNet1.