Exam4Training

Microsoft AZ-300 Microsoft Azure Architect Technologies Online Training

Question #1

Question Set 1

HOTSPOT

You have an Azure subscription named Subscription1.

Subscription1 contains the resources in the following table:

VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2. An administrator named Admin1 creates an Azure virtual machine VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.

You need to move the custom application to VNet2. The solution must minimize administrative effort.

Which two actions should you perform? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

We cannot just move a virtual machine between networks.

What we need to do is identify the disk used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.

Reference:

https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/

https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets


Question #2

You have an Azure subscription named Subscription1 that is used by several departments at your company.

Subscription1 contains the resources in the following table.

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment.

From the Azure Portal, for which blade can you view the template that was used for the deployment?

  • A . Container1
  • B . VM1
  • C . Storage2
  • D . RG1

Correct Answer: D

Explanation:

You can verify the deployment by exploring the resource group from the Azure portal.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-manager-tutorial

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Question #3

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant. Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.

Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24. You need to connect VNet1 to VNet2.

What should you do first?

  • A . Modify the IP address space of VNet2.
  • B . Move VM1 to Subscription2.
  • C . Provision virtual network gateways.
  • D . Move VNet1 to Subscription2.

Correct Answer: C

Explanation:

We require a virtual network gateway for VNet-to-VNet connectivity.

Incorrect Answers:

A: There is no need to modify the address space. If you update the address space for one VNet, the other VNet automatically knows to route to the updated address space.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-cli

Question #4

You have an Azure Active Directory (Azure AD) tenant.

You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations.

You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations.

What should you do?

  • A . From the Azure portal, modify session control of Policy1.
  • B . From the multi-factor authentication page, modify the user settings.
  • C . From the multi-factor authentication page, modify the service settings.
  • D . From the Azure portal, modify grant control of Policy1.

Correct Answer: D

Explanation:

We need to modify the grant control of Policy1.

The grant control can trigger enforcement of one or more controls.

– Require multi-factor authentication (Azure Multi-Factor Authentication)

– Require device to be marked as compliant (Intune)

– Require Hybrid Azure AD joined device

– Require approved client app

– Require app protection policy

Note: It is now possible to explicitly apply the Require MFA for admins rule.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection

Question #5

HOTSPOT

You plan to deploy five virtual machines to a virtual network subnet. Each virtual machine will have a public IP address and a private IP address. Each virtual machine requires the same inbound and outbound security rules.

What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: 5

We have five virtual machines. Each virtual machine will have a public IP address and a private IP address. Each will require a network interface.

Box 2: 1

Each virtual machine requires the same inbound and outbound security rules. We can add them to one group.

Reference: https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview


Question #6

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.

VM1 runs services that will be used to deploy resources to RG1.

You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.

What should you do first?

  • A . From the Azure portal, modify the Access control (IAM) settings of RG1.
  • B . From the Azure portal, modify the Policies settings of RG1.
  • C . From the Azure portal, modify the Access control (IAM) settings of VM1.
  • D . From the Azure portal, modify the value of the Managed Service Identity option for VM1.

Correct Answer: D

Explanation:

Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Question #7

HOTSPOT

You have an Azure subscription named Subscription1.

Subscription1 contains the virtual networks in the following table:

Subscription1 contains the virtual machines in the following table:

The firewalls on all the virtual machines are configured to allow all ICMP traffic.

You add the peerings in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

VM1 on VNet1 can ping VM3 on VNet3 as VNet1 and VNet3 are peered.

VM2 on VNet2 can ping VM3 on VNet3 as VNet2 and VNet3 are peered.

VM2 cannot ping VM1 as there is no peering between VNet2 and VNet1.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal


Question #8

HOTSPOT

You have an Azure Active Directory (Azure AD) tenant.

You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.

Which three settings should you configure? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa


Question #9

You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.

You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single sign-on (SSO) to access Azure resources.

What should you do first?

  • A . From the on-premises network, deploy Active Directory Federation Services (AD FS).
  • B . From Azure AD, add and verify a custom domain name.
  • C . From the on-premises network, request a new certificate that contains the Active Directory domain name.
  • D . From the server that runs Azure AD Connect, modify the filtering options.

Correct Answer: B

Explanation:

The UPN is used by Azure AD to allow users to sign in. The UPN that a user can use depends on whether or not the domain has been verified. If the domain has been verified, then a user with that suffix will be allowed to sign in to Azure AD.

To do so, you need to add and verify a custom domain in Azure AD before you can start syncing the users.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#azure-ad-sign-in

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync#detect-upn-mismatch-if-object-is-synced-to-azure-active-directory

Question #10

You have an Active Directory forest named contoso.com.

You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled. You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs. You need to ensure that the synchronization completes successfully.

What should you do?

  • A . From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial.
  • B . Run Azure AD Connect and set the SSO method to Pass-through Authentication.
  • C . From Synchronization Service Manager, run a full import.
  • D . Run Azure AD Connect and disable staging mode.

Correct Answer: D

Explanation:

In staging mode, the server is active for import and synchronization, but it does not run any exports. A server in staging mode is not running password sync or password writeback, even if you selected these features during installation. When you disable staging mode, the server starts exporting, enables password sync, and enables password writeback.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-operations

Question #11

DRAG DROP

You have an Azure Active Directory (Azure AD) tenant that has the initial domain name. You have a domain name of contoso.com registered at a third-party registrar. You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.

Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:


Question #15

You have an Azure subscription that contains 100 virtual machines. You regularly create and delete virtual machines. You need to identify unattached disks that can be deleted.

What should you do?

  • A . From Microsoft Azure Storage Explorer, view the Account Management properties.
  • B . From Azure Cost Management, create a Cost Management report.
  • C . From the Azure portal, configure the Advisor recommendations.
  • D . From Azure Cost Management, open the Optimizer tab and create a report.

Correct Answer: D

Explanation:

You can find unused disks in the Azure Storage Explorer console. Once you drill down to the Blob containers under a storage account, you can see the lease state of the residing VHD (the lease state determines if the VHD is being used by any resource) and the VM to which it is leased out. If you find that the lease state and the VM fields are blank, it means that the VHD in question is unused.

Note: The ManagedBy property stores the ID of the VM to which the managed disk is attached. If the ManagedBy property is $null, the managed disk is not attached to a VM.

Reference:

https://cloud.netapp.com/blog/reduce-azure-storage-costs

Question #16

You have an Azure subscription that contains 10 virtual machines.

You need to ensure that you receive an email message when any virtual machines are powered off, restarted, or deallocated.

What is the minimum number of rules and action groups that you require?

  • A . three rules and three action groups
  • B . one rule and one action group
  • C . three rules and one action group
  • D . one rule and three action groups

Correct Answer: C

Explanation:

We need a separate rule for each condition. We also need a separate action group for each action type that we want to fire when the rule is met.

In this scenario we have three conditions (when any virtual machines are powered off, restarted, or deallocated) and one action type (you are sent an email message).

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric-overview

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

Question #17

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.

You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A . Upload a configuration script.
  • B . Create an automation account.
  • C . Create a new virtual machine scale set in the Azure portal.
  • D . Create an Azure policy.
  • E . Modify the extensionProfile section of the Azure Resource Manager template.

Correct Answer: CE

Explanation:

References:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

Question #18

You have an Azure subscription.

You have 100 Azure virtual machines.

You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.

Which blade should you use?

  • A . Customer insights
  • B . Monitor
  • C . Advisor
  • D . Metrics

Correct Answer: C

Explanation:

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. You can get cost recommendations from the Cost tab on the Advisor dashboard.

Reference:

https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

Question #19

An app uses a virtual network with two subnets. One subnet is used for the application server. The other subnet is used for a database server. A network virtual appliance (NVA) is used as a firewall.

Traffic destined for one specific address prefix is routed to the NVA and then to an on-premises database server that stores sensitive data. A Border Gateway Protocol (BGP) route is used for the traffic to the on-premises database server.

You need to recommend a method for creating the user-defined route.

Which two options should you recommend? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

  • A . For the virtual network configuration, use a VPN.
  • B . For the next hop type, use a virtual network peering.
  • C . For the virtual network configuration, use Azure ExpressRoute.
  • D . For the next hop type, use a virtual network gateway.

Correct Answer: AD

Explanation:

You can create custom, or user-defined, routes in Azure to override Azure’s default system routes, or to add additional routes to a subnet’s route table.

You can specify the following next hop types when creating a user-defined route:

– Virtual appliance: A virtual appliance is a virtual machine that typically runs a network application, such as a firewall.

– Virtual network gateway: Specify when you want traffic destined for specific address prefixes routed to a virtual network gateway. The virtual network gateway must be created with type VPN. You cannot specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes.

– None: Specify when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination.

– Virtual network: Specify when you want to override the default routing within a virtual network.

– Internet: Specify when you want to explicitly route traffic destined to an address prefix to the Internet, or if you want traffic destined for Azure services with public IP addresses kept within the Azure backbone network.

Incorrect Answers:

B: You cannot specify VNet peering or VirtualNetworkServiceEndpoint as the next hop type in user-defined routes. Routes with the VNet peering or VirtualNetworkServiceEndpoint next hop types are only created by Azure, when you configure a virtual network peering, or a service endpoint.

C: You cannot specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Question #20

You manage a solution in Azure that consists of a single application which runs on a virtual machine (VM). Traffic to the application has increased dramatically.

The application must not experience any downtime and scaling must be dynamically defined.

You need to define an auto-scale strategy to ensure that the VM can handle the workload.

Which three options should you recommend? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

  • A . Deploy application automatic vertical scaling.
  • B . Create a VM availability set.
  • C . Create a VM scale set.
  • D . Deploy application automatic horizontal scaling.
  • E . Deploy a custom auto-scale implementation.

Correct Answer: CDE

Question #21

DRAG DROP

You develop a web app that uses the tier D1 app service plan by using the Web Apps feature of Microsoft Azure App Service.

Spikes in traffic have caused increases in page load times.

You need to ensure that the web app automatically scales when CPU load is about 85 percent and minimize costs.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Correct Answer:

Explanation:

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-get-started


Question #22

HOTSPOT

You have an Azure subscription that contains a virtual network named VNet1.

VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table.

Subnet1 contains a virtual appliance named VM1 that operates as a router. You create a routing table named RT1.

You need to route all inbound traffic to VNet1 through VM1.

How should you configure RT1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #23

You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD). You need to select authentication mechanisms that can be used for both MFA and SSPR.

Which two authentication methods should you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

  • A . Short Message Service (SMS) messages
  • B . Authentication app
  • C . Email addresses
  • D . Security questions
  • E . App passwords

Correct Answer: AB

Explanation:

The following authentication mechanisms can be used for both MFA and SSPR:

– Short Message Service (SMS) messages

– Azure AD passwords

– Microsoft Authenticator app

– Voice call

Incorrect Answers:

C, D:

The following authentication mechanisms are used for SSPR only:

– Email addresses

– Security questions

E: App passwords authentication mechanisms can be used for MFA only, but only in certain cases.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

Question #24

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You create a resource lock, and then you assign the lock to the subscription.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

How can I freeze or lock my production/critical Azure resources from accidental deletion? There is a way to do this with both ASM and ARM resources using Azure resource lock.

References:

https://blogs.msdn.microsoft.com/azureedu/2016/04/27/using-azure-resource-manager-policy-and-azure-lock-to-control-your-azure-resources/

Question #25

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the RG1 blade, you click Automation script.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

From the RG1 blade, click Deployments.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Question #26

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the Subscription blade, you select the subscription, and then click Resource providers.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

From the RG1 blade, click Deployments.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Question #27

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates. You need to view the date and time when the resources were created in RG1.

Solution: From the RG1 blade, you click Deployments.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Explanation:

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Question #28

HOTSPOT

You have several Azure virtual machines on a virtual network named VNet1.

You configure an Azure Storage account as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: always

Endpoint status is enabled.

Box 2: Never

After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the network restricted storage account.

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

https://azure.microsoft.com/en-us/blog/azure-backup-now-supports-storage-accounts-secured-with-azure-storage-firewalls-and-virtual-networks/


Question #29

HOTSPOT

You plan to create an Azure Storage account in the Azure region of East US 2.

You need to create a storage account that meets the following requirements:

– Replicates synchronously

– Remains available if a single data center in the region fails

How should you configure the storage account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.

LRS would not remain available if a data center in the region fails.

GRS and RA-GRS use asynchronous replication.

Box 2: StorageV2 (general purpose V2)

ZRS only supports GPv2.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs


Question #30

DRAG DROP

You have an on-premises file server named Server1 that runs Windows Server 2016.

You have an Azure subscription that contains an Azure file share. You deploy an Azure File Sync Storage Sync Service, and you create a sync group. You need to synchronize files from Server1 to Azure.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Step 1: Install the Azure File Sync agent on Server1

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

Step 2: Register Server1.

Register Windows Server with Storage Sync Service

Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.

Step 3: Add a server endpoint

Create a sync group and a cloud endpoint.

A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.

References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide


Question #31

You plan to use the Azure Import/Export service to copy files to a storage account.

Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . a dataset CSV file
  • B . an XML manifest file
  • C . a driveset CSV file
  • D . a PowerShell PS1 file
  • E . a JSON configuration file

Correct Answer: AC

Explanation:

A: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file.

C: Modify the driveset.csv file in the root folder where the tool resides.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

Question #32

You create an Azure Storage account named contosostorage. You plan to create a file share named data. Users need to map a drive to the data file share from home computers that run Windows 10.

Which outbound port should you open between the home computers and the data file share?

  • A . 80
  • B . 443
  • C . 445
  • D . 3389

Correct Answer: C

Explanation:

Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked.

References: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

Question #33

HOTSPOT

You have an Azure subscription named Subscription1.

Subscription1 contains the virtual machines in the following table:

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.

You create a route table named RT1 that contains the routes in the following table.

You apply RT1 to Subnet1 and Subnet2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

IP forwarding enables the virtual machine a network interface is attached to:

– Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.

– Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.

The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.

Box 1: Yes

The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

Box 2: No

VM3, which has IP forwarding enabled, must be turned on for VM2 to connect to VM1.

Box 3: Yes

The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

https://www.quora.com/What-is-IP-forwarding


Question #34

HOTSPOT

You have a virtual network named VNet1 that has the configuration shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: add an address space

Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.

Box 2: add a network interface

The 10.2.1.0/24 network exists. We need to add a network interface.

References:

https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-static-private-ip-arm-pportal


Question #35

HOTSPOT

You have an Azure subscription named Subscription1.

Subscription1 contains the resources in the following table.

In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2.

The adatum.com zone is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: No

Azure DNS provides automatic registration of virtual machines from a single virtual network that’s linked to a private zone as a registration virtual network. VM5 does not belong to the registration virtual network though.

Box 2: No

Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution virtual network.

Box 3: Yes

VM6 belongs to the registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.

By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual machines within the registration virtual network.

References: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview


Question #36

You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)

No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named VNet2 in the same region. VNet2 has an address space of 10.2.0.0/16.

You need to create the peering.

What should you do first?

  • A . Add a gateway subnet to VNet1.
  • B . Create a subnet on VNet1 and VNet2
  • C . Modify the address space of VNet1
  • D . Configure a service endpoint on VNet2

Correct Answer: C

Explanation:

The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

Question #37

SIMULATION

Click to expand each objective.

To connect to the Azure portal, type https://portal.azure.com in the browser address bar.

When you are finished performing all the tasks, click the ‘Next’ button.

Note that you cannot return to the lab once you click the ‘Next’ button. Scoring occurs in the background while you complete the rest of the exam.

Overview

The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task. Labs are not timed separately, and this exam may have more than one lab that you must complete.

You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

To start the lab

You may start the lab by clicking the Next button.

Your company plans to store several documents on a public website.

You need to create a container named bios that will host the documents in the storagelod8322489 storage account. The solution must ensure anonymous access and must ensure that users can browse folders in the container.

What should you do from the Azure portal?

Correct Answer: Azure portal create public container

To create a container in the Azure portal, follow these steps:

Step 1: Navigate to your new storage account in the Azure portal.

Step 2: In the left menu for the storage account, scroll to the Blob service section, then select Blobs.

Select the + Container button.

Type a name for your new container: bios

Set the level of public access to the container: Select anonymous access.

Step 3. Select OK to create the container.

References:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal


Question #38

SIMULATION

Your company plans to host in Azure the source files of several line-of-business applications. You need to create an Azure file share named corpsoftware in the storagelod8322489 storage account. The solution must ensure that corpsoftware can store only up to 250 GB of data.

What should you do from the Azure portal?

Correct Answer: Step 1: Go to the Storage Account blade on the Azure portal:

Step 2: Click on add File Share button:

Step 3: Provide Name (corpdata7523690n1) and Quota (250 GB).

References:

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share


Question #39

SIMULATION

You plan to back up all the Azure virtual machines in your Azure subscription at 02:00 Coordinated Universal Time (UTC) daily.

You need to prepare the Azure environment to ensure that any new virtual machines can be configured quickly for backup. The solution must ensure that all the daily backups performed at 02:00 UTC are stored for only 90 days.

What should you do from your Recovery Services vault on the Azure portal?

Correct Answer: Task A: Create a Recovery Services vault (if a vault already exists skip this task, go to Task B below)

A1. From Azure Portal, On the Hub menu, click All services and in the list of resources, type Recovery Services and click Recovery Services vaults.

If there are recovery services vaults in the subscription, the vaults are listed.

A2. On the Recovery Services vaults menu, click Add.

A3. The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource group, and Location.

Task B.

B1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, click Backup, then on the Getting Started with Backup blade, select Backup goal.

The Backup Goal blade opens. If the Recovery Services vault has been previously configured, then the Backup Goal blade opens when you click Backup on the Recovery Services vault blade.

B2. From the Where is your workload running? drop-down menu, select Azure.

B3. From the What do you want to backup? menu, select Virtual Machine, and click OK.

B4. Finish the Wizard.

Task C. Create a backup schedule

C1. Open the Microsoft Azure Backup agent. You can find it by searching your machine for Microsoft Azure Backup.

C2. In the Backup agent’s Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.

C3. On the Getting started page of the Schedule Backup Wizard, click Next.

C4. On the Select Items to Backup page, click Add Items.

The Select Items dialog opens.

C5. Select Blob Storage you want to protect, and then click OK.

C6. In the Select Items to Backup page, click Next.

On the Specify Backup Schedule page, specify

Schedule a backup every: day

At the following times: 2.00 AM

C7. On the Select Retention Policy page, set it to 90 days, and click Next.

C8. Finish the Wizard.

References:

https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault


Question #40

SIMULATION

You plan to connect several virtual machines to the VNET01-USEA2 virtual network.

In the Web-RGlod8322489 resource group, you need to create a virtual machine that uses the Standard_B2ms size named Web01 that runs Windows Server 2016. Web01 must be added to an availability set.

What should you do from the Azure portal?

Correct Answer: Step 1. Choose Create a resource in the upper left-hand corner of the Azure portal.

Step 2. In the Basics tab, under Project details, make sure the correct subscription is selected and then choose Web-RGlod8095859 resource group

Step 3. Under Instance details type/select:

Virtual machine name: Web01

Image: Windows Server 2016

Size: Standard_B2ms size

Leave the other defaults.

Step 4: Finish the Wizard


Question #41

SIMULATION

You recently created a virtual machine named Web01.

You need to attach a new 80-GB standard data disk named Web01-Disk1 to Web01.

What should you do from the Azure portal?

Correct Answer: Add a data disk

Step 1. In the Azure portal, from the menu on the left, select Virtual machines.

Step 2. Select the Web01 virtual machine from the list.

Step 3. On the Virtual machine page, in Essentials, select Disks.

Step 4. On the Disks page, select the Web01-Disk1 from the list of existing disks.

Step 5. In the Disks pane, click + Add data disk.

Step 6. Click the drop-down menu for Name to view a list of existing managed disks accessible to your Azure subscription.

Select the managed disk Web01-Disk1 to attach:

References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/attach-disk-portal


Question #42

SIMULATION

You plan to allow connections between the VNET01-USEA2 and VNET01-USWE2 virtual networks.

You need to ensure that virtual machines can communicate across both virtual networks by using their private IP address.

The solution must NOT require any virtual network gateways.

What should you do from the Azure portal?

Correct Answer: Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes.

Peer virtual networks

Step 1. In the Search box at the top of the Azure portal, begin typing VNET01-USEA2. When VNET01-USEA2 appears in the search results, select it.

Step 2. Select Peerings, under SETTINGS, and then select + Add, as shown in the following picture:

Step 3. Enter, or select, the following information, accept the defaults for the remaining settings, and then select OK.

Name: myVirtualNetwork1-myVirtualNetwork2 (for example)

Subscription: Select your subscription.

Virtual network: VNET01-USWE2 – To select the VNET01-USWE2 virtual network, select Virtual network, then select VNET01-USWE2. You can select a virtual network in the same region or in a different region.

Now we need to repeat steps 1-3 for the other network VNET01-USWE2:

Step 4. In the Search box at the top of the Azure portal, begin typing VNET01-USEA2. When VNET01-USEA2 appears in the search results, select it.

Step 5. Select Peerings, under SETTINGS, and then select + Add.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal


Question #43

SIMULATION

You plan to host several secured websites on Web01.

You need to allow HTTPS over TCP port 443 to Web01 and to prevent HTTP over TCP port 80 to Web01.

What should you do from the Azure portal?

Correct Answer: You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Step A: Create a network security group

A1. Search for and select the resource group for the VM, choose Add, then search for and select Network security group.

A2. Select Create.

The Create network security group window opens.

A3. Create a network security group

Enter a name for your network security group.

Select or create a resource group, then select a location.

A4. Select Create to create the network security group.

Step B: Create an inbound security rule to allow HTTPS over TCP port 443

B1. Select your new network security group.

B2. Select Inbound security rules, then select Add.

B3. Add inbound rule

B4. Select Advanced.

From the drop-down menu, select HTTPS.

You can also verify by clicking Custom and selecting TCP port, and 443.

B5. Select Add to create the rule.

Repeat steps B2-B5 to deny TCP port 80.

B6. Select Inbound security rules, then select Add.

B7. Add inbound rule

B8. Select Advanced.

Click Custom and select TCP port and 80.

B9. Select Deny.

Step C: Associate your network security group with a subnet

Your final step is to associate your network security group with a subnet or a specific network interface.

C1. In the Search resources, services, and docs box at the top of the portal, begin typing Web01. When the Web01 VM appears in the search results, select it.

C2. Under SETTINGS, select Networking. Select Configure the application security groups, select the Security Group you created in Step A, and then select Save, as shown in the following picture:

References:

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
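The rule evaluation behind Steps B and C, as an added example that is not part of the original answer: a network security group checks rules in ascending priority order and stops at the first match, then falls through to Azure's default rules. The model below shows that the explicit deny for port 80 matters for traffic from inside the virtual network, which the default AllowVnetInBound rule would otherwise admit. The address space, rule names, priorities 100 and 110, and the simplified service-tag matching are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address space; the page does not give Web01's virtual network range.
VNET = ip_network("10.0.0.0/16")
AZURE_LB_PROBE = ip_address("168.63.129.16")  # source behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    priority: int   # 100-4096 for custom rules; lower numbers are evaluated first
    name: str
    source: str     # "*", "VirtualNetwork", "AzureLoadBalancer" or a CIDR
    port: str       # "*" or one destination port
    protocol: str   # "*", "Tcp" or "Udp"
    access: str     # "Allow" or "Deny"


# Default inbound rules present in every NSG (they cannot be deleted).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]

# The two custom rules from Step B; names and priorities are hypothetical.
WEB01_RULES = [
    Rule(100, "Allow-HTTPS-443", "*", "443", "Tcp", "Allow"),
    Rule(110, "Deny-HTTP-80", "*", "80", "Tcp", "Deny"),
]


def validate(custom_rules):
    """Reject rule sets Azure would refuse: bad priority range or duplicates."""
    seen = set()
    for rule in custom_rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: priority must be 100-4096")
        if rule.priority in seen:
            raise ValueError(f"{rule.name}: duplicate priority {rule.priority}")
        seen.add(rule.priority)


def _source_matches(rule_source, src_ip):
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":      # simplified: only the VNet's own range
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ip_network(rule_source)


def evaluate_inbound(custom_rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first rule that matches the flow."""
    validate(custom_rules)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.port not in ("*", str(dst_port)):
            continue
        if _source_matches(rule.source, src_ip):
            return rule.access, rule.name
    return "Deny", "no-match"


def allowed_sources(custom_rules, dst_port, probes):
    """Names of the probe sources (name -> IP) that can reach dst_port."""
    return sorted(name for name, ip in probes.items()
                  if evaluate_inbound(custom_rules, ip, dst_port)[0] == "Allow")


if __name__ == "__main__":
    probes = {"internet": "198.51.100.7", "same-vnet": "10.0.1.5"}  # constructed
    print("port 80, allow rule only :", allowed_sources(WEB01_RULES[:1], 80, probes))
    print("port 80, with deny rule  :", allowed_sources(WEB01_RULES, 80, probes))
    print("port 443, with both rules:", allowed_sources(WEB01_RULES, 443, probes))
```

Ports other than 80 and 443 remain reachable from inside the virtual network through AllowVnetInBound unless further deny rules are added.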


Question #44

SIMULATION

Your on-premises network uses an IP address range of 131.107.2.0 to 131.107.2.255.

You need to ensure that only devices from the on-premises network can connect to the rg1lod7523691n1 storage account.

What should you do from the Azure portal?

Correct Answer: Step 1: Navigate to the rg1lod7523691n1 storage account.

Step 2: Click on the settings menu called Firewalls and virtual networks.

Step 3: Ensure that you have elected to allow access from ‘Selected networks’.

Step 4: To grant access to an internet IP range, enter the address range of 131.107.2.0 to 131.107.2.255 (in CIDR format) under Firewall, Address Ranges.

References: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
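Step 4 above asks for the range in CIDR format, and Question #36 turns on whether two address spaces overlap; both are address arithmetic that can be checked before touching the portal. The following is an added example, not part of the original answers. The rejection of RFC 1918 ranges and the expansion of /31 and /32 blocks into single addresses follow Microsoft's storage network security documentation rather than this page, and the function names and the replacement range 10.1.0.0/16 are assumptions.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Private ranges (RFC 1918) that a storage account IP rule does not accept.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def storage_ip_rules(first, last):
    """Turn an inclusive first..last range into storage firewall entries.

    Returns the smallest list of CIDR blocks that covers exactly the range.
    Blocks of /31 or /32 are expanded to individual addresses because the
    storage firewall takes those as single-IP rules, not as CIDR ranges.
    Raises ValueError for reversed ranges or ranges touching private space.
    """
    entries = []
    # summarize_address_range raises ValueError when first > last
    for net in summarize_address_range(ip_address(first), ip_address(last)):
        if any(net.overlaps(private) for private in RFC1918):
            raise ValueError(f"{net} is private address space; use the public egress range")
        if net.prefixlen >= 31:
            entries.extend(str(ip) for ip in net)  # every address in the block
        else:
            entries.append(str(net))
    return entries


def peering_conflicts(vnet_a_spaces, vnet_b_spaces):
    """Return every pair of address spaces that overlap, fully or partly.

    Peering needs this list to be empty. A partial overlap (one range nested
    inside the other) blocks peering just like two identical ranges do.
    """
    return [(a, b)
            for a in vnet_a_spaces
            for b in vnet_b_spaces
            if ip_network(a).overlaps(ip_network(b))]


if __name__ == "__main__":
    # Question #44: the on-premises range from the task statement.
    print(storage_ip_rules("131.107.2.0", "131.107.2.255"))
    # A range that does not align to one block yields several entries.
    print(storage_ip_rules("131.107.2.0", "131.107.3.127"))
    # Question #36: VNet1 as shown in the exhibit versus VNet2.
    print(peering_conflicts(["10.2.0.0/16"], ["10.2.0.0/16"]))
    # After modifying VNet1 to a constructed non-overlapping range.
    print(peering_conflicts(["10.1.0.0/16"], ["10.2.0.0/16"]))
```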

Question #45

SIMULATION

You plan to store media files in the rg1lod8322490 storage account.

You need to configure the storage account to store the media files. The solution must ensure that only users who have access keys can download the media files and that the files are accessible only over HTTPS.

What should you do from the Azure portal?

Correct Answer: We should create an Azure file share.

Step 1: In the Azure portal, select All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.

On the Storage Accounts window that appears.

Step 2: Locate the rg1lod7523691n1 storage account.

Step 3: On the storage account page, in the Services section, select Files.

Step 4: On the menu at the top of the File service page, click + File share. The New file share page drops down.

Step 5: In Name type myshare. Click OK to create the Azure file share.

References: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-portal


Question #46

SIMULATION

Another administrator attempts to establish connectivity between two virtual networks named VNET1 and VNET2. The administrator reports that connections across the virtual networks fail.

You need to ensure that network connections can be established successfully between VNET1 and VNET2 as quickly as possible.

What should you do from the Azure portal?

Correct Answer: You can connect one VNet to another VNet using either a Virtual network peering, or an Azure VPN Gateway.

To create a virtual network gateway

Step1: In the portal, on the left side, click +Create a resource and type ‘virtual network gateway’ in search. Locate Virtual network gateway in the search return and

click the entry. On the Virtual network gateway page, click Create at the bottom of the page to open the Create virtual network gateway page.

Step 2: On the Create virtual network gateway page, fill in the values for your virtual network gateway.

Name: Name your gateway.

Name: Name your gateway. This is not the same as naming a gateway subnet. It’s the name of the gateway object you are creating.

Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.

Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the ‘Choose a virtual network’ page. Select the VNet. If you don’t see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.

Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network. If you previously created a valid gateway subnet, this setting will not appear.

Step 4: Select Create New to create a Gateway subnet.

Step 5: Click Create to begin creating the VPN gateway. The settings are validated and you’ll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.

References: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal


Question #47

SIMULATION

You plan to configure VM1 to be accessible from the internet.

You need to add a public IP address to the network interface used by VM1.

What should you do from the Azure portal?

Correct Answer: You can add private and public IP addresses to an Azure network interface by completing the steps that follow.

Step 1: In Azure portal, click More services > type virtual machines in the filter box, and then click Virtual machines.

Step 2: In the Virtual machines pane, click the VM you want to add IP addresses to. Click Network interfaces in the virtual machine pane that appears, and then select the network interface you want to add the IP addresses to. In the example shown in the following picture, the NIC named myNIC from the VM named myVM is selected:

Step 3: In the pane that appears for the NIC you selected, click IP configurations.

Step 4: Click Create public IP address.

Step 5: In the Create public IP address pane that appears, enter a Name, select an IP address assignment type, a Subscription, a Resource group, and a Location, then click Create, as shown in the following picture:

References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal


Question #48

SIMULATION

You need to allow RDP connections over TCP port 3389 to VM1 from the Internet. The solution must prevent connections from the Internet over all other TCP ports.

What should you do from the Azure portal?

Correct Answer: Step 1: Create a new network security group.

Step 2: Select your new network security group.

Step 3: Select Inbound security rules. Under Add inbound security rule, enter the following:

Destination: Select Network security group, and then select the security group you created previously.

Destination port ranges: 3389

Protocol: Select TCP

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic


Question #49

HOTSPOT

You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of Windows Server 2016 Datacenter by using an Azure Marketplace image.

You need to complete the storageProfile section of the template.

How should you complete the storageProfile section? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

…
"storageProfile": {
    "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "2016-Datacenter",
        "version": "latest"
    },
    …



References:

https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate


Question #50

You have an Azure tenant that contains two subscriptions named Subscription1 and Subscription2.

In Subscription1, you deploy a virtual machine named Server1 that runs Windows Server 2016. Server1 uses managed disks.

You need to move Server1 to Subscription2. The solution must minimize administration effort.

What should you do first?

  • A . Create a new virtual machine in Subscription2
  • B . In Subscription2, create a copy of the virtual disk
  • C . Create a snapshot of the virtual disk
  • D . From Azure PowerShell, run the Move-AzureRmResource cmdlet

Correct Answer: D

Explanation:

To move existing resources to another resource group or subscription, use the Move-AzureRmResource cmdlet.

References:

https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-move-resources#move-resources

Question #51

You have an Azure subscription.

You have an on-premises virtual machine named VM1.

The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.

What should you modify on VM1?

  • A . the processor
  • B . the memory
  • C . Integration Services
  • D . the hard drive
  • E . the network adapters

Correct Answer: D

Explanation:

From the exhibit we see that the disk is in the VHDX format.

Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed-size disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to a fixed-size disk.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json

Question #52

You have an Azure policy as shown in the following exhibit.

What is the effect of the policy?

  • A . You can create Azure SQL servers in any resource group within Subscription 1.
  • B . You can create Azure SQL servers in ContosoRG1 only.
  • C . You are prevented from creating Azure SQL Servers in ContosoRG1 only.
  • D . You are prevented from creating Azure SQL servers anywhere in Subscription 1.

Correct Answer: B

Explanation:

You are prevented from creating Azure SQL servers anywhere in Subscription 1, with the exception of ContosoRG1.

Question #53

DRAG DROP

You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each department uses resources in several resource groups.

You need to send a report to the finance department. The report must detail the costs for each department.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Box 1: Assign a tag to each resource.

You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs. Tags applied to the resource group are not inherited by the resources in that resource group.

Box 2: From the Cost analysis blade, filter the view by tag

After you get your services running, regularly check how much they’re costing you. You can see the current spend and burn rate in Azure portal.


Question #58

You have an Azure subscription that contains a resource group named RG1. RG1 contains 100 virtual machines.

Your company has three cost centers named Manufacturing, Sales, and Finance.

You need to associate each virtual machine to a specific cost center.

What should you do?

  • A . Add an extension to the virtual machines
  • B . Modify the inventory settings of the virtual machine
  • C . Assign tags to the virtual machines
  • D . Configure locks for the virtual machine

Correct Answer: C

Explanation:

You apply tags to your Azure resources to logically organize them into a taxonomy. Each tag consists of a name and a value pair. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value.

Tags enable you to retrieve related resources from different resource groups.

This approach is helpful when you need to organize resources for billing or management.

Reference:

https://docs.microsoft.com/en-us/azure/billing/billing-getting-started

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

Question #59

HOTSPOT

Your company has a virtualization environment that contains the virtualization hosts shown in the following table.

The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker). You plan to migrate the virtual machines to Azure by using Azure Site Recovery. You need to identify which virtual machines can be migrated.

Which virtual machines should you identify for each server? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Incorrect Answers: VM1 cannot be migrated as it has BitLocker enabled. VM2 cannot be migrated as the OS disk on VM2 is larger than 2TB. VMC cannot be migrated as the Data disk on VMC is larger than 4TB.

References:

https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-requirements


Question #60

HOTSPOT

You have an Azure subscription that contains multiple resource groups.

You create an availability set as shown in the following exhibit.

You deploy 10 virtual machines to AS1.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: 6

Two out of three update domains would be available, each with at least 3 VMs. An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.

As you create VMs within an availability set, the Azure platform automatically distributes your VMs across these update domains. This approach ensures that at least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.

Box 2: the West Europe region and the RG1 resource group

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/regions


Question #61

You have an Azure subscription that contains two storage accounts named storagecontoso1 and storagecontoso2. Each storage account contains a queue service, a table service, and a blob service.

You develop two apps named App1 and App2. You need to configure the apps to store different types of data to all the storage services on both the storage accounts.

How many endpoints should you configure for each app?

  • A . 2
  • B . 3
  • C . 6
  • D . 12

Correct Answer: A

Explanation:

Each app needs a service endpoint in each Storage Account.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Question #62

HOTSPOT

You have an Azure subscription named Subscription1.

You have a virtualization environment that contains the virtualization servers in the following table.

The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker). You plan to use Azure Site Recovery to migrate the virtual machines to Azure.

Which virtual machines can you migrate? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Incorrect Answers: VM1 cannot be migrated as it has BitLocker enabled. VM2 cannot be migrated as the OS disk on VM2 is larger than 2TB. VMC cannot be migrated as the Data disk on VMC is larger than 4TB.

References:

https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-requirements


Question #63

SIMULATION

You plan to migrate a large amount of corporate data to Azure Storage and to back up files stored on old hardware to Azure Storage.

You need to create a storage account named corpdata8548984n1, in the corpdatalod8548984 resource group.

The solution must meet the following requirements:

– corpdata8548984n1 must be able to host the virtual disk files for Azure virtual machines

– The cost of accessing the files must be minimized

– Replication costs must be minimized

What should you do from the Azure portal?

Correct Answer: Step 1: In the Azure portal, click All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.

Step 2: On the Storage Accounts window that appears, choose Add.

Step 3: Select the subscription in which to create the storage account.

Step 4: Under the Resource group field, select corpdatalod8548984.

Step 5: Enter a name for your storage account: corpdata8548984n1

Step 6: For Account kind select: General-purpose v2 accounts (recommended for most scenarios). General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.

Step 7: For replication select: Read-access geo-redundant storage (RA-GRS)

Read-access geo-redundant storage (RA-GRS) maximizes availability for your storage account. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview


Question #64

SIMULATION

You plan to move backup files and documents from an on-premises Windows file server to Azure Storage. The backup files will be stored as blobs.

You need to create a storage account named corpdata8548984n2.

The solution must meet the following requirements:

– Ensure that the documents are accessible via drive mappings from Azure virtual machines that run Windows Server 2016

– Provide the highest possible redundancy for the documents

– Minimize storage access costs

What should you do from the Azure portal?

Correct Answer: Step 1: In the Azure portal, click All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.

Step 2: On the Storage Accounts window that appears, choose Add.

Step 3: Select the subscription in which to create the storage account.

Step 4: Under the Resource group field, select Create New. Create a new Resource

Step 5: Enter a name for your storage account: corpdata8548984n2

Step 6: For Account kind select: General-purpose v2 accounts (recommended for most scenarios). General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.

Step 7: For replication select: Read-access geo-redundant storage (RA-GRS)

Read-access geo-redundant storage (RA-GRS) maximizes availability for your storage account. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview


Question #65

SIMULATION

You need to deploy two Azure virtual machines named VM1003a and VM1003b based on an Ubuntu Server image.

The deployment must meet the following requirements:

– Provide a Service Level Agreement (SLA) of 99.95 percent availability

– Use managed disks

What should you do from the Azure portal?

Correct Answer: Step 1: Open the Azure portal.

Step 2: On the left menu, select All resources. You can sort the resources by Type to easily find your images.

Step 3: Select the image you want to use from the list. The image Overview page opens.

Step 4: Select Create VM from the menu.

Step 5: Enter the virtual machine information. Select VM1003a as the name for the first Virtual machine. The user name and password entered here will be used to log in to the virtual machine. When complete, select OK. You can create the new VM in an existing resource group, or choose Create new to create a new resource group to store the VM.

Step 6: Select a size for the VM. To see more sizes, select View all or change the Supported disk type filter.

Step 7: Under Settings, make changes as necessary and select OK.

Step 8: On the summary page, you should see your image name listed as a Private image. Select Ok to start the virtual machine deployment.

Repeat the procedure for the second VM and name it VM1003b.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed

Question #66

SIMULATION

You need to deploy an Azure virtual machine named VM1004a based on an Ubuntu Server image, and then to configure VM1004a to meet the following requirements:

– The virtual machines must contain data disks that can store at least 15 TB of data

– The data disk must be able to provide at least 2,000 IOPS

– Storage costs must be minimized

What should you do from the Azure portal?

Correct Answer: Step 1: Open the Azure portal.

Step 2: On the left menu, select All resources. You can sort the resources by Type to easily find your images.

Step 3: Select the image you want to use from the list. The image Overview page opens.

Step 4: Select Create VM from the menu.

Step 5: Enter the virtual machine information. Select VM1004a as the name for the first Virtual machine. The user name and password entered here will be used to log in to the virtual machine. When complete, select OK. You can create the new VM in an existing resource group, or choose Create new to create a new resource group to store the VM.

Step 6: Select a size for the VM. To see more sizes, select View all or change the Supported disk type filter. To support 15 TB of data you would need a Premium disk.

Step 7: Under Settings, make changes as necessary and select OK.

Step 8: On the summary page, you should see your image name listed as a Private image. Select OK to start the virtual machine deployment.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed

Question #67

SIMULATION

You plan to create 100 Azure virtual machines on each of the following three virtual networks:

– VNET1005a

– VNET1005b

– VNET1005c

All the network traffic between the three virtual networks will be routed through VNET1005a. You need to create the virtual networks, and then to ensure that all the Azure virtual machines can connect to other virtual machines by using their private IP address. The solutions must NOT require any virtual gateways and must minimize the number of peerings.

What should you do from the Azure portal before you configure IP routing?

Correct Answer: Step 1: Click Create a resource in the portal.

Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears. Click Virtual network when it appears in the search results.

Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then click Create.

Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:

Name: VNET1005a

Address space: 10.0.0.0/16

Subnet name: subnet0

Resource group: Create new

Subnet address range: 10.0.0.0/24

Subscription and location: Select your subscription and location.

Step 5: Repeat steps 3-5 for VNET1005b (10.1.0.0/16, 10.1.0.0/24), and for VNET1005c (10.2.0.0/16, 10.2.0.0/24).

References:

https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic

Question #68

SIMULATION

You plan to deploy several Azure virtual machines and to connect them to a virtual network named VNET1007.

You need to ensure that future virtual machines on VNET1007 can register their name in an internal DNS zone named corp8548984.com. The zone must NOT be hosted on a virtual machine.

What should you do from Azure Cloud Shell?

To complete this task, start Azure Cloud Shell and select PowerShell (Linux), Click Show Advanced settings, and then enter corp8548984n1 in the Storage account text box and File1 share text box. Click Create storage, and then complete the task.

Correct Answer: Step 1: Launch Cloud Shell from the top navigation of the Azure portal.

Step 2: Select PowerShell

When you start the Azure Cloud Shell for the first time, you will be prompted to create a storage account in order to associate a new Azure File Share to persist files across sessions.

Step 3: Click Show Advanced settings.

Step 4: Enter corp8548984n1 in the Storage account text box and File1 share text box. Click Create storage.

Step 5: Enter the following command at the PowerShell command prompt:

New-AzDnsZone -Name "corp8548984.com" -ResourceGroupName "mycloudshell" -ZoneType Private -RegistrationVirtualNetworkId VNET1007

Note: A DNS zone is created by using the New-AzDnsZone cmdlet with a value of Private for the ZoneType parameter.

References:

https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-powershell

https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart-powershell

https://docs.microsoft.com/en-us/powershell/module/az.dns/new-azdnszone?view=azps-1.5.0


Question #69

SIMULATION

Another administrator reports that she is unable to configure a web app named corplod8548987n3 to prevent all connections from an IP address of 11.0.0.11.

You need to modify corplod8548987n3 to successfully prevent the connections from the IP address.

The solution must minimize Azure-related costs.

What should you do from the Azure portal?

Correct Answer: Step 1:

Find and select application corplod8548987n3:

Question #72

SIMULATION

You need to add a deployment slot named staging to an Azure web app named corplod10217507n4.

The solution must meet the following requirements:

– When new code is deployed to staging, the code must be swapped automatically to the production slot.

– Azure-related costs must be minimized.

What should you do from the Azure portal?

Correct Answer: Step 1:

Locate and open the corplod@lab.LabInstance.Idn4 web app.

Question #75

SIMULATION

You plan to deploy an application gateway named appgw1015 to load balance internal IP traffic to the Azure virtual machines connected to subnet0.

You need to configure a virtual network named VNET1015 to support the planned application gateway.

What should you do from the Azure portal?

Correct Answer: Step 1:

Click Networking, Virtual Network, and select VNET1015.

Step 2:

Click Subnets, and Click +Add on the VNET1015 – Subnets pane that appears.

Step 3:

On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.

Step 4:

Locate subnet0 and add it.

References:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resourcemanager-portal


Question #76

SIMULATION

You plan to connect a virtual network named VNET1017 to your on-premises network by using both an Azure ExpressRoute and a site-to-site VPN connection.

You need to prepare the Azure environment for the planned deployment. The solution must maximize the IP address space available to Azure virtual machines.

What should you do from the Azure portal before you create the ExpressRoute and the VPN gateway?

Correct Answer: We need to create a Gateway subnet

Step 1:

Go to More Services > Virtual Networks

Step 2:

Then click on the VNET1017, and click on subnets. Then click on gateway subnet.

Step 3:

In the next window define the subnet for the gateway and click OK

It is recommended to use /28 or /27 for gateway subnet.

As we want to maximize the IP address space we should use /27.

References:

https://blogs.technet.microsoft.com/canitpro/2017/06/28/step-by-step-configuring-a-site-to-site-vpngateway-between-azure-and-on-premise/


Question #77

HOTSPOT

You have an Azure subscription named Subscription1 that contains a virtual network named VNet1.

You add the users in the following table.

Which user can perform each configuration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: User1 and User3 only.

The Owner Role lets you manage everything, including access to resources.

The Network Contributor role lets you manage networks, but not access to them.

Box 2: User1 and User2 only

The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles


Question #78

You have an Azure subscription that contains three virtual networks named VNet1, VNet2, and VNet3. VNet2 contains a virtual appliance named VM2 that operates as a router. You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network. You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3. You need to provide connectivity between VNet1 and VNet3 through VNet2.

Which two configurations should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . On the peering connections, allow forwarded traffic
  • B . Create a route filter
  • C . On the peering connections, allow gateway transit
  • D . Create route tables and assign the table to subnets
  • E . On the peering connections, use remote gateways

Correct Answer: CE

Explanation:

Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network to flow through the gateway.

The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to this virtual network.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

Question #79

DRAG DROP

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.

The virtual networks have the address spaces and the subnets configured as shown in the following table.

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Step 1: Remove peering between Vnet1 and VNet2.

You can’t add address ranges to, or delete address ranges from a virtual network’s address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

Step 2: Add the 10.44.0.0/16 address space to VNet1.

Step 3: Recreate peering between VNet1 and VNet2

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering


Question #80

HOTSPOT

You are designing a virtual network to support a web application. The web application uses Blob storage to store large images. The web application will be deployed to an Azure App Service Web App.

You have the following requirements:

– Secure all communications by using Secure Sockets Layer (SSL)

– SSL encryption and decryption must be processed efficiently to support high traffic load on the web application

– Protect the web application from web vulnerabilities and attacks without modification to backend code

– Optimize web application responsiveness and reliability by routing HTTP request and responses to the endpoint with the lowest network latency for the client.

You need to configure the Azure components to meet the requirements.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Azure application Gateway

Azure Application Gateway supports end-to-end encryption of traffic. Application Gateway terminates the SSL connection at the application gateway. The gateway then applies the routing rules to the traffic, re-encrypts the packet, and forwards the packet to the appropriate back-end server based on the routing rules defined. Any response from the web server goes through the same process back to the end user.

Box 2: Azure Security Center

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud – whether they’re in Azure or not – as well as on premises.

Box 3: Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.

References:

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell

https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview

https://docs.microsoft.com/en-us/azure/security-center/security-center-intro


Question #81

HOTSPOT

You have Azure Storage accounts as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.

– General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.

– Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.

– General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options


Question #82

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs). A monitoring solution on a different network will need access to the VMs inside the scale set. You need to define public access to the VMs.

Solution: Deploy a standalone VM that has a public IP address to the virtual network.

Does the solution meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Question #83

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs). A monitoring solution on a different network will need access to the VMs inside the scale set. You need to define public access to the VMs.

Solution: Implement an Azure Load Balancer.

Does the solution meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #84

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs). A monitoring solution on a different network will need access to the VMs inside the scale set. You need to define public access to the VMs.

Solution: Design a scale set to automatically assign public IP addresses to all VMs.

Does the solution meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #85

HOTSPOT

You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.

You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.

What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: 4

Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET. The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

Box 2: 2

Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.

Box 3: 2

Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

References:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable


Question #86

HOTSPOT

You have peering configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: vNET6 only

Box 2: Modify the address space

The virtual networks you peer must have non-overlapping IP address spaces.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints


Question #87

You have an Azure Kubernetes Service (AKS) cluster named Clus1 in a resource group named RG1.

An administrator plans to manage Clus1 from an Azure AD-joined device.

You need to ensure that the administrator can deploy the YAML application manifest file for a container application.

You install the Azure CLI on the device.

Which command should you run next?

  • A . kubectl get nodes
  • B . az aks install-cli
  • C . kubectl apply -f appl.yaml
  • D . az aks get-credentials --resource-group RG1 --name Clus1

Correct Answer: C

Explanation:

kubectl apply -f appl.yaml applies a configuration change to a resource from a file or stdin.

Incorrect Answers:

A: kubectl get nodes gets a list of all nodes.

B: az aks install-cli downloads and installs the Kubernetes command-line tool.

D: az aks get-credentials gets access credentials for a managed Kubernetes cluster.

References:

https://kubernetes.io/docs/reference/kubectl/overview/

https://docs.microsoft.com/en-us/cli/azure/aks

Question #88

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs). A monitoring solution on a different network will need access to the VMs inside the scale set. You need to define public access to the VMs.

Solution: Use Remote Desktop Protocol (RDP) to connect to the VM in the scale set.

Does the solution meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Explanation:

Instead, deploy a standalone VM that has a public IP address to the virtual network.

Question #89

You have an Azure subscription that contains the virtual networks shown in the following table.

You need to recommend a connectivity solution that will enable the virtual machines on VNET1 and VNET2 to communicate through the Microsoft backbone infrastructure.

What should you include in the recommendation?

  • A . Azure ExpressRoute
  • B . peering
  • C . a site-to-site VPN
  • D . a point-to-site VPN

Correct Answer: B

Explanation:

Virtual network peering enables you to seamlessly connect Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP addresses only.

Azure supports:

– VNet peering – connecting VNets within the same Azure region

– Global VNet peering – connecting VNets across Azure regions

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Question #90

You create an Azure virtual machine named VM1 in a resource group named RG1.

You discover that VM1 performs slower than expected.

You need to capture a network trace on VM1.

What should you do?

  • A . From Diagnostic settings for VM1, configure the performance counters to include network counters.
  • B . From the VM1 blade, configure Connection troubleshoot.
  • C . From the VM1 blade, install performance diagnostics and run advanced performance analysis.
  • D . From Diagnostic settings for VM1, configure the log level of the diagnostic agent.

Correct Answer: C

Explanation:

The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM). Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.

Advanced performance analysis, included in the performance diagnostics tool, includes all checks in the performance analysis, and collects one or more of the traces, as listed in the following sections. Use this scenario to troubleshoot complex issues that require additional traces. Running this scenario for longer periods will increase the overall size of diagnostics output, depending on the size of the VM and the trace options that are selected.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics

Question #91

You have an Azure subscription that contains the resource groups shown in the following table.

The subscription contains the storage accounts shown in the following table.

You create a Recovery Services vault named Vault1 in RG1 in the West US location. You need to identify which storage accounts can be used to archive the diagnostics logs of Vault1.

Which storage accounts should you identify?

  • A . Storage1 only
  • B . Storage2 only
  • C . Storage3 only
  • D . Storage1 or Storage2 only
  • E . Storage1 or Storage3 only

Correct Answer: DE

Explanation:

The same region or the same resource group.

Question #92

HOTSPOT

You have an Azure subscription.

You plan to deploy two Azure web apps that have the requirements shown in the following table.

You need to select the App Service plans for the web apps. The solution must minimize costs.

Which App Service plan should you select for each web app? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://azure.microsoft.com/en-us/pricing/details/app-service/plans/


Question #93

You have an Azure subscription.

You create a custom role in Azure by using the following Azure Resource Manager template.

You assign the role to a user named User1.

Which action can User1 perform?

  • A . Delete virtual machines.
  • B . Create resource groups.
  • C . Create virtual machines.
  • D . Create support requests.

Correct Answer: D

Explanation:

The "Microsoft.Support/*" operation will allow the user to create support tickets.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

Question #94

A company plans to use third-party application software to perform complex data analysis processes. The software will use up to 500 identical virtual machines (VMs) based on an Azure Marketplace VM image.

You need to design the infrastructure for the third-party application server.

The solution must meet the following requirements:

– The number of VMs that are running at any given point in time must change when the user workload changes.

– When a new version of the application is available in Azure Marketplace it must be deployed without causing application downtime.

– Use VM scale sets.

– Minimize the need for ongoing maintenance.

Which two technologies should you recommend? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . single storage account
  • B . autoscale
  • C . single placement group
  • D . managed disks

Correct Answer: BD

Question #95

HOTSPOT

You have an Azure subscription that contains the storage account shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: No

Azure Files supports two storage tiers: premium and standard. Standard file shares are created in general purpose (GPv1 or GPv2) storage accounts and premium file shares are created in FileStorage storage accounts.

You cannot create Azure file shares from Blob storage accounts or premium general purpose (GPv1 or GPv2) storage accounts. Standard Azure file shares must be created in standard general purpose accounts only and premium Azure file shares must be created in FileStorage storage accounts only. Premium general purpose (GPv1 and GPv2) storage accounts are for premium page blobs only.

Box 2: Yes

Geo-redundant storage (GRS) brings additional redundancy to the data storage over either LRS or ZRS. Along with the three copies of your data stored within a single region, a further three copies are stored in the twinned Azure region. So using GRS means you get all the features of the LRS storage within your primary zone, but you also get a second LRS data storage in a neighbouring Azure region. This data is updated asynchronously, so there is a small lag between the 2 data sets, but for most cases this is acceptable.

Box 3: Yes

Blob Storage Standard can be used with both LRS and GRS.

References:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq

https://www.skylinesacademy.com/blog/2019/7/31/azure-storage-replication

https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction


Question #96

HOTSPOT

You create and save an Azure Resource Manager template named Template1 that includes the following four sections.

Section1.

Section2.

Section3.

Section4.

You deploy Template1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #97

You have an Azure subscription that contains the storage accounts shown in the following table.

All storage accounts contain blobs only. You need to implement several lifecycle management rules for all storage accounts.

What should you do first?

  • A . Upgrade contosostorage1 and contosostorage2 to General Purpose V2 accounts.
  • B . Move 5 TB of blob data from contosostorage3 to contosostorage4.
  • C . Move 5 TB of blob data from contosostorage1 to contosostorage2.
  • D . Recreate contosostorage5 as a General Purpose V2 account.

Correct Answer: A

Explanation:

Microsoft recommends that you use a general-purpose v2 storage account for most scenarios. You can easily upgrade a general-purpose v1 or an Azure Blob storage account to a general-purpose v2 account with no downtime and without the need to copy data.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-scalability-targets

Question #98

HOTSPOT

You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the virtual machines shown in the following table.

RG2 contains the virtual machines shown in the following table.

All the virtual machines are configured to use premium disks and are accessible from the Internet.

VM1 and VM2 are in an availability set named AVSET1. VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2. VM5 and VM6 are in different availability zones.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Yes

VM1 and VM2 are in an availability set named AVSET1.

For all Virtual Machines that have two or more instances deployed in the same Availability Set, we [Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.

Box 2: No

VM3 and VM4 are in the same availability zone and are in an availability set named AVSET2.

Box 3: Yes

VM5 and VM6 are in different availability zones.

For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in the same Azure region, we [Microsoft] guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.99% of the time.

References: https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/


Question #99

DRAG DROP

You have an Azure virtual machine named VM1 that runs Windows Server 2016. You install a line-of-business application on VM1. You need to create an Azure virtual machine by using VM1 as a custom image.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Step 1: Run sysprep.exe on VM1.

If a template or system image is used, system administrators must run the Sysprep tool to clear the SID information. Sysprep is usually one of the last tasks a system administrator performs when building a server image or template, so that each clone of the template generates a new unique SID and is prepared for a first-time boot.

The end result is a System template that functions as a new unique build every time it is deployed.

Step 2: From Azure CLI, deallocate VM1 and mark VM1 as generalized

To create an image, the VM needs to be deallocated. Deallocate the VM with Stop-AzVm. Then, set the state of the VM as generalized with Set-AzVm so that the Azure platform knows the VM is ready for use as a custom image.

Step 3: Create a virtual machine scale set

Now create a scale set with New-AzVmss that uses the -ImageName parameter to define the custom VM image created in the previous step.

References:

https://thesolving.com/server-room/when-and-how-to-use-sysprep/

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-use-custom-image-powershell


Question #100

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You consent to Azure AD Privileged Identity Management (PIM).

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Explanation:

PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:

– Conduct access reviews to ensure users still need roles

Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. This includes access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or Microsoft Intune.

References:

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Question #101

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You assign the Global administrator role to Admin1.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:

– Conduct access reviews to ensure users still need roles

References: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Question #102

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com. A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available. Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles. You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You purchase an Azure Directory Premium P2 license for contoso.com.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:

– Conduct access reviews to ensure users still need roles

References:

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Question #103

You have a resource group named RG1 that contains the following:

– A virtual network that contains two subnets named Subnet1 and Subnet2

– An Azure Storage account named contososa1

– An Azure firewall deployed to Subnet2

You need to ensure that contososa1 is accessible from Subnet1 over the Azure backbone network.

What should you do?

  • A . Deploy an Azure firewall to Subnet1.
  • B . Remove the Azure firewall.
  • C . Implement a virtual network service endpoint.
  • D . Create a stored access policy for contososa1.

Correct Answer: C

Explanation:

Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

Question #104

Your company has the groups shown in the following table.

The company has an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.

An administrator named Admin1 attempts to enable Enterprise State Roaming for all the users in the Managers group.

Admin1 reports that the options for Enterprise State Roaming are unavailable from Azure AD.

You verify that Admin1 is assigned the Global administrator role.

You need to ensure that Admin1 can enable Enterprise State Roaming.

What should you do?

  • A . Enforce Azure Multi-Factor Authentication (MFA) for Admin1.
  • B . Purchase an Azure AD Premium P1 license for each user in the Managers group.
  • C . Assign an Azure AD Privileged Identity Management (PIM) role to Admin1.
  • D . Purchase an Azure Rights Management (Azure RMS) license for each user in the Managers group.

Correct Answer: B

Explanation:

Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.

References:

https://docs.microsoft.com/bs-latn-ba/azure/active-directory/devices/enterprise-state-roaming-enable

Question #105

HOTSPOT

You plan to deploy an Azure virtual machine named VM1 by using an Azure Resource Manager template. You need to complete the template.

What should you include in the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Within your template, the dependsOn element enables you to define one resource as a dependent on one or more resources. Its value can be a comma-separated list of resource names.

Box 1: ‘Microsoft.Network/networkInterfaces’

This resource is a virtual machine. It depends on two other resources:

Microsoft.Storage/storageAccounts

Microsoft.Network/networkInterfaces

Box 2: ‘Microsoft.Network/virtualNetworks/’

The dependsOn element enables you to define one resource as a dependent on one or more resources. The resource depends on two other resources:

Microsoft.Network/publicIPAddresses

Microsoft.Network/virtualNetworks

References:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-create-templates-with-dependent-resources


Question #106

HOTSPOT

You plan to create a virtual machine as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: is guaranteed to remain the same

OS disk type: Premium SSD

Premium SSD Managed Disks are high performance Solid State Drive (SSD) based Storage designed to support I/O intensive workloads with significantly high throughput and low latency. With Premium SSD Managed Disks, you can provision a persistent disk and configure its size and performance characteristics.

Box 2: secure enclaves

Virtual machine size: Standard_DC2s

DC-series virtual machines are a new family of VMs to protect the confidentiality and integrity of your data and code while it’s processed in Azure through the use of secure enclaves.

Incorrect:

Not dm-crypt: Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-types

https://azure.microsoft.com/en-us/pricing/details/virtual-machines/series/


Question #107

HOTSPOT

A company runs multiple Windows virtual machines (VMs) in Azure. The IT operations department wants to apply the same policies as they have for on-premises VMs to the VMs running in Azure, including domain administrator permissions and schema extensions.

You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required.

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Join the VMs to a new domain controller VM in Azure

Azure provides two solutions for implementing directory and identity services in Azure:

– (Used in this scenario) Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.

– Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.

Box 2: Set up VPN connectivity.

This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.

References:

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/


Question #108

HOTSPOT

Your company has an Azure Container Registry named Registry1.

You have an Azure virtual machine named Server1 that runs Windows Server 2019.

From Server1, you create a container image named image1.

You need to add image1 to Registry1.

Which command should you run on Server1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

An Azure container registry stores and manages private Docker container images, similar to the way Docker Hub stores public Docker images. You can use the Docker command-line interface (Docker CLI) for login, push, pull, and other operations on your container registry.

Reference:

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli

https://docs.docker.com/engine/reference/commandline/push/


Question #109

Your company has an office in Seattle. You have an Azure subscription that contains a virtual network named VNET1. You create a site-to-site VPN between the Seattle office and VNET1.

VNET1 contains the subnets shown in the following table.

You need to redirect all Internet-bound traffic from Subnet1 to the Seattle office.

What should you create?

  • A . a route for GatewaySubnet that uses the virtual network gateway as the next hop
  • B . a route for GatewaySubnet that uses the local network gateway as the next hop
  • C . a route for Subnet1 that uses the local network gateway as the next hop
  • D . a route for Subnet1 that uses the virtual network gateway as the next hop

Correct Answer: D

Explanation:

A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP address that is not within the address prefix of any other route in a subnet’s route table. When a subnet is created, Azure creates a default route to the 0.0.0.0/0 address prefix, with the Internet next hop type. We need to create a custom route in Azure to use a virtual network gateway in the Seattle office as the next hop.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Question #110

HOTSPOT

You have an Azure subscription that contains the Azure SQL servers shown in the following table.

The subscription contains the elastic pools shown in the following table.

The subscription contains the Azure SQL databases shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Note: You cannot add databases from different servers into the same pool

Box 1: Yes

Pool2 contains DB2 but DB1 and DB2 are on Sql1. DB1 can thus be added to Pool2.

Box 2: Yes

Pool3 is empty.

Box 3: Yes

Pool1 contains DB1 but DB3 and DB1 are on Sql1. DB3 can thus be added to Pool1.

References:

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-pool


Question #111

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available. Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles. You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You create an access package.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Explanation:

You do not use access packages for Identity Governance. Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include: Conduct access reviews to ensure users still need roles

References:

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
