Timed Mode Set 3 – AZ-104 Azure Administrator Flashcards

1
Q

Your company has an existing subscription in Azure.

You provisioned an Azure Storage account named TutorialsDojoAccount and then created a file share named TDShare.

You need to create a script that will allow you to connect to your file share.

What is the UNC path of the file share?

A. \\TutorialsDojoAccount.file.core.windows.net\TDShare
B. \\TDShare.file.core.windows.net\TutorialsDojoAccount
C. \\file.core.windows.net.TutorialsDojoAccount\TDShare
D. \\TutorialsDojoAccount.TDShare\file.core.windows.net

A

A. \\TutorialsDojoAccount.file.core.windows.net\TDShare

Explanation:
Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.

One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world using a URL that points to the file and includes a shared access signature (SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific amount of time.

File shares can be used for many common scenarios:

  1. Many on-premises applications use file shares. This feature makes it easier to migrate those applications that share data to Azure. If you mount the file share to the same drive letter that the on-premises application uses, the part of your application that accesses the file share should work with minimal, if any, changes.
  2. Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them and that they use the same version.
  3. Resource logs, metrics, and crash dumps are just three examples of data that can be written to a file share and processed or analyzed later.


Azure Files is Microsoft's fully managed cloud file system. Azure file shares can be mounted directly by Windows and Windows Server.

To use an Azure file share outside the Azure region that hosts it, such as on-premises or from a different Azure region, the client OS must support SMB 3.x with encryption (Windows 8.1 / Windows Server 2012 R2 and later), and outbound TCP port 445 to the storage account must be open. Many ISPs and corporate firewalls block port 445, which is the most common reason a mount fails. You can use Azure file shares from Windows running either in an Azure VM or on-premises.

The Azure file share UNC path format is:

\\<storageAccountName>.file.core.windows.net\<fileShareName>

For example:

\\StoragePhilippines.file.core.windows.net\ElNidoPalawanFileShare

(Real storage account names are 3 to 24 lowercase letters and digits; the mixed-case names in this question are illustrative.)

Hence, the correct answer is:

\\TutorialsDojoAccount.file.core.windows.net\TDShare

References:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

Check out this Azure Files Cheat Sheet:

https://tutorialsdojo.com/azure-file-storage/
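The script the question asks for, added here as a worked example (it is not from the original flashcard or from Microsoft's documentation). It assumes the Az PowerShell module is installed and that you can read the account keys; the resource group name and drive letter are placeholders marked in the code, and the question's mixed-case account name is kept as-is even though a real account name must be lowercase.

```powershell
# Added example (not from the original flashcard): mount the Azure Files share from Q1 on a Windows client.
$storageAccountName = "TutorialsDojoAccount"   # from the question; real names are 3-24 lowercase letters/digits
$shareName          = "TDShare"                # from the question
$resourceGroupName  = "TD-RG"                  # assumed
$driveLetter        = "Z"                      # assumed

$endpoint = "$storageAccountName.file.core.windows.net"
$uncPath  = "\\$endpoint\$shareName"           # \\<account>.file.core.windows.net\<share>

# SMB needs outbound TCP 445 to the storage endpoint; ISPs and corporate firewalls often block it.
$probe = Test-NetConnection -ComputerName $endpoint -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $endpoint is blocked; mount over VPN/ExpressRoute or unblock port 445 first."
}

# Key-based authentication: user is localhost\<account> (or AZURE\<account>), password is an account key.
# The key grants full access to the whole storage account, so prefer identity-based (Kerberos) auth
# for domain-joined machines and rotate the key if it ever lands in a script or log.
Connect-AzAccount | Out-Null                   # interactive sign-in; assumed to have rights on the account
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName)[0].Value

# cmdkey stores the credential in Windows Credential Manager so the mapping survives reboots.
cmdkey /add:"$endpoint" /user:"localhost\$storageAccountName" /pass:"$key" | Out-Null
New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root $uncPath -Persist -Scope Global

# Quick check that the share is readable through the new drive letter.
Get-ChildItem -Path "${driveLetter}:\" | Select-Object -First 5
```

Run it in an elevated PowerShell session on the machine that needs the share; the port 445 probe is worth keeping in any deployment script because a blocked port produces an unhelpful "network path not found" error from the SMB client.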

2
Q

Your company has an Azure Subscription that contains an Azure Container named TDContainer.

There is a requirement to launch a new Azure container instance that uses a docker image named TDImage. The container image contains a Microsoft SQL Server instance that requires persistent storage.

You need to create a storage service that will meet the requirements for TDContainer.

What should you use?

A. Azure Table storage
B. Azure Queue storage
C. Azure Blob storage
D. Azure Files

A

D. Azure Files

Explanation:
Containers are becoming the preferred way to package, deploy, and manage cloud applications. Azure Container Instances offers the fastest and simplest way to run a container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.

Azure Container Instances is a solution for any scenario that can operate in isolated containers, without orchestration. Run event-driven applications, quickly deploy from your container development pipelines, and run data processing and build jobs.

Containers offer significant startup benefits over virtual machines (VMs). Azure Container Instances can start containers in Azure in seconds, without the need to provision and manage VMs.

Bring Linux or Windows container images from Docker Hub, a private Azure container registry, or another cloud-based docker registry. Azure Container Instances caches several common base OS images, helping speed deployment of your custom application images.

By default, Azure Container Instances are stateless: if the container crashes or stops, all of its state is lost. To persist state beyond the lifetime of the container, you must mount a volume from an external store. Azure Container Instances can mount an Azure file share created with Azure Files.

Azure Files offers fully managed file shares hosted in Azure Storage that are accessible via the industry standard Server Message Block (SMB) protocol. Using an Azure file share with Azure Container Instances provides file-sharing features similar to using an Azure file share with Azure virtual machines.

Azure Files is the persistent-volume option for Azure Container Instances. Azure managed disks attach to virtual machines (and to AKS nodes) but cannot be mounted by a container instance.

Hence, the correct answer is: Azure Files.

Azure Queue Storage is incorrect because this service stores large numbers of messages to enable communication between components of a distributed application; it is not a file system a container can mount.

Azure Table Storage and Azure Blob Storage are both incorrect because Azure Container Instances cannot mount them as volumes. The volume types ACI supports are Azure Files shares, emptyDir, gitRepo, and secret volumes.

References:

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-overview

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files

Check out this Azure Container Instances Cheat Sheet:

https://tutorialsdojo.com/azure-container-instances-aci/

Azure Blob vs. Disk vs. File Storage:

https://tutorialsdojo.com/azure-blob-vs-disk-vs-file-storage/
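A deployment of the scenario's SQL Server image with its data directory on an Azure Files share, added here as a worked example (not from the original flashcard). It uses the Az.ContainerInstance and Az.Storage cmdlets; the resource group, region, storage account and share name are placeholders marked in the code, and "TDImage" is kept as the image name from the question (a real deployment would reference a registry path and, for a private registry, add -RegistryCredential).

```powershell
# Added example (not from the original flashcard): run the SQL Server image with /var/opt/mssql
# persisted on an Azure Files share. Values marked "assumed" are not in the question.
$rg    = "TD-RG"                 # assumed resource group
$loc   = "southeastasia"         # assumed region
$acct  = "tutorialsdojoaccount"  # assumed storage account (3-24 lowercase letters/digits)
$share = "tdsqldata"             # assumed file share name

# 1. Create the share if missing. ACI can mount Azure Files; it cannot attach a managed disk or a blob container.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $acct).Context
if (-not (Get-AzStorageShare -Name $share -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageShare -Name $share -Context $ctx | Out-Null
}
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $acct)[0].Value

# 2. Volume definition and the path the container sees. SQL Server on Linux keeps data and logs under /var/opt/mssql.
$volume = New-AzContainerGroupVolumeObject -Name "mssql-data" `
            -AzureFileShareName $share -AzureFileStorageAccountName $acct `
            -AzureFileStorageAccountKey (ConvertTo-SecureString $key -AsPlainText -Force)
$mount  = New-AzContainerInstanceVolumeMountObject -Name "mssql-data" -MountPath "/var/opt/mssql"

# 3. SQL Server requires the EULA flag and an SA password. Pass the password as a secure value so it
#    is not readable from the container group's properties by anyone with read access to the resource.
$saPassword = Read-Host -Prompt "SA password" -AsSecureString
$envVars = @(
    New-AzContainerInstanceEnvironmentVariableObject -Name "ACCEPT_EULA" -Value "Y"
    New-AzContainerInstanceEnvironmentVariableObject -Name "MSSQL_SA_PASSWORD" -SecureValue $saPassword
)

# 4. Container definition referencing the mount. "TDImage" is the name from the question.
$container = New-AzContainerInstanceObject -Name "tdsql" -Image "TDImage" `
               -RequestCpu 2 -RequestMemoryInGb 4 `
               -EnvironmentVariable $envVars -VolumeMount $mount

# 5. Create the group. No public IP is requested: a database should be reached through a delegated
#    subnet (-SubnetId) rather than from the Internet on port 1433.
New-AzContainerGroup -ResourceGroupName $rg -Name "TDContainer" -Location $loc `
    -Container $container -Volume $volume -OsType Linux

# 6. Verify from inside the container that the share is mounted where SQL Server expects it.
Invoke-AzContainerInstanceCommand -ResourceGroupName $rg -ContainerGroupName "TDContainer" `
    -ContainerName "tdsql" -Command "ls -la /var/opt/mssql"
```

Because the share outlives the container group, deleting and re-creating TDContainer (for example to pick up a new image tag) keeps the databases; the account key used for the mount should be scoped to a dedicated storage account for this workload and rotated like any other secret.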

3
Q

Your company has an Azure subscription that contains an Azure Storage account named tutorialsdojoaccount.

There is a requirement to copy a virtual machine image to a container named tdimage from your on-premises datacenter. You need to provision an Azure Container instance to host the container image.

Which AzCopy command should you run?

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

1. AzCopy ____
   A. Sync
   B. Copy
   C. Make

2. "https://tutorialsdojoaccount.____.core.windows.net/tdimage"
   A. queue
   B. file
   C. table
   D. blob

A

1. C. Make
2. D. blob

Explanation:
The Azure Storage platform is Microsoft’s cloud storage solution for modern data storage scenarios. Core storage services offer a massively scalable object store for data objects, disk storage for Azure virtual machines (VMs), a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.

Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn’t adhere to a particular data model or definition, such as text or binary data.

Blob storage is designed for:

– Serving images or documents directly to a browser.

– Storing files for distributed access.

– Streaming video and audio.

– Writing to log files.

– Storing data for backup and restore disaster recovery, and archiving.

– Storing data for analysis by an on-premises or Azure-hosted service.

A container organizes a set of blobs, similar to a directory in a file system. A storage account can include an unlimited number of containers, and a container can store an unlimited number of blobs. VHD files can be used to create custom images that can be stored in an Azure Blob container, which are used to provision virtual machines.

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. The azcopy make command is commonly used to create a container or a file share.

The correct syntax in creating a blob container is:

azcopy make "https://[account-name].blob.core.windows.net/[top-level-resource-name]"

For example, to create a container named mycontainer:

azcopy make "https://myaccount.blob.core.windows.net/mycontainer"

Therefore, the correct answers are:

AzCopy = Make

https://tutorialsdojoaccount.____.core.windows.net/tdimage = Blob

Copy is incorrect because it simply copies source data to a destination location.

Sync is incorrect because it only replicates the source location to the destination location.

File is incorrect because a URL on the file endpoint (file.core.windows.net) makes azcopy make create a file share, not a blob container. The scenario copies a VM image into a blob container named tdimage.

Table is incorrect because this is just a NoSQL data store that accepts authenticated calls from inside and outside the Azure cloud which allows you to store large amounts of structured data.

Queue is incorrect because this simply provides cloud messaging between application components that allows you to decouple your applications so that they can scale independently.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-make

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

Azure Blob vs Disk vs File Storage:

https://tutorialsdojo.com/azure-blob-vs-disk-vs-file-storage/
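The two azcopy commands the scenario needs, added here as a worked example (not from the original flashcard): create the container, then upload the exported VHD into it. The local file path and the SAS token are placeholders; azcopy must be on PATH, and "azcopy login" (Azure AD) can replace the SAS if you hold the Storage Blob Data Contributor role on the account.

```powershell
# Added example (not from the original flashcard): create the tdimage container and upload a VM image to it.
$account   = "tutorialsdojoaccount"    # from the question
$container = "tdimage"                 # from the question
$localVhd  = "C:\images\tdimage.vhd"   # assumed: fixed-size VHD exported from the on-premises VM
$sas       = "<sas-token>"             # assumed: short-lived SAS with create/write/list on the Blob service

$containerUrl = "https://$account.blob.core.windows.net/$container"

# The service host in the URL decides what "make" creates: blob -> container, file -> file share.
# azcopy make fails if the container already exists, which is fine for a one-off setup.
azcopy make "${containerUrl}?${sas}"

# A VHD that will back a VM image must be stored as a page blob; azcopy uploads block blobs by default.
azcopy copy $localVhd "${containerUrl}/tdimage.vhd?${sas}" --blob-type PageBlob

# Confirm the blob exists and that its type is PageBlob before creating the image from it.
azcopy list "${containerUrl}?${sas}" --properties BlobType
```

The `${}` form around the variables is deliberate: in PowerShell `?` is a valid variable-name character, so `"$containerUrl?$sas"` would be read as a single variable named `containerUrl?`.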

4
Q

You have the following virtual networks in your Azure subscription.
[Scenario image AZ104-3-04: the address spaces of TDVnet1 through TDVnet4, not reproduced]

Which of the following virtual networks can you establish a virtual network peering from TDVnet1?

A. TDVnet2 only
B. TDVnet3 and TDVnet4 only
C. TDVnet2, TDVnet3 and TDVnet4
D. TDVnet2 and TDVnet3 only

A

B. TDVnet3 and TDVnet4 only

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.

Azure supports the following types of peering:

– Virtual network peering: Connect virtual networks within the same Azure region.

– Global virtual network peering: Connecting virtual networks across Azure regions.

Take note, the virtual networks you peer with must have non-overlapping IP address spaces.

Hence, the correct answer is: TDVnet3 and TDVnet4 only.

The following options are incorrect because the address space 10.1.0.0/17 of TDVnet2 overlaps with the address space 10.1.0.0/16 of TDVnet1, so Azure rejects a peering between them. Plan your address spaces ahead of time if you expect to peer virtual networks. You can change the address space of a virtual network later, but every subnet in it must remain within the new address space.

– TDVnet2 only

– TDVnet2, TDVnet3 and TDVnet4

– TDVnet2 and TDVnet3 only

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/
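A pre-flight check that decides which virtual networks TDVnet1 can peer with by testing every address-space pair for overlap, added here as a worked example (not from the original flashcard). The prefixes for TDVnet1 and TDVnet2 are those given in the explanation; the TDVnet3 and TDVnet4 prefixes are assumed because the scenario image is not reproduced here, and under those assumptions the last line returns TDVnet3 and TDVnet4.

```powershell
# Added example (not from the original flashcard): overlap check before creating a VNet peering.

function ConvertTo-IPv4Int {
    # Dotted-quad string -> unsigned 32-bit value held in an Int64 so bitwise math stays positive.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Get-IPv4Range {
    # CIDR string -> first and last address of the block as integers.
    param([string]$Cidr)
    $address, $prefixLength = $Cidr.Split('/')
    $prefixLength = [int]$prefixLength
    $mask  = ([int64]0xFFFFFFFF -shl (32 - $prefixLength)) -band [int64]0xFFFFFFFF
    $start = (ConvertTo-IPv4Int $address) -band $mask
    $end   = $start -bor ([int64]0xFFFFFFFF -bxor $mask)
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $end }
}

function Test-CidrOverlap {
    # Two ranges overlap when each starts no later than the other ends.
    param([string]$A, [string]$B)
    $ra = Get-IPv4Range $A
    $rb = Get-IPv4Range $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Get-PeerableVnets {
    # Returns the VNets whose address spaces do not overlap any address space of $Source.
    param([string]$Source, [hashtable]$Vnets)
    $result = @()
    foreach ($name in ($Vnets.Keys | Where-Object { $_ -ne $Source } | Sort-Object)) {
        $overlap = $false
        foreach ($s in $Vnets[$Source]) {
            foreach ($t in $Vnets[$name]) {
                if (Test-CidrOverlap $s $t) { $overlap = $true }
            }
        }
        if (-not $overlap) { $result += $name }
    }
    return $result
}

# Address spaces (a VNet may have several). In a live subscription build this table from
# Get-AzVirtualNetwork | ForEach-Object { $_.Name; $_.AddressSpace.AddressPrefixes }
$vnets = @{
    TDVnet1 = @("10.1.0.0/16")
    TDVnet2 = @("10.1.0.0/17")   # from the explanation: sits inside TDVnet1's /16
    TDVnet3 = @("10.2.0.0/16")   # assumed
    TDVnet4 = @("10.3.0.0/16")   # assumed
}

Get-PeerableVnets -Source "TDVnet1" -Vnets $vnets
```

The check is the same one the Azure control plane performs when the peering is created, but running it first means you find the collision while you can still re-plan an address space, not after the peering request fails.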

5
Q

Your company has an Azure subscription named TDSubcription1. It contains the following resources:

[Scenario image az104-3-05: the resources in TDSubscription1, not reproduced]

Which subnet(s) can you associate TDNSG1 with?

A. You can associate it to the subnets of TDVnet1 and TDVnet2 only.
B. You can associate it to the subnet of TDVnet1 only.
C. You can associate it to the subnet of TDVnet2 only.
D. You can associate it to the subnet of TDVnet3 only.

A

D. You can associate it to the subnet of TDVnet3 only.

Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

You can only associate a network security group with a subnet or network interface in the same region as the network security group, and an NSG cannot be moved from one region to another. You can, however, export the existing configuration and security rules of an NSG to an Azure Resource Manager template, modify the parameters to match the destination region, and deploy the template there to re-create the NSG in the new region.

Hence, the correct answer is: You can associate it to the subnet of TDVnet3 only.

The following options are incorrect because TDVnet1 and TDVnet2 are located in Southeast Asia, which is not the region of TDNSG1. You can only associate a network security group with a subnet within the same region as the network security group.

– You can associate it to the subnets of TDVnet1 and TDVnet2 only

– You can associate it to the subnet of TDVnet1 only

– You can associate it to the subnet of TDVnet2 only

References:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-nsg-portal

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

6
Q

Your company has a virtual network named TDVnet1 and a policy-based virtual network gateway named TD1 in your Azure subscription.

You have users that need to access TDVnet1 from a remote location.

Which two actions should you do so your users can establish a point-to-site connection to TDVnet1?

A. Deploy a gateway subnet
B. Delete TD1
C. Deploy a route-based VPN gateway
D. Reset TD1
E. Download and install the VPN client configuration file

A

B. Delete TD1
C. Deploy a route-based VPN gateway

Explanation:
Point-to-Site (P2S) VPN connection allows you to create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

When you configure a point-to-site VPN connection, you must use a route-based VPN type for your gateway. Policy-based VPN type for point-to-site VPN connection is not supported by Azure.

If you create a policy-based VPN type as your gateway, you need to delete it and deploy a route-based VPN gateway instead.

Hence, the correct answers are:

– Delete TD1

– Deploy a route-based VPN gateway

The option that says: Deploy a gateway subnet is incorrect. A gateway subnet (named GatewaySubnet) is a prerequisite for any virtual network gateway, and since TD1 already exists in TDVnet1, the virtual network already has one; the new route-based gateway reuses it.

The option that says: Reset TD1 is incorrect. Resetting TD1 will not work since it is a policy-based VPN type. Take note that you need a route-based VPN type for point-to-site VPN connections.

The option that says: Download and install the VPN client configuration file is incorrect. Even if you have downloaded and installed the VPN client configuration file, the users still won’t be able to connect to TDVnet1 because TD1 is a policy-based VPN type. You have to delete TD1 first and deploy a new route-based VPN gateway.

References:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about

Check out this Azure VPN Gateway Cheat Sheet:

https://tutorialsdojo.com/azure-vpn-gateway/
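The two correct actions carried out with Az.Network cmdlets, followed by the point-to-site configuration that makes the new gateway usable, added here as a worked example (not from the original flashcard). Only TDVnet1 and TD1 come from the question; the resource group, region, gateway SKU, client address pool and the root-certificate file path are assumptions marked in the code, and certificate authentication is used for the clients.

```powershell
# Added example (not from the original flashcard): replace the policy-based gateway TD1 with a
# route-based one and enable point-to-site for it.
$rg  = "TD-RG"            # assumed
$loc = "southeastasia"    # assumed

# 1. A gateway's VPN type cannot be changed in place, so remove the policy-based gateway first.
Remove-AzVirtualNetworkGateway -Name "TD1" -ResourceGroupName $rg -Force

# 2. Reuse the existing GatewaySubnet: TD1's existence means TDVnet1 already has one.
$vnet   = Get-AzVirtualNetwork -Name "TDVnet1" -ResourceGroupName $rg
$gwSub  = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwPip  = New-AzPublicIpAddress -Name "TD1-pip" -ResourceGroupName $rg -Location $loc `
            -AllocationMethod Static -Sku Standard
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name "TD1-ipconf" -SubnetId $gwSub.Id -PublicIpAddressId $gwPip.Id

# 3. Root certificate that signs the client certificates: Base64 .cer export, header/footer lines stripped.
$rootCertData = (Get-Content "C:\certs\P2SRootCert.cer" | Where-Object { $_ -notmatch '^-----' }) -join ''
$rootCert = New-AzVpnClientRootCertificate -Name "P2SRootCert" -PublicCertData $rootCertData

# 4. Route-based gateway with the point-to-site settings. A policy-based gateway cannot serve P2S clients at all.
New-AzVirtualNetworkGateway -Name "TD1" -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol IkeV2, OpenVPN `
    -VpnClientRootCertificates $rootCert

# 5. Only now does the client configuration package exist for users to download and install.
$clientCfg = New-AzVpnClientConfiguration -Name "TD1" -ResourceGroupName $rg -AuthenticationMethod EapTls
Invoke-WebRequest -Uri $clientCfg.VpnProfileSASUrl -OutFile "$env:TEMP\TD1-vpnclient.zip"
```

Gateway creation takes tens of minutes, and the old gateway's public IP is released when it is deleted, which is why the example allocates a fresh Standard static IP instead of assuming the previous address survives. Step 5 is the "download and install the VPN client configuration file" option from the question: it is a real step, but it only works after the route-based gateway exists.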

7
Q

Your company has an Azure subscription named TDSubscription1.

You plan to host your media assets to a storage account.

You created an Azure storage account named tutorialsdojostorage using the following parameters:

[Image azure_create_storage_account: the parameters used to create the storage account, not reproduced]

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

1. How many copies of your data will be maintained by the Azure storage account at the minimum?
   A. 3
   B. 4
   C. 5
   D. 6

2. The files that you will host in tutorialsdojostorage are frequently accessed files. What setting should you modify?
   A. Account Kind
   B. Access Tier
   C. Versioning
   D. Performance

A

1. D. 6
2. B. Access Tier

Explanation:
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers four options for how your data is replicated:

Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option but is not recommended for applications requiring high availability.
Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability.
Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.
Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.

Take note that Geo-redundant storage (GRS) maintains six copies total, including three copies in the primary region and three copies in the secondary region.

Azure storage offers different access tiers, allowing you to store blob object data in the most cost-effective manner. Available access tiers include:

Hot – Optimized for storing data that is accessed frequently.
Cool – Optimized for storing data that is infrequently accessed and stored for at least 30 days.
Archive – Optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements, on the order of hours.

Therefore, a total of 6 copies are maintained because the replication setting is Geo-redundant storage (GRS): three synchronous copies within a single physical location in the primary region, plus three more copies in the secondary region that are written asynchronously, for a total of 6.

For frequently accessed files, change the access tier from Cool to Hot.

The option that says: 3 is incorrect because only Locally redundant storage (LRS) and Zone-redundant storage (ZRS) maintain a total of 3 copies of data.

The options that say: 4 and 5 are incorrect because no Azure Storage redundancy option maintains 4 or 5 copies of data: it is 3 for LRS and ZRS, and 6 for GRS and GZRS.

Account Kind is incorrect because this simply offers several types of storage accounts such as StorageV2, Storage, and BlobStorage. Each type supports different features and has its own pricing model.

Versioning is incorrect because this feature is for automatically maintaining the previous versions of an object. When blob versioning is enabled, you can restore an earlier version of a blob to recover your data if it is erroneously modified or deleted.

Performance is incorrect because this setting determines the throughput and latency class of your storage account, not how often data is read. There are two performance tiers: Standard, optimized for high capacity and throughput, and Premium, optimized for high transaction rates and consistent single-digit-millisecond latency.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

Check out this Azure Storage Overview Cheat Sheet:

https://tutorialsdojo.com/azure-storage-overview/

Locally Redundant Storage (LRS) vs Zone-Redundant Storage (ZRS) vs Geo-redundant storage (GRS):

https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/

10
Q

You have an Azure virtual network named TDVnet1 that contains the following subnets shown below:
[Scenario image az104-3-10: the subnets of TDVnet1 and their virtual machines, not reproduced]

You plan to create a network security group for your virtual machines.

Due to regulatory compliance, you must meet the following requirements:

Virtual machines in TDSub2 and TDSub3 must accept HTTPS traffic from the Internet.
Remote Desktop connections from the public Internet must only reach TD1.
All traffic between TD1 and TD2 must be allowed.
Restrict all other external network traffic from accessing TDVnet1.

What is the minimum number of network security groups that you should provision to satisfy the requirements above?

A. 1
B. 3
C. 5
D. 6
A

A. 1

Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Network Security Groups can be attached to multiple subnets and/or network interfaces. Unless you have a specific reason to, it is recommended that you associate a network security group to a subnet or a network interface, but not both.

All of the requirements can be met with one network security group that holds a few inbound rules and is associated with TDSub1, TDSub2, and TDSub3:

1. Virtual machines in TDSub2 and TDSub3 must accept HTTPS traffic from the Internet.

– Create an inbound allow rule (for example at priority 100) with source Internet, destination port 443, and the address prefixes of TDSub2 and TDSub3 as the destination. HTTPS is then allowed only to those subnets; TDSub1 stays closed on port 443 because nothing else allows it.

2. Remote Desktop connections from the Internet must only reach TD1.

– There are two virtual machines in TDSub1 and only TD1 may accept Remote Desktop, so you cannot use the address prefix of TDSub1 as the destination.

– Instead, create an inbound allow rule (for example at priority 110) with the private IP address of TD1 (a /32) as the destination and 3389 as the destination port.

3. All traffic between TD1 and TD2 must be allowed.

– The default rule AllowVnetInBound (priority 65000) allows traffic whose source and destination are within the virtual network (the VirtualNetwork service tag, which also covers peered networks). No custom rule is needed as long as no higher-priority rule denies it.

4. Restrict all other external network traffic from accessing TDVnet1.

– The default rule DenyAllInBound (priority 65500) denies any inbound traffic that no rule with a higher priority (lower number) allowed. No custom rule is needed.

Hence, the correct answer is: 1.

3, 5, and 6 are incorrect because you only need to create one network security group with multiple rules to satisfy the requirements of the scenario.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/
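The single NSG described in the explanation, built with Az.Network cmdlets and associated with all three subnets, added here as a worked example (not from the original flashcard). Because the scenario image is not reproduced, the subnet prefixes, TD1's private IP, the resource group and the region are assumptions marked in the code.

```powershell
# Added example (not from the original flashcard): one NSG with two custom rules that meets all four
# requirements, then associated with TDSub1, TDSub2 and TDSub3.
$rg  = "TD-RG"            # assumed
$loc = "southeastasia"    # assumed
$sub2Prefix = "10.0.2.0/24"   # assumed address prefix of TDSub2
$sub3Prefix = "10.0.3.0/24"   # assumed address prefix of TDSub3
$td1Ip      = "10.0.1.4"      # assumed private IP of TD1 in TDSub1

# Requirement 1: HTTPS from the Internet to TDSub2 and TDSub3 only. Listing those two prefixes as the
# destination leaves TDSub1 closed on 443, because no other rule allows it.
$httpsRule = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS-Sub2-Sub3" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix $sub2Prefix, $sub3Prefix -DestinationPortRange 443

# Requirement 2: RDP from the Internet to TD1 only, so the destination is TD1's /32, not TDSub1's prefix.
# The scenario demands 3389 open to the Internet; in practice narrow -SourceAddressPrefix to known
# public IPs, or use Azure Bastion / just-in-time access instead of a standing allow rule.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-TD1" -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix $td1Ip -DestinationPortRange 3389

# Requirements 3 and 4 need no custom rules: the default AllowVnetInBound (priority 65000) covers
# TD1 <-> TD2, and DenyAllInBound (65500) drops anything no higher-priority rule allowed.
$nsg = New-AzNetworkSecurityGroup -Name "TDNSG1" -ResourceGroupName $rg -Location $loc `
    -SecurityRules $httpsRule, $rdpRule

# Associate the one NSG with all three subnets. Setting the property on the subnet object keeps the
# subnets' other settings (service endpoints, delegations) untouched.
$vnet = Get-AzVirtualNetwork -Name "TDVnet1" -ResourceGroupName $rg
$targets = "TDSub1", "TDSub2", "TDSub3"
foreach ($subnet in ($vnet.Subnets | Where-Object { $_.Name -in $targets })) {
    $subnet.NetworkSecurityGroup = $nsg
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: custom and default rules in evaluation order (lowest priority number wins per direction).
@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Sort-Object Direction, Priority |
    Format-Table Priority, Name, Direction, Access, Protocol, DestinationPortRange, DestinationAddressPrefix
```

After the association, Get-AzEffectiveNetworkSecurityGroup on TD1's network interface shows the merged rule set the platform actually enforces, which is the place to confirm that TD2 (same subnet, no RDP rule) is still denied on 3389 from the Internet.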

11
Q

Your company has an Azure subscription that has the following resources deployed:

[Scenario image az104-3-11: the subscription's resources, including TDBackup1 and the Log Analytics workspaces TDAnalytics1, TDAnalytics2, and TDAnalytics3, not reproduced]

You need to configure Azure Backup reports for TDBackup1 to determine which backup items consume the most storage.

Which Log Analytics workspace can you use to store the backup reporting data?

A. TDAnalytics1 only
B. TDAnalytics2 only
C. TDAnalytics3 only
D. TDAnalytics1, TDAnalytics2, and TDAnalytics3

A

D. TDAnalytics1, TDAnalytics2, and TDAnalytics3

Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your backup data while minimizing management overhead.

Azure Backup report provides a reporting solution that uses Azure Monitor logs and Azure workbooks. These resources help you get rich insights on your backups across your entire backup estate. Backup Reports serve as a one-stop destination for tracking usage, auditing of backups and restores, and identifying key trends at different levels of granularity.

A common requirement for backup admins is to obtain insights on backups based on data that spans a long period of time. Use cases for such a solution include:

– Allocating and forecasting of cloud storage consumed.

– Auditing of backups and restores.

– Identifying key trends at different levels of granularity.

By default, the data in a Log Analytics workspace is retained for 30 days. To see data for a longer time horizon, change the retention period of the Log Analytics workspace.

Take note that the Log Analytics workspace used for Backup Reports does not have to be in the same region or subscription as the vault; a single workspace can receive reporting data from vaults across regions and subscriptions.

Hence, the correct answer is: TDAnalytics1, TDAnalytics2, and TDAnalytics3.

References:

https://docs.microsoft.com/en-us/azure/backup/backup-overview

https://docs.microsoft.com/en-us/azure/backup/configure-reports

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

12
Q

Your company has an Azure subscription that contains a virtual machine named TD1 and a virtual network named TDVnet1.

You have an on-premises Server Message Block (SMB) file server named FileServer1.

There is a requirement to connect TD1 to FileServer1.

What should you create?

A. Create an Azure virtual network peering
B. Create an Azure AD Connect sync
C. Create an Azure Application Gateway
D. Create an Azure Virtual Network Gateway

A

D. Create an Azure Virtual Network Gateway

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

An Azure Virtual Network Gateway or VPN Gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.

You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

A site-to-site VPN gateway connection connects your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. The SMB traffic between TD1 and FileServer1 (TCP port 445) then travels inside the encrypted tunnel rather than across the public Internet, where port 445 is widely blocked and should never be exposed.

Hence, the correct answer is: Create an Azure Virtual Network Gateway.

The option that says: Create an Azure virtual network peering is incorrect as this only enables you to seamlessly connect two or more Virtual Networks in Azure. Take note that in this scenario, you need to connect your on-premises network to Azure.

The option that says: Create an Azure AD Connect sync is incorrect because sync is simply the main component of Azure AD Connect: it synchronizes identity information (users and groups) held in on-premises Active Directory to Azure AD, so provisioning or deprovisioning on-premises propagates to the cloud. It cannot connect TD1 to FileServer1, which is a file server, not a directory.

The option that says: Create an Azure Application Gateway is incorrect because this service is just a web traffic load balancer that enables you to manage traffic to your web applications.

References:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Check out this Azure VPN Gateway Cheat Sheet:

https://tutorialsdojo.com/azure-vpn-gateway/
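The site-to-site connection that lets TD1 reach FileServer1, added here as a worked example (not from the original flashcard). It assumes a route-based virtual network gateway named TDVnet1-GW already exists in TDVnet1; the resource group, region, on-premises public IP, on-premises address range and FileServer1's private IP are placeholders marked in the code.

```powershell
# Added example (not from the original flashcard): IPsec site-to-site tunnel from TDVnet1 to the
# on-premises network that hosts FileServer1.
$rg  = "TD-RG"            # assumed
$loc = "southeastasia"    # assumed
$onPremPublicIp = "203.0.113.10"        # assumed public IP of the on-premises VPN device
$onPremPrefixes = @("192.168.0.0/16")   # assumed on-premises ranges; must contain FileServer1
$fileServerIp   = "192.168.10.20"       # assumed private IP of FileServer1

# 1. Describe the on-premises side: its VPN device address and the prefixes reachable through it.
#    Traffic to any address outside these prefixes is not routed into the tunnel.
$lng = New-AzLocalNetworkGateway -Name "OnPrem-LNG" -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefixes

# 2. Pre-shared key for IKE. Generate it rather than typing a memorable one, hand it to the
#    on-premises administrator out of band (for example through Key Vault) and never log it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)

# 3. Create the connection between the existing route-based gateway and the local network gateway.
$gw = Get-AzVirtualNetworkGateway -Name "TDVnet1-GW" -ResourceGroupName $rg
$conn = New-AzVirtualNetworkGatewayConnection -Name "TDVnet1-to-OnPrem" -ResourceGroupName $rg `
    -Location $loc -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk

# 4. Wait (bounded) for the tunnel to come up once the on-premises device is configured with the same PSK.
$attempts = 0
do {
    Start-Sleep -Seconds 15
    $status = (Get-AzVirtualNetworkGatewayConnection -Name $conn.Name -ResourceGroupName $rg).ConnectionStatus
    $attempts++
} until ($status -eq "Connected" -or $attempts -ge 40)
"Connection status: $status"

# 5. On TD1 itself, confirm SMB reachability through the tunnel (the on-premises firewall must
#    allow TCP 445 from TDVnet1's address range to FileServer1):
#    Test-NetConnection -ComputerName $fileServerIp -Port 445
```

If the status stays "Connecting", the usual causes are a PSK mismatch, IKE/IPsec parameters the on-premises device does not offer, or an on-premises address range that was left out of the local network gateway; all three are visible from the connection's diagnostics rather than from TD1.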

13
Q

Your company has an Azure subscription named TDSubscription1 that contains the following resources:
[Scenario image az104-3-13: the resources in TDSubscription1, including TDVnet1 and TDVnet2 and their peering, not reproduced]

You recently added a new address space 10.30.0.0/16 to TDVnet1.

What should you do next?

A. Delete the peering between TDVnet1 and TDVnet2.
B. Delete TDVnet2.
C. Re-create the peering between TDVnet1 and TDVnet2.
D. Sync the peering between TDVnet1 and TDVnet2.

A

D. Sync the peering between TDVnet1 and TDVnet2.

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.

You can resize the address space of Azure virtual networks that are peered without incurring any downtime on the currently peered address space. This feature is useful when you need to resize the virtual network’s address space after scaling your workloads. After resizing the address space, all that is required is for peers to be synced with the new address space changes. Resizing works for both IPv4 and IPv6 address spaces.

Addresses can be resized in the following ways:

– Modifying the address range prefix of an existing address range (For example, changing 10.1.0.0/16 to 10.1.0.0/18).

– Adding address ranges to a virtual network.

– Deleting address ranges from a virtual network.

– Resizing of address space is supported cross-tenant.

Hence, the correct answer is: Sync the peering between TDVnet1 and TDVnet2.

The statement that says: Delete TDVnet2 is incorrect because you can add an address space to your virtual network without deleting it.

The following statements are incorrect because you do not need to delete and re-create the peering when you add an address space to an existing virtual network peering. All you have to do is sync the peering after you have added an address space.

– Delete the peering between TDVnet1 and TDVnet2

– Re-create the peering between TDVnet1 and TDVnet2

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

14
Q

Your Azure subscription contains a fleet of virtual machines.

You recently deployed an Azure bastion named TD1 with an SKU of Basic and a subnet size of /26.

There is a requirement that more than 90 users will concurrently use TD1. You need to be able to accommodate the number of users that will be accessing TD1. The solution must minimize administrative effort.
What should you do first?

A. Deploy a new bastion server with an SKU of Standard
B. Increase the instance count of TD1.
C. Increase the server size of TD1.
D. Upgrade the SKU of TD1

A

D. Upgrade the SKU of TD1

Explanation:
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, virtual machines don’t need a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world while providing secure access using RDP/SSH.

Two instances are created when you configure Azure Bastion using the Basic SKU. Using the Standard SKU, you can specify the number of instances. This is called host scaling.

Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. The number of connections per instance depends on your actions when connected to the client VM. For example, if you are doing something data-intensive, it creates a more significant load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.

Remember that you can only use host scaling if your bastion server has an SKU of Standard.

To accommodate additional concurrent client connections, you first need to upgrade the SKU of TD1 from Basic to Standard (after upgrading to Standard, you cannot revert back to the Basic SKU). After that, you can increase the instance count of TD1 to however many instances are required to accommodate the 90 users.

Hence, the correct answer is: Upgrade the SKU of TD1.

The option that says: Deploy a new bastion server with an SKU of Standard is incorrect because there is no need to deploy a new bastion server with an SKU of Standard. You can upgrade the SKU of TD1 to Standard. One of the requirements is that your solution must minimize administrative effort.

The option that says: Increase the instance count of TD1 is incorrect because you will only be able to increase the instance count if TD1 is already using an SKU of Standard. Take note that the question asks what you will do first.

The option that says: Increase the server size of TD1 is incorrect because there is no option to increase the server size of a bastion server. If you need more computing power, you can increase the instance count of the bastion server. Remember that you need to use an SKU of Standard before being able to use host scaling.

References:

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings

16
Q

You have an Azure subscription that contains an Azure DNS zone named tutorialsdojo.com.

There is a requirement to delegate a subdomain named portal.tutorialsdojo.com to another Azure DNS zone.

What solution would satisfy the requirement?

A. Navigate to tutorialsdojo.com and add a PTR record named portal.
B. Navigate to tutorialsdojo.com and add an NS record named portal.
C. Navigate to tutorialsdojo.com and add a CNAME record named portal.
D. Navigate to tutorialsdojo.com and add a TXT record named portal

A

B. Navigate to tutorialsdojo.com and add an NS record named portal.

Explanation:
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.

You can use the Azure portal to delegate a DNS subdomain. For example, if you own the tutorialsdojo.com domain, you can delegate a subdomain called portal to another, separate zone that you can administer separately from the tutorialsdojo.com zone.

To delegate an Azure DNS subdomain, you must first delegate your public domain to Azure DNS. Once your domain is delegated to your Azure DNS zone, you can delegate your subdomain.

You can delegate a subdomain by doing the following:

  1. Create a new Azure DNS zone named portal.tutorialsdojo.com. Copy down the four nameservers as you will need them for step 2.
  2. Navigate to the tutorialsdojo.com DNS zone and add an NS record named portal. Under records, enter the four nameservers from portal.tutorialsdojo.com and click ok.
  3. To verify your work, open a PowerShell window and type nslookup portal.tutorialsdojo.com.

Hence, this statement is correct: Navigate to tutorialsdojo.com and add an NS record named portal.

The following statements are incorrect because PTR, CNAME, and TXT records are not used to delegate an Azure DNS subdomain.

– Navigate to tutorialsdojo.com and add a PTR record named portal.

– Navigate to tutorialsdojo.com and add a CNAME record named portal.

– Navigate to tutorialsdojo.com and add a TXT record named portal.

References:

https://docs.microsoft.com/en-us/azure/dns/dns-overview

https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

Check out this Azure DNS Cheat Sheet:

https://tutorialsdojo.com/azure-dns/

17
Q

You have created a vault backup policy in Recovery Services as shown below:

backuppolicy

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. The created backup on January 15 will be retained for [answer].

A. 30 Days
B. 4 Weeks
C. 36 months
D. 5 years

  2. The created backup on December 15 will be retained for [answer].

A. 30 Days
B. 4 Weeks
C. 36 months
D. 5 years

A
  1. C. 36 months
  2. D. 5 years

Explanation:
Azure Backup Policy has two components: Schedule (when to take a backup) and Retention (how long to retain backup). You can define the policy based on the type of data that’s being backed up, RTO/RPO requirements, operational or regulatory compliance needs, and workload type.

To create a backup policy, you need to create a Recovery Services vault first. Take note that the services supported by Azure Backup are virtual machine, file share, SQL server, and SAP HANA. Based on the given policy, the retention period for monthly backup is 36 months. Since January 15 is not configured as a yearly backup point, this backup is considered a monthly backup.

Hence, the correct answers are:

– The created backup on January 15 will be retained for 36 months.

– The created backup on December 15 will be retained for 5 Years.

References:

https://docs.microsoft.com/en-us/azure/backup/guidance-best-practices

https://docs.microsoft.com/en-us/azure/backup/backup-azure-manage-vms

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

18
Q

Your company has an Azure subscription named ManilaSubscription that contains multiple virtual machines.

The subscription has a user named ManilaUser01 who has the following roles:

Backup Reader
Storage Blob Data Contributor
DevTest Labs User

You need to ensure that ManilaUser01 can assign a Reader role to all the users in the subscription.

What role should you assign?

A. Assign the User Access Administrator role.
B. Assign the Security Reader role.
C. Assign the Virtual Machine Contributor role.
D. Assign the Security Admin role.

A

A. Assign the User Access Administrator role.

Explanation:
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

The four fundamental Azure roles are Owner, Contributor, Reader, and User Access Administrator. To assign a Reader role to all the users in the Azure subscription, you must grant the user a User Access Administrator role. This role allows you to manage user access to the Azure resources.

Hence, the correct answer is: Assign the User Access Administrator role.

The option that says: Assign the Security Reader role is incorrect because this role only allows the user to view permissions in the Security Center.

The option that says: Assign the Virtual Machine Contributor role is incorrect because this role just lets you manage virtual machines. Take note that this role doesn’t allow you to access virtual machines directly nor assign a Reader role to all the users in the subscription.

The option that says: Assign the Security Admin role is incorrect. This role has the same permissions as the Security Reader role. The only difference is that it can update the security policy and dismiss alerts and recommendations.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator

Check out this Azure RBAC Cheat Sheet:

https://tutorialsdojo.com/azure-role-based-access-control-rbac/

Azure Active Directory vs. Role-Based Access Control:

https://tutorialsdojo.com/azure-active-directory-ad-vs-role-based-access-control-rbac/

19
Q

You plan to automate the deployment of Windows Servers using a virtual machine scale set.

You need to make sure that the web components are installed in the virtual machines.

Which two actions should you perform?

A. Create a configuration script.
B. Create an automation account.
C. Create a policy.
D. Configure the extensionProfile section of the ARM template.
E. Create a new scale set.

A

A. Create a configuration script.
D. Configure the extensionProfile section of the ARM template.

Explanation:
Azure virtual machine scale sets let you create and manage a group of load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications and allow you to centrally manage, configure, and update a large number of VMs.

The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post-deployment configuration, software installation, or any other configuration or management tasks.

Hence, the correct answers are:

– Create a configuration script.

– Configure the extensionProfile section of the ARM template.

The option that says: Create an automation account is incorrect because an automation account wouldn’t help you automatically install web components. You still need to create a configuration script and extensionProfile in the ARM template.

The option that says: Create a policy is incorrect because this option only evaluates resources in Azure. Take note that you don’t need to create a policy to install web components.

The option that says: Create a new scale set is incorrect because this wouldn’t install the required web components. Instead of creating a new scale set, you should use a custom script extension to install the web components in the VMs.

References:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-app

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template#what-is-the-azure-custom-script-extension

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-app#already-provisioned

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

20
Q
  1. TD-App1
    A. TD-ASP1
    B. TD-ASP2
    C. TD-ASP1 and TD-ASP2
    D. TD-ASP1 and TD-ASP3
  2. TD-App2
    A. TD-ASP1
    B. TD-ASP2
    C. TD-ASP1 and TD-ASP2
    D. TD-ASP1 and TD-ASP3
A
  1. C. TD-ASP1 and TD-ASP2
  2. B. TD-ASP2

Explanation:
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile backends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

In Azure App Service, an app always runs in an App Service plan. An App Service plan defines a set of computing resources for a web app to run. One or more apps can be configured to run on the same App Service plan. When you create an App Service plan in a certain region (for example, East US), a set of computing resources is created for that plan in that region only.

Based on the given scenario, you need to determine which App Service plan is suitable for the Java 17 and ASP .NET 4.8 runtime stacks. When you create an App Service plan, you need to select an operating system. The Java 17 runtime stack can run on both Linux and Windows operating systems. While the ASP .NET 4.8 runtime stack can only run on Windows operating system.

For TD-ASP3, the location of the App Service Plan is in North Europe. Take note that an App Service plan can only be associated with a web app located in the same region.

Therefore, the correct answers are:

– TD-ASP1 and TD-ASP2

– TD-ASP2

References:

https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

https://docs.microsoft.com/en-us/azure/app-service/environment/intro

Check out this Azure App Service Cheat Sheet:

https://tutorialsdojo.com/azure-app-service/

21
Q

A. A user is restricted from creating any Azure Virtual Networks in TD Subscription.
B. A user is allowed to create Azure Virtual Networks in TD-RG only.
C. A user is restricted from creating Azure Virtual Networks in TD-RG.
D. A user is allowed to create Azure Virtual Networks in any resource group within TD Subscription.

A

B. A user is allowed to create Azure Virtual Networks in TD-RG only.

Explanation:
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Policy evaluates resources in Azure by comparing the properties of resources to the business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative.

In the given policy, the resource group TD-RG is excluded in the effect of the policy. This means that you are allowed to create Virtual Networks in TD-RG. A policy exclusion allows you to assign a policy at a high level and then exclude scopes within it. For example, in an environment with applications and a central network, you want to have a policy for all the application resource groups but not the network resource group.

Hence, the correct answer is: A user is allowed to create Azure Virtual Networks in TD-RG only.

The option that says: A user is restricted from creating Azure Virtual Networks in TD-RG is incorrect. You are not prevented from creating Virtual Networks in the TD-RG resource group because it is excluded from the given policy.

The option that says: A user is restricted from creating any Azure Virtual Networks in TD Subscription is incorrect. Just like the option above, you are allowed to create Virtual Networks in the excluded resource group.

The option that says: A user is allowed to create Azure Virtual Networks in any resource group within TD Subscription is incorrect because you can only create Virtual Networks in the TD-RG resource group.

References:

https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

https://docs.microsoft.com/en-us/azure/governance/policy/overview

Check out this Azure Policy Cheat Sheet:

https://tutorialsdojo.com/azure-policy/

22
Q

Your company has an Azure Subscription that contains an Azure Kubernetes Service (AKS) cluster and an Azure AD tenant named tutorialsdojo.com.

You received a report that the system administrator is unable to grant access to Azure AD users who need to use the cluster.

You need to grant the users in tutorialsdojo.com access to the cluster.

What should you implement?

A. Configure external collaboration settings.
B. Create an OAuth 2.0 authorization endpoint.
C. Create a new AKS cluster.
D. Add a namespace.

A

B. Create an OAuth 2.0 authorization endpoint.

Explanation:
Azure Kubernetes Service (AKS) makes it simple to deploy a managed Kubernetes cluster in Azure. AKS reduces the complexity and operational overhead of managing Kubernetes by offloading much of that responsibility to Azure. As a hosted Kubernetes service, Azure handles critical tasks like health monitoring and maintenance for you. The Kubernetes masters are managed by Azure. You only manage and maintain the agent nodes. As a managed Kubernetes service, AKS is free — you only pay for the agent nodes within your clusters, not for the masters.

The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources. In the AKS integration flow, the Azure AD client application uses kubectl to sign in users with the OAuth 2.0 device authorization grant flow. Azure AD returns an access_token, id_token, and refresh_token; kubectl then sends its request to the Kubernetes API server using the access_token stored in kubeconfig. After validating the token, the API server makes an authorization decision based on the Kubernetes Role/RoleBinding. Once authorized, the API server returns a response to kubectl.

Hence, the correct answer is: Create an OAuth 2.0 authorization endpoint.

The option that says: Configure external collaboration settings is incorrect because external collaboration settings only let you turn guest invitations on or off for different types of users in your organization. This option wouldn’t help you grant the users in tutorialsdojo.com access to the cluster.

The option that says: Create a new AKS cluster is incorrect because a cluster is just a set of nodes that run containerized applications. Creating a new cluster is not necessary. You need to create an authorization endpoint to grant the users access to the domain name.

The option that says: Add a namespace is incorrect because a namespace only divides cluster resources between multiple users. Remember that users can only interact with resources within their assigned namespaces. To grant the users in tutorialsdojo.com access to the cluster, you should create an OAuth authorization endpoint.

References:

https://docs.microsoft.com/en-us/azure/aks/concepts-identity

https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli

23
Q

Your company has a virtual network that contains a MySQL database hosted on a virtual machine.

You created a web app named tutorialsdojo-webapp using the Azure App service.

You need to make sure that tutorialsdojo-webapp can fetch the data from the MySQL database.

What should you implement?

A. Create an internal load balancer.
B. Enable VNet Integration and connect the web app to the virtual network.
C. Peer the virtual network to another virtual network.
D. Create an Azure Application Gateway.

A

B. Enable VNet Integration and connect the web app to the virtual network.

Explanation:
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments. App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, other sources, package management, staging environments, custom domain, and TLS/SSL certificates.

With Azure Virtual Network (VNets), you can place many of your Azure resources in a non-internet-routable network. The VNet Integration feature enables your apps to access resources in or through a VNet. VNet Integration doesn’t enable your apps to be accessed privately.

Azure App Service has two variations on the VNet Integration feature:

– The multitenant systems support the full range of pricing plans except for Isolated.

– The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.

Hence, the correct answer is: Enable VNet Integration and connect the web app to the virtual network.

The option that says: Create an internal load balancer is incorrect because this option only distributes the traffic. An internal load balancer is mainly used to load balance traffic inside a virtual network.

The option that says: Peer the virtual network to another virtual network is incorrect because virtual network peering wouldn’t help the web app access the virtual machine.

The option that says: Create an Azure Application Gateway is incorrect because the distribution of web traffic is not needed in the scenario. An Azure Application Gateway is just a web traffic load balancer that enables you to manage traffic to your web applications. Take note that the only requirement is to ensure that tutorialsdojo-webapp can access the data from the MySQL database hosted on a virtual machine.

References:

https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

https://azure.microsoft.com/en-in/services/app-service/

Check out this Azure App Service Cheat Sheet:

https://tutorialsdojo.com/azure-app-service/

24
Q

Your company has two Azure virtual networks named TDVNet1 and TDVNet2 in the Central US region. A virtual machine named TD-VM1 is running in TDVNet1, while the other virtual network has a virtual machine named TD-VM2.

A web application is hosted on TD-VM1 and the data is retrieved and processed by TD-VM2.

Several users reported that the web application has a sluggish performance.

You are instructed to track the average round-trip time (RTT) of the packets from TD-VM1 to TD-VM2.

Which of the following options can satisfy the given requirement?

A. IP flow verify
B. Connection Troubleshoot
C. Connection Monitor
D. NSG flow logs

A

C. Connection Monitor

Explanation:
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.

In this scenario, you can use Connection Monitor to track the average round-trip time (RTT) of the packets from TD-VM1 to TD-VM2. In Azure Network Watcher, Connection Monitor provides unified end-to-end connection monitoring. The Connection Monitor feature also supports hybrid and Azure cloud deployments.

Benefits of using the Connection Monitor:

– Unified, intuitive experience for Azure and hybrid monitoring needs

– Cross-region, cross-workspace connectivity monitoring

– Higher probing frequencies and better visibility into network performance

– Faster alerting for your hybrid deployments

– Support for connectivity checks that are based on HTTP, TCP, and ICMP

– Metrics and Log Analytics support for both Azure and non-Azure test setups

Hence, the correct answer is Connection Monitor.

IP flow verify is incorrect because this feature only looks at the rules for all Network Security Groups (NSGs) applied to the network interface. It is stated in the scenario that you must track the packets from TD-VM1 to TD-VM2. IP flow verify is not capable of providing the average round-trip time of the packets from the source to the destination.

Connection Troubleshoot is incorrect because it simply checks connectivity between source and destination. Take note that you need to track the average round-trip time of the packets from TD-VM1 to TD-VM2. Therefore, you need to use Connection Monitor to analyze the end-to-end connection and not the Connection Troubleshoot operation.

NSG flow logs is incorrect because it only allows you to log information about IP traffic flowing (ingress and egress) through an NSG. Take note that you can’t use NSG flow logs to track the average RTT of the packets from TD-VM1 to TD-VM2. You need to use Connection Monitor to provide unified end-to-end connection monitoring.

References:

https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview

https://docs.microsoft.com/en-us/azure/azure-monitor/faq

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

25
Q

Your company recently created a new Azure subscription. You checked the subscription and it contains the following resources.
az104-3-25 scenario image
TD-RG3 contains a web app named TD-App3 which is located in North Europe.

You plan to move TD-App3 to TD-RG1.

What is the effect of moving the web app to a different resource group?

A. The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 1.
B. The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 3.
C. The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 3.
D. The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 1.

A

D. The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 1.

Explanation:
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile backends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

In this scenario, the TD-App3 is located in the North Europe region. Take note that you cannot change an App Service plan’s region. Also, if you move a resource to a new resource group or subscription, the location of the resource would not change. If you need to run your app in a different region, one alternative is app cloning. Cloning makes a copy of your app in a new or existing App Service plan in any region.

Since you plan to move TD-App3 to TD-RG1, the policy that will be applied to TD-App3 is the policy of TD-RG1 (Policy 1). Remember that a policy assigned to a resource group is also applied to the resources within it. You can also assign multiple policies to one resource group.

Hence, the correct answer is: The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 1.

The option that says: The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 1 is incorrect because TD-App3 would still remain in the North Europe region even if you moved the resource to a different resource group.

The option that says: The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 3 is incorrect because Policy 3 is only applied to the TD-RG3 resources. Since you moved the resource to TD-RG1, the policy applied to TD-App3 is Policy 1.

The option that says: The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 3 is incorrect because if you moved a resource to a different resource group, the location of the resource would not change.

References:

https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

Check out this Azure App Service Cheat Sheet:

https://tutorialsdojo.com/azure-app-service/

26
Q

You are managing an Azure subscription that contains a resource group named TD-RG1 which has a virtual machine named TD-VM1.

TD-VM1 has services that will deploy new resources on TD-RG1.

You need to make sure that the services running on TD-VM1 should be able to manage the resources in TD-RG1 using its identity.

Which of the following actions should you do first?

A. Configure the access control of TD-VM1.
B. Configure the security settings of TD-RG1.
C. Configure the managed identity of TD-VM1.
D. Configure the access control of TD-RG1.

A

C. Configure the managed identity of TD-VM1.

Explanation:
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in external (such as Microsoft 365, the Azure portal, and thousands of other SaaS applications) and internal resources (such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization).

There are two types of managed identities:

– System-assigned: some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

– User-assigned: you may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.

In this scenario, you can use the system-assigned managed identity. Take note that this identity is restricted to only one resource. You can grant permissions to the managed identity by using Azure RBAC. The managed identity is authenticated with Azure AD, so you don’t have to store any credentials.

Hence, the correct answer is: Configure the managed identity of TD-VM1.

The option that says: Configure the security settings of TD-RG1 is incorrect because it only provides security recommendations and security alerts for your resource group. As per the scenario, you need to ensure that the services running on TD-VM1 are able to manage the resources in TD-RG1 using its identity. Therefore, you need to configure the managed identity settings of TD-VM1.

The options that say: Configure the access control of TD-VM1 and Configure the access control of TD-RG1 are incorrect because these only add role assignments to an Azure resource. A role assignment is the process of attaching a role definition to a user, group, or service principal to provide access to a specific resource. Remember that access is granted by creating a role assignment, and access is revoked by removing a role assignment. You have to configure a managed identity first; only then can it be given a role assignment.

References:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

29
Q

Your company has 12 peered virtual networks in your Azure subscription.

You plan to deploy a network security group for each virtual network.

There is a compliance requirement that port 80 should be automatically blocked between virtual networks whenever a new network security group is created.

Solution: You create a security rule that denies incoming port 80 traffic.

Does the solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Azure Network Security Group is used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

It is stated in the scenario that blocking port 80 should be done automatically whenever a new network security group is created. Creating the rule manually is cumbersome because you would need to add a security rule to every network security group you create. It’s best practice to always automate your security processes to avoid administrative overhead.

You should use a custom policy definition in order to automate the requirement.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

30
Q

Your company has 12 peered virtual networks in your Azure subscription.

You plan to deploy a network security group for each virtual network.

There is a compliance requirement that port 80 should be automatically blocked between virtual networks whenever a new network security group is created.

Solution: You create a custom policy definition and assign it to the subscription.

Does the solution meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps to bring your resources into compliance through bulk remediation for existing resources and automatic remediation for new resources.

Azure Policy has a list of built-in policy definitions, but if you need something more specific, you can create your own by creating a custom policy definition that will allow your organization to meet its compliance requirements.

A custom policy definition allows customers to define their own rules for using Azure. These rules often enforce:

– Security practices

– Cost management

– Organization-specific rules (like naming or locations)

In this scenario, you can create a custom policy to automatically block port 80 whenever a new network security group is created.

Hence, the correct answer is: Yes.

References:

https://docs.microsoft.com/en-us/azure/governance/policy/overview

https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition

Check out this Azure Policy Cheat Sheet:

https://tutorialsdojo.com/azure-policy/

31
Q

Your company has 12 peered virtual networks in your Azure subscription.

You plan to deploy a network security group for each virtual network.

There is a compliance requirement that port 80 should be automatically blocked between virtual networks whenever a new network security group is created.

Solution: You configure the network security group (NSG) flow log to automatically block port 80.

Does the solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products, which include Virtual Machines, Virtual Networks, Application Gateways, Load Balancers, etc.

Network security group (NSG) flow logs are a feature of Azure Network Watcher that allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice.

It is stated in the scenario that port 80 should be automatically blocked between virtual networks whenever a new network security group is created. NSG flow logs are only used to monitor traffic that is allowed or denied by a network security group.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet/

32
Q

You have an Azure Subscription and an Azure Active Directory group named Developers.

The Azure Subscription has a resource group named Dev.

You need to assign a role in the Developers group to allow the users to create Azure Logic Apps in the resource group.

Solution: In the Dev resource group, assign a User Access Administrator role to the Developers group.

Does the proposed solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant just the right access to users that they need to perform their jobs.

The permissions of the User Access Administrator role only cover managing user access to Azure resources (that is, role assignments). This role cannot create or manage any type of Azure resource.

Since the requirement in the scenario is to allow the users to create Azure Logic Apps in the resource group, you have to assign a Contributor role to the users of the Developers group.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions

Check out this Azure RBAC Cheat Sheet:

https://tutorialsdojo.com/azure-role-based-access-control-rbac/

Azure Active Directory (AD) vs Role-Based Access Control (RBAC):

https://tutorialsdojo.com/azure-active-directory-ad-vs-role-based-access-control-rbac/

33
Q

You have an Azure Subscription and an Azure Active Directory group named Developers.

The Azure Subscription has a resource group named Dev.

You need to assign a role in the Developers group to allow the users to create Azure Logic Apps in the resource group.

Solution: In the Dev resource group, assign a Logic App Operator role to the Developers group.

Does the proposed solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the needed access to allow your users to perform their jobs.

The Logic App Operator role only lets you read, enable, and disable logic apps. You can’t edit, update, or create logic apps.

To satisfy the requirement in the scenario, you have to assign the Contributor role to the Developers Azure AD group at the Dev resource group scope.

Hence, the correct answer is: No.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions

Check out this Azure RBAC Cheat Sheet:

https://tutorialsdojo.com/azure-role-based-access-control-rbac/

Azure Active Directory (AD) vs. Role-Based Access Control (RBAC):

https://tutorialsdojo.com/azure-active-directory-ad-vs-role-based-access-control-rbac/

34
Q

You have an Azure Subscription and an Azure Active Directory group named Developers.

The Azure Subscription has a resource group named Dev.

You need to assign a role in the Developers group to allow the users to create Azure Logic Apps in the resource group.

Solution: In the Dev resource group, assign a Contributor role to the Developers Azure AD group.

Does the proposed solution meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the right amount of access that users need to perform their jobs.

The permissions for the Contributor Role are:

– Create and manage all types of Azure resources

– Create a new tenant in Azure Active Directory

– Cannot grant access to others

Assigning the Contributor role to the users will satisfy this requirement since it allows the users to create Azure Logic Apps within a certain resource group.

Hence, the correct answer is: Yes.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions

Check out this Azure RBAC Cheat Sheet:

https://tutorialsdojo.com/azure-role-based-access-control-rbac/

Azure Active Directory (AD) vs. Role-Based Access Control (RBAC):

https://tutorialsdojo.com/azure-active-directory-ad-vs-role-based-access-control-rbac/

35
Q

Overview

Tutorials Dojo is an online learning portal for technology-related topics that empowers its users to upgrade their skills and career. Tutorials Dojo has users worldwide, across the United States, Europe, and Asia.

Existing Environment

Tutorials Dojo uses a wide range of servers for its business operations, including the following:

Domain Controller.
File Servers.
Microsoft SQL Servers.
Active Directory forest named tutorialsdojo.com. The servers and workstations are joined to the Active Directory.

A public-facing application named TutorialsDojoPortal comprises the following three tiers:

A web tier.
A business tier.
A database tier.

The web tier and the business tier each consist of 5 virtual machines, while the database tier has only two: a primary and a secondary SQL database server.

Planned Changes

Tutorials Dojo plans to implement the following changes to the infrastructure:

Migrate TutorialsDojoPortal to Azure.
Migrate the media files to Azure Blob Storage.
Utilize Content Delivery Network.

Technical Requirements

Tutorials Dojo must meet the following technical requirements:
Migrate the TutorialsDojoPortal virtual machines to Azure.
Limit the number of ports between TutorialsDojoPortal tiers.
Backup and disaster recovery scenario for TutorialsDojoPortal servers.
Migrate the media files to Azure over the Internet.
The media files must be stored in a Blob container and cached via Content Delivery Network.
The virtual machines must be joined to the Active Directory.
The SQL database server must run on virtual machines.
Minimize administrative effort whenever possible.

User Requirements

Create a new user named TutorialsDojoAdmin1 as the service admin for the Azure Subscription.
Ensure that TutorialsDojoAdmin1 receives email notifications for budget alerts.
Ensure that only Administrators can create virtual machines.

Your company has already migrated the TutorialsDojoPortal to Azure.

There is a requirement to implement a backup solution for TutorialsDojoPortal.

What should you create first?

A. Backup policy
B. Recovery Services Vault
C. Microsoft Azure Backup Server (MABS)
D. Recovery Plan

A

B. Recovery Services Vault

Explanation:
Azure Backup is a cost-effective, secure, one-click backup solution that’s scalable based on your backup storage needs. The centralized management interface makes it easy to define backup policies and protect a wide range of enterprise workloads, including Azure Virtual Machines, SQL and SAP databases, and Azure file shares.

When you back up data in Azure, you store that data in an Azure resource called a Recovery Services vault. The Recovery Services vault resource is available from the Settings menu of most Azure services. The benefit of having the Recovery Services vault integrated into the Settings menu of most Azure services is the ease of backing up data.

Here are the steps to back up an Azure virtual machine:

– Create a Recovery Services vault

– Define a backup policy

– Apply the backup policy to protect multiple virtual machines

Hence, the correct answer is: Recovery Services Vault.

Backup policy is incorrect because you need to create a Recovery Services vault first. A backup policy is a schedule for how often and when recovery points are taken. A policy also includes the retention range for the recovery points.

Microsoft Azure Backup Server is incorrect. Microsoft Azure Backup Server (MABS) is a server product that can be used to back up on-premises physical servers, VMs, and apps running on them. The prerequisite of deploying a Microsoft Azure Backup Server is to have a Recovery Services Vault.

Recovery Plan is incorrect. A recovery plan gathers machines into recovery groups for the purpose of failover. A recovery plan helps you define a systematic recovery process by creating small independent units that you can fail over. A unit typically represents an app in your environment. The requirement is to implement a backup solution, not a disaster recovery solution.

References:

https://docs.microsoft.com/en-us/azure/backup/backup-overview

https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-vm-at-scale

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

36
Q

Overview

Tutorials Dojo is an online learning portal for technology-related topics that empowers its users to upgrade their skills and career. Tutorials Dojo has users worldwide, across the United States, Europe, and Asia.

Existing Environment

Tutorials Dojo uses a wide range of servers for its business operations, including the following:

Domain Controller.
File Servers.
Microsoft SQL Servers.
Active Directory forest named tutorialsdojo.com. The servers and workstations are joined to the Active Directory.

A public-facing application named TutorialsDojoPortal comprises the following three tiers:

A web tier.
A business tier.
A database tier.

The web tier and the business tier each consist of 5 virtual machines, while the database tier has only two: a primary and a secondary SQL database server.

Planned Changes

Tutorials Dojo plans to implement the following changes to the infrastructure:

Migrate TutorialsDojoPortal to Azure.
Migrate the media files to Azure Blob Storage.
Utilize Content Delivery Network.

Technical Requirements

Tutorials Dojo must meet the following technical requirements:
Migrate the TutorialsDojoPortal virtual machines to Azure.
Limit the number of ports between TutorialsDojoPortal tiers.
Backup and disaster recovery scenario for TutorialsDojoPortal servers.
Migrate the media files to Azure over the Internet.
The media files must be stored in a Blob container and cached via Content Delivery Network.
The virtual machines must be joined to the Active Directory.
The SQL database server must run on virtual machines.
Minimize administrative effort whenever possible.

User Requirements

Create a new user named TutorialsDojoAdmin1 as the service admin for the Azure Subscription.
Ensure that TutorialsDojoAdmin1 receives email notifications for budget alerts.
Ensure that only Administrators can create virtual machines.

Your company has already migrated the TutorialsDojoPortal to Azure.

There is a requirement to migrate the media files to Azure.

What should you do?

A. Use Azure Import/Export service to copy the files.
B. Use file explorer to copy the files by mapping a drive using a shared access signature (SAS) in the Azure storage account to grant temporary access.
C. Use Azure Storage Explorer to copy the files.
D. Use file explorer to copy the files by mapping a drive using an Azure storage account access key for authorization.

A

C. Use Azure Storage Explorer to copy the files.

Explanation:
Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn’t adhere to a particular data model or definition, such as text or binary data.

Blob storage is designed for:

– Serving images or documents directly to a browser.

– Storing files for distributed access.

– Streaming video and audio.

– Writing to log files.

– Storing data for backup and restore disaster recovery, and archiving.

– Storing data for analysis by an on-premises or Azure-hosted service.

Microsoft Azure Storage Explorer is a standalone app with an accessible, intuitive, feature-rich graphical user interface (GUI) for full management of cloud storage resources; it makes it easy to work with Azure Storage data on Windows, macOS, and Linux. You can upload, download, and manage Azure blobs, files, queues, and tables, as well as Azure Cosmos DB and Azure Data Lake Storage entities.

The requirements to be considered for this scenario are:

– Migrate the media files to Azure over the Internet.

– The media files must be stored in a Blob container and cached via Content Delivery Network.

Hence, the correct answer is: Use Azure Storage Explorer to copy the files.

The option that says: Use Azure Import/Export service to copy the files is incorrect. Azure Import/Export service is primarily used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. The requirement states that the transfer of the media files must be done over the Internet.

The following options are incorrect because you cannot mount a Blob container using file explorer. Take note that the requirement states that the media files must be stored in a Blob container.

– Use file explorer to copy the files by mapping a drive using a shared access signature (SAS) in the Azure storage account to grant temporary access.

– Use file explorer to copy the files by mapping a drive using an Azure storage account access key for authorization.

References:

https://azure.microsoft.com/en-us/features/storage-explorer/

https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer

Check out this Azure Blob Storage Cheat Sheet:

https://tutorialsdojo.com/azure-blob-storage/

37
Q

Overview

Tutorials Dojo is an online learning portal for technology-related topics that empowers its users to upgrade their skills and career. Tutorials Dojo has users worldwide, across the United States, Europe, and Asia.

Existing Environment

Tutorials Dojo uses a wide range of servers for its business operations, including the following:

Domain Controller.
File Servers.
Microsoft SQL Servers.
Active Directory forest named tutorialsdojo.com. The servers and workstations are joined to the Active Directory.

A public-facing application named TutorialsDojoPortal comprises the following three tiers:

A web tier.
A business tier.
A database tier.

The web tier and the business tier each consist of 5 virtual machines, while the database tier has only two: a primary and a secondary SQL database server.

Planned Changes

Tutorials Dojo plans to implement the following changes to the infrastructure:

Migrate TutorialsDojoPortal to Azure.
Migrate the media files to Azure Blob Storage.
Utilize Content Delivery Network.

Technical Requirements

Tutorials Dojo must meet the following technical requirements:

Migrate the TutorialsDojoPortal virtual machines to Azure.
Limit the number of ports between TutorialsDojoPortal tiers.
Backup and disaster recovery scenario for TutorialsDojoPortal servers.
Migrate the media files to Azure over the internet.
The media files must be stored in a Blob container and cached via Content Delivery Network.
The virtual machines must be joined to the Active Directory.
The SQL database server must run on virtual machines.
Minimize administrative effort whenever possible.

User Requirements

Create a new user named TutorialsDojoAdmin1 as the service admin for the Azure Subscription.
Ensure that TutorialsDojoAdmin1 receives email notifications for budget alerts.
Ensure that only Administrators can create virtual machines.

You need to identify the storage requirements for TutorialsDojoPortal media files.

For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.

Questions (answer Yes or No for each):

A. Azure Table storage meets the storage requirements of TutorialsDojoPortal media files.

B. Azure Files storage meets the storage requirements of TutorialsDojoPortal media files.

C. Azure Blob storage meets the storage requirements of TutorialsDojoPortal media files.

A

Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn’t adhere to a particular data model or definition, such as text or binary data.

Azure Table stores large amounts of structured data. The service is a NoSQL datastore that accepts authenticated calls from inside and outside the Azure cloud.

Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.

Azure Content Delivery Network (CDN) is a distributed network of servers that is used to cache and store content. These servers are in locations that are close to end-users to minimize latency.

You can use Azure CDN to cache content from a Blob container and configure the custom domain endpoint for your Blob container, provision custom TLS/SSL certificates, and configure custom rewrite rules. Azure CDN also provides TLS encryption with your own certificate.

The server locations are referred to as Point-of-presence (POP) locations. CDNs store cached data on edge servers, or servers close to your users, in these POP locations.

The requirement to be considered for this scenario is:

– The media files must be stored in a Blob container and cached via Content Delivery Network.

Hence, this statement is correct: Azure Blob storage meets the storage requirements of TutorialsDojoPortal media files.

The statement that says: Azure Table storage meets the storage requirements of TutorialsDojoPortal media files is incorrect because Azure Table is ideal for storing structured, non-relational data. You simply cannot integrate Azure Table with Azure CDN. Take note that the requirement states that the files must be stored in a blob container and cached via CDN.

The statement that says: Azure Files storage meets the storage requirements of TutorialsDojoPortal media files is incorrect. Azure Files can only be accessed through the SMB protocol and cannot be put directly behind an Azure CDN, which only supports the HTTP (80) and HTTPS (443) protocols.

References:

https://docs.microsoft.com/en-us/azure/cdn/cdn-overview

https://docs.microsoft.com/en-us/azure/cdn/cdn-create-a-storage-account-with-cdn

Check out this Azure Content Delivery Network Cheat Sheet:

https://tutorialsdojo.com/azure-content-delivery-network/

Azure Blob vs. Disk vs. File Storage:

https://tutorialsdojo.com/azure-blob-vs-disk-vs-file-storage/

38
Q

Adatum Corporation is an insurance company that has a total of 5,000 employees with its headquarters located in Singapore and three satellite offices in Tokyo, Seattle, and London.

Existing Environment

Adatum Corporation hosts its applications in their Singapore datacenter. The Singapore datacenter consists of the following servers:
[Scenario image: az104-3-38, list of servers in the Singapore datacenter]

Your network contains an Active Directory forest named adatum.com. All servers and client computers are joined to Active Directory.

A private connection is used for traffic in between offices. Each office has a network device that can be used for VPN connections.

Adatum uses two web applications named AdatumApp1 and AdatumApp2.

Planned Changes

Adatum Corporation plans to implement the following modifications for their migration to Azure:

Establish a private connection to Azure from the headquarters in Singapore.
Move the virtual machines located in the Singapore datacenter to Azure.
Move AdatumApp1 and AdatumApp2 to two Azure App Services named AdatumWeb1 and AdatumWeb2.
Ensure that the on-premises Active Directory is synchronized with Azure Active Directory.

Technical Requirements

Minimize administrative effort and cost whenever possible.
Ensure that the information technology department receives an email whenever the CPU utilization of vm3.adatum.com reaches 75%.
Ensure that you create an Azure custom role named AdatumAdministrator that is based on the built-in Contributor role.
Enable Multi-Factor Authentication (MFA) for the information technology department only.
The servers in the Montreal office must be able to establish a connection over port 443 to vm3.adatum.com.
Ensure that the London office can send encrypted traffic to Azure over the public Internet.
Ensure that AdatumWeb2 can automatically increase the number of instances based on CPU utilization.

You need to retrieve the JSON string of the Contributor role so you can customize it to create the AdatumAdministrator custom role.

Which command should you run?

A. Get-AzRoleAssignment -Name Contributor | ConvertTo-Json
B. Get-AzRoleAssignment -Name Contributor | ConvertFrom-Json
C. Get-AzRoleDefinition -Name Contributor | ConvertTo-Json
D. Get-AzRoleDefinition -Name Contributor | ConvertFrom-Json

A

C. Get-AzRoleDefinition -Name Contributor | ConvertTo-Json

Explanation:
Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

If the Azure built-in roles don’t meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.

Take note that in this scenario, you need to create a custom role named AdatumAdministrator that is based on the built-in Contributor role. You need to retrieve the JSON representation of the Contributor role so that you can customize it to your needs.

To retrieve the JSON string of the Contributor role, you need to use the command:

– Get-AzRoleDefinition -Name <role_name> | ConvertTo-Json

Hence, the correct answer is: Get-AzRoleDefinition -Name Contributor | ConvertTo-Json

Get-AzRoleDefinition -Name Contributor | ConvertFrom-Json is incorrect because the ConvertFrom-Json cmdlet just converts your JSON string to a PSCustomObject object that has a property for each field in the JSON string. Take note that you need to retrieve the JSON role so that you can customize it to your needs.

The following options are incorrect because the Get-AzRoleAssignment cmdlet simply lists Azure RBAC role assignments at the specified scope. By default, it lists all role assignments in the selected Azure subscription. You have to use the respective parameters to list assignments for a specific user, or to list assignments on a specific resource group or resource.

– Get-AzRoleAssignment -Name Contributor | ConvertTo-Json

– Get-AzRoleAssignment -Name Contributor | ConvertFrom-Json

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell

Check out this Azure Role-Based Access Control (RBAC) Cheat Sheet:

https://tutorialsdojo.com/azure-role-based-access-control-rbac

39
Q

Overview

Adatum Corporation is an insurance company that has a total of 5,000 employees with its headquarters located in Singapore and three satellite offices in Tokyo, Seattle, and London.

Existing Environment

Adatum Corporation hosts its applications in their Singapore datacenter. The Singapore datacenter consists of the following servers:
[Scenario image: az104-3-39, list of servers in the Singapore datacenter]

Your network contains an Active Directory forest named adatum.com. All servers and client computers are joined to Active Directory.

A private connection is used for traffic in between offices. Each office has a network device that can be used for VPN connections.

Adatum uses two web applications named AdatumApp1 and AdatumApp2.

Planned Changes

Adatum Corporation plans to implement the following modifications for their migration to Azure:

Establish a private connection to Azure from the headquarters in Singapore.
Move the virtual machines located in the Singapore datacenter to Azure.
Move AdatumApp1 and AdatumApp2 to two Azure App Services named AdatumWeb1 and AdatumWeb2.
Ensure that the on-premises Active Directory is synchronized with Azure Active Directory.

Technical Requirements

Minimize administrative effort and cost whenever possible.
Ensure that the information technology department receives an email whenever the CPU utilization of vm3.adatum.com reaches 75%.
Ensure that you create an Azure custom role named AdatumAdministrator that is based on the built-in Contributor role.
Enable Multi-Factor Authentication (MFA) for the information technology department only.
The servers in the Montreal office must be able to establish a connection over port 443 to vm3.adatum.com.
Ensure that the London office can send encrypted traffic to Azure over the public Internet.
Ensure that AdatumWeb2 can automatically increase the number of instances based on CPU utilization.

You create an Azure virtual network named TDVnet1.

You need to fulfill the connectivity requirement for the London office.

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.

  1. What should you do on the Azure portal?
    A. Deploy a virtual network peering
    B. Deploy an ExpressRoute circuit only
    C. Deploy a virtual network gateway and a local network gateway
    D. Deploy an ExpressRoute circuit only and a local network gateway
  2. What should you do in the London office?
    A. Configure a VPN device for site to site VPN connection
    B. Configure a VPN device for point to site VPN connection
    C. Configure a local network gateway
    D. Configure an ExpressRoute circuit
A
  1. C. Deploy a virtual network gateway and a local network gateway
  2. A. Configure a VPN device for site to site VPN connection

Explanation:
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

A Site-to-Site VPN gateway connection is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

Take note that in this scenario, you must ensure that the London office can send encrypted traffic to Azure over the public Internet, and deploying a site-to-site VPN gateway connection satisfies the requirement.

Therefore, you have to Deploy a virtual network gateway and a local network gateway on the Azure portal.

In the London office, you must Configure a VPN device for site-to-site VPN connection.

The statement that says: Deploy a virtual network peering is incorrect because you only use this if you need to seamlessly connect two or more Virtual Networks in Azure. In this scenario, you need to connect the on-premises network in London to Azure.

The statement that says: Deploy an ExpressRoute circuit only is incorrect. ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. Remember that the requirement states that the traffic to Azure must go over the public Internet and not via a private connection.

The statement that says: Deploy an ExpressRoute circuit only and a local network gateway is incorrect because you do not need to deploy a local network gateway when you create an ExpressRoute connection. Also, you need to deploy a site-to-site VPN connection instead of an ExpressRoute circuit.

The statement that says: Configure a VPN device for point-to-site VPN connection is incorrect because you need to connect the London office to Azure and you can only achieve that by using a site-to-site VPN connection. A point-to-site VPN connection is typically used for remote work wherein you need a computer to have a secure connection to your Azure virtual network.

The statement that says: Configure a local network gateway is incorrect because a local network gateway is deployed in Azure only and not on your on-premises data center.

The statement that says: Configure an ExpressRoute circuit is incorrect because an ExpressRoute circuit can only be deployed in Azure. You cannot deploy an ExpressRoute circuit in your own data center. If you need to create an ExpressRoute connection, on the on-premises side you need to contact your Internet service provider to assist you with connecting your on-premises network to Azure privately.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Check out this Azure VPN Gateway Cheat Sheet:

https://tutorialsdojo.com/azure-vpn-gateway/

40
Q

Overview

Adatum Corporation is an insurance company that has a total of 5,000 employees with its headquarters located in Singapore and three satellite offices in Tokyo, Seattle, and London.

Existing Environment

Adatum Corporation hosts its applications in their Singapore datacenter. The Singapore datacenter consists of the following servers:
[az104-3-40 scenario image]

Your network contains an Active Directory forest named adatum.com. All servers and client computers are joined to Active Directory.

A private connection is used for traffic in between offices. Each office has a network device that can be used for VPN connections.

Adatum uses two web applications named AdatumApp1 and AdatumApp2.

Planned Changes

Adatum Corporation plans to implement the following modifications for their migration to Azure:

Establish a private connection to Azure from the headquarters in Singapore.
Move the virtual machines located in the Singapore datacenter to Azure.
Move AdatumApp1 and AdatumApp2 to two Azure App Services named AdatumWeb1 and AdatumWeb2.
Ensure that the on-premises Active Directory is synchronized with Azure Active Directory.

Technical Requirements

Minimize administrative effort and cost whenever possible.
Ensure that the information technology department receives an email whenever the CPU utilization of vm3.adatum.com reaches 75%.
Ensure that you create an Azure custom role named AdatumAdministrator that is based on the built-in Contributor role.
Enable Multi-Factor Authentication (MFA) for the information technology department only.
The servers in the Montreal office must be able to establish a connection over port 443 to vm3.adatum.com.
Ensure that the London office can send encrypted traffic to Azure over the public internet.
Ensure that AdatumWeb2 can automatically increase the number of instances based on CPU utilization.

According to the sales department, vm3.adatum.com does not have connectivity to the Montreal office.

You need to determine if a network security group is causing the issue.

What Azure Network Watcher feature should you use?

A. Next hop
B. IP flow verify
C. Traffic Analytics
D. NSG Flow Logs

A

B. IP flow verify

Explanation:
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products, which include Virtual Machines, Virtual Networks, Application Gateways, Load Balancers, etc.

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. If the packet is denied by a security group, the name of the rule that denied the packet is returned. IP flow verify helps administrators quickly diagnose connectivity issues from or to the Internet and from or to the on-premises environment.

IP flow verify first looks at the rules for all Network Security Groups (NSGs) applied to the network interface, whether at the subnet level or on the virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. It is useful in confirming whether a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.

Hence, the correct answer is: IP flow verify.

Next hop is incorrect because this simply helps you determine if traffic is being directed to the intended destination, or whether the traffic is being sent nowhere. Take note that in this scenario, you need to determine if the network security group is blocking the ingress or egress traffic.

NSG Flow Logs is incorrect. It is only a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group.

Traffic Analytics is incorrect because this just processes your NSG Flow Log data so that you can visualize, query, analyze, and understand your network traffic.

References:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Check out this Azure Virtual Network Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-network-vnet

41
Q

Your organization's Azure subscription has the following resources:

Azure Kubernetes Service

Azure Container Registry

Azure Blob Storage

You need to create a container image and deploy it to the cluster.

Which of the following commands should you run first?

A. az import-export create
B. az aks run
C. az aks create
D. az acr build

A

D. az acr build

Explanation:
Azure Container Registry is a managed registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your container images and related artifacts. Use Azure container registries with your existing container development and deployment pipelines, or use Azure Container Registry Tasks to build container images in Azure. Build on demand, or fully automate builds with triggers such as source code commits and base image updates.

To deploy an application on your AKS cluster, you’ll need to build a container image first. Then create a deployment manifest file to run the image in your cluster.

In this scenario, you need to identify which command you should use first, and if you look at the scenario again, it states that you must create a container image. The command az acr build allows you to queue a quick build, providing streaming logs for an Azure Container Registry. So after you push the image to the container registry, you should run az acr build.

Hence, the correct answer is: az acr build.

The option that says: az aks create is incorrect because there is already an existing AKS cluster in your Azure subscription.

The option that says: az aks run is incorrect because in order to run a container image on your cluster, you need to build the image first and deploy it to the container.

The option that says: az import-export create is incorrect because this command creates a new job or updates an existing job in the specified subscription.

References:

https://learn.microsoft.com/en-us/cli/azure/acr?view=azure-cli-latest

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-intro

https://learn.microsoft.com/en-us/training/modules/aks-deploy-container-app/5-exercise-deploy-app

Check out this Azure Container Registry Cheat Sheet:

https://tutorialsdojo.com/azure-container-registry/

42
Q

Your company has an Azure subscription that contains several users.

You must ensure that only one user is able to deploy virtual machines and manage virtual networks.

Which of the following options should you use to satisfy the principle of least privilege?

A. Owner
B. Virtual Machine Contributor
C. Contributor
D. Network Contributor

A

C. Contributor

Explanation:
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources. Azure includes several built-in roles that you can use. For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines. If the built-in roles don’t meet the specific needs of your organization, you can create your own Azure custom roles.

According to the “principle of least privilege,” workers should only have access to resources necessary for carrying out their job duties. In this scenario, the roles that you can use to deploy VMs and manage VNets are through Owner and Contributor roles, but the requirement is to assign a role with the least privilege.

The Owner role grants full access to manage all resources, including the ability to assign roles in Azure RBAC. The Contributor role, on the other hand, grants full access to manage all resources but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

Hence, the correct answer is: Contributor.

Owner is incorrect because this role will allow the user to have full access to all of the resources including the assignment of roles in Azure RBAC.

Virtual Machine Contributor is incorrect because this role does not grant you management access to the virtual network.

Network Contributor is incorrect because you can only use this role to manage the network, not to deploy virtual machines.

References:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

Check out this Azure RBAC Cheat Sheet:

https://tutorialsdojo.com/azure-role-based-access-control-rbac/

43
Q

You are currently managing multiple Azure virtual machines that are used for lab experiments.

The VMs are continuously backed up and stored in the Recovery Services vault named td-backup-labs.

You have been asked to delete td-backup-labs vault but it contains protected items.

Which of the following options should you do first?

A. Modify the lock type of RSV.
B. Delete the backup data.
C. Modify the backup policy.
D. Stop the backup of each item.

A

D. Stop the backup of each item.

Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and SQL Server in Azure VMs.

To delete a Recovery Services vault, you need to stop the continuous backup first, because if you try to delete the vault without stopping the backup, you will receive an error notification.

You can’t delete a Recovery Services vault with any of the following dependencies:

– You can’t delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).

– You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.

– You can’t delete a vault that contains backup data in the soft deleted state.

– You can’t delete a vault that has registered storage accounts.

If you try to delete the vault without removing the dependencies, you’ll encounter one of the following error messages:

– Vault cannot be deleted as there are existing resources within the vault.

– Recovery Services vault cannot be deleted as there are backup items in soft deleted state in the vault. The soft deleted items are permanently deleted after 14 days of delete operation.

Hence, the correct answer is: Stop the backup of each item.

The option that says: Modify the lock type of RSV is incorrect because there’s no lock type configured in the scenario. Even if you modify the lock type, you still won’t be able to delete the vault.

The option that says: Delete the backup data is incorrect because you need to stop the backup first before you’re able to delete the backup data.

The option that says: Modify the backup policy is incorrect because you still won’t be able to delete the RSV even if you modify the backup policy. To delete a vault, stop the backup of its items.

References:

https://learn.microsoft.com/en-us/azure/backup/backup-azure-delete-vault?tabs=portal#delete-protected-items-in-the-cloud

https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

Check out this Azure Virtual Machine Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

44
Q

Your company is planning to launch an internal web app using an AKS cluster.

The app should be accessible via the pod’s IP address.

Which of the following network settings should you configure to meet this requirement?

A. Azure NSG
B. kubenet
C. Azure Private Link
D. Azure CNI

A

D. Azure CNI

Explanation:
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. Since Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes. Thus, AKS is free; you only pay for the agent nodes within your clusters, not for the masters.

A Kubernetes cluster provides two options to configure your network:

– By default, AKS clusters use kubenet, and a virtual network and subnet are created for you. With kubenet, nodes get an IP address from a virtual network subnet.

– With Azure Container Networking Interface (CNI), every pod gets an IP address from the subnet and can be accessed directly.

Since you will connect to the app using the pod’s IP address, you need to select Azure CNI upon creation of your cluster.

Hence, the correct answer is: Azure CNI.

kubenet is incorrect because, as stated in the scenario, you need to connect via the pod’s IP address. With this option, network address translation is configured on the nodes, and pods receive an IP address behind the node IP.

Azure NSG is incorrect because you don’t need to allow or deny inbound and outbound network traffic.

Azure Private Link is incorrect because this just provides private access to Azure-hosted services. It will not allow you to configure the cluster network type to assign IP addresses to pods.

References:

https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni

https://learn.microsoft.com/en-us/azure/aks/concepts-network

Check out this Azure Kubernetes Service Cheat Sheet:

https://tutorialsdojo.com/azure-kubernetes-service-aks/

45
Q

Your organization's Azure subscription contains the following identities:
az104-3-45

You created an alert rule and configured an action group with the notification type Email Azure Resource Manager Role, which sends an email to the Monitoring Reader role.

The Monitoring Reader role is assigned to the user, service principal and group.

Which of the following identities will receive an email notification?

A. TDU1, TDU2, TDU3, TDSP1, and TDSP2
B. TDU3
C. TDU3 and TDSP2
D. TDU1, TDU2, and TDSP1

A

B. TDU3

Explanation:
Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. This information helps you understand how your applications are performing and proactively identify issues that affect them and the resources they depend on.

An action group is a collection of notification preferences set by the Azure subscription’s owner. Since an action group is a global service, it is not bound to a specific Azure region and can handle any client request. For example, if one region of the action group service is unavailable, traffic is routed to and processed by other regions. Because it is a global service, an action group also provides a disaster recovery solution.

When you use the Email Azure Resource Manager role type of notification, you can send email to members of a subscription’s role. Emails are only sent to Azure AD user members who are members of the role. Azure AD groups and service principals are not emailed. Also, a notification email will only be sent to the primary email address.

Hence, the correct answer is: TDU3.

All of the other options are incorrect because only TDU3 will be able to receive the email notification, since emails are only sent to Azure AD user members who are members of the role.

– TDU1, TDU2, TDU3, TDSP1, and TDSP2

– TDU3 and TDSP2

– TDU1, TDU2, and TDSP1

References:

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups

Check out this Azure Monitor Cheat Sheet:

https://tutorialsdojo.com/azure-monitor/

46
Q

Note: This item is part of a series of questions with the exact same scenario but with a different proposed answer. Each one in the series has a unique solution that may, or may not, comply with the requirements specified in the scenario.

You created a new Azure AD group for Network Administrators in your organization's Azure subscription.

You need to make sure that the users in the group can enable Traffic Analytics and visualize traffic distribution.

Solution: Assign a Reader role to the group.

Does the solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Traffic analytics is a cloud-based solution that provides visibility into user and application activity in your cloud networks. Specifically, traffic analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.

With traffic analytics, you can:

– Visualize network activity across your Azure subscriptions.

– Identify hot spots.

– Secure your network by using information about the following components to identify threats: Open ports, Applications that attempt to access the internet, and VMs that connect to rogue networks.

– Optimize your network deployment for performance and capacity by understanding traffic flow patterns across Azure regions and the internet.

– Pinpoint network misconfigurations that can lead to failed connections in your network.

To enable traffic analytics, your account must have any of the following Azure roles at the subscription scope: owner, contributor, or network contributor.

But before you use traffic analytics, ensure your environment meets the following requirements:

– A Network Watcher enabled subscription.

– Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.

– An Azure Storage account to store raw flow logs.

– An Azure Log Analytics workspace with read and write access.

Going back to the given solution, assigning a Reader role to the group allows the users to visualize the traffic distribution, but it does not allow them to enable Traffic Analytics, which requires the Owner, Contributor, or Network Contributor role at the subscription scope.

Hence, the correct answer is: No.

References:

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

47
Q

You created a new Azure AD group for Network Administrators in your organization's Azure subscription.

You need to make sure that the users in the group can enable Traffic Analytics and visualize traffic distribution.

Solution: Assign a Security Operator role to the group.

Does the solution meet the goal?

A. Yes
B. No

A

B. No

Explanation:
Traffic analytics is a cloud-based solution that provides visibility into user and application activity in your cloud networks. Specifically, traffic analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.

With traffic analytics, you can:

– Visualize network activity across your Azure subscriptions.

– Identify hot spots.

– Secure your network by using information about the following components to identify threats: Open ports, Applications that attempt to access the internet, and VMs that connect to rogue networks.

– Optimize your network deployment for performance and capacity by understanding traffic flow patterns across Azure regions and the internet.

– Pinpoint network misconfigurations that can lead to failed connections in your network.

To enable traffic analytics, your account must have any of the following Azure roles at the subscription scope: owner, contributor, or network contributor.

But before you use traffic analytics, ensure your environment meets the following requirements:

– A Network Watcher enabled subscription.

– Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.

– An Azure Storage account to store raw flow logs.

– An Azure Log Analytics workspace with read and write access.

Going back to the given solution, a Security Operator can only create and manage security events. By assigning this role, the users in the group won’t be able to enable traffic analytics. You must assign the required Azure roles to use the service.

Hence, the correct answer is: No.

References:

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

48
Q

You created a new Azure AD group for Network Administrators in your organization's Azure subscription.

You need to make sure that the users in the group can enable Traffic Analytics and visualize traffic distribution.

Solution: Assign a Contributor role to the group.

Does the solution meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
Traffic analytics is a cloud-based solution that provides visibility into user and application activity in your cloud networks. Specifically, traffic analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.

With traffic analytics, you can:

– Visualize network activity across your Azure subscriptions.

– Identify hot spots.

– Secure your network by using information about the following components to identify threats: Open ports, Applications that attempt to access the internet, and VMs that connect to rogue networks.

– Optimize your network deployment for performance and capacity by understanding traffic flow patterns across Azure regions and the internet.

– Pinpoint network misconfigurations that can lead to failed connections in your network.

To enable traffic analytics, your account must have any of the following Azure roles at the subscription scope: owner, contributor, or network contributor.

But before you use traffic analytics, ensure your environment meets the following requirements:

– A Network Watcher enabled subscription.

– Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.

– An Azure Storage account to store raw flow logs.

– An Azure Log Analytics workspace with read and write access.

Going back to the given solution, the users in the group can visualize the traffic distribution by assigning a Contributor role to the group. A Contributor role can manage all resources but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

Hence, the correct answer is: Yes.

References:

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

Check out this Azure Active Directory Cheat Sheet:

https://tutorialsdojo.com/azure-active-directory-azure-ad/

49
Q

You have been assigned to manage two Azure virtual machines and Recovery Services vaults. Both VMs currently back up to a single vault.

You must configure the other VM to back up to a different vault.

Which of the following options should you do first?

A. Stop the backup of one VM.
B. Delete the backup data.
C. Stop the backup of both VM.
D. Change the VM target vault.

A

A. Stop the backup of one VM.

Explanation:
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your backup data while minimizing management overhead.

To change the Recovery Services vault of a virtual machine, you need to stop the backup first, since an Azure VM may only be assigned to a single Recovery Services vault (RSV) at a time. After the backup stops, you can assign a new vault to your VM.

Hence, the correct answer is: Stop the backup of one VM.

The option that says: Delete the backup data is incorrect because you need to stop the backup before you can delete the backup data.

The option that says: Stop the backup of both VM is incorrect because you don’t need to stop the backup of both VMs to change the vault of one VM.

The option that says: Change the VM target vault is incorrect because you also need to stop the backup of one VM to change the RSV.

References:

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare

https://learn.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview

Check out this Azure Virtual Machines Cheat Sheet:

https://tutorialsdojo.com/azure-virtual-machines/

50
Q


A