test16 Flashcards
Your on-premises network contains an SMB share named Share1.
You have an Azure subscription that contains the following resources:
✑ A web app named webapp1
✑ A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1.
What should you deploy?
A. an Azure Application Gateway
B. an Azure Active Directory (Azure AD) Application Proxy
C. an Azure Virtual Network Gateway
Which option is correct? Why is it correct?
C. an Azure Virtual Network Gateway
Why C is Correct:
SMB Share Connectivity:
SMB (Server Message Block) shares typically exist on-premises and require a secure network connection for access.
To enable your Azure resources (like the webapp1) to access on-premises resources (Share1), you need to set up a hybrid connectivity solution.
Azure Virtual Network Gateway:
An Azure Virtual Network Gateway enables secure communication between your Azure Virtual Network (VNET1) and your on-premises network via a VPN connection (Site-to-Site VPN or Point-to-Site VPN).
This ensures that webapp1, which is connected to VNET1, can route traffic to your on-premises SMB share (Share1).
Integration Path:
webapp1 → VNET1 → Virtual Network Gateway → On-premises network → SMB Share (Share1)
SMB Protocol Compatibility:
SMB relies on private IP connectivity, which requires a secure tunnel or VPN connection.
Azure Virtual Network Gateway provides this tunnel, enabling communication between Azure and your on-premises network.
Why the Other Options are Incorrect:
A. Azure Application Gateway
Purpose: Azure Application Gateway is a Layer 7 load balancer for HTTP/HTTPS traffic.
Why Incorrect: SMB operates at a lower level (Layer 4 - transport layer, using TCP port 445), not HTTP/HTTPS. It is not designed for accessing SMB shares.
B. Azure Active Directory (Azure AD) Application Proxy
Purpose: Azure AD Application Proxy is used to publish web applications (e.g., HTTP/HTTPS) that are hosted on-premises.
Why Incorrect: SMB shares are file shares, not web applications. Azure AD Application Proxy does not support SMB protocol or file-based resources.
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:
Policy name: Policy1
Backup schedule
Frequency: Daily
Time: 11:00 PM
Timezone: (UTC) Coordinated Universal Time
Instant Restore
Retain instant recovery snapshot(s) for: 2 Day(s)
Retention range
Retention of daily backup point: At 11:00 PM, For 30 Day(s)
Retention of weekly backup point: On Sunday, At 11:00 PM, For 10 Week(s)
Retention of monthly backup point (Week Based | Day Based): On 1, At 11:00 PM, For 36 Month(s)
Retention of yearly backup point (Week Based | Day Based): In March, On 1, At 11:00 PM, For 10 Year(s)
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Answer Area
The backup that occurs on Sunday, March 1, will be retained for [answer choice].
30 days
10 weeks
36 months
10 years
The backup that occurs on Sunday, November 1, will be retained for [answer choice].
30 days
10 weeks
36 months
10 years
Which one is correct for each question in the answer area? Why?
Retention Settings Recap:
Daily Backup Point:
Retained for 30 days.
Taken every day at 11:00 PM.
Weekly Backup Point:
Retained for 10 weeks.
Occurs on Sunday at 11:00 PM.
Monthly Backup Point:
Retained for 36 months.
Week-based: on the 1st Sunday of every month at 11:00 PM.
Yearly Backup Point:
Retained for 10 years.
Occurs in March on the 1st day at 11:00 PM.
Question 1: The backup that occurs on Sunday, March 1
March 1 is a Sunday.
The backup on Sunday, March 1 qualifies for:
Daily Backup → retained for 30 days.
Weekly Backup → retained for 10 weeks (as it’s a Sunday).
Monthly Backup → since March 1 is the 1st day of the month and a Sunday, this backup qualifies as the monthly backup point retained for 36 months.
Yearly Backup → March 1 is the yearly backup point and is retained for 10 years.
Retention Priority: The longest retention duration applies to a backup point that meets multiple policies.
Therefore, the backup on Sunday, March 1 will be retained for 10 years because it qualifies as a yearly backup point.
Question 2: The backup that occurs on Sunday, November 1
November 1 is also a Sunday.
The backup on Sunday, November 1 qualifies for:
Daily Backup → retained for 30 days.
Weekly Backup → retained for 10 weeks (as it’s a Sunday).
Monthly Backup → since November 1 is the 1st day of the month and a Sunday, this backup qualifies as the monthly backup point retained for 36 months.
Yearly Backup → November is not defined as the yearly backup month, so it does not qualify for the 10-year retention.
Retention Priority: The longest applicable retention duration is 36 months (monthly backup point).
You have an Azure subscription.
You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking.
You need to restrict network traffic between the pods.
What should you configure on the AKS cluster?
A. the Azure network policy
B. the Calico network policy
C. pod security policies
D. an application security group
I think the correct answer is B.
The question describes “the pods will use kubenet networking.”
To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).
Azure Network Policies support Azure CNI only. Calico Network Policies support both Azure CNI (Windows Server 2019 and Linux) and kubenet (Linux).
Hence, the correct answer is B.
You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a wildcard certificate for contoso.com.
You have a user named user1@contoso.com that is assigned the Owner role for App1 and KV1.
You need to configure App1 to use the wildcard certificate of KV1.
What should you do first?
A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.
B. Assign a managed user identity to App1.
C. Configure KV1 to use the role-based access control (RBAC) authorization system.
D. Create an access policy for KV1 and assign the policy to User1.
Which one is correct? Why is it correct?
The correct answer is B. Assign a managed user identity to App1.
Explanation:
To configure App1 to use the wildcard certificate stored in KV1, you need to ensure that App1 has the necessary permissions to access KV1. The best practice for this scenario is to use a managed identity for App1. Managed identities provide an automatically managed identity in Azure AD for applications to use when connecting to resources that support Azure AD authentication, such as Azure Key Vault.
Once you assign a managed identity to App1, you can then create an access policy in KV1 to grant the managed identity the necessary permissions to access the certificate. This approach is more secure and manageable compared to assigning permissions directly to a user.
Steps:
Assign a managed user identity to App1.
Create an access policy for KV1 and assign the managed identity of App1 to the policy with the necessary permissions (e.g., get, list).
This ensures that App1 can securely access the wildcard certificate in KV1.
Your company’s Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.
One of the VMs is backed up every day using Azure Backup Instant Restore.
When the VM becomes infected with data encrypting ransomware, you decide to recover the VM’s files.
Which of the following is TRUE in this scenario?
A. You can only recover the files to the infected VM.
B. You can recover the files to any VM within the company’s subscription.
C. You can only recover the files to a new VM.
D. You will not be able to recover the files.
Which one is correct? Why is it correct?
The correct answer is B: You can recover the files to any VM within the company’s subscription.
Here’s why:
Azure Backup Instant Restore provides flexible recovery options, including:
File-level recovery
Recovery to the original location
Recovery to an alternate location within the same subscription
In a ransomware scenario, it would be risky and potentially counterproductive to recover files to the infected VM (eliminating option A) since:
The ransomware might still be active
The recovered files could be re-encrypted immediately
The system might still be compromised
Option C is incorrect because you’re not limited to recovering only to a new VM - you can recover to any existing VM in the subscription.
Option D is incorrect because Azure Backup is specifically designed to protect against ransomware and allow recovery of files from backup points taken before the infection.
The ability to recover to any VM within the subscription provides:
Flexibility in recovery options
Ability to verify files in a safe environment
Option to recover to a clean system
Protection against reinfection
This flexibility is particularly important in ransomware scenarios where you need to ensure you’re recovering to a clean environment to prevent reinfection.
If you’re looking to implement similar protection in AWS, AWS Backup provides comparable capabilities for protecting against ransomware and offers flexible recovery options for your resources.
You have an Azure subscription.
You plan to migrate 50 virtual machines from VMware vSphere to the subscription.
You create a Recovery Services vault.
What should you do next?
A. Configure an extended network.
B. Create a recovery plan.
C. Deploy an Open Virtualization Application (OVA) template to vSphere.
D. Configure a virtual network.
Which one is correct? Why is it correct?
The correct answer is C: Deploy an Open Virtualization Application (OVA) template to vSphere.
Here’s why this is the correct answer:
When migrating VMs from VMware vSphere to Azure, you need to follow a specific sequence of steps: [1]
First steps:
Create a Recovery Services vault (which you’ve already done)
Deploy the OVA template to vSphere (this is your next step)
The OVA template deployment is critical because it:
Sets up the configuration server in your VMware environment
Acts as a bridge between VMware and Azure
Handles the replication of VMs
Coordinates the migration process
Why the other options are incorrect:
A. Configure an extended network
This is not the immediate next step
Network configuration comes later in the process
You need the configuration server (OVA) in place first
B. Create a recovery plan
Recovery plans are created after you have your infrastructure set up
You can’t create effective recovery plans without first having the basic migration infrastructure in place
D. Configure a virtual network
While you will need to configure networking eventually
This is not the immediate next step in the sequence
The configuration server needs to be in place first to handle the migration
The logical sequence for VMware to Azure migration is:
Create Recovery Services vault
Deploy OVA template (Configuration server)
Configure networking
Set up replication
Create recovery plans
Perform the migration
Therefore, since you’ve already created the Recovery Services vault, deploying the OVA template is the correct next step in the migration process.
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
Create a virtual machine
PROJECT DETAILS
Subscription: MyDev-Test Subscription
Resource group: RG1
(Create new)
INSTANCE DETAILS
Virtual machine name: VM1
Region: (US) West US 2
Availability options: No infrastructure redundancy required
Image: Windows Server 2016 Datacenter
(Browse all public and private images)
Azure Spot instance: No
Size: Standard DS1 v2
1 vCPU, 3.5 GiB memory (ZAR 632.47/month)
(Change size)
Tabs on top:
Basics | Disks | Networking | Management | Advanced | Tags | Review + create
Top notification
“⚠ Changing Basic options may reset selections you have made. Review all options prior to creating the virtual machine.”
The planned disk configurations for VM1 are shown in the following exhibit.
Disks
Description:
“Azure VMs have one operating system disk and a temporary disk for short-term storage. You can attach additional data disks. The size of the VM determines the type of storage you can use and the number of data disks allowed. Learn more”
Disk options
OS disk type: Standard HDD
(The selected VM size supports premium disks. We recommend Premium SSD for high IOPS workloads. Virtual machines with Premium SSD disks qualify for the 99.9% connectivity SLA.)
Enable Ultra Disk compatibility (Preview):
Yes
No (selected)
(Ultra Disks are only available when using Managed Disks.)
Data disks
“You can add and configure additional data disks for your virtual machine or attach existing disks. This VM also comes with a temporary disk.”
(Note: Adding unmanaged data disks is currently not supported at the time of VM creation. You can add them after the VM is created.)
Advanced
Use managed disks:
No (selected)
Yes
Storage account:
(new) rg1 disks799
(Create new)
Tabs on top:
Basics | Disks | Networking | Management | Advanced | Tags | Review + create
You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Use managed disks
B. OS disk type
C. Availability options
D. Size
E. Image
Which option is correct? Why is it correct?
The correct answers are A and C:
A. Use managed disks
C. Availability options
Here’s why these are the correct answers:
Use managed disks (A):
Availability Zones require managed disks
The current configuration shows “Use managed disks: No”
Unmanaged disks are not supported in Availability Zones
You must change this to “Yes” to enable Availability Zone support [1]
Availability options (C):
Current setting shows “No infrastructure redundancy required”
To use Availability Zones, you need to change this setting to specify an Availability Zone [2]
This setting must be modified to select a specific Availability Zone for the VM
Why the other options are incorrect:
B. OS disk type:
While Premium SSD is recommended for better performance, the disk type itself doesn’t affect Availability Zone compatibility
Standard HDD can work with Availability Zones as long as it’s managed
D. Size:
The current size (Standard DS1 v2) supports Availability Zones
VM size doesn’t determine Availability Zone compatibility
E. Image:
Windows Server 2016 Datacenter is supported in Availability Zones
The image selection doesn’t affect Availability Zone compatibility
Key requirements for Availability Zones:
Must use managed disks [3]
Must explicitly select an Availability Zone in the availability options
Must be in a region that supports Availability Zones
Therefore, to enable VM1 to be created in an Availability Zone, you need to:
Change “Use managed disks” from No to Yes
Modify “Availability options” to select a specific Availability Zone
You have the Azure virtual machines shown in the following table:
| Name | Azure region |
|---|---|
| VM1 | West Europe |
| VM2 | West Europe |
| VM3 | North Europe |
| VM4 | North Europe |
You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
What should you do first?
A. Create a new Recovery Services vault
B. Create a storage account
C. Configure the extensions for VM3 and VM4
D. Create a new backup policy
Which option is correct? Why is it correct?
The correct answer is A: Create a new Recovery Services vault.
Here’s why:
Recovery Services Vault Regional Limitations:
Recovery Services vaults are region-specific
A single vault can only protect resources within the same region
VM1 and VM2 are in West Europe and are protected by an existing vault
VM3 and VM4 are in North Europe (different region)
Why a new vault is needed:
You cannot use the existing vault in West Europe to protect VMs in North Europe
Each region requires its own Recovery Services vault
This is a fundamental architectural requirement for Azure Backup
Why other options are incorrect:
B. Create a storage account
Storage accounts are not a prerequisite for Azure Backup [1]
The Recovery Services vault manages the backup storage automatically [2]
This is not the first step in protecting new VMs
C. Configure the extensions for VM3 and VM4
Extensions can’t be configured without a vault in place
This is a subsequent step after creating the vault
The backup extension is automatically managed by Azure Backup
D. Create a new backup policy
Backup policies are created within a Recovery Services vault [3]
You can’t create a policy without first having a vault
This would be a later step in the process
The correct sequence of steps would be:
Create a new Recovery Services vault in North Europe
Configure backup policies in the new vault
Enable protection for VM3 and VM4
Configure any necessary extensions
Therefore, creating a new Recovery Services vault is the first and necessary step to protect VM3 and VM4, as they are in a different region from the existing vault.
You have an Azure subscription named AZPT1 that contains the resources shown in the following table:
| Name | Type |
|---|---|
| storage1 | Azure Storage account |
| VNET1 | Virtual network |
| VM1 | Azure virtual machine |
| VM1Managed | Managed disk for VM1 |
| RVAULT1 | Recovery Services vault for the site recovery of VM1 |
You create a new Azure subscription named AZPT2.
You need to identify which resources can be moved to AZPT2.
Which resources should you identify?
A. VM1, storage1, VNET1, and VM1Managed only
B. VM1 and VM1Managed only
C. VM1, storage1, VNET1, VM1Managed, and RVAULT1
D. RVAULT1 only
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
Create a virtual machine
Basics | Disks | Networking | Management | Advanced | Tags | Review + create
Create a virtual machine that runs Linux or Windows. Select an image from Azure marketplace or use your own customized image. Complete the Basics tab then Review + create to provision a virtual machine with default parameters or review each tab for full customization.
Looking for classic VMs? Create VM from Azure Marketplace
Select the subscription to manage deployed resources and costs. Use resource groups like folders to organize and manage all your resources.
PROJECT DETAILS
Subscription:
MyDev-Test Subscription
Resource group:
RG1
Create new
INSTANCE DETAILS
Virtual machine name:
VM1
Region:
(US) West US 2
Availability options:
No infrastructure redundancy required
Image:
Windows Server 2016 Datacenter
Browse all public and private images
Azure Spot instance:
No
Size:
Standard DS1 v2
1 vcpu, 3.5 GiB memory (ZAR 632.47/month)
Change size
The planned disk configurations for VM1 are shown in the following exhibit.
Disks
Azure VMs have one operating system disk and a temporary disk for short-term storage. You can attach additional data disks. The size of the VM determines the type of storage you can use and the number of data disks allowed.
Disk options
OS disk type:
Standard HDD
(Select the OS disk type. This selection affects the disk performance. We recommend Premium SSD for high IOPS workloads. Standard SSDs are better suited for entry-level production applications. Standard HDDs can be used for dev/test scenarios.)
Enable Ultra Disk compatibility (Preview):
No
(Ultra Disks are only available when using Managed Disks.)
Data disks
You can add and configure additional data disks for your virtual machine or attach existing disks. This VM also comes with a temporary disk.
Adding unmanaged data disks is currently not supported at the time of VM creation. You can add them after the VM is created.
Advanced
Use managed disks:
No | Yes
Storage account:
(new rg1disks799)
Create new
You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Use managed disks
B. OS disk type
C. Availability options
D. Size
You have an Azure subscription that contains the vaults shown in the following table.
| Name | Type |
|---|---|
| Recovery1 | Recovery Services vault |
| Backup1 | Azure Backup vault |
You deploy the virtual machines shown in the following table.
| Name | Operating system | Security Configuration |
|---|---|---|
| VM1 | Windows Server | Azure Disk Encryption |
| VM2 | Linux | Trusted launch |
You have the backup policies shown in the following table.
| Name | Type | In vault |
|---|---|---|
| Policy1 | Standard | Recovery1 |
| Policy2 | Enhanced | Recovery2 |
| Policy3 | Not applicable | Backup1 |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer Area
Statements Yes No
VM1 can be backed up by using Policy1.
VM2 can be backed up by using Policy3.
VM2 can be backed up by using Policy2.
HOTSPOT -
You have two Azure App Service apps named App1 and App2. Each app has a production deployment slot and a test deployment slot.
The Backup Configuration settings for the production slots are shown in the following table:
| App | Backup Every | Start backup schedule from | Retention (Days) | Keep at least one backup |
|---|---|---|---|---|
| App1 | 1 Days | January 6, 2021 | 0 | Yes |
| App2 | 1 Days | January 6, 2021 | 30 | Yes |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
Statements Yes No
On January 15, 2021, App1 will have only one backup in storage. ( ) ( )
On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021. ( ) ( )
On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot. ( ) ( )
HOTSPOT -
You need to configure Azure Backup to back up the file shares and virtual machines.
What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
| Name | Kind | Location | File share | Identity-based access for file share |
|---|---|---|---|---|
| storage1 | Storage (general purpose v1) | West US | sharea | Azure Active Directory Domain Services (Azure AD DS) |
| storage2 | StorageV2 (general purpose v2) | East US | shareb, sharec | Disabled |
| storage3 | BlobStorage | East US 2 | Not applicable | Not applicable |
| storage4 | FileStorage | Central US | shared | Azure Active Directory Domain Services (Azure AD DS) |

| Name | IP address | Location | Connected to |
|---|---|---|---|
| VM1 | 10.0.1.4 | West US | VNET1/Subnet1 |
| VM2 | 10.0.2.4 | West US | VNET1/Subnet2 |
| VM3 | 172.16.1.4 | Central US | VNET2/Subnet1 |
| VM4 | 192.168.1.4 | West US | VNET3/Subnet1 |
| VM5 | 10.0.22.4 | East US | VNET4/Subnet1 |
Answer Area
Recovery Services vaults:
1
2
3
4
7
Backup policies:
1
2
3
4
5
6