Topic 1, Litware, inc.
Overview
Litware, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named Litware.onmicrosoft.com. The tenant uses the P1 pricing tier.
Existing Environment
The network contains an Active Directory forest named Litware.com. All domain controllers are configured as DNS servers and host the Litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private links.
Litware has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized.
The virtualization environment contains the servers in the following table.
Litware uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Planned Changes
Litware plans to implement the following changes:
• Deploy Azure ExpressRoute to the Montreal office.
• Migrate the virtual machines hosted on Server1 and Server2 to Azure.
• Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
• Migrate App1 and App2 to two Azure web apps named webApp1 and WebApp2.
Technical requirements
Litware must meet the following technical requirements:
• Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instance*.
• Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
• Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
• Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
• Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.Litware.com.
• Connect the New Your office to VNet1 over the Internet by using an encrypted connection.
• Create a workflow to send an email message when the settings of VM4 are modified.
• Create a custom Azure role named Role1 that is based on the Reader role.
• Minimize costs whenever possible.
You discover that VM3 does NOT meet the technical requirements. You need to verify whether the issue relates to the NSGs.
What should you use?
- A . Diagram in VNet1
- B . the security recommendations in Azure Advisor
- C . Diagnostic settings in Azure Monitor
- D . Diagnose and solve problems in Traffic Manager Profiles
- E . IP flow verify in Azure Network Watcher
E
Explanation:
Scenario: Litware must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
You need to meet the technical requirement for VM4.
What should you create and configure?
- A . an Azure Notification Hub
- B . an Azure Event Hub
- C . an Azure Logic App
- D . an Azure services Bus
B
Explanation:
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks – without you writing any code.
Reference: https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app
You need to recommend a solution to automate the configuration for the finance department users.
The solution must meet the technical requirements.
What should you include in the recommended?
- A . Azure AP B2C
- B . Azure AD Identity Protection
- C . an Azure logic app and the Microsoft Identity Management (MIM) client
- D . dynamic groups and conditional access policies
D
Explanation:
Technically, The finance department needs to migrate their users from AD to AAD using AADC based on the finance OU, and need to enforce MFA use. This is conditional access policy. Employees also often get promotions and/or join other departments and when that occurs, the user’s OU attribute will change when the admin puts the user in a new OU, and the dynamic group conditional access exception (OU= [Department Name Value]) will move the user to the appropriate dynamic group on next AADC delta sync.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
HOTSPOT
You need to the appropriate sizes for the Azure virtual for Server2.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal.
Box 2: Install the Azure Site Recovery Provider
Azure Site Recovery can be used to manage migration of on-premises machines to Azure.
Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Server2 has the Hyper-V host role.
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure
HOTSPOT
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershellGet-AzRoleDefinition -Name "Reader" | ConvertTo-Json
https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-5.9.0
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=powershell-7.1
https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0
HOTSPOT
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Create a virtual network gateway and a local network gateway.
Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.
The VPN gateway includes the following elements:
✑ Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet.
✑ Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises network is routed through this gateway.
✑ Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance to encrypt traffic.
✑ Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below.
Box 2: Configure a site-to-site VPN connection
On premises create a site-to-site connection for the virtual network gateway and the local network gateway.
Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner.
This connection is private. Traffic does not go over the internet.
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn
You need to ensure that VM1 can communicate with VM4. The solution must minimize administrative effort.
What should you do?
- A . Create a user-defined route from VNET1 to VNET3.
- B . Assign VM4 an IP address of 10.0.1.5/24.
- C . Establish peering between VNET1 and VNET3.
- D . Create an NSG and associate the NSG to VMI and VM4.
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
HOTSPOT
You implement the planned changes for NSG1 and NSG2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Topic 2, Humongous Insurance
Overview
Existing Environment
Humongous Insurance is an insurance company that has three offices in Miami, Tokoyo, and Bankok.
Each has 5000 users.
Active Directory Environment
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.
The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user." You verify that the Azure subscription has the available licenses.
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure
You plan to create the following networking resources in a resource group named All_Resources:
✑ Default Azure system routes that will be the only routes used to route traffic
✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company’s departments:
✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
DRAG DROP
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Scenario:
Topic 2, Humongous Insurance
Overview
Existing Environment
Humongous Insurance is an insurance company that has three offices in Miami, Tokoyo, and Bankok.
Each has 5000 users.
Active Directory Environment
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.
The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user." You verify that the Azure subscription has the available licenses.
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure
You plan to create the following networking resources in a resource group named All_Resources:
✑ Default Azure system routes that will be the only routes used to route traffic
✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company’s departments:
✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
DRAG DROP
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Scenario:
Topic 2, Humongous Insurance
Overview
Existing Environment
Humongous Insurance is an insurance company that has three offices in Miami, Tokoyo, and Bankok.
Each has 5000 users.
Active Directory Environment
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.
The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user." You verify that the Azure subscription has the available licenses.
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure
You plan to create the following networking resources in a resource group named All_Resources:
✑ Default Azure system routes that will be the only routes used to route traffic
✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company’s departments:
✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
DRAG DROP
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Scenario:
Topic 2, Humongous Insurance
Overview
Existing Environment
Humongous Insurance is an insurance company that has three offices in Miami, Tokoyo, and Bankok.
Each has 5000 users.
Active Directory Environment
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.
The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user." You verify that the Azure subscription has the available licenses.
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure
You plan to create the following networking resources in a resource group named All_Resources:
✑ Default Azure system routes that will be the only routes used to route traffic
✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company’s departments:
✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
DRAG DROP
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Scenario:
Topic 2, Humongous Insurance
Overview
Existing Environment
Humongous Insurance is an insurance company that has three offices in Miami, Tokoyo, and Bankok.
Each has 5000 users.
Active Directory Environment
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com.
The functional level of the forest is Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user." You verify that the Azure subscription has the available licenses.
Requirements
Planned Changes
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure
The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure
You plan to create the following networking resources in a resource group named All_Resources:
✑ Default Azure system routes that will be the only routes used to route traffic
✑ A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
✑ A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
✑ A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
Planned Azure Computer Infrastructure
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements
Humongous Insurance identifies the following requirements for the company’s departments:
✑ Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
✑ During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
DRAG DROP
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Scenario:
Which blade should you instruct the finance department auditors to use?
- A . Partner information
- B . Overview
- C . Payment methods
- D . Invoices
D
Explanation:
You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open.
Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.
Click Opt in and accept the terms.
Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Reference: https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE Each correct selection is worth one point.
- A . Azure Active Directory (AD) Identity Protection and an Azure policy
- B . a Recovery Services vault and a backup policy
- C . an Azure Key Vault and an access policy
- D . an Azure Storage account and an access policy
C
Explanation:
D: Seamless SSO works with any method of cloud authentication – Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users’ Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
Incorrect Answers:
A: Seamless SSO needs the user’s device to be domain-joined, but doesn’t need for the device to be Azure AD Joined.
C: Azure AD connect does not port 8080. It uses port 443.
E: Seamless SSO is not applicable to Active Directory Federation Services (ADFS).
Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
Planned Azure AD Infrastructure include: The on-premises Active Directory domain will be synchronized to Azure AD.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start
You need to define a custom domain name for Azure AD to support the planned infrastructure.
Which domain name should you use?
- A . Join the client computers in the Miami office to Azure AD.
- B . Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.
- C . Allow inbound TCP port 8080 to the domain controllers in the Miami office.
- D . Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication
- E . Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
BD
Explanation:
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of ‘alice@domain name.onmicrosoft.com’.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office.
Each office has a dedicated connection to the Internet.
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com
Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
You need to resolve the Active Directory issue.
What should you do?
- A . From Active Directory Users and Computers, select the user accounts, and then modify the User Principal Name value.
- B . Run idfix.exe, and then use the Edit action.
- C . From Active Directory Domains and Trusts, modify the list of UPN suffixes.
- D . From Azure AD Connect, modify the outbound synchronization rule.
B
Explanation:
IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.
Scenario: Active Directory Issue
Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Reference: https://www.microsoft.com/en-us/download/details.aspx?id=36832
Which blade should you instruct the finance department auditors to use?
- A . invoices
- B . partner information
- C . cost analysis
- D . External services
C
Explanation:
Cost analysis: Correct Option
In cost analysis blade of Azure, you can see all the detail for custom time span. You can use this to determine expenditure of last few day, weeks, and month. Below options are available in Cost analysis blade for filtering information by time span: last 7 days, last 30 days, and custom date range. Choosing the first option (last 7 days) auditors can view the costs by time span.
Cost analysis shows data for the current month by default. Use the date selector to switch to common date ranges quickly. Examples include the last seven days, the last month, the current year, or a custom date range. Pay-as-you-go subscriptions also include date ranges based on your billing period, which isn’t bound to the calendar month, like the current billing period or last invoice. Use the <PREVIOUS and NEXT> links at the top of the menu to jump to the previous or next period, respectively. For example, <PREVIOUS will switch from the Last 7 days to 8-14 days ago or 15-21 days ago.
Invoice: Incorrect Option
Invoices can only be used for past billing periods not for current billing period, i.e. if your requirement is to know the last week’s cost then that also not filled by invoices because Azure generates invoice at the end of the month. Even though Invoices have custom timespan, but when you put in dates for a week, the pane would be empty. Below is from Microsoft document:
Resource Provider: Incorrect Option
When deploying resources, you frequently need to retrieve information about the resource providers and types. For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This resource provider offers a resource type called vaults for creating the key vault. This is not useful for reviewing all Azure costs from the past week which is required for audit.
Payment method: Incorrect Option
Payment methods is not useful for reviewing all Azure costs from the past week which is required for audit.
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/quick-acm-cost-analysis
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/download-azure-invoice-daily-usage-date
You need to define a custom domain name for Azure AD to support the planned infrastructure.
Which domain name should you use?
- A . ad.humongousinsurance.com
- B . humongousinsurance.onmicrosoft.com
- C . humongousinsurance.local
- D . humongousinsurance.com
D
Explanation:
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com.
The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of ‘alice@domain name.onmicrosoft.com’.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office.
Each office has a dedicated connection to the Internet.
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com
Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Allow inbound TCP port 8080 to the domain controllers in the Miami office.
- B . Add http://autogon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami
office. - C . Join the client computers in the Miami office to Azure AD.
- D . Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.
- E . Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.
BE
Explanation:
B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users’ Intranet zone settings by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
E: Seamless SSO works with any method of cloud authentication – Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
You need to resolve the licensing issue before you attempt to assign the license again.
What should you do?
- A . From the Groups blade, invite the user accounts to a new group.
- B . From the Profile blade, modify the usage location.
- C . From the Directory role blade, modify the directory role.
B
Explanation:
Scenario: Licensing Issue
You need to resolve the licensing issue before you attempt to assign the license again.
What should you do?
- A . From the Groups blade, invite the user accounts to a new group.
- B . From the Profile blade, modify the usage location.
- C . From the Directory role blade, modify the directory role.
B
Explanation:
Scenario: Licensing Issue
You need to resolve the licensing issue before you attempt to assign the license again.
What should you do?
- A . From the Groups blade, invite the user accounts to a new group.
- B . From the Profile blade, modify the usage location.
- C . From the Directory role blade, modify the directory role.
B
Explanation:
Scenario: Licensing Issue
HOTSPOT
You are evaluating the name resolution for the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Explanation:
Statement 1: Yes
All client computers in the Paris office will be joined to an Azure AD domain.
A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2.
Microsoft Windows Server Active Directory domains, can resolve DNS names between virtual networks. Automatic registration of virtual machines from a virtual network that’s linked to a private zone with auto-registration enabled. Forward DNS resolution is supported across virtual networks that are linked to the private zone.
Statement 2: Yes
A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.
As this is a registration network so this will work.
Statement 3: No
Only VMs in the registration network, here the ClientResources-VNet, will be able to register hostname records. Since Subnet4 not connected to Client Resources Network thus not able to register its hostname with humongoinsurance.local
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
HOTSPOT
You are evaluating the connectivity between the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Explanation:
Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering between Paris-VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to connect to each other.
All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/networking/networking-overview#internet-connectivity
Topic 3, Contoso Ltd
Overview
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Existing Environment
Currently, Contoso uses multiple types of servers for business operations, including the following:
✑ File servers
✑ Domain controllers
✑ Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App 1.
App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements
Planned Changes
Contoso plans to implement the following changes to the infrastructure:
✑ Move all the tiers of App1 to Azure.
✑ Move the existing product blueprint files to Azure Blob storage.
✑ Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Technical Requirements
Contoso must meet the following technical requirements:
✑ Move all the virtual machines for App1 to Azure.
✑ Minimize the number of open ports between the App1 tiers.
✑ Ensure that all the virtual machines for App1 are protected by backups.
✑ Copy the blueprint files to Azure over the Internet.
✑ Ensure that the blueprint files are stored in the archive storage tier.
✑ Ensure that partner access to the blueprint files is secured and temporary.
✑ Prevent user passwords or hashes of passwords from being stored in Azure.
✑ Use unmanaged standard storage for the hard disks of the virtual machines.
✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
✑ Minimize administrative effort whenever possible.
User Requirements
Contoso identifies the following requirements for users:
✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
✑ Designate a new user named Admin1 as the service administrator of the Azure subscription.
✑ Ensure that a new user named User3 can create network objects for the Azure subscription.
You need to meet the user requirement for Admin1.
What should you do?
- A . From the Subscriptions blade, select the subscription, and then modify the Properties.
- B . From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings.
- C . From the Azure Active Directory blade, modify the Properties.
- D . From the Azure Active Directory blade, modify the Groups.
A
Explanation:
Change the Service administrator for an Azure subscription
Sign in to Account Center as the Account administrator.
Select a subscription.
On the right side, select Edit subscription details.
Scenario: Designate a new user named Admin1 as the service administrator of the Azure subscription.
Reference: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator
You need to move the blueprint files to Azure.
What should you do?
- A . Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
- B . Use the Azure Import/Export service.
- C . Generate an access key. Map a drive, and then copy the files by using File Explorer.
- D . Use Azure Storage Explorer to copy the files.
D
Explanation:
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage.
Technical Requirements include: Copy the blueprint files to Azure over the Internet.
Reference: https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer
You need to implement a backup solution for App1 after the application is moved.
What should you create first?
- A . a recovery plan
- B . an Azure Backup Server
- C . a backup policy
- D . a Recovery Services vault
D
Explanation:
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines.
Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.
Reference: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
HOTSPOT
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Technical requirements include:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server
HOTSPOT
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
Explanation:
Box 1: Selected
Only selected users should be able to join devices
Box 2: Yes
Require Multi-Factor Auth to join devices.
From scenario:
✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD
✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
You need to recommend an identify solution that meets the technical requirements.
What should you recommend?
- A . federated single-on (SSO) and Active Directory Federation Services (AD FS)
- B . password hash synchronization and single sign-on (SSO)
- C . cloud-only user accounts
- D . Pass-through Authentication and single sign-on (SSO)
A
Explanation:
Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.
Scenario: Technical Requirements include:
Prevent user passwords or hashes of passwords from being stored in Azure.
Reference: https://www.sherweb.com/blog/active-directory-federation-services/
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?
- A . Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.
- B . Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.
- C . Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
- D . Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
C
Explanation:
As App1 is public-facing we need an incoming security rule, related to the access of the web servers.
Scenario: You have a public-facing application named App1. App1 is comprised of the following three
tiers: a SQL database, a web front end, and a processing middle tier.
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
HOTSPOT
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data.
Common uses of Table storage include:
HOTSPOT
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data.
Common uses of Table storage include:
HOTSPOT
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data.
Common uses of Table storage include:
HOTSPOT
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data.
Common uses of Table storage include:
HOTSPOT
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data.
Common uses of Table storage include:
HOTSPOT
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Statement 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage which will ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for
these.
Statement 2: No
Azure Table storage stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, non-relational data.
Common uses of Table storage include:
HOTSPOT
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
HOTSPOT
You need to create storage5. The solution must support the planned changes.
Which type of storage account should you use, and which account should you configure as the destination storage account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal
HOTSPOT
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/overview
You need to ensure that you can grant Group4 Azure RBAC read-only permissions to all the A2ure file shares.
What should you do?
- A . On storagel and storage4, change the Account kind type to StorageV2 (general purpose v2).
- B . Recreate storage2 and set Hierarchical namespace to Enabled.
- C . On storage2, enable identity-based access for the file shares.
- D . Create a shared access signature (SAS) for storagel, storage2, and storage4.
HOTSPOT
You implement the planned changes for NSG1 and NSG2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
You need to add VM1 and VM2 to the backend poo! of LB1.
What should you do first?
- A . Create a new NSG and associate the NSG to VNET1/Subnet1.
- B . Connect VM2 to VNET1/Subnet1.
- C . Redeploy VM1 and VM2 to the same availability zone.
- D . Redeploy VM1 and VM2 to the same availability set.
You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements.
Which storage account should you identify?
- A . storage4
- B . storage1
- C . storage2
- D . storage3
DRAG DROP
You need to configure the alerts for VM1 and VM2 to meet the technical requirements.
Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.
HOTSPOT
You need to configure Azure Backup to back up the file shares and virtual machines.
What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
https://learn.microsoft.com/en-us/azure/backup/backup-azure-files?tabs=backup-center
https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm#back-up-from-azure-vm-settings
Topic 5, mix Ques
HOTSPOT
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1.
VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb 1.
You need to configure slb1 to allow connectivity to VM 1.
Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Remove the public IP address from VM1
If the Public IP on VM1 is set to Dynamic, that means it is a Public IP with Basic SKU because Public IPs with Standard SKU have Static assignments by default, that cannot be changed. We cannot associate Basic SKUs IPs with Standard SKUs LBs. One cannot create a backend SLB pool if the VM to be associated has a Public IP. For Private IP it doesn’t matter weather it is dynamic or static, still we can add the such VM into the SLB backend pool.
Box 2: Create and configure an NSG
Standard Load Balancer is built on the zero trust network security model at its core. Standard Load Balancer secure by default and is part of your virtual network. The virtual network is a private and isolated network. This means Standard Load Balancers and Standard Public IP addresses are closed to inbound flows unless opened by Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource. To learn more about NSGs and how to apply them for your scenario, see Network Security Groups. Basic Load Balancer is open to the internet by default.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to user on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accesses by the Internet users.
What should you do?
- A . Modify the address space of the local network gateway.
- B . Remove the public IP addresses from the virtual machines.
- C . Modify the address space of Subnet1.
- D . Create a deny rule in a network security group (NSG) that is linked to Subnet1.
D
Explanation:
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don’t have to allow direct RDP or SSH access over the internet. And this can be achieved by configuring a deny rule in a network security group (NSG) that is linked to Subnet1 for RDP / SSH protocol coming from internet.
Modify the address space of Subnet1: Incorrect choice
Modifying the address space of Subnet1 will have no impact on RDP traffic flow to the virtual network.
Modify the address space of the local network gateway: Incorrect choice
Modifying the address space of the local network gateway will have no impact on RDP traffic flow to the virtual network.
Remove the public IP addresses from the virtual machines: Incorrect choice
If you remove the public IP addresses from the virtual machines, none of the applications be accessible publicly by the Internet users.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
You have an Azure subscription that contains a virtual network named VNET1.
VNET1 contains the subnets shown in the following table.
Each virtual machine uses a static IP address.
You need to create network security groups (NSGs) to meet following requirements:
– Allow web requests from the internet to VM3, VM4, VM5, and VM6.
– Allow all connections between VM1 and VM2.
– Allow Remote Desktop connections to VM 1.
– Prevent all other network traffic to VNET 1.
What is the minimum number of NSGs you should create?
- A . 1
- B . 3
- C . 4
- D . 12
C
Explanation:
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Each network security group also contains default security rules.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
HOTSPOT
You plan to use Azure Network Watcher to perform the following tasks:
– Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine
– Task2: Validate outbound connectivity from an Azure virtual machine to an external host
Which feature should you use for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Task 1: IP flow verify
The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.
Task 2: Connection troubleshoot
The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-overview
You have an Azure subscription that contains two virtual machines named VM1 and VM2
You create an Azure load balancer.
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.
Which two additional load balance resources should you create before you can create the load balancing rule? Each correct answer presents part of the solution. MOTL Each correct selection 5 worth one point.
- A . a frontend IP address
- B . a backend pool
- C . a health probe
- D . an inbound NAT rule
- E . a virtual network
A, C
Explanation:
To create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2, you need to create two additional load balance resources: a frontend IP address and a health probe.
A frontend IP address is the IP address that the clients use to access the load balancer. It can be either public or private, depending on the type of load balancer. A frontend IP address is required for any load balancing rule1.
A health probe is used to monitor the health and availability of the backend instances. It can be either TCP, HTTP, or HTTPS, depending on the protocol of the load balancing rule. A health probe is required for any load balancing rule1.
A backend pool is a group of backend instances that receive the traffic from the load balancer. You already have a backend pool that contains VM1 and VM2, so you don’t need to create another one.
An inbound NAT rule is used to forward traffic from a specific port on the frontend IP address to a specific port on a backend instance. It’s not required for a load balancing rule, but it can be used to access individual instances for troubleshooting or maintenance purposes1.
A virtual network is a logical isolation of Azure resources within a region. It’s not a load balance resource, but it’s required for creating an internal load balancer or connecting virtual machines to a load balancer2.
HOTSPOT
You have an Azure subscription that contains a virtual network named VNet1.
VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table.
Subnet1 contains a virtual appliance named VM1 that operates as a router.
You create a routing table named RT1.
You need to route all inbound traffic to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box1: 10.0.0.0/16
Address prefix in networking refer to the destination IP address range. In this scenario, destination is Vnet1, hence Address prefix will be the address space of Vnet1.
Box 2: Virtual appliance
Next hop gets the next hop type and IP address of a packet from a specific VM and NIC. Knowing the next hop helps you determine if traffic is being directed to the intended destination, or whether the traffic is being sent nowhere
Next Hop –> VM1 –> Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)
Box 3: GatewaySubnet
In the scenario it is asked for all the inbound traffic to Vnet1. Inbound traffic is flowing through SubnetGW. You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.So its traffic from Gateway subnet only.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-next-hop-overview
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE Each correct selection is worth one point.
- A . Modify the extensionProfile section of the Azure Resource Manager template.
- B . Create a new virtual machine scale set in the Azure portal.
- C . Create an Azure policy.
- D . Create an automation account.
- E . Upload a configuration script.
A, B
Explanation:
To automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image and has web server components installed, you need to perform the following actions:
Modify the extensionProfile section of the Azure Resource Manager template. This section defines the extensions that are applied to the scale set virtual machines after they are provisioned. You can use the Custom Script Extension to run PowerShell scripts that install and configure the web server components. For more information, see Deploy an application to an Azure Virtual Machine Scale Set1.
Upload a configuration script. This is the PowerShell script that contains the commands to install and configure the web server components. You can upload the script to a storage account or a GitHub repository, and then reference it in the extensionProfile section of the template. For an example of a configuration script, see Tutorial: Install applications in Virtual Machine Scale Sets with Azure PowerShell2.
HOTSPOT
You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.
You add 14 virtual machines to WEBPROD-AS-USE2.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: 2
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update domains will have one VM. Only one update domain is rebooted at a time.
Therefore, a maximum of two VMs will be offline.
Box 2: 7
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain.
A rack failure will affect one fault domain so 7 VMs will be offline.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
HOTSPOT
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 that has the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
To install kubectl locally, use the az aks install-cli command:
az aks install-cli
Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.
You need to provide internet users with access to the applications that run in Cluster1.
Which IP address should you include in the DNS record for Ousted?
- A . 172.17.7.1
- B . 131.107.2.1
- C . 192.168.10.2
- D . 10.0.10.11
B
Explanation:
When any internet user will try to access the cluster which is behind a load balancer, traffic will first hit to load balancer front end IP. So in the DNS configuration you have to provide the IP address of the load balancer.
Reference: https://stackoverflow.com/questions/43660490/giving-a-dns-name-to-azure-load-balancer
You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not support multiple active instances.
At the end of each month, CPU usage for VM1 peaks when App1 runs.
You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.
What task should you include in the runbook?
- A . Add the Azure Performance Diagnostics agent to VM1.
- B . Modify the VM size property of VM1.
- C . Add VM1 to a scale set.
- D . Increase the vCPU quota for the subscription.
- E . Add a Desired State Configuration (DSC) extension to VM1.
B
Explanation:
To create a scheduled runbook to increase the processor performance of VM1 at the end of each month, you need to modify the VM size property of VM1. This will allow you to scale up the VM to a larger size that has more CPU cores and memory. You can use Azure Automation to create a PowerShell runbook that changes the VM size using the Set-AzVM cmdlet. You can then schedule the runbook to run at the end of each month using the Azure portal or Azure PowerShell. For more information, see How to resize a virtual machine in Azure using Azure Automation1.
You plan to create the Azure web apps shown in the following Table.
What is the minimum number of App Service plans you should create for the web apps?
- A . 1
- B . 2
- C . 3
- D . 4
B
Explanation:
.NET Core 3.0: Windows and Linux ASP .NET V4.7: Windows only PHP 7.3: Windows and Linux Ruby 2.6: Linux only Also, you can’t use Windows and Linux Apps in the same App Service Plan, because when you create a new App Service plan you have to choose the OS type. You can’t mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs.
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview
HOTSPOT
You have the App Service plans shown in the following table.
You plan to create the Azure web apps shown in the following table.
You need to identify which App Service plans can be used for the web apps.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: ASP1 ASP3
Asp1, ASP3: ASP.NET Core apps can be hosted both on Windows or Linux.
Not ASP2: The region in which your app runs is the region of the App Service plan it’s in.
Box 2: ASP1
ASP.NET apps can be hosted on Windows only.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=platform-linux
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage#
You have an Azure subscription named Subscription1 that is used be several departments at your
company.
Subscription1 contains the resources in the following table:
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
- A . RG1
- B . VM1
- C . Storage1
- D . Container1
A
Explanation:
You have an Azure subscription named Subscription1 that is used be several departments at your
company.
Subscription1 contains the resources in the following table:
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
- A . RG1
- B . VM1
- C . Storage1
- D . Container1
A
Explanation:
You have an Azure subscription named Subscription1 that is used be several departments at your
company.
Subscription1 contains the resources in the following table:
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
- A . RG1
- B . VM1
- C . Storage1
- D . Container1
A
Explanation:
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
What should you do first?
- A . From the Recovery Service vault, stop the backup of each backup item.
- B . From the Recovery Service vault, delete the backup data.
- C . Modify the disaster recovery properties of each virtual machine.
- D . Modify the locks of each virtual machine.
A
Explanation:
You can’t delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can’t, the vault is still configured to receive backup data.
Remove vault dependencies and delete vault
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure File Servers, SQL Servers in Azure VM, and Azure virtual machines.
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
HOTSPOT
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit.
Explanation:
Box 1: 10 years
The yearly backup point occurs to 1 March and its retention period is 10 years.
Box 2: 36 months
The monthly backup point occurs on the 1
of every month and its retention period is 36 months.
Note: Azure retention policy takes the longest period of retention for each backup. In case of conflict between 2 different policies.
Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide
HOTSPOT
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.
You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.
You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: 4
As there are 4 distinct set of resource types (Ingress, Egress, Delete storage account, Restore blob
ranges), so you need 4 alert rules. In one alert rule you can’t specify different type of resources to
monitor. So you need 4 alert rules.
Box 2: 3
There are 3 distinct set of "Users to notify" as (User 1 and User 3), (User1 only), and (User1, User2, and User3). You can’t set the action group based on existing group (Group1 and Group2) as there is no specific group for User1 only. So you need to create 3 action group.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
You have an Azure virtual machine named VM1.
Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.
You need to specify which resource type to monitor.
What should you specify?
- A . metric alert
- B . Azure Log Analytics workspace
- C . virtual machine
- D . virtual machine extension
C
Explanation:
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for analysis of details and correlations. Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
Azure Log Analytics workspace is also used for on-premises computers monitored by System Center Operations Manager.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
HOTSPOT
You have an Azure subscription that contains the resource groups shown in the following table.
You create the following Azure Resource Manager (ARM) template named deploy json.
You deploy the template by running the following cmdlet.
Item-AzSubscriptionDeployment -location -Template file deploy-json
For each or the following statements, select Yes il the statement is bue. Otherwise, select No. NOTE: Each correct selection is worth one point.
HOTSPOT
You have Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has following resource groups:
RG1 includes a web app named App1 in the West Europe location.
Subscription2 contains the following resource groups:
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
App1 present in RG1 and in RG1 there is no lock available. So you can move App1 to other resource groups, RG2, RG3, RG4.
Note:
App Service resources can only be moved from the resource group in which they were originally created. If an App Service resource is no longer in its original resource group, move it back to its original resource group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations
You have an Azure subscription that contains the resources in the following table.
VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit button.)
You need to prevent users of VM1 and VM2 from accessing websites on the Internet.
What should you do?
- A . Associate the NSG to Subnet1.
- B . Disassociate the NSG from a network interface.
- C . Change the DenyWebSites outbound security rule.
- D . Change the Port_80 inbound security rule
A
Explanation:
Outbound rule “DenyWebSites” is setup correctly to block outbound internet traffic over port 80. In the screenshot it states, "Associated with: 0 subnets, 0 NIC’s", so you need to associate the NSG to Subnet1.You can associate or dissociate a network security group from a NIC or Subnet.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
You have an on-premises server that contains a folder named D:Folder1.
You need to copy the contents of D:Folder1 to the public container in an Azure Storage account named contoso data.
Which command should you run?
- A . https://contosodata.blob.core.windows.net/public
- B . azcopy sync D:folder1 https://contosodata.blob.core.windows.net/public –snapshot
- C . azcopy copy D:folder1 https://contosodata.blob.core.windows.net/public –recursive
- D . az storage blob copy start-batch D:Folder1 https:// contosodata.blob.core.windows.net/public
C
Explanation:
The azcopy copy command copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container by the same name.
Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in the destination is more recent.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy
You have a Recovery Services vault named RSV1. RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14 days.
RSV1 performs daily backups of VM1. VM1 hosts a static website that was updated eight days ago.
You need to recover VM1 to a point eight days ago. The solution must minimize downtime.
What should you do first?
- A . Deallocate VM1.
- B . Restore VM1 by using the Replace existing restore configuration option.
- C . Delete VM1.
- D . Restore VM1 by using the Create new restore configuration option.
D
Explanation:
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options
To recover VM1 to a point eight days ago, you need to use the Azure Backup service to restore the VM from a recovery point. A recovery point is a snapshot of the VM data at a specific point in time. Azure Backup creates recovery points according to the backup policy that you configure for the Recovery Services vault1.
In this case, the Recovery Services vault named RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14 days. This means that you can restore the VM from any point in the last 14 days, as long as there is a recovery point available. Since you need to recover VM1 to a point eight days ago, you can use the daily backup recovery point that was created on that day2.
To restore the VM from a recovery point, you have two options: Replace existing or Create new. The Replace existing option overwrites the existing VM with the restored data, while the Create new option creates a new VM with the restored data. The Replace existing option requires you to deallocate or delete the existing VM before restoring it, which can cause downtime and data loss. The Create new option allows you to restore the VM without affecting the existing VM, which minimizes downtime and data loss3.
Therefore, the best option is to restore VM1 by using the Create new restore configuration option. This will create a new VM with the same name as VM1 and append a suffix to it, such as -Restored. You can then verify that the new VM has the correct data and configuration, and switch over to it when you are ready. You can also delete the original VM if you don’t need it anymore3.
DRAG DROP
You have an Azure Active Directory (Azure AD) tenant that has the initial domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Explanation:
The process is simple:
Add the custom domain name to your directory
Add a DNS entry for the domain name at the domain name registrar
Verify the custom domain name in Azure AD
Reference: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
HOTSPOT
You have the App Service plan shown in the following exhibit.
The scale-in settings for the App Service plan are configured as shown in the following exhibit.
The scale out rule is configured with the same duration and cool down tile as the scale in rule.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
HOTSPOT
You have an Azure subscription.
You need to deploy a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
– dependsON: resoureceID
– storageProfile: ImageReference Reference :
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency#dependson
https://learn.microsoft.com/en-us/javascript/api/@azure/arm-compute/storageprofile?view=azure-node-latest
HOTSPOT
You have an Azure subscription that is linked to an Azure AD tenant. The tenant contains two users named User1 and User2.
The subscription contains the resources shown in the following table.
The subscription contains the alert rules shown in the following table.
The users perform the following actions:
• User1 creates a new virtual disk and attaches the disk to VM1.
• User2 creates a new resource tag and assigns the tag to RG1 and VM1.
Which alert rules are triggered by each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
In this case, you have two alert rules: Alert1 and Alert2. Alert1 has a scope of RG1, which means it applies to all the resources in the resource group named RG1. Alert1 has a condition of All Administrative operations, which means it triggers when any administrative operation is performed on the resources in RG1. An administrative operation is any operation that changes the configuration or state of a resource, such as creating, deleting, updating, or restarting.
Alert2 has a scope of VM1, which means it applies only to the virtual machine named VM1. Alert2 also has a condition of All Administrative operations, which means it triggers when any administrative operation is performed on VM1.
Now, let’s see which alert rules are triggered by each user.
User1 creates a new virtual disk and attaches the disk to VM1. This is an administrative operation on
VM1, so it triggers Alert2. However, it does not trigger Alert1, because the new disk is not part of RG1. Therefore, the correct answer for User1 is C. Only Alert2 is triggered.
User2 creates a new resource tag and assigns the tag to RG1 and VM1. This is also an administrative operation on both RG1 and VM1, so it triggers both Alert1 and Alert2. Therefore, the correct answer for User2 is D. Alert1 and Alert2 are triggered.
HOTSPOT
You have an Azure subscription that contains the hierarchy shown in the following exhibit.
You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer
NOTE Each correct selection is worth one point.
Explanation:
HOTSPOT
You have an Azure subscription that contains the hierarchy shown in the following exhibit.
You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer
NOTE Each correct selection is worth one point.
Explanation:
HOTSPOT
You have an Azure subscription that contains the hierarchy shown in the following exhibit.
You create an Azure Policy definition named Policy1.
To which Azure resources can you assign Policy and which Azure resources can you specify as exclusions from Policy1? To answer, select the appropriate options in the answer
NOTE Each correct selection is worth one point.
Explanation:
HOTSPOT
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.
You add the users in the following table.
Which user can perform each configuration? To answer select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
User1 – The Owner Role lets you manage everything, including access to resources.
User3 – The Network Contributor role lets you manage networks, including creating subnets.
User2 – The Security Admin role can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table.
You create two user accounts that are configured as shown in the following table.
To which groups do User1 and User2 belong? To answer. select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Group 1 only
First rule applies
Box 2: Group1 and Group2 only
Both membership rules apply.
Reference: https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections
You have an Azure subscription named Subscription1 that contains virtual network named VNet1. VNet1 is in a resource group named RG1.
A user named User1 has the following roles for Subscription1:
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
- A . Remove User1 from the Security Reader and Reader roles for Subscription1.
- B . Assign User1 the Owner role for VNet1.
- C . Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.
- D . Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1
B
Explanation:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#:~:text=The%20User%20Access%20Administrator%20role%20enables%20the%20user%20to%20grant,Azure%20subscriptions%20and%20management%20groups.
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
- A . Owner
- B . Virtual Machine Administrator Login
- C . Contributor
- D . Virtual Machine Contributor
D
Explanation:
To ensure that User1 can deploy virtual machines and manage virtual networks, you need to assign an RBAC role that grants the necessary permissions to perform these tasks. The solution must also use the principle of least privilege, which means that you should only grant the minimum level of access required to accomplish the goal.
Based on these requirements, the best RBAC role to assign to User1 is D. Virtual Machine Contributor. This role allows User1 to create and manage virtual machines, disks, snapshots, and network interfaces. It also allows User1 to connect virtual machines to existing virtual networks and subnets. However, it does not allow User1 to create or delete virtual networks or subnets, or to access the virtual machines themselves. This role follows the principle of least privilege by limiting User1’s access to only the resources and actions that are relevant to deploying virtual machines and managing virtual networks1.
HOTSPOT
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
✑ Replicates synchronously
✑ Remains available if a single data center in the region fails
How should you configure the storage account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2)
ZRS only support GPv2.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
You create an Azure Storage account named Contoso storage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should be open between the home computers and the data file share?
- A . 80
- B . 443
- C . 445
- D . 3389
C
Explanation:
Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
You have an Azure subscription named Subscription1.
You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
- A . Azure Data Lake Store
- B . a virtual machine
- C . the Azure File Sync Storage Sync Service
- D . Azure Blob storage
D
Explanation:
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
The maximum size of an Azure Files Resource of a file share is 5 TB.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a quest user account in contoso.com for each of the 500 external users.
Solution: from Azure AD in the Azure portal, you use the Bulk create user operation.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
"Bulk Create" is for new Azure AD Users.
For Guests:
– Use "Bulk invite users" to prepare a comma-separated value (.csv) file with the user information and invitation preferences
– Upload the .csv file to Azure AD
– Verify the users were added to the directory
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users.
You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: You create a Power Shell script that runs the New-MgUser cmdlet for each user.
Does this meet the goal?
- A . Yes
- B . NO
B
Explanation:
The New-MgUser cmdlet is part of the Microsoft Graph PowerShell SDK, which is a module that allows you to interact with the Microsoft Graph API. The Microsoft Graph API is a service that provides access to data and insights across Microsoft 365, such as users, groups, mail, calendar, contacts, files, and more1.
The New-MgUser cmdlet can be used to create new users in your Azure AD tenant, but it has some limitations and requirements. For example, you need to have the Global Administrator or User Administrator role in your tenant, you need to authenticate with the Microsoft Graph API using a certificate or a client secret, and you need to specify the required parameters for the new user, such as userPrincipalName, accountEnabled, displayName, mailNickname, and passwordProfile2. However, the New-MgUser cmdlet does not support creating guest user accounts in your Azure AD tenant. Guest user accounts are accounts that belong to external users from other organizations or domains. Guest user accounts have limited access and permissions in your tenant, and they are typically used for collaboration or sharing purposes3.
To create guest user accounts in your Azure AD tenant, you need to use a different cmdlet: New-AzureADMSInvitation. This cmdlet is part of the Azure AD PowerShell module, which is a module that allows you to manage your Azure AD resources and objects. The New-AzureADMSInvitation cmdlet can be used to create and send an invitation email to an external user, which contains a link to join your Azure AD tenant as a guest user. You can also specify some optional parameters for the invitation, such as the invited user display name, message info, redirect URL, or send invitation message.
Therefore, to meet the goal of creating guest user accounts for 500 external users from a CSV file, you need to use a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each user, not the New-MgUser cmdlet.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Network Contributor role at the subscription level to Admin1.
Does this meet the goal?
- A . Yes
- B . NO
A
Explanation:
Your account must meet one of the following to enable traffic analytics:
Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Traffic Manager Contributor role at the subscription level to Admin1
- A . Yes
- B . NO
B
Explanation:
The Traffic Manager Contributor role is not related to Traffic Analytics. Traffic Manager is a service that provides DNS-based load balancing and traffic routing across different regions and endpoints. Traffic Manager Contributor is a role that allows you to create and manage Traffic Manager profiles, endpoints, and geographies1.
Traffic Analytics is a service that provides visibility into user and application activity in your cloud networks. Traffic Analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With Traffic Analytics, you can visualize network activity, identify hot spots, secure your network, optimize your network deployment, and pinpoint network misconfigurations2.
To enable Traffic Analytics for an Azure subscription, you need to have a role that grants you the following permissions at the subscription level:
Microsoft.Network/applicationGateways/read
Microsoft.Network/connections/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/localNetworkGateways/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/routeTables/read
Microsoft.Network/virtualNetworkGateways/read
Microsoft.Network/virtualNetworks/read
Microsoft.OperationalInsights/workspaces/*
Some of the built-in roles that have these permissions are Owner, Contributor, or Network Contributor3. However, these roles also grant other permissions that may not be necessary or desirable for enabling Traffic Analytics. Therefore, the best practice is to use the principle of least privilege and create a custom role that only has the required permissions for enabling Traffic Analytics4.
Therefore, to meet the goal of ensuring that an Azure AD user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription, you should create a custom role with the required permissions and assign it to Admin1 at the subscription level.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
The Owner role is a very high-level role that grants full access to manage all resources in the scope, including the ability to assign roles to other users. This role does not follow the principle of least privilege, which means that you should only grant the minimum level of access required to accomplish the goal.
To enable Traffic Analytics for an Azure subscription, you need to have a role that grants you the following permissions at the subscription level:
Microsoft.Network/applicationGateways/read
Microsoft.Network/connections/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/localNetworkGateways/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/routeTables/read
Microsoft.Network/virtualNetworkGateways/read
Microsoft.Network/virtualNetworks/read
Microsoft.OperationalInsights/workspaces/*
Some of the built-in roles that have these permissions are Owner, Contributor, or Network Contributor1. However, these roles also grant other permissions that may not be necessary or desirable for enabling Traffic Analytics. Therefore, the best practice is to use the principle of least privilege and create a custom role that only has the required permissions for enabling Traffic Analytics2.
Therefore, to meet the goal of ensuring that an Azure AD user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription, you should create a custom role with the required permissions and assign it to Admin1 at the subscription level.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Monitor, you create a metric on Network in and Network Out.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Correct answer is packet capture in Azure Network Watcher. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a connection monitor.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-
overview
HOTSPOT
You have an Azure subscription that contains the container images shown in the following table.
You plan to use the following services:
• Azure Container Instances
• Azure Container Apps
• Azure App Service
In which services can you run the images? To answer, select the options in the answer area. NOTE: Each correct answer is worth one point.
Explanation:
Image 1: Azure Container Apps only.
image 2: Azure Container Instances, Azure Container Apps, and App Services.
The images you have in your Azure subscription are different types of container images that can run on different Azure services. A container image is a package of software that includes everything needed to run an application, such as code, libraries, dependencies, and configuration files. Container images are portable and consistent across different environments, such as development, testing, and production.
Azure Container Instances is a service that allows you to run containers directly on the Azure cloud, without having to manage any infrastructure or orchestrators. You can use Azure Container Instances to run any container image that is compatible with the Docker image format and follows the Open Container Initiative (OCI) specification. You can also run Windows or Linux containers on Azure Container Instances.
Azure Container Apps is a service that allows you to build and deploy cloud-native applications and microservices using serverless containers. You can use Azure Container Apps to run any container image that is compatible with the Docker image format and follows the Open Container Initiative (OCI) specification. You can also run Windows or Linux containers on Azure Container Apps.
Azure App Service is a service that allows you to build and host web applications, mobile backends, and RESTful APIs using various languages and frameworks. You can use Azure App Service to run custom container images that are compatible with the Docker image format and follow the App Service Docker image contract. You can also run Windows or Linux containers on Azure App Service.
You have an Azure subscription. The subscription contains virtual machines that connect to a virtual network named VNet1.
You plan to configure Azure Monitor for VM Insights.
You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1.
What should you create first?
- A . an Azure Monitor Private Link Scope (AMPIS)
- B . a private endpoint
- C . a Log Analytics workspace
- D . a data collection rule (DCR)
A
Explanation:
Azure Monitor for VM Insights is a feature of Azure Monitor that provides comprehensive monitoring and diagnostics for your Azure virtual machines and virtual machine scale sets. It collects performance data, process information, and network dependencies from your virtual machines and displays them in interactive charts and maps. You can use Azure Monitor for VM Insights to troubleshoot performance issues, optimize resource utilization, and identify network bottlenecks1. To enable Azure Monitor for VM Insights, you need to install two agents on your virtual machines: the Azure Monitor agent (preview) and the Dependency agent. The Azure Monitor agent collects performance metrics and sends them to a Log Analytics workspace. The Dependency agent collects process information and network dependencies and sends them to the InsightsMetrics table in the same workspace2.
By default, the agents communicate with Azure Monitor over the public internet. However, if you want to ensure that all the virtual machines only communicate with Azure Monitor through a virtual network named VNet1, you need to configure private network access for the agents.
Private network access allows the agents to communicate with Azure Monitor using a private endpoint, which is a special network interface that connects your virtual network to an Azure service without exposing it to the public internet. A private endpoint uses a private IP address from your virtual network address space, so you can secure and control the network traffic between your virtual machines and Azure Monitor3.
To configure private network access for the agents, you need to create an Azure Monitor Private Link Scope (AMPIS) first. An AMPIS is a resource that groups one or more Log Analytics workspaces together and associates them with a private endpoint. An AMPIS allows you to manage the private connectivity settings for multiple workspaces in one place4.
After creating an AMPIS, you need to create a private endpoint in VNet1 and link it to the AMPIS. This will enable the agents on your virtual machines to send data to the Log Analytics workspaces in the AMPIS using the private IP address of the private endpoint5.
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
You plan to create a data collection rule named DCRI in Azure Monitor.
Which resources can you set as data sources in DCRI, and which resources can you set as destinations in DCRI? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Data Sources: VM1 only
Destination: Workspace1 Only
Your company has an Azure subscription named Subscription1.
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2.
Server2 has the following tools installed:
– The DNS Manager console
– Azure PowerShell
– Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription 1. The solution must minimize administrative effort.
What should you use?
- A . Azure PowerShell
- B . Azure CLI
- C . the Azure portal
- D . the DNS Manager console
B
Explanation:
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal.
Reference: https://docs.microsoft.com/en-us/azure/dns/dns-import-export
You have an Azure subscription that hat Traffic Analytics configured.
You deploy a new virtual machine named VM1 that has the following settings:
• Region- East US
• Virtual network: VNet1
• NIC network security group: NSG1
You need to monitor VM1 traffic by using Traffic Analytics.
Which settings should you configure?
- A . Diagnostic settings for VM1
- B . Insights for VM1
- C . NSG flow logs for NSG1
- D . Diagnostic settings for NSG1
C
Explanation:
Traffic Analytics analyzes the network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud1. NSG flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG2. To use Traffic Analytics, you need to enable NSG flow logs for the network security groups you want to monitor1.
Diagnostic settings for VM1 or NSG1 are not required for Traffic Analytics. Diagnostic settings are used to stream log data from an Azure resource to different destinations such as Log Analytics workspace, Event Hubs, or Storage account3. Insights for VM1 are also not required for Traffic Analytics. Insights are a feature of Azure Monitor that provide analysis of the performance and health of an Azure resource4.
You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1. Subnet1 is in a virtual network named VNet1. You need to
prevent VM1 from accessing VM2 on port 3389.
What should you do?
- A . Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.
- B . Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
- C . Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.
- D . Configure Azure Bastion in VNet1.
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.
VNet1 is in a resource group named RG1.
Subscription1 has a user named User1.
User1 has the following roles;
• Reader
• Security Admin
• Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
- A . Assign User1 the Contributor role for VNet1.
- B . Remove User from the Security Reader and Reader roles tot Subscription1.
- C . Assign User1 the Network Contributor role for VNet1.
- D . Assign User1 the User Access Administrator role for VNet1
D
Explanation:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#:~:text=The%20User%20Access%20Administrator%20role%20enables%20the%20user%20to%20grant,Azure%20subscriptions%20and%20management%20groups.
You have an Azure subscription that contains two Log Analytics workspaces named Workspace 1 and Workspace? and 100 virtual machines that run Windows Server.
You need to collect performance data and events from the virtual machines.
The solution must meet the following requirements:
• Logs must be sent to Workspace! and Workspace?
• All Windows events must be captured
• All security events must be captured.
What should you install and configure on each virtual machine?
- A . the Azure Monitor agent
- B . the Windows Azure diagnostics extension (WAD)
- C . the Windows VM agent
A
Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent replaces all of Azure Monitor’s legacy monitoring agents.
You have an Azur« subscription that contains a virtual machine named VM1 and an Azure key vault named KV1.
You need to configure encryption for VM1.
The solution must meet the following requirements:
• Store and use the encryption key in KV1.
• Maintain encryption if VM1 is downloaded from Azure.
• Encrypt both the operating system disk and the data disks.
Which encryption method should you use?
- A . encryption at host
- B . customer-managed keys
- C . Azure Disk Encryption
- D . Confidential disk encryption
C
Explanation:
Azure Disk Encryption is a service that helps you encrypt your Windows and Linux IaaS virtual machine disks1. It uses BitLocker for Windows and DM-Crypt for Linux to provide volume encryption for the OS and data disks2. Azure Disk Encryption requires that you use a key encryption key in Azure Key Vault to encrypt the volume encryption key, which is then stored on the disk. You can use either a service-managed key or a customer-managed key in Azure Key Vault3. Azure Disk Encryption also supports encrypting virtual machine disks that are downloaded from Azure4.
You have an Azure App Services web app named App1.
You plan to deploy App1 by using Web Deploy.
You need to ensure that the developers of App1 can use their Azure Active Directory (Azure AD) credentials to deploy content to App1. The solution must use the principle of least privilege.
What should you do?
- A . Configure app-level credentials for FTPS.
- B . Assign The Website Contributor role to the developers.
- C . Assign the Owner role to the developers.
- D . Configure user-level credentials for FTPS.
B
Explanation:
"To secure app deployment from a local computer, Azure App Service supports two types of credentials for local Git deployment and FTP/S deployment. These credentials are not the same as your Azure subscription credentials." https://learn.microsoft.com/en-us/azure/app-service/deploy-configure-credentials?tabs=cli
You have an Azure subscription that contains an Azure Storage account.
You plan to create an Azure container instance named container1 that will use a Docker image namedImage1. Image1 contains a Microsoft SQL Server instance that requires persistent storage.
You need to configure a storage service for Container1.
What should you use?
- A . Azure Files
- B . Azure Blob storage
- C . Azure Queue storage
- D . Azure Table storage
A
Explanation:
https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage/
You have an Azure subscription that contains a web app named webapp1. You need to add a custom domain named www.contoso.com to webapp1.
What should you do first?
- A . Upload a certificate.
- B . Add a connection string.
- C . Stop webapp1.
- D . Create a DNS record.
D
Explanation:
You can use either a CNAME record or an A record to map a custom DNS name to App Service. You should use CNAME records for all custom DNS names except root domains (for example, contoso.com). For root domains, use A records.
Reference: https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain
You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.
You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.
What should you deploy?
- A . all three virtual machines in a single Availability Zone
- B . all virtual machines in a single Availability Set
- C . each virtual machine in a separate Availability Zone
- D . each virtual machine in a separate Availability Set
C
Explanation:
An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For example, if you create three or more VMs across three zones in an Azure region, your VMs are effectively distributed across three fault domains and three update domains. The Azure platform recognizes this distribution across update domains to make sure that VMs in different zones are not updated at the same time.
Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-availability/5-review-availability-zones
You plan to move a distributed on-premises app named App1 to an Azure subscription.
After the planned move, App1 will be hosted on several Azure virtual machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.
What should you create?
- A . one virtual machine scale set that has 10 virtual machines instances
- B . one Availability Set that has three fault domains and one update domain
- C . one Availability Set that has 10 update domains and one fault domain
- D . one virtual machine scale set that has 12 virtual machines instances
D
Explanation:
A virtual machine scale set is a group of identical virtual machines that are automatically distributed across fault domains and update domains in one or more placement groups1. A fault domain is a logical group of underlying hardware that share a common power source and network switch, and a failure in one fault domain will not affect virtual machines in other fault domains2. An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time3.
By creating a virtual machine scale set with 12 instances, you can ensure that App1 has high availability and scalability. You can configure the scale set to have a minimum number of instances that must always be running, and a maximum number of instances that can be scaled up or down based on demand or a schedule. You can also configure the scale set to use automatic OS image upgrades, which will apply updates to the virtual machines in batches, ensuring that at least one instance is always running during the upgrade process.
HOTSPOT
Your company purchases a new Azure subscription.
You create a file named Deploy json as shown in the following exhibit
You connect to the subscription and run the following cmdlet:
New-AzDeployment -Location westus -TemplateFile “deploy.json”"
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Explanation:
Based on the file named Deploy.json and the cmdlet you ran, here are the answers to your statements:
You can deploy a virtual machine to RGI. = No
You can deploy a virtual machine to RG2. = No
You can manually create a resource group named RG3. = Yes
Let me explain why:
The Deploy.json file defines a template for creating a resource group and a virtual machine in Azure. The template has two parameters: resourceGroupName and vmName. The template also has two resources: one for the resource group and one for the virtual machine. The resource group resource has a property called name, which is set to the value of the resourceGroupName parameter. The virtual machine resource has a property called location, which is set to the value of the location parameter of the deployment cmdlet.
The cmdlet you ran specifies the location as westus and the template file as Deploy.json. However, it does not specify any values for the resourceGroupName and vmName parameters. Therefore, the cmdlet will prompt you to enter those values interactively before creating the deployment.
If you enter RGI as the value for the resourceGroupName parameter and VM1 as the value for the
vmName parameter, then the cmdlet will create a resource group named RGI and a virtual machine named VM1 in the westus location. Therefore, you can deploy a virtual machine to RGI.
However, if you enter RG2 as the value for the resourceGroupName parameter, then the cmdlet will fail with an error. This is because RG2 already exists in your subscription and you cannot create a resource group with the same name as an existing one. Therefore, you cannot deploy a virtual machine to RG2 using this template and cmdlet.
You can manually create a resource group named RG3 by using another cmdlet: New-AzResourceGroup. This cmdlet takes two parameters: Name and Location. For example, you can run the following cmdlet to create a resource group named RG3 in westus:
New-AzResourceGroup -Name RG3 -Location westus
You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named GUI.
Webapp1 has the deployment slots shown in the following table.
You need to ensure that the App1 update is tested before the update is made available to users.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Swap the slots
- B . Deploy the App1 update to webapp1-prod, and then test the update
- C . Stop webapp1-prod
- D . Deploy the App1 update to webapp1-test, and then test the update
- E . Stop webapp1-test
AD
Explanation:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
HOTSPOT
You plan to deploy an Azure container instance by using the following Azure Resource Manager template.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.
Explanation:
Box 1: can connect to the container from any device
In the policy "osType": "window" refer that it will create a container in a container group that runs Windows but it won’t block access depending on device type.
Box 2: the container will restart automatically
Docker provides restart policies to control whether your containers start automatically when they exit, or when Docker restarts. Restart policies ensure that linked containers are started in the correct order. Docker recommends that you use restart policies, and avoid using process managers to start containers.
on-failure: Restart the container if it exits due to an error, which manifests as a non-zero exit code. As the flag is mentioned as "on-failure" in the policy, so it will restart automatically
Reference:
https://docs.microsoft.com/en-us/cli/azure/container?view=azure-cli-latest
https://docs.docker.com/config/containers/start-containers-automatically/
You have an Azure Storage account named storage1.
You plan to use AzCopy to copy data to storage1.
You need to identify the storage services in storage1 to which you can copy the data.
What should you identify?
- A . blob, file, table, and queue
- B . blob and file only
- C . file and table only
- D . file only
- E . blob, table, and queue only
B
Explanation:
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-requirements
You have an Azure subscription that contains a storage account named storage1.
You plan to use conditions when assigning role-based access control (RABC) roles to storage1.
Which storage1 services support conditions when assigning roles?
- A . containers only
- B . file shares only
- C . tables only
- D . queues only
- E . containers and queues only
- F . files shares and tables only
A
Explanation:
"Currently, conditions can be added to built-in or custom role assignments that have blob storage or queue storage data actions. " https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview#where-can-conditions-be-added
Your on-premises network contains a VPN gateway.
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that all the traffic from VM1 to storage! travels across the Microsoft backbone network.
What should you configure?
- A . private endpoints
- B . Azure Firewall
- C . Azure AD Application Proxy
- D . Azure Peering Service
B
Explanation:
Per the MS documentation, private endpoint seems to be the proper choice: "You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet." Link: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
You have the virtual machines shown in the following table.
You have the virtual network interfaces shown in the following table.
Server1 is a DNS server that contains the resources shown in the following table.
You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
