AZ-104 Exam 240209 577Q-conDiscusiones-251a500
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the resources shown in the following table.
Solution: You move VM1 to RG2, and then you add a new network interface to VM1.
A. Yes
B. No
Correct Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
Correct Answer: B - No
Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.
To migrate a VM from one VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC connected to
VNET2.
Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 95 times
If you create a VM and later want to migrate it into a VNet, it is not a simple configuration change. You must redeploy the VM into the
VNet. The easiest way to redeploy is to delete the VM, but not any disks attached to it, and then re-create the VM using the original disks in
the VNet.
upvoted 59 times
Selected Answer: B
The answer is NO
upvoted 1 times
Selected Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
upvoted 1 times
Selected Answer: B
B) "No"
The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.
Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 4 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
Selected Answer: B
B. No
upvoted 1 times
Besides, it seems possible to change the primary vNIC of a VM after deployment, so I'm not getting this whole "need to delete VM to
change VNET" thing. What am I missing?
upvoted 1 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the resources shown in the following table.
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.
A. Yes
B. No
Correct Answer: A
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
You should delete VM1. Then recreate VM1 and add the network interface for VM1.
To migrate a VM from one VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC connected to
VNET2.
Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 68 times
You should delete VM1. Then recreate VM1 and add the network interface for VM1.
upvoted 1 times
A) "Yes"
The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.
Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 1 times
Correct Answer: A
upvoted 1 times
Yep A is correct
upvoted 1 times
A. Yes
upvoted 1 times
Selected Answer: A
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the resources shown in the following table.
Solution: You turn off VM1, and then you add a new network interface to VM1.
A. Yes
B. No
Correct Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
Correct Answer: B - No
Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.
To migrate a VM from one VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC connected to
VNET2.
Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 37 times
Correct Answer: B- No
upvoted 1 times
Selected Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
upvoted 1 times
B) "No"
The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.
Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
B. No
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.
You plan to deploy the virtual machines shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16
vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas
Correct Answer:
Box 1: Yes
We can add 1 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 1 vCPU (VM3) = 19 vCPUs
Box 2: No
We cannot add 4 vCPUs. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 4 vCPU (VM4) = 22 vCPUs
Box 3: No
We cannot add 16 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 16 vCPU (VM5) = 34 vCPUs
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quota
upvoted 198 times
"The vCPU quotas for virtual machines and scale sets are arranged in two tiers for each subscription, in each region. The first tier is the
Total Regional vCPUs, and the second tier is the various VM size family cores such as the D-series vCPUs. Anytime a new VM is deployed
the vCPUs for the VM must not exceed the vCPU quota for the VM size family or the total regional vCPU quota. If you exceed either of
those quotas, the VM deployment won't be allowed. "
"Quota is calculated based on the total number of cores in use both allocated and deallocated. If you need additional cores, request a
quota increase or delete VMs that are no longer needed."
https://learn.microsoft.com/en-us/azure/virtual-machines/quotas
upvoted 5 times
Correct YES NO NO
The deallocated VMs are still using and reserving the used 16 vCPU + 2 vCPU, so in total we only have 2 vCPU available in the region
upvoted 144 times
Explanation:
Even though the VM2 is in a Stopped (Deallocated) Status and we do not get charged for the CPU\RAM resources, the quota will not have
the resources available to be consumed by other VM's.
Since the quota specifies a maximum of 20 Total regional vCPU's, we currently have 18 reserved by VM1 and VM2, so we can just deploy
VM3. VM4 and VM5 surpass our budget.
upvoted 6 times
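The two-tier quota check quoted in the discussion above (total regional vCPUs plus per-family vCPUs, with deallocated VMs still counted) can be modelled as follows. This is an added example, not part of the original page or of any Azure tooling; the regional quota and vCPU counts come from the explanation above, while the family labels A/B/C and the family quotas are constructed because the question's tables are not shown.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    family: str                # constructed family label; the page's table is not shown
    vcpus: int
    deallocated: bool = False  # informational only: it does NOT reduce quota usage


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def vcpus_in_use(vms, family=None):
    """vCPUs counted against quota. Deallocated VMs are included on purpose."""
    return sum(vm.vcpus for vm in vms if family is None or vm.family == family)


def check_deployment(existing, candidate, regional_quota, family_quotas):
    """Apply both quota tiers; exceeding either one blocks the deployment."""
    reasons = []

    # Tier 1: total regional vCPUs across every size family.
    regional_after = vcpus_in_use(existing) + candidate.vcpus
    if regional_after > regional_quota:
        reasons.append(f"regional: {regional_after} > {regional_quota}")

    # Tier 2: vCPUs of the candidate's own size family (no entry means quota 0).
    family_quota = family_quotas.get(candidate.family, 0)
    family_after = vcpus_in_use(existing, candidate.family) + candidate.vcpus
    if family_after > family_quota:
        reasons.append(f"family {candidate.family}: {family_after} > {family_quota}")

    return Verdict(allowed=not reasons, reasons=reasons)


# Values from the explanation above: 20 regional vCPUs, VM1 = 2, VM20 = 16 (deallocated).
REGIONAL_QUOTA = 20
FAMILY_QUOTAS = {"A": 10, "B": 20, "C": 4}   # constructed family quotas
EXISTING = [
    VM("VM1", "A", 2),
    VM("VM20", "B", 16, deallocated=True),
]
CANDIDATES = {
    "VM3": VM("VM3", "A", 1),
    "VM4": VM("VM4", "A", 4),
    "VM5": VM("VM5", "B", 16),
}


def evaluate(existing):
    """Check every planned VM independently against the current state."""
    return {
        name: check_deployment(existing, vm, REGIONAL_QUOTA, FAMILY_QUOTAS)
        for name, vm in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate(EXISTING).items():
        print(name, "Yes" if verdict.allowed else "No", verdict.reasons)

    # Deleting (not just deallocating) VM20 is what releases its 16 vCPUs.
    without_vm20 = [vm for vm in EXISTING if vm.name != "VM20"]
    for name, verdict in evaluate(without_vm20).items():
        print("after deleting VM20:", name, "Yes" if verdict.allowed else "No")
```
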
HOTSPOT -
You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update
domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.
Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault
domain so 7 VMs will be offline.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
Correct Answer:
Box 1: 2
There are 10 update domains. The 14 VMs are shared across the 10 update domains, so 4 update domains will have 2 VMs and 6 update
domains will have 1 VM. Only one update domain is rebooted at a time.
D1 D2 D3 D4 D5 D6 D7 D8 D9 D10
vm1 vm2 vm3 vm4 vm5 vm6 vm7 vm8 vm9 vm10
vm11 vm12 vm13 vm14
Maximum Down = 2
Minimum Down = 1
Box 2: 7
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
14 VM in 2 Fault Domain
Rack 1 Rack 2
vm1 vm8
vm2 vm9
vm3 vm10
vm4 vm11
vm5 vm12
vm6 vm13
vm7 vm14
Maximum Down = 7
Minimum Down = 7
upvoted 602 times
Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six
update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.
Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
upvoted 60 times
where is 14 VMs ?
upvoted 1 times
Explanation:
We have 14 VM's and 10 Update Domains. This means that 6 VM's will each be in its isolated Update Domain and 8 VM's will share an
Update Domain with another VM.
UpdateDomain1: 2 VM's
UpdateDomain2: 2 VM's
UpdateDomain3: 2 VM's
UpdateDomain4: 2 VM's
UpdateDomain5: 1 VM's
UpdateDomain6: 1 VM's
UpdateDomain7: 1 VM's
UpdateDomain8: 1 VM's
UpdateDomain9: 1 VM's
UpdateDomain10: 1 VM's
This means that when a scheduled update occurs at maximum 2 VM's will be down.
We also have 2 Fault Domains, which means that each Fault Domain will have 7 VM's inside. When a disaster occurs, at most 7 VM's will be
impacted.
upvoted 20 times
Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
upvoted 1 times
Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
upvoted 2 times
Maximum VM Down = 7
Minimum VM Down = 7
upvoted 23 times
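The domain arithmetic worked through in the answers above, generalised to any VM, update-domain and fault-domain count. This is an added example, not part of the original page; it assumes VMs are spread round-robin across domains in creation order, and the function names are hypothetical.

```python
from collections import Counter


def place_vms(vm_count, update_domains, fault_domains):
    """Assign each VM an update domain and a fault domain.

    Assumption: round-robin assignment in creation order.
    """
    return [
        {"vm": f"vm{i + 1}", "ud": i % update_domains, "fd": i % fault_domains}
        for i in range(vm_count)
    ]


def domain_load(placement, key, domain_count):
    """Number of VMs in every domain, including domains that stay empty."""
    counts = Counter(p[key] for p in placement)
    return [counts.get(d, 0) for d in range(domain_count)]


def worst_case_offline(vm_count, update_domains, fault_domains):
    """VMs taken offline by one planned-maintenance pass or one rack failure.

    Planned maintenance reboots one update domain at a time; a rack failure
    takes out one whole fault domain.
    """
    placement = place_vms(vm_count, update_domains, fault_domains)
    ud = domain_load(placement, "ud", update_domains)
    fd = domain_load(placement, "fd", fault_domains)
    return {
        "planned_maintenance": {"max": max(ud), "min": min(ud), "per_domain": ud},
        "rack_failure": {"max": max(fd), "min": min(fd), "per_domain": fd},
    }


if __name__ == "__main__":
    # The exhibit discussed above: 14 VMs, 10 update domains, 2 fault domains.
    result = worst_case_offline(14, 10, 2)
    print("update domains:", result["planned_maintenance"]["per_domain"])
    print("max offline during maintenance:", result["planned_maintenance"]["max"])
    print("fault domains:", result["rack_failure"]["per_domain"])
    print("max offline on rack failure:", result["rack_failure"]["max"])

    # Constructed variation: a third fault domain shrinks the rack-failure impact.
    print("with 3 fault domains:", worst_case_offline(14, 10, 3)["rack_failure"])
```
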
You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.
You need to provide internet users with access to the applications that run in Cluster1.
Which IP address should you include in the DNS record for Cluster1?
A. 131.107.2.1
B. 10.0.10.11
C. 172.17.7.1
D. 192.168.10.2
Correct Answer: A
Correct Answer: A
To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP.
Reference:
https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
upvoted 97 times
Correct Answer - A
To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP
upvoted 1 times
To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP.
upvoted 1 times
Selected Answer: A
To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP.
upvoted 1 times
Selected Answer: A
A) " 131.107.2.1"
In Kubernetes, when we expose apps we either expose them through Ingress using a single front-end load balancer IP, or we expose them
using Services like NodePort or LoadBalancer.
Based on the provided scenario we should map the DNS entry to the Load Balancer Front End IP and expose applications using Ingress.
upvoted 4 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
ddsfsfsd
upvoted 3 times
Selected Answer: A
A is correct
upvoted 1 times
A. 131.107.2.1
upvoted 1 times
A is correct... For me, when it says Internet users/Access and I see load balancer with front IP, that means it's the public IP and hence is the
answer, but also the Cluster IP can be considered if public LD was not there
upvoted 2 times
Selected Answer: A
aaaaaaaaaaaaaaa
upvoted 3 times
Selected Answer: A
Correct Answer : A
upvoted 2 times
You have a deployment template named Template1 that is used to deploy 10 Azure web apps.
You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
Correct Answer: B
Creating one App Service Plan, you can support up to 10 Web Apps. Adding any of the other resources is pointless and not noted as a
requirement.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 142 times
Correct: you only need a single App Service plan, as your web apps will share the service plan's resource availability.
Adding any of the other resources is pointless and not noted as a requirement.
upvoted 64 times
To minimize costs, you would want to host all 10 web apps within the same App Service plan, given they don't require separate scaling or
resource needs. If you use 10 separate App Service plans, you would be provisioning and paying for resources for each of those 10 plans
separately.
Selected Answer: B
Selected Answer: B
One App Service Plan can host a lot of Web Apps based on the SKU chosen: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans#should-i-put-an-app-in-a-new-plan-or-an-existing-plan
upvoted 5 times
Correct Answer: B
upvoted 1 times
Correct Answer: B
upvoted 1 times
Selected Answer: B
Selected Answer: B
Selected Answer: B
Correct answer
upvoted 1 times
HOTSPOT -
You plan to deploy an Azure container instance by using the following Azure Resource Manager template.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.
Hot Area:
Correct Answer:
Correct.
Explanation:
No Access restrictions are specified.
The "restartPolicy" is set as "OnFailure".
upvoted 49 times
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-restart-policy
upvoted 1 times
You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a
day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.
Correct Answer: C
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines/
Correct Answer: C
While resizing, the VM must be in a stopped state, therefore there will be a downtime.
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines
upvoted 124 times
Selected Answer: C
Selected Answer: C
Changing the size of an Azure virtual machine involves a stop and restart of the virtual machine, which will cause downtime for the line-of-business
application hosted on VM1. This downtime can be minimized by using Azure Availability Sets or by taking appropriate steps to
prepare for the change, such as backing up data or moving the application to another virtual machine.
Adding a managed disk, installing the Puppet Agent extension, or enabling Desired State Configuration Management should not cause
downtime for VM1.
upvoted 3 times
Selected Answer: C
...nothing to tell.
upvoted 1 times
Selected Answer: C
Reference: https://azure.microsoft.com/en-us/blog/resize-virtual-machines/
upvoted 3 times
Selected Answer: C
Correct Answer: C
While resizing the VM it must be in a stopped state.
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines/
upvoted 2 times
Selected Answer: C
C is correct, as resizing requires shutdown because of the hardware specs and also because the current hardware cluster may not be able to
support it, and hence the VM will be moved to another one that has the resources to take on the new size
upvoted 2 times
Selected Answer: C
Correct Answer: C
upvoted 1 times
Selected Answer: C
Selected Answer: C
correct
upvoted 1 times
If the virtual machine is currently running, changing its size will cause it to be restarted.
If your VM is still running and you don't see the size you want in the list, stopping the virtual machine may reveal more sizes.
upvoted 1 times
If your VM is still running and you don't see the size you want in the list, stopping the virtual machine may reveal more sizes.
https://docs.microsoft.com/en-us/azure/virtual-machines/resize-vm?tabs=portal
upvoted 4 times
You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named Git1.
You need to ensure that the App1 update is tested before the update is made available to users.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Swap the slots
B. Deploy the App1 update to webapp1-prod, and then test the update
C. Stop webapp1-prod
D. Deploy the App1 update to webapp1-test, and then test the update
E. Stop webapp1-test
Correct Answer: AD
Answer is correct.
1. Deploy the App to “webapp1-test”, which is the staging environment, and test it there.
2. Once the test is successful, swap the slots, so the new changes will be available under production.
upvoted 94 times
This is probably referring to "Swap with preview (multi-phase swap)", so no need to worry about going into production immediately after
swapping the slots.
Selected Answer: AD
D) " Deploy the App1 update to webapp1-test, and then test the update" & A) " Swap the slots"
Reference: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 10 times
Selected Answer: AD
Correct Answer: AD
upvoted 1 times
it makes sense
upvoted 1 times
Question #30 Topic 4
You have an Azure subscription named Subscription1 that has the following providers registered:
✑ Authorization
✑ Automation
✑ Resources
✑ Compute
✑ KeyVault
✑ Network
✑ Storage
✑ Billing
✑ Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
Which three actions should you perform? Each correct answer presents part of the solution.
You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual
Network's region. There is no impact to your resources or associated charge for automatically enabling Network Watcher. For more
information, see Network Watcher create.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
Create a VM with a network security group
Enable Network Watcher (done by default with the vnet/subnet creation)
-- and register the Microsoft.Insights provider ---------todo
Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability --todo BUT !
NSG flow log data is written to an Azure Storage account. Complete the following steps to create a storage account for the log data.
So you need to create a storage account before enabling the NSG flow
Download logged data
View logged data
upvoted 70 times
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 35 times
You have an Azure subscription named Subscription1 that has the following providers registered: STORAGE
Why D?
upvoted 1 times
https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-tutorial
upvoted 3 times
"By default, Network Watcher is automatically enabled." The only reason you would have to enable it is if you had disabled it. So A is not
the answer.
The question states you need to record the data and since there are no disks on the VM you must create storage.
Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing
through a network security group.
https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-tutorial
upvoted 1 times
The storage account (option D) is typically needed to store NSG flow logs, but since the question doesn't specify that the logs should be
retained for an extended period, enabling flow logs would suffice for the immediate need.
upvoted 2 times
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
upvoted 1 times
"By default, Network Watcher is automatically enabled. When you create or update a virtual network in your subscription, Network
Watcher will be automatically enabled in your Virtual Network's region."
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create?tabs=portal
https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logging
According to these, the workflow should be: {Enable Network Watcher for your region (should be enabled already when the Vnet was
created) > register Microsoft.Insights provider > create Azure storage account (should be there already for managed disks) > Create a flow
log > enable traffic analytics & LA workspace.}
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log
network traffic that flows through an NSG with Network Watcher's NSG flow log capability.
Note: Storage account is already created since VMs have unmanaged disks.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
https://docs.microsoft.com/en-us/answers/questions/3619/what-is-the-difference-between-managed-disk-and-un.html
upvoted 2 times
You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible.
A. Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine.
B. Deploy five virtual machines. Modify the Size setting for each virtual machine.
C. Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode.
D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 29 times
Correct Answer: D
ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model. The
virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set. It is the current default VMSS behavior. (Scale set
VMs are created in a single shot).
VM (virtual machines) orchestration mode: Virtual machines created outside of the scale set can be explicitly added to the scale set. The
orchestration mode VM will only create an empty VMSS without any instances, and you will have to manually add new VMs into it by
specifying the VMSS ID during the creation of the VM. (Separately VMs are created and added to scale set later)
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 137 times
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 1 times
mihir25 2 months, 3 weeks ago
NAME HAS BEEN CHANGED NEW NAME IS SOMETHING LIKE THIS
Selected Answer: D
To deploy multiple virtual machine instances as quickly as possible, you should use a virtual machine scale set.
Between the given options regarding virtual machine scale sets and their orchestration mode:
- VM (virtual machines) orchestration mode allows you to manage each instance of a virtual machine as a separate entity. This is mainly
used for situations where you want to customize the instances individually.
- ScaleSetVM orchestration mode (the default mode) treats the instances in the scale set as a set, making it easier to manage them as a
group, which is ideal for deploying multiple instances quickly.
D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
upvoted 1 times
Selected Answer: D
correct is D :
reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 1 times
Selected Answer: D
Correct Answer: D
ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model. The
virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set. It is the current default VMSS behavior. (Scale set
VMs are created in a single shot).
upvoted 1 times
I can say that Uniform orchestration superseded ScaleSetVM while Flexible orchestration superseded VM mode.
Reference:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 9 times
Selected Answer: D
D) " Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode. "
Selected Answer: D
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 1 times
Selected Answer: D
Yep D
Optimized for large-scale stateless workloads with identical instances.
Virtual machine scale sets with Uniform orchestration use a virtual machine profile or template to scale up to desired capacity. While there
is some ability to manage or customize individual virtual machine instances, Uniform uses identical VM instances. Individual Uniform VM
instances are exposed via the virtual machine scale set VM API commands.
***NOTE***
You cannot add an existing machine to any type of VM scale set.
In Flexible Orchestration scale sets, ONLY newly created VMs or VMs spawned by the condition of the scale set can be added to the scale set.
Uniform scale sets DO NOT allow the addition of newly created VMs to the scale set.
upvoted 2 times
D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode
upvoted 1 times
Selected Answer: D
The ScaleSetVM mode has a new name, 'Uniform' orchestration mode, which creates uniform VMs and uses the VMSS API to manage them.
Another orchestration mode is Flexible orchestration mode, which uses the VM API to manage VMs individually.
upvoted 6 times
Question #32 Topic 4
You plan to create the Azure web apps shown in the following table.
What is the minimum number of App Service plans you should create for the web apps?
A. 1
B. 2
C. 3
D. 4
Correct Answer: A
Correct Answer: B
.NET Core 3.0: Windows and Linux ASP
.NET V4.7: Windows only
PHP 7.3: Windows and Linux
Ruby 2.6: Linux only
Also, you can’t use Windows and Linux Apps in the same App Service Plan, because when you create a new App Service plan you have to
choose the OS type. You can't mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview
upvoted 80 times
Selected Answer: B
Tested on 2022-10-12 in the portal : PHP & Ruby are Linux only so the answer is 2
upvoted 18 times
Selected Answer: B
Azure App Service plans define the region (Datacenter) of the physical server where your web app will be hosted and the amount of
storage, RAM, and CPU the underlying virtual machine will have. One App Service plan can host multiple web apps, mobile apps, API apps,
and function apps. All apps in the same plan run on the same VM instance(s) and share the same resources.
Different runtime stacks (like .NET Core, ASP.NET, PHP, or Ruby) can coexist in the same App Service plan, provided they are supported by
the operating system of the plan (Windows or Linux).
Selected Answer: B
The correct answer is still "B", but probably this question will soon require some update.
- current LTS version of .NET Core is called .NET 6 (goes both in Windows and Linux)
- .NET 4.7 is not available (.NET 4.8 is) - this goes in Windows only
- PHP is available in versions 8.0, 8.1, 8.2 --> this goes in Linux only
- Ruby support has ended in April 2023.
All in all, the table is specifying "runtime stack", so I guess it should state more clearly that it expects answers with "code" publish mode.
Actually, one could also just deploy 1 service plan by using the "docker container" mode - though the operational effort would be higher.
upvoted 5 times
So, you would need one App Service plan for all the web apps:
https://learn.microsoft.com/en-us/azure/app-service/overview#next-steps
Also you can’t use Windows and Linux Apps in the same App Service Plan.
Passed the exam on 26 July 2023. Scored 870. Exact question came.
upvoted 3 times
Selected Answer: B
WebApp1 and WebApp2 in windows appservice plan and WebApp3 and WebApp4 in linux.
Selected Answer: B
2 is right. You need 1 for windows and 1 for linux. Because .Net 47 runs only on windows. Ruby runs only on linux. The other 2 can run on
both.
upvoted 2 times
Selected Answer: B
The answer is B.
Each Azure App Service plan can host multiple web apps, but each plan is limited to a specific set of features and corresponding worker
size. In this case, .NET Core 3.1, ASP .NET V 4.8, PHP 7.3, and Ruby 2.6 are all different runtime stacks, so each web app must be hosted on
a separate App Service plan. Therefore, the minimum number of App Service plans required to host all four web apps is two.
You can host WebApp1 and WebApp2 on an App Service plan that supports .NET Core and ASP.NET, and you can host WebApp3 and
WebApp4 on another App Service plan that supports PHP and Ruby.
upvoted 1 times
ASP.NET V4.8 is a Windows-specific runtime stack and does not work on Linux. If you want to run ASP.NET web applications on Linux, you
can use .NET Core runtime stack, which supports cross-platform development and can run ASP.NET Core web applications on Linux as well
as Windows.
upvoted 1 times
Selected Answer: B
az webapp list-runtimes
{
"linux": [
"DOTNETCORE:7.0",
"PYTHON:3.11",
"PHP:8.2",
"RUBY:2.7",
],
"windows": [
"dotnet:7",
"dotnet:6",
"ASPNET:V4.8",
"ASPNET:V3.5",
]
}
upvoted 3 times
HOTSPOT -
You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
The budget alerts are for Resource Group RG1, which include VM1, but not VM2. However, when the budget thresholds you've created are
exceeded, only notifications are triggered. None of your resources are affected and your consumption isn't stopped.
Budget alerts for Resource Group RG1, which include VM1, but not VM2. VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be reached in
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's
reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending
https://docs.microsoft.com/en-gb/azure/cost-management-billing/costs/tutorial-acm-create-budgets
Correct Answer:
Budget alerts have scope in Resource Group RG1, which includes VM1, but not VM2.
VM1 consumes 20 Euro/day, so 20 euros * 30 days = 600 euros.
The 50%, 500 Euro limit, will be reached in 25 days (25*20 = 500), so an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway, because AG1 action
group contains a user.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated,
it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 322 times
Correct
upvoted 1 times
https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/cost-management-budget-scenario
Budgets are commonly used as part of cost control. Budgets can be scoped in Azure. For instance, you could narrow your budget view
based on subscription, resource groups, or a collection of resources. In addition to using the budgets API to notify you via email when a
budget threshold is reached, you can use Azure Monitor action groups to trigger an orchestrated set of actions resulting from a budget
event.
upvoted 1 times
Explanation:
Budgets don't by default interact with resources when thresholds are reached.
Only one email will be sent because on RG1 the VM1 will cost around 600€ (20€ per day).
upvoted 2 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.
A. Yes
B. No
Correct Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
Correct Answer: B - No
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 96 times
Selected Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 1 times
Selected Answer: B
B) "No"
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell#verify-deployment
upvoted 1 times
Correct Answer: B
upvoted 1 times
Selected Answer: B
Selected Answer: B
B. No .
upvoted 1 times
Correct: B (No)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the resources shown in the following table.
Solution: You create a new network interface, and then you add the network interface to VM1.
A. Yes
B. No
Correct Answer: B
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
Correct Answer: B - No
Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.
To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and NIC connected to
VNET2.
Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 63 times
Selected Answer: B
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
(repeated question!)
upvoted 1 times
Selected Answer: B
B) "No"
The only way to change a VNET on a VM is by deleting and re-creating the VM.
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
I Luv Honey Because it is B => VM=>VNET=>VNIC cannot migrate/move MUST all be in same region so either redeploy VM or create NEW
one and attach disk to it
upvoted 1 times
Selected Answer: B
B. No .
upvoted 1 times
Selected Answer: B
Correct answer
upvoted 2 times
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.
A. User1 only
B. User2 only
Correct Answer: C
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device.
Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
ans : D,
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:
ans is D
upvoted 5 times
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:
The Azure AD global administrator role
The Azure AD joined device local administrator role
The user performing the Azure AD join
upvoted 19 times
Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure
portal. The role does not grant permissions to manage any other properties on the device.
answer is C
upvoted 13 times
"At the time of Microsoft Entra join, we add the following security principals to the local administrators group on the device:
https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin
upvoted 2 times
Selected Answer: C
https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
upvoted 1 times
Global Admin, Azure AD joined device local administrator role, User joining the device. The additional local administrators box is for any
addition local admins you want to manually add, but default is set to none
upvoted 1 times
Selected Answer: C
User1 because he joined the Device to the tenant so he must be Admin on the device.
By default, Local administrators on joined devices, are the device owners and Global Administrators, so User2 is also.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#how-it-works
upvoted 8 times
Selected Answer: C
Correct Answer: C
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices.
The default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a
device. Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and
device owners are granted local administrator rights by default.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
upvoted 1 times
Selected Answer: C
C is correct
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:
*The Azure AD global administrator role
*The Azure AD device administrator role
*The user performing the Azure AD join
*Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined
devices. The default is All.
*Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet
*The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected
and None. The default is All
**remember AZ AD device admin is NOT same as Cloud device admin, MS misleading here*
upvoted 9 times
Selected Answer: C
Added User2 to Cloud Device Administrator Role. Signed into the device and tried to run cmd as administrator. Result...UAC screen
requesting administrative credentials. Entered User1 credentials and administrative cmd opened.
upvoted 1 times
Selected Answer: C
C is correct
upvoted 1 times
Question #37 Topic 4
HOTSPOT -
RG1 includes a web app named App1 in the West Europe location.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: No -
RG2 is read only. ReadOnly means authorized users can read a resource, but they cannot delete or update the resource.
Box 2: Yes -
Box 3: Yes -
Note:
App Service resources are region-specific and cannot be moved directly across regions. You can move the App Service resource by creating a
copy of your existing App Service resource in the target region, then move your content over to the new app. You can then delete the source app
To make copying your app easier, you can clone an individual App Service app into an App Service plan in another region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-move-across-regions
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations
For first box, "when you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add
later inherit the same parent lock. The most restrictive lock in the inheritance takes precedence."
Link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#lock-inheritance
upvoted 6 times
Correct Answer:
Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything
in the resource. For this reason, all of them are 'Y'.
Box 1: Yes
Box 2: Yes
Box 3: Yes
upvoted 80 times
No
Yes
Yes
upvoted 1 times
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 1 times
Can a person with Reader role move resources across resource group?
A read-only lock on a resource group prevents users from moving any new resource into that resource group.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 2 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the following resource group:
✑ Name: RG1
✑ Region: West US
✑ Tag: `tag1`: `value1`
You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:
✑ Exclusions: None
✑ Policy definition: Append a tag and its value to resources
✑ Assignment name: Policy1
✑ Parameters:
✑ Tag name: tag2
After Policy1 is assigned, you create a storage account that has the following configuration:
✑ Name: storage1
✑ Location: West US
✑ Resource group: RG1
✑ Tags: `tag3`: `value3`
You need to identify which tags are assigned to each resource.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Tags applied to the resource group are not inherited by the resources in that resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
michaelmorar Highly Voted 1 year, 9 months ago
Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by
triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.
upvoted 89 times
I was not sure until I read the following. I think the important part to pay attention to is the "Append a tag and its value to resources", as per
below
Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or
updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply
to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see
https://aka.ms/modifydoc).
Ans is
Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag2: value2 and tag3: value3
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
upvoted 24 times
RG is not a resource in itself, so it will only have tag 1. Tag 2 is a policy for resources only, and tag 3 was created for the storage account.
The storage account has tag 2 as per the policy settings, and obviously has tag 3 associated as per the settings on the resource itself.
upvoted 1 times
"Append a tag and its value to resources" does not take effect on Resource Groups, only on Resources. Also, the policy applies on newly
created or updated resources only. The existing resources will stay as is. So given answer is correct.
Created same policy as shown here > Waited 1 Hour > Created new RG > no tags applied from policy. Created Storage Account & VM > tag
from policy applied to both.
upvoted 5 times
Correct answer:
Tag assigned to RG1 - tag1: value1 and tag2: value2 -> tag2 inherit from the policy
Tag assigned to storage1: tag2: value2 and tag3: value3 -> tag2 inherit from the policy
Inherit tags
Resources don't inherit the tags you apply to a resource group or a subscription.
To apply tags from a subscription or resource group to the resources, see Azure Policies - tags.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
upvoted 3 times
Storage1 inherits 'tag1: value1' from RG1 also as storage1 was created in this resource group after its creation and tags are indeed
inherited from the resource group IF created after tags are applied to the resource group.
The Resource Group already existed before the Policy was created. And the policy is for resources only not resource groups.
The storage account was created with tag3 and then gets appended the tag2 because the policy.
upvoted 12 times
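A small model of the behaviour the comments above describe for the "Append a tag and its value to resources" policy, written as an added example (not code from the original page or from Azure). It assumes the policy is evaluated only when a resource is created or updated, takes `value2` from the answers in the discussion, and uses hypothetical resources `oldvm` and `storage2` next to the page's RG1 and storage1.

```python
import copy

# Resource type of a resource group; the append policy is not applied to it.
RESOURCE_GROUP_TYPE = "microsoft.resources/subscriptions/resourcegroups"


def put_resource(store, resource, assignment=None):
    """Simulate a create-or-update request and return the resulting tags.

    The policy only runs at write time, only on resources (not resource
    groups), and only adds the tag when it is missing.
    """
    res = copy.deepcopy(resource)
    is_rg = res["type"].lower() == RESOURCE_GROUP_TYPE
    if assignment and not is_rg:
        # setdefault keeps an existing value: a tag with a different value
        # is never overwritten by the append effect.
        res["tags"].setdefault(assignment["tagName"], assignment["tagValue"])
    store[res["name"]] = res
    return res["tags"]


def run_scenario():
    store = {}
    rg1 = {"name": "RG1",
           "type": "Microsoft.Resources/subscriptions/resourceGroups",
           "tags": {"tag1": "value1"}}
    # Written before Policy1 exists, so no policy is evaluated.
    put_resource(store, rg1)
    put_resource(store, {"name": "oldvm",                      # hypothetical
                         "type": "Microsoft.Compute/virtualMachines",
                         "tags": {}})

    # Policy1 is assigned at subscription scope (value2 taken from the thread).
    policy1 = {"tagName": "tag2", "tagValue": "value2"}

    # storage1 is created in RG1 after the assignment.
    put_resource(store, {"name": "storage1",
                         "type": "Microsoft.Storage/storageAccounts",
                         "tags": {"tag3": "value3"}}, policy1)
    # A resource that already carries tag2 with another value (hypothetical).
    put_resource(store, {"name": "storage2",
                         "type": "Microsoft.Storage/storageAccounts",
                         "tags": {"tag2": "custom"}}, policy1)
    # Updating the resource group after the assignment changes nothing.
    put_resource(store, rg1, policy1)

    oldvm_before_update = dict(store["oldvm"]["tags"])
    put_resource(store, store["oldvm"], policy1)   # an update triggers evaluation

    return {
        "RG1": store["RG1"]["tags"],
        "storage1": store["storage1"]["tags"],
        "storage2": store["storage2"]["tags"],
        "oldvm_before_update": oldvm_before_update,
        "oldvm_after_update": store["oldvm"]["tags"],
    }


if __name__ == "__main__":
    for name, tags in run_scenario().items():
        print(f"{name}: {tags}")
```

storage1 never receives tag1, because the model has no step that copies tags from the resource group to its resources.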
HOTSPOT -
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Box 1: 60 -
One alert per minute will trigger one email per minute.
Box 2: 12 -
No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
Correct Answer:
Box 1: 60
One alert per minute will trigger one email per minute.
Box 2: 12 or 0
-If it’s a typo and it means Alert1, then Answer = 12 (60/5 = 12)
-If it is actually Alert2 then Answer = 0
No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour (60/5 = 12).
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or
device. Rate limiting ensures that alerts are manageable and actionable.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 277 times
E-mail: No more than 100 emails every hour for each email address
SMS: In production: No more than one SMS message every five minutes. In a test action group: No more than one SMS every one minute.
https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits
upvoted 1 times
This is one of those questions where God knows why MS wants us to remember it. I mean this is something you can easily google while on
job.
upvoted 3 times
https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits#action-groups
upvoted 1 times
NYTK 6 months, 3 weeks ago
Came in exams 21/7/2023. "60" and "12" were the selected answers.
upvoted 4 times
Box 1 : 60
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 1 times
Box 2: 12 -
No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or
device. Rate limiting ensures that alerts are manageable and actionable.
The rate limit thresholds are:
✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 2 times
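The rate-limit thresholds listed above (SMS and voice once every 5 minutes, email 100 per hour, other actions unlimited) can be checked with a short simulation. This is an added example, not code from the original page or from Azure Monitor; the rolling-window model, the channel names and the `webhook` channel standing in for "other actions" are assumptions, and it also covers an alert rate higher than the one in the question.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds as quoted in the discussion: (max notifications, window seconds).
LIMITS = {
    "sms": (1, 300),
    "voice": (1, 300),
    "email": (100, 3600),
}


@dataclass
class ChannelLimiter:
    """Rolling-window limiter for a single receiver (one number or address)."""
    max_events: int
    window_s: int
    sent: deque = field(default_factory=deque)

    def try_send(self, t: int) -> bool:
        # Forget notifications that have aged out of the window.
        while self.sent and t - self.sent[0] >= self.window_s:
            self.sent.popleft()
        if len(self.sent) >= self.max_events:
            return False          # suppressed by rate limiting
        self.sent.append(t)
        return True


def simulate(alert_times_s, channels=("email", "sms")):
    """Return (delivered, suppressed) counts per channel.

    alert_times_s: times in seconds at which the alert fires.
    Channels without an entry in LIMITS are treated as not rate limited.
    """
    limiters = {c: ChannelLimiter(*LIMITS[c]) for c in channels if c in LIMITS}
    delivered = {c: 0 for c in channels}
    suppressed = {c: 0 for c in channels}
    for t in sorted(alert_times_s):
        for c in channels:
            limiter = limiters.get(c)
            if limiter is None or limiter.try_send(t):
                delivered[c] += 1
            else:
                suppressed[c] += 1
    return delivered, suppressed


def one_hour(every_s):
    """Constructed input: an alert firing every `every_s` seconds for one hour."""
    return list(range(0, 3600, every_s))


if __name__ == "__main__":
    print(simulate(one_hour(60)))                               # once per minute
    print(simulate(one_hour(30), ("email", "sms", "webhook")))  # twice per minute
```

At one alert per minute the email cap is never reached, so only SMS is throttled; at two alerts per minute the email channel also starts dropping notifications once 100 have been sent.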
Question #40 Topic 4
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
You plan to use Vault1 for the backup of as many virtual machines as possible.
A. VM1 only
Correct Answer: D
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
Answer is correct. D
The following criteria is important for vault backup, the data source (VM) must be in the same region and subscription. It works with any
resource group or any Operating system. Accordingly the answer is correct.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 110 times
Correct Answer: D
To create a Recovery Services Vault to protect Virtual Machines, the vault must be in the same Region as the Virtual Machines. If you have
Virtual Machines in several Regions, create a
Recovery Services Vault in each Region. It works with any resource group or any Operating System.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 101 times
Recovery Services vault can only backup on same region and supports any resource groups.
Ans: D
Ref: https://youtu.be/u1Y4EptZqgc?si=kXQ4av-gu8Xk9shx
upvoted 1 times
Selected Answer: D
Answer: D
"For you to create a vault to help protect any data source, the vault must be in the same region as the data source."
https://learn.microsoft.com/en-us/azure/backup/backup-create-recovery-services-vault#create-a-recovery-services-vault
upvoted 1 times
Selected Answer: D
Selected Answer: D
"Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same
region as the data source." - https://docs.microsoft.com/bs-latn-ba/azure/backup/backup-create-rs-vault
upvoted 2 times
Selected Answer: D
Correct Answer: D
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in
several regions, create a
Recovery Services vault in each region.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
upvoted 2 times
Selected Answer: D
Correct Answer D
VMs should be in same location with recovery services vault.
This is really sad as it's last available questions from this site on az104. Is there any other site you would recommend?
upvoted 2 times
They could have simply written VM1,VM2,VM3,VM4,VM5 but it seems they're more interested in confusing a candidate than him/her
passing with proper logic.
Which two tools should you use? Each correct answer presents a complete solution.
Correct Answer: AB
A: The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If average
CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10 instances. A
minimum of 3 instances is then defined for the deployment: kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10
B: Use the az aks update command to enable and configure the cluster autoscaler on the node pool for the existing cluster.
Reference:
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
We need to configure autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so kubectl command is not needed.
A: kubectl command is used for configuring Kubernetes and not AKS cluster.
B: The az aks command is used for the AKS cluster configuration.
C: Set-AzVm cmdlet is used for VMs.
D: Azure portal, under node pools, press scale, then choose auto scale.
E: Set-AzAks, creates or updates an AKS cluster, the correct cmdlet is Set-AzAksCluster.
Reference:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
upvoted 205 times
because requirement is about cluster autoscaling (nodes) and not pod autoscaling.
upvoted 1 times
The question is regarding how to autoscale the AKS, so it means that we are talking about the nodes. As we are talking how to scale the
nodes:
a) az aks is necessary
b) Then you scale the nodes in the portal.
The correct answers are B & D.
If we want to scale the pods, the options would be kubelet, but it is not the case. We are not talking about the containers, we are
talking about the infrastructure behind this.
upvoted 90 times
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#autoscale
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#about-the-cluster-autoscaler
upvoted 5 times
Selected Answer: BD
Selected Answer: BD
A. the kubectl command: kubectl is a command-line tool used for interacting with Kubernetes clusters, including managing deployments
and pods within a cluster. However, it is not used to configure cluster-level settings like autoscaling.
C. the Set-AzVm cmdlet: Set-AzVm is a PowerShell cmdlet used to manage Azure virtual machines (VMs), not AKS clusters or their
autoscaling configurations.
E. the Set-AzAks cmdlet: While the Set-AzAks cmdlet is used for managing AKS clusters in PowerShell, it is not specifically used for
configuring cluster autoscaler. Cluster autoscaler configuration typically involves different commands or settings, and it's not part of the
core Set-AzAks functionality.
To configure cluster autoscaler for AKS, you primarily use the Azure CLI (az) or the Azure portal, as these tools are specifically designed for
managing AKS cluster-level settings and configurations.
upvoted 5 times
The az aks command is a correct tool to configure cluster autoscaler for AKS1, as explained in the previous answer. However, you need
to use another tool in addition to the az aks command, such as the Azure portal. Therefore, A and B are not a complete solution.
upvoted 1 times
.Open AI: To configure cluster autoscaler for an Azure Kubernetes Service (AKS) cluster (AKS1), you can use the following tools:
B. the az aks command: You can use the Azure Command-Line Interface (CLI) command az aks update to configure the cluster autoscaler
for an AKS cluster. This command allows you to enable or disable the cluster autoscaler and set parameters like minimum and maximum
node counts.
D. the Azure portal: You can also configure the cluster autoscaler for AKS using the Azure portal. Navigate to your AKS cluster in the Azure
portal, go to the "Node pools" section, and then configure the autoscaler settings for the specific node pool.
The other options (A, C, and E) are not the primary tools used to configure cluster autoscaler for AKS.
upvoted 1 times
Explanation:
The kubectl command is a command-line tool used to interact with Kubernetes clusters. It allows you to manage and configure various
aspects of your AKS cluster, including enabling the cluster autoscaler. You can use kubectl to apply the necessary configuration changes to
enable the autoscaler.
The az aks command is a command-line tool provided by the Azure CLI (Command-Line Interface). It specifically deals with managing
Azure Kubernetes Service (AKS) resources. Using the az aks command, you can enable the cluster autoscaler by modifying the AKS
cluster's properties.
upvoted 2 times
JunetGoyal 9 months, 2 weeks ago
Exact same Q came in my exam on 30 April 2023. I chose A, B.
I was not sure between A, D. haahaahh
upvoted 7 times
ChatGPT response:
The two tools you should use to configure cluster autoscaler for AKS1 are:
B. the az aks command, which provides a command-line interface for managing AKS clusters, including the ability to enable and configure
cluster autoscaler.
E. the Set-AzAks cmdlet, which is a PowerShell cmdlet for managing AKS clusters. It can be used to enable and configure cluster
autoscaler.
Therefore, options B and E are correct. Options A, C, and D are not required for this task.
"follow up question"
Will the answer be the same if I need to configure autoscaler for the AKS cluster. I do not want to scale Kubernetes pods
Configuring cluster autoscaler for an AKS cluster is independent of scaling Kubernetes pods. The purpose of cluster autoscaler is to
automatically adjust the size of the AKS cluster based on the resource demands of the workloads running on it, while scaling Kubernetes
pods involves adjusting the number of replicas for a specific deployment or replica set.
Therefore, to configure cluster autoscaler for an AKS cluster, you would still need to use the az aks command and the Set-AzAks cmdlet.
upvoted 1 times
Selected Answer: BD
We need to configure autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so kubectl command is not needed.
Correct Answer: C
Run the az acr build command to build and push the container image.
az acr build \
--image contoso-website \
--registry $ACR_NAME \
--file Dockerfile .
Reference:
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app
I have this same question in the exam (passed) and does not have the option C.
So I choose the Docker push.
upvoted 160 times
ACR tasks automatically push successfully built images to your registry by default, allowing you to deploy them from your registry
immediately.
Selected Answer: A
It is az acr command. It will create and push the image to container registry.
upvoted 1 times
https://learn.microsoft.com/en-us/answers/questions/1198828/kubectl-vs-azure-cli?cid=kerryherger
upvoted 1 times
Selected Answer: A
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli?tabs=azure-cli
upvoted 2 times
Selected Answer: C
To deploy the container image named App1 to your Azure Kubernetes Service (AKS) cluster named Cluster1, you should first run the az acr
build command. This command builds a container image in Azure Container Registry (ACR) from the source code located on your
administrative workstation. It also uploads the image to ACR, making it available for deployment to your AKS cluster.
upvoted 1 times
Selected Answer: A
To deploy the container image to the Azure Kubernetes Service (AKS) cluster, you need to perform the following steps:
A. Run the docker push command: This option is the correct choice. Before deploying a container image to AKS, you need to push the
image to a container registry (in this case, Registry1). The docker push command is used to upload the container image to the Azure
Container Registry (ACR) so that it can be accessed by the AKS cluster.
Selected Answer: C
az acr build will build and push the image at the same time. Queues a quick build, providing streaming logs for an Azure Container
Registry.
docker build/push will do the same thing, but you will have to configure docker to login to the container registry.
Reference:
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app
upvoted 1 times
Selected Answer: A
It's probably not C as the image is already created, since that looks to be create and auto push.
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-tutorial-prepare-acr
upvoted 1 times
C for questions that include the option. Some don't have the C option, hence choose A: push
1. Create a new container registry
$ az acr create --resource-group $RG ..
2. create a dockerfile inside directory
echo "FROM hello-world" > Dockerfile
3. Build an Image and Push to ACR
run below command using the newly created Dockerfile
$ az acr build --image sample/hello-world:v1 --registry acrbuildcontainer11 --file Dockerfile .
- View the newly created container registry with the sample/hello-world repository.
Go to container registry>acrbuildcontainer11 >Services: Repositories>sample/hello/world > click v1
upvoted 3 times
OpenAI answer:
To deploy App1 to Cluster1, you should first push the container image to the Azure Container Registry instance named Registry1.
B. Creating an App Service plan is used for hosting web apps, not for deploying containerized applications to AKS.
C. Running the az acr build command is used to build and push a Docker container image to an Azure Container Registry (ACR), but in this
case, the container image has already been built, so it only needs to be pushed to the ACR.
D. Running the az aks create command is used to create a new AKS cluster, not to deploy a container image to an existing cluster.
upvoted 10 times
You have an Azure subscription that contains the resources shown in the following table.
A. Proximity2 only
C. Proximity1 only
Correct Answer: A
Resource Group location of VMSS1 is the RG2 location, which is West US.
Reference:
https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups/
Correct Answer: A
Placement Groups is a capability to achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency
among them, for improved application performance.
Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a
deployment constraint when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity
placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your
applications.
The VMSS should share the same region, even it should be the same zone as proximity groups are located in the same data center.
Accordingly, it should be proximity 2 only.
Reference:
https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups
upvoted 117 times
This should be proximity 1 only, proximity 2 is not in the same region as the VMSS
upvoted 41 times
- On an average, it takes around 5 mins per question for ET. This includes, answering and going through all discussions and sometimes
test it. So, for 540 questions ET itself will take around 50 hours.
- MS learning is around 20 hours, but in reality it will also take around 50 hours, if you have the habit of taking notes like me.
- If you wish to go for some additional training, example like Pluralsight like I did, it adds another 40 hours.
Each of the above training materials covers a lot of non-overlapping material. So imagine, the humongous amount of data that you need
to memorize which you learned through these trainings across the vast syllabus.
upvoted 2 times
Correct Answer is A
upvoted 1 times
Selected Answer: A
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
A. Yes
B. No
Correct Answer: B
Correct Answer: B - No
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 57 times
Selected Answer: B
Correct Answer: B
upvoted 2 times
Selected Answer: B
B. No
upvoted 1 times
To check the date and time when RG1 was created, you have to go to the RG1 resource, go to Settings and click Deployment.
upvoted 1 times
deltarj 2 years ago
Q41, 51, 52 & 53 [remember: RG1 blade-->deployment]
upvoted 3 times
Selected Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 2 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were
You need to view the date and time when the resources were created in RG1.
A. Yes
B. No
Correct Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
Correct Answer: B - No
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 38 times
Selected Answer: B
Selected Answer: B
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
Selected Answer: B
B. No
upvoted 1 times
ajayasa 1 year, 11 months ago
similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were
You need to view the date and time when the resources were created in RG1.
A. Yes
B. No
Correct Answer: A
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 42 times
You can verify the deployment by exploring the resource group from the Azure portal.
You will then see all Deployments and their status as a result of selecting myResourceGroup. NOT clicking Deployments. It's already listed.
upvoted 1 times
A. correct
upvoted 2 times
Selected Answer: A
A. correct
upvoted 1 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
Selected Answer: A
A. Yes
upvoted 1 times
A. Azure HDInsight
Correct Answer: B
The Linux Diagnostic Extension should be used which downloads the Diagnostic Extension (LAD) agent on Linux server.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux
Correct Answer: B
The Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure. It has the following collection
and capabilities:
- Metrics
- Syslog
- Files
A: Azure HDInsight is a managed, full-spectrum, open-source analytics service in the cloud for enterprises. You can use open-source
frameworks such as Hadoop, Apache Spark, Apache Hive, LLAP, Apache Kafka, Apache Storm, R, and more.
D: Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade data models in the cloud.
upvoted 124 times
Not correct. Answer is B. It is a Linux server; accordingly, the Linux Diagnostic Extension should be used, which downloads the Diagnostic Extension
(LAD) agent on the Linux server.
upvoted 106 times
Selected Answer: B
To monitor the metrics and logs of a Linux virtual machine in Azure, you can use the Linux Diagnostic Extension (LAD) 3.0. Therefore, the
correct answer is:
LAD is a solution provided by Microsoft to collect diagnostic data, logs, and metrics from Linux virtual machines running in Azure. LAD can
be used to monitor key performance indicators (KPIs) such as CPU, memory, and disk usage, as well as collect system logs and custom
logs.
Option A, Azure HDInsight, is a cloud-based service that provides Apache Hadoop and Spark clusters for big data processing. Option C, the
AzurePerformanceDiagnostics extension, is not a valid Azure service or feature. Option D, Azure Analysis Services, is a PaaS offering that
provides enterprise-grade analytics and BI services in the cloud. It is not designed for monitoring Linux virtual machines.
upvoted 3 times
Correct Answer is B
upvoted 1 times
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli#supported-linux-distributions
upvoted 1 times
Some of the features in "the AzurePerformanceDiagnostics extension" do not work for Linux VMs:
(https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics#select-an-analysis-scenario-to-run)
Whereas the "Linux Diagnostic Extension (LAD) 3.0" doc mentions the question's two requirements, Metrics and Logs, in the first two
sentences of the introduction of this article:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux-v3
upvoted 1 times
Selected Answer: B
Use the Linux diagnostic extension 4.0 to monitor metrics and logs:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
Azure Performance Diagnostics VM Extension is for Windows:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics-vm-extension
upvoted 1 times
It is clearly B
upvoted 1 times
For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about version
2.3 and earlier, see Monitor the performance and diagnostic data of a Linux VM.
Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
The Linux diagnostic extension helps a user monitor the health of a Linux VM that runs on Microsoft Azure
upvoted 1 times
Azure Monitor recently launched a new agent, the Azure Monitor agent, that provides all capabilities necessary to collect guest operating
system monitoring data. While there are multiple legacy agents that exist due to the consolidation of Azure Monitor and Log Analytics,
each with their unique capabilities with some overlap, we recommend that you use the new agent that aims to consolidate features from
all existing agents, and provide additional benefits.
The Azure Monitor agent is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows
and Linux machines.
upvoted 9 times
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit:
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Box 1:
Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach to the Web server, since it uses port 80.
Box 2:
If Rule2 is removed internet users can reach the DNS server as well.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Correct.
Usually :
DNS = Port 53
WEB = Port 80 (http) or 443 (https).
Rule 2 Blocked DNS (Range 50-60) First match > DNS Blocked
Rule 1 Allow http (Range 50-500) First Match > http Allow.
If we delete Rule 2, Rule 1 Allows http and DNS. First match > It works.
upvoted 38 times
Rule 2 Blocked DNS (Range 50-60) First match > DNS Blocked. port 80 not affected
After deleting rule 2
Rule 1 Allow DNS (Range 50-500) First Match > port 53 and the port 80 and 443 is allowed.
upvoted 2 times
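The first-match evaluation described in this answer, as an added Python example that is not part of the original page. The exhibit is not reproduced here, so the priority numbers given to Rule1 and Rule2 are assumptions chosen to match the explanation (Rule2 is evaluated before Rule1); `DenyAllInBound` at priority 65500 is Azure's default inbound deny rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = higher priority, evaluated first
    port_low: int
    port_high: int
    access: str     # "Allow" or "Deny"


# Azure's default catch-all inbound rule.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, 0, 65535, "Deny")

# Constructed rule set: port ranges come from the answer text,
# priorities 100 and 200 are assumed (the exhibit is missing).
RULES = [
    Rule("Rule1", 200, 50, 500, "Allow"),
    Rule("Rule2", 100, 50, 60, "Deny"),
]


def evaluate(rules, dest_port):
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in sorted(list(rules) + [DEFAULT_DENY], key=lambda r: r.priority):
        if rule.port_low <= dest_port <= rule.port_high:
            return rule.access, rule.name  # processing stops at the first match
    return "Deny", "no-match"  # not reached while DEFAULT_DENY is present


def shadowed_allows(rules):
    """List Allow rules whose port range is partly overridden by an earlier Deny.

    Each finding is (allow_rule, deny_rule, first_port, last_port).
    """
    findings = []
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, rule in enumerate(ordered):
        if rule.access != "Allow":
            continue
        for earlier in ordered[:i]:
            if earlier.access != "Deny":
                continue
            low = max(rule.port_low, earlier.port_low)
            high = min(rule.port_high, earlier.port_high)
            if low <= high:
                findings.append((rule.name, earlier.name, low, high))
    return findings


def without(rules, name):
    """Return the rule set with the named rule removed."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    for port in (53, 80, 443, 3389):
        print(port, evaluate(RULES, port))
    print("after removing Rule2:", evaluate(without(RULES, "Rule2"), 53))
    print("shadowed:", shadowed_allows(RULES))
```

`shadowed_allows` is the check to run before deleting a deny rule: it shows which ports a broader allow rule would expose once the narrower deny is gone.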
You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.
You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
I always get nervous when the discussion count hits 30-50+. You know something isn't right :D. If it's just below 20, then I just skip and
continue
upvoted 132 times
Explanation: An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For example, if you create
three or more VMs across three zones in an Azure region, your VMs are effectively distributed across three fault domains and three
update domains. The Azure platform recognizes this distribution across update domains to make sure that VMs in different zones are not
updated at the same time.
Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-availability/5-review-availability-zones
upvoted 3 times
Selected Answer: C
Correct Answer: C
upvoted 3 times
So, for example, if you create three VMs across three availability zones in an Azure region, your VMs are effectively distributed across three
fault domains and three update domains.
If one of the Availability Zones has gone down for some reason, we still have 2 VMs from the rest of the 2 availability zones. Similarly, if
there is an update or a patch to be applied, azure schedules these at different times for different availability zones. So this means, we have
just one of the availability zones affected while the update is being applied. The rest of the 2 zones are unaffected.
upvoted 3 times
Placing in three separate zones does not guarantee availability over these zones
upvoted 2 times
C for me.. AV zone should be 3 as refers to 3 different Data centers, hence lose one 2 available
upvoted 3 times
You have an Azure virtual machine named VM1 that runs Windows Server 2019.
You save VM1 as a template named Template1 to the Azure Resource Manager library.
A. operating system
B. administrator username
D. resource group
Correct Answer: B
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
not correct. Answer is Resource Group. I tried the only ones that need to be updated manually are resource group and password.
upvoted 166 times
Manual steps: log in, deploy VM1. Accept all defaults. Go to resource > template > save to library. View library > deploy template, It pre-
populates the subscription but you have to set an RG. VM Name can be customized, admin user/pass are pulled from template.
Costs about $.15 to verify and less than 5 minutes, if you're in doubt sign up for azure pass and do it yourself.
upvoted 38 times
"what can you configure"... you can't configure a resource group, but you can choose one. A resource group should be already configured.
An administrator username is not preconfigured, so you have to make a new one. I will go with B
upvoted 47 times
Selected Answer: C
I think C
upvoted 1 times
Selected Answer: D
The answer is D
upvoted 2 times
Answer is D
upvoted 1 times
You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not
At the end of each month, CPU usage for VM1 peaks when App1 runs.
You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.
Correct Answer: E
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-dsc-configuration
Correct Answer: B
Here we need to modify the size of the VM to increase the number of vCPU's assigned to the VM. This can be included as a task in the
runbook. The VM size property can be modified by a runbook that is triggered by metrics, but you can schedule it monthly.
C: Scheduled vertical scaling could be a solution, but then you don't need a scheduled runbook and it states that it does not support
multiple active instances. Scale Set is not an option.
E: DSC is only useful to keep the resources on a VM (OS, File shares, etc.) in a consistent state, not to change VM properties.
Reference:
https://www.apress.com/us/blog/all-blog-posts/scale-up-azure-vms/15823864#:~:text=If%20you%20select%20the%20option,to%20the%20next%20larger%20size
upvoted 192 times
Selected Answer: B
Answer B
upvoted 1 times
Selected Answer: C
Correct answer: C
Azure Virtual Machine Scale Sets let you create and manage a group of load balanced VMs.
The number of VM instances can automatically increase or decrease in response to demand or a defined schedule.
Scale sets provide the following key benefits:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview
upvoted 1 times
By modifying the VM size, you can choose a higher-tier virtual machine that offers more CPU resources, which can help handle the
increased CPU usage during peak times. This allows you to scale up the VM's processing power temporarily to meet the demands of the
financial reporting app (App1) at the end of each month.
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
It cannot be D: "Desired State Configuration (DSC) is a feature in PowerShell 4.0 and above that helps administrators to automate the
configuration of Windows and Linux operating systems (OSes)"
upvoted 1 times
answer is B
upvoted 1 times
Question #52 Topic 4
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: B
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx
--resource-group myResourceGroup \
--publisher Microsoft.Azure.Extensions \
Note:
There are several versions of this question in the exam. The question has two correct answers:
The question can have other incorrect answer options, including the following:
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration
Correct Answer: B
Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
- the Publish-AzVMDscConfiguration cmdlet
- Azure Application Insights
upvoted 202 times
B is the answer.
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
upvoted 3 times
You are going to deploy multiple Virtual machines having Windows Server Operating System by using Azure Resource Manager Template.
While completing the Virtual machines deployment you need to make sure that NGINX should be available on all the Virtual machines.
What should you do?
Explanation
A Custom Script Extension(CSE) can be used to automatically launch and execute virtual machine customization tasks post configuration.
Your script extension may perform simple tasks such as stopping the virtual machine or installing a software component. However, the
script could be more complex and perform a series of tasks.
Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-extensions/3-implement-custom-script-extensions
upvoted 5 times
Selected Answer: B
Selected Answer: B
Correct Answer: B
upvoted 2 times
The Azure DSC extension uses the Azure VM Agent framework to deliver, enact, and report on DSC configurations running on Azure VMs.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
upvoted 3 times
Selected Answer: B
HOTSPOT -
You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Box 1: 10.244.0.0/16 -
Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your network environment. This range includes any on-
premises network ranges if you connect, or plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN connection.
This address range must be large enough to accommodate the number of nodes that you expect to scale up to. You can't change this address
range once the cluster is deployed if you need more addresses for additional nodes.
Box 2: 10.0.0.0/16 -
The --service-cidr is used to assign internal services in the AKS cluster an IP address.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
mlantonis Highly Voted 2 years, 9 months ago
Correct Answer:
Box 1: 10.244.0.0/16
The Pod CIDR, because containers live inside Pods.
Note: You can't change this address range once the cluster is deployed, if you need more addresses for additional nodes.
Box 2: 10.0.0.0/16
The Service CIDR is used to assign internal services in the AKS cluster an IP address.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster
upvoted 138 times
I'm writing the exam in 3 hours .. I'll go with the given selections - wish me luck!
upvoted 23 times
Box 1: 10.244.0.0/16
you can create containers live inside Pods.
Box 2: 10.0.0.0/16
service CIDR is used to assign internal services in the AKS cluster an IP address.
upvoted 4 times
Box 2: 10.0.0.0/16 -
The --service-cidr is used to assign internal services in the AKS cluster an IP address.
upvoted 1 times
HOTSPOT -
You have the App Service plan shown in the following exhibit.
The scale-in settings for the App Service plan are configured as shown in the following exhibit.
The scale out rule is configured with the same duration and cool down time as the scale in rule.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: 5 -
Box 2: 3 -
As soon as the average CPU usage drops below 30%, the count will decrease by 1. After the 5 minute cool-down it will decrease by another 1,
reaching 3.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule
Correct Answer:
Box 1: 2
70% for 1h, and then 90% for 5 minutes. So, from the default of 1 it will scale out 1 more. So, 2 in total.
Box 2: 4
90% for 1h and then 25% for 9 minutes. So, from the default of 1 it will scale in to the max 5 (60/5 = 12, which means 6 times scale out,
because we have 5 minutes period of cool down). Then when it drops to 25% for 9 minutes and it will scale in once after 5 mins (since the
average of the last 5 minutes is under 30% ), so it will decrease by 1, so 4 in total. Then it will have a cooldown of 5 minutes before scaling
in again, but since only 4 minutes left from 9 minutes (9-5 = 4), it won't scale in again. So, 4 in total.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule
https://docs.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings
upvoted 441 times
The calculation provided by Fed seems not correct as it is assumed that after the cool down time, the system wait another 5 min to
collect metrics which seems not the case.
upvoted 13 times
I think:
2
4
upvoted 123 times
2 and 4
upvoted 1 times
Box 2-4
upvoted 1 times
Box 2-4
upvoted 1 times
You have an Azure virtual machine named VM1 that runs Windows Server 2019. The VM was deployed using default drive settings.
You sign in to VM1 as a user named User1 and perform the following actions:
Correct Answer: C
Correct Answer: C
Reference:
https://www.cloudelicious.net/azure-vms-and-their-temporary-storage
upvoted 159 times
In the exam on Feb 26, 2022, I passed today's exam 784. happy weekend!!
upvoted 27 times
Ref: https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/redeploy-to-new-node-windows
upvoted 5 times
Correct Answer: C
upvoted 3 times
Selected Answer: C
Selected Answer: C
C is correct D drive is temp and Microsoft warns about its usage i.e. temp storage and lost via reboot
upvoted 2 times
You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
A. the memory
D. the processor
E. Integration Services
Correct Answer: C
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or
VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the
VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
The Virtual hard disk is VHDx, it should be formatted to VHD before migration from on-premises to Azure. Azure supports only generation
1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a
generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
upvoted 101 times
Slight update to mlantonis answer since it was written 2.5 years ago: Azure supports BOTH generation 1 and generation 2 VMs that are in
VHD file format and that have a fixed-size disk. When the answer was written, generation 2 VHD was not supported.
Ref: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
upvoted 5 times
Selected Answer: C
Correct Answer: C
upvoted 3 times
C is correct
The virtual hard disk is VHDx; it should be formatted to VHD before using it in the Azure cloud environment, as Azure VMs support only VHD
format
upvoted 4 times
Selected Answer: C
Question appeared in exam today. The answer is correct. VHDx will not work
upvoted 2 times
Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk. The maximum size
allowed for the OS VHD on a generation 1 VM is 2 TB.
Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard disk (VHD or VHDX). You
can convert a VHDX file to VHD, convert a dynamically expanding disk to a fixed-size disk, but you can't change a VM's generation.
upvoted 3 times
Question #57 Topic 4
HOTSPOT -
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following
configurations:
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
The Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.
Box 1: 0 -
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.
Box 2: 4 -
Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
Correct Answer:
Box 1: 4
If you resize the Scale Set all the VMs get resized at once, thus 4 is the correct answer.
Box 2: 1
Automatic OS updates update 20% of the VMs at once, with a minimum of 1 VM instance at a time. Also 20% of 4 = 0.8.
Reference:
https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-scale-sets
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set
upvoted 208 times
The question asks "if the administrator changes the size", not if it gets scaled up vertically. I tested this, and if you resize the scale set all
the virtual machines get resized at once, thus 4 is the correct answer. For the second part, automatic OS updates update 20% of the VMs
at once, with a minimum of 1 VM instance at a time.
upvoted 104 times
HOTSPOT -
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following
configurations:
upvoted 1 times
[ref: https://msftstack.wordpress.com/2016/11/15/azure-scale-set-upgrade-policy-explained/]
Box2 - 0
This refers to the first PS cmdlet 'UpgradePolicy' which "determines what happens when image publishers publishes the latest image OS
image - which in this case Microsoft released the Win Server 2016 image. Since it's set to 'false', there will be no changes made - updates
will need to happen manually with user intervention.
[ref: https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-service-fabric-enableautomaticupdates/ba-p/834246]
upvoted 6 times
Standa_82 12 months ago
It seems to me that picture doesn't match questions.
upvoted 6 times
Box 2: 1
What's set to 'false' is Patch updates. This is recommended to be set to 'False' when Automatic OS upgrades are set to 'True'. What this
means is that the automatic rolling OS Upgrades will happen at 20%.
upvoted 8 times
Based on the above note, as EnableAutomaticUpdates = False the OS updates will not happen. So answers are Box1: 4 and Box 2: 0
upvoted 4 times
Part 2: Answer 4
The Upgrade policy (Don't get confused with "Update" Policy, which is for OS Patches) is set to Automatic. When the Upgrade policy is set
to automatic, all the VMs may be taken down and upgraded at the same time, as per the MS docs:
Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#how-to-bring-vms-up-to-date-with-the-latest-scale-set-model)
NB: The 20% policy for upgrades mentioned in other comments is for Extensions in a VMSS, not the actual VM scale set.
upvoted 3 times
Box 2: 4 -
Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS
disk for all instances in the scale set.
upvoted 2 times
https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-service-fabric-enableautomaticupdates/ba-p/834246
You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource
Manager template.
From which blade can you view the template that was used for the deployment?
A. VM1
B. RG1
C. storage2
D. container1
Correct Answer: B
1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.
2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.
3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that
you provided for parameters. To see the template that you used for the deployment, select View template.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template
Correct answer B RG1. the only way to see both together storage and VM
upvoted 60 times
Correct Answer: B
upvoted 51 times
Correct Answer B
Came up in exam today
920/1000
upvoted 7 times
Correct Answer: B
upvoted 2 times
Selected Answer: B
B. RG1
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Correct answer B RG1. the only way to see both together storage and VM
upvoted 2 times
You have an Azure web app named App1. App1 has the deployment slots shown in the following table:
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.
A. Redeploy App1
C. Clone App1
Correct Answer: B
When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
Correct Swap slots. this is advantage of using slots. where each slot has its own host name while the app content and configuration
elements are the one who are swapped. this is done seamlessly for traffic direction and no requests are dropped or downtime happens.
upvoted 62 times
Correct Answer: B
When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of
the slots. We can easily revert the deployment by swapping back.
Deployment slots are live apps with their own host names. App content and configurations elements can be swapped between two
deployment slots, including the production slot.
1. You can validate app changes in a staging deployment slot before swapping it with the production slot.
2. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being
swapped into production.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 59 times
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots#roll-back-a-swap
If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by
swapping the same two slots immediately.
upvoted 2 times
Selected Answer: B
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 2 times
Selected Answer: B
Swap slots, this is Beauty of using slots. you can test at ease and as please
upvoted 2 times
Selected Answer: B
Selected Answer: B
Correct Answer
upvoted 2 times
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines VM1 and VM2. VM1 and VM2 run
Windows Server
2016.
VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
To which location can you restore the backup? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
Correct Answer:
Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2 only as an answer.
Box 2: VM1 or a new Azure virtual machine only
For restoring a VM, you can choose 'Create new' or 'Replace existing'.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-restore-files-from-vm.md#for-windows-os
upvoted 175 times
So the scenario is made to run everything within azure. I'm expecting that this should be doable via another machine but then with
connection to the Azure / Account / configuration (that are not really specified here)
upvoted 1 times
File recovery can be done from any machine on internet. for restoring the VM, you can restore the backed up disk and either restore the
disk before the malware (VM) or create a any virtual machine
upvoted 93 times
Here is the doc link that clearly says you need to use a Windows 10 machine for file recovery from Win 2016.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#step-2-ensure-the-machine-meets-the-requirements-before-executing-the-script
upvoted 2 times
I was able to successfully recover files to my local Windows PC today, 20/8/2023. So I'd say any windows computer with internet
connectivity is the correct answer. The only "challenge" is that it has to be a current/supported release. I don't think you can recover it on a
Windows 7 or Vista machine anymore. I am no script expert so I don't really know if the downloaded scripts checks for Windows version.
But I can definitely say you don't have to use an Azure VM to recover files from the affected VM.
upvoted 4 times
However looking at the below URL and step 4, I'd be tempted to say, Any Windows that has internet connectivity. (Provided it's compatible)
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 2 times
In the second scenario, the correct answer is "VM1 or a new Azure virtual machine only" because the question asks where you can restore
the entire VM, not just files. You can choose to create a new VM or replace the existing one, but the restore can only be done to VM1 or a
new Azure virtual machine.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#choose-a-vm-restore-configuration
- Create new: Use this option if you want to create a new VM. You can create a VM with simple settings, or restore a disk and create a
customized VM.
- Replace existing: Use this option if you want to replace disks on an existing VM.
upvoted 2 times
I could be wrong because the question is very very tricky, but I'm going to trust my guy here.
As much as we love mlantonis and by all means he's the G.O.A.T! But I do think he has it wrong here, because it specifically states VM's
ONLY. Therefore it cannot be Any pc that has internet connectivity even though in theory that makes sense but for microsoft that doesn't
comply with their article found in the link below.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 1 times
You discover that the Backup Pre-Check status displays a status of Warning.
A. VM1 is stopped.
B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.
Correct Answer: B
The Warning state indicates one or more issues in VM's configuration that might lead to backup failures and provides recommended steps to
ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this
class of issues.
Reference:
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/
Answer is Correct,
Check the REF they provided, and this REF by Microsoft also, proves that:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-manage-windows-server.md
upvoted 15 times
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
upvoted 5 times
Selected Answer: B
B is the answer.
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks
Warning: This state indicates one or more issues in VM’s configuration that might lead to backup failures and provides recommended
steps to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and
falls in this class of issues.
upvoted 5 times
Selected Answer: B
Answer is correct, B: VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.
The Azure VM Agent is required for managing virtual machines, and it provides the communication between the virtual machine and
Azure. The latest version of the Azure VM Agent is required for Azure Backup to work correctly. If the agent is not installed or is outdated,
the Backup Pre-Check status might display a warning.
upvoted 1 times
B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.
upvoted 1 times
Correct answer B
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md#backup-pre-check-status:~:text=Warning%3A%20This%20state,a%20warning%20state.
upvoted 3 times
Correct Answer: B
Warning indicates one or more issues in the VM's configuration that might lead to backup failures. It provides recommended steps to
ensure successful backups. For example, not having the latest VM Agent installed can cause backups to fail intermittently. This situation
will provide a warning state.
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
upvoted 4 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
Solution: From the Overview blade, you move the virtual machine to a different resource group.
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
There are several versions of this question. The following are the correct and incorrect answers that will be presented.
-Solution: From the Overview blade, you move the virtual machine to a different resource group.
upvoted 14 times
Selected Answer: B
Correct Answer: B
upvoted 2 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
redeploy
upvoted 3 times
Question #63 Topic 4
HOTSPOT -
You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set.
You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.
How should you configure the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: 2 -
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A
higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
Reference:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks
https://github.com/Azure/acs-engine/issues/1030
This link posted by RickySmith shows that they all have 3 FD's.
upvoted 1 times
Another ridiculous question, how can we remember all the maximum number of fault domain for each region?
upvoted 3 times
https://learn.microsoft.com/en-us/azure/virtual-machines/availability-set-overview#how-do-availability-sets-work
Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each
availability set can be configured with up to three fault domains and twenty update domains.
upvoted 6 times
Box 2: 20 -
Use 20 for platformUpdateDomainCount
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots
nodes. A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
upvoted 1 times
The number of error domains for managed availability groups vary by region: two or three per region.
upvoted 1 times
Question #64 Topic 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent
on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
A. Yes
B. No
Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically
run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on-premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
Selected Answer: A
Answer is correct
upvoted 1 times
correct
upvoted 1 times
Selected Answer: A
Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that
automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created
and it can be configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on-premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 2 times
Correct.
upvoted 1 times
HOTSPOT -
You deploy a virtual machine scale set that is configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal
box-1 : 3
box-2: 1
upvoted 42 times
Box-1 : 3
Initial starts 2 VM's 15 minutes have passed. at 10 minutes 1 VM was added we now have 3 VM's. Cool down is 5 Minutes before another
10 minute wait cycle starts so the answer is 3.
Box-2: 1
Initial 5 VM's 60 minutes Pass. 1 VM removed every 15 minute cycle. 10 minutes wait timer plus 5 minute cool down equals 15 minutes
cycle. Four 15 minute cycles pass equaling 60 minutes removing 4 VM's. We have 1 VM left.
Default Scale in and Out Default Durations are 10 minutes with 5 minute cool down.
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal#create-a-rule-to-automatically-scale-in
upvoted 30 times
Duration value is only used for data range - how much data autoscaling system has to aggregate to determine if rule applies or not.
Cooldown - how much time has to pass before next autoscale operation to trigger. So once you start you app the first autoscale may
happen not earlier than after duration value (because you need specific data range). Each next will happen every cooldown value
upvoted 1 times
You have web apps in the West US, Central US and East US Azure regions.
You have the App Service plans shown in the following table.
You plan to create an additional App Service plan named ASP5 that will use the Linux operating system.
You need to identify in which of the currently used locations you can deploy ASP5.
B. Central US only
C. East US only
D. West US only
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
Hi guys:
What does this question want to test?
I couldn't get the point.
upvoted 38 times
You can always create a new App Service plan in any region. Granted the App Service plan can be set for 1 region only. The key word in
answer A is therefore "OR". It is possible to use ASP5 in any of the listed regions, but ONLY IN ONE of the regions. If the answer said
"AND" it would be incorrect. Since it says "OR", A is Correct.
It's absolutely ridiculous to ask questions like this in my opinion. It's like they are trying to set you up for doubt and confusion.
upvoted 2 times
You can also use West US because ASP5 will be a separate App Service Plan for Linux OS. ASP1 is Windows OS, but it is a different
App Service Plan than ASP1. Therefore, all regions would work.
upvoted 1 times
They are emphasizing on OS. ASP5 is for Linux and they have given ASP with region and OS to confuse us.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#app-service-limits
upvoted 8 times
Selected Answer: A
This question is asking in which regional locations an APP service plan can be deployed. It tells you it will be a Linux Plan to throw you off
and make you wonder if it matters. Which it does not.
Then it asks what should you recommend to make you think you are supposed to choose. The fact is you can recommend any region.
An APP service plan can be deployed in any region and multiple APP service plans can be deployed in a region.
The Plan type you choose depends on the APPs you're going to deploy and whether the programming language can be run on Linux or
Windows.
https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 14 times
I also don't like the way I am pushed to prepare for this exam, studying these questions like I do. But complaining about it like some
people here do makes the whole effort even more pointless (if that's even possible)...
upvoted 1 times
How can you create a single ASP5 in multiple locations in the same time? surely it's West US since it's missing a Linux App service plan!!
upvoted 1 times
Selected Answer: A
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 26 times
Selected Answer: B
B is correct
upvoted 2 times
B is the answer.
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
upvoted 2 times
Selected Answer: B
A Desired State Configuration (DSC) extension is a way to configure virtual machines in Azure using PowerShell DSC. You can use a DSC
extension to automate the installation of NGINX on the virtual machines in your scale set as part of the deployment process. This will
ensure that NGINX is available on all virtual machines after they are deployed, and it will also help you maintain consistency in your
configuration. To use a DSC extension, you would include the configuration in your Azure Resource Manager template and specify the
extension in the deployment process.
upvoted 1 times
Selected Answer: B
Correct Answer: B
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx
webserver.
az vm extension set \
--resource-group myResourceGroup \
--vm-name myVM --name customScript \
--publisher Microsoft.Azure.Extensions \
--settings '{"commandToExecute": "apt-get install -y nginx"}'
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
In Azure Cloud Shell, you need to create a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the command? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-6.6.0
Box 2: -ResourceGroupName RG1. It’s one of parameters of New-AzResourceGroupDeployment to specify to which resource group you
want to deploy resources.
You could use New-AzVm to create a VM, but it doesn’t use a template. You would need to provide all parameters in the command line.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azvm?view=azps-7.0.0
upvoted 70 times
1. New-AzResourceGroupDeployment
2. -ResourceGroupName RG1
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment
upvoted 9 times
husam421 2 years ago
New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup -TemplateFile
New-AzResourceGroupDeployment `
-Name ExampleDeployment `
-ResourceGroupName RG1 `
-TemplateFile
Answer is correct
upvoted 3 times
https://docs.microsoft.com/ko-kr/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-0.10.0
upvoted 3 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
Answer: NO
Src: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 40 times
Selected Answer: B
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#deployments-and-yaml-manifests
Deployments are typically created and managed with kubectl create or kubectl apply. Create a deployment by defining a manifest file in
the YAML format.
upvoted 1 times
az aks is a command-line interface (CLI) tool provided by Microsoft Azure to manage and deploy Kubernetes clusters on Azure, while
kubectl is the command-line tool for interacting with a Kubernetes cluster.
The main difference between the two is the scope of their functionality:
- az aks is focused on provisioning and managing AKS clusters, including creating and scaling the cluster, managing authentication and
network configurations, and upgrading the cluster.
- kubectl is focused on interacting with and managing the components running within a Kubernetes cluster, such as deploying and
managing applications, inspecting cluster state, and troubleshooting issues.
Both tools can be used together to effectively manage an AKS cluster, with az aks being used for cluster-level tasks and kubectl for
workload-level tasks.
upvoted 4 times
Selected Answer: B
Answer: NO
upvoted 1 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to
VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
A. Yes
B. No
Correct Answer: B
You must install the Microsoft Monitoring Agent on VM1, and not the Microsoft Monitoring Agent VM extension.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
Correct Answer:
You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 134 times
Microsoft Monitoring Agent (MMA) mentioned in the question is different from Azure Monitoring Agent (AMA), the latest agent. Azure
Monitor Agent replaces the Azure Monitor legacy monitoring agents.
MMA is referred to Log Analytics Agent during its installation setup and agent connectivity verification to Azure Monitor. Refer to below
link
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard
See: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal
upvoted 6 times
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#virtual-machine-extensions
upvoted 2 times
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
upvoted 1 times
Again, Microsoft should remove such LEGACY questions because MMA is being deprecated and replaced by AMA (Azure Monitor Agent).
upvoted 2 times
Not sure who to blame here. ET for an old question with old terminology or MS for wording the question so poorly.
upvoted 2 times
Selected Answer: B
Note that the Monitoring extension is for *LINUX*, not for Windows.
I hope this question is replaced with a new one, as Azure Monitor Agent should replace the previous Microsoft Monitoring Agent, and then
it would be this extension:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal#virtual-machine-extension-details
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 2 times
https://docs.microsoft.com/en-us/services-hub/health/mma-setup
upvoted 1 times
Selected Answer: B
B. No
upvoted 1 times
Selected Answer: B
B. No correct
upvoted 1 times
Selected Answer: B
Latest reading of this relates option B to 'Microsoft Monitoring Agent VM extension' which is wrong. So B is the correct answer
upvoted 1 times
Question #71 Topic 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Azure Monitor and specify the Log Analytics workspace as the source.
A. Yes
B. No
Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically
run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on-premises. It collects data into a Log Analytics workspace.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 76 times
Log Analytics
upvoted 1 times
Correct Solution:
-Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on
VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Incorrect Solutions:
-Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent
on VM1. You create an alert in Azure Monitor and specify the storage account as the source.
-Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source.
upvoted 2 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
A. Yes
upvoted 2 times
Selected Answer: A
A. Yes
upvoted 2 times
Selected Answer: A
A - Yes is correct
upvoted 2 times
So it should be B right ? Or does Microsoft considers that adding an extension is the same as installing the agent ? They shouldn't since
they clearly differentiate between this question and the previous one.
upvoted 2 times
Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This
question is important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you
know that the extension needs to be installed first before it appears
Answer is correct
upvoted 1 times
Question #72 Topic 4
You have an Azure subscription that contains the resources shown in the following table.
On VM1, you back up a folder named Folder1 as shown in the following exhibit.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server
Microsoft Azure Recovery Services Agent also known as MARS or Azure Backup Agent can be used to restore data for entire volume or just
individual folders and files.
reference:
https://learn.microsoft.com/en-us/azure/backup/restore-all-files-volume-mars
upvoted 12 times
B is the answer.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-about-mars#recovery-scenarios
upvoted 2 times
Selected Answer: B
Selected Answer: B
Selected Answer: C
Nope, I think it's C because there is no indication that VM1 is already backing up to the vault. What we see here is the local Windows Server
backup features.
upvoted 1 times
Selected Answer: B
Selected Answer: B
correct ans: B
upvoted 1 times
WISSYWISE 1 year, 5 months ago
The answer is correct:B
upvoted 1 times
HOTSPOT -
You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks.
How should you complete the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Is correct: https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 41 times
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#syntax
Add the copy element to the resources section of your template to set the number of items for a property. The copy element has the
following general format:
- The count property specifies the number of iterations you want for the property
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#property-iteration
Use the length function on the array to specify the count for iterations, and copyIndex to retrieve the current index in the array.
upvoted 10 times
By adding the copy loop to the resource section of your template, you can dynamically set the number of resources to be deployed. In
addition, you avoid the repetition of template syntax.
The copy loop can also be used with properties, variables and output.
Add the copy element to the resources section of your template to deploy multiple instances of the resource. The
copy element has the following general format:
"copy": {
  "name": "<name-of-loop>",
  "count": <number-of-iterations>,
  "mode": "serial" <or> "parallel",
  "batchSize": <number-to-deploy-serially>
}
The copyIndex() function returns the current iteration of the loop. copyIndex() is zero-based.
By default, Resource Manager creates the resources simultaneously. There is no limit to the number of resources provided in parallel,
except for limiting the total number to 800 resources in the template. The order in which they are created is not guaranteed.
upvoted 6 times
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface
named NIC1.
You need to create a new network interface named NIC2 for VM1.
A. Yes
B. No
Correct Answer: A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.
Each NIC attached to a VM must exist in the same location and subscription as the VM.
Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.
Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 21 times
"Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that
exists in the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created. You
can't change the virtual network. Each NIC attached to a VM is assigned a MAC address that doesn't change until the VM is deleted."
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview#network-interfaces
upvoted 11 times
The goal is to create a new network interface named NIC2 for VM1. According to the given information, VM1 is located in West US and
connects to VNET2 using NIC1. To meet the goal, NIC2 should also be created in the same region as VM1, which is West US. However, the
solution states that NIC2 should be created in RG1, which is located in East US. Therefore, the solution does not meet the goal.
upvoted 2 times
The resource group the NIC is created in does not matter. What matters is the region the NIC is connected to. NIC's attached to VM's must
be located in the same region as the VNET/Subnet it is connected to. The NIC must also be created in the same subscription.
VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.
Each NIC attached to a VM must exist in the same Region and belong to the same subscription as the VM.
Each NIC must be connected to a VNet that exists in the same Azure Region and belong to the same Subscription as the NIC.
upvoted 4 times
The resource group the NIC is created in does not matter. What matters is the region the NIC is connected to. NIC's attached to VM's must
be located in the same region as the VNET/Subnet it is connected to. The NIC must also be created in the same subscription.
VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.
Each NIC attached to a VM must exist in the same Region and belong to the same subscription as the VM.
Each NIC must be connected to a VNet that exists in the same Azure Region and belong to the same Subscription as the NIC.
upvoted 1 times
A is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 1 times
Selected Answer: A
Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 2 times
Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 1 times
Correct Answer: A
upvoted 1 times
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#:~:text=Before%20creating%20a%20network%20interface%2C%20you%20must%20have%20an%20existing%20virtual%20network%20in%20the%20same%20location%20and%20subscription%20you%20create%20a%20network%20interface%20in
upvoted 2 times
Question #75 Topic 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface
named NIC1.
You need to create a new network interface named NIC2 for VM1.
A. Yes
B. No
Correct Answer: B
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 5 times
Selected Answer: B
B is the answer.
A is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 2 times
Selected Answer: B
Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 3 times
VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.
Each NIC attached to a VM must exist in the same location and subscription as the VM.
Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.
Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 4 times
Correct Answer: B
upvoted 2 times
Selected Answer: B
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#:~:text=Before%20creating%20a%20network%20interface%2C%20you%20must%20have%20an%20existing%20virtual%20network%20in%20the%20same%20location%20and%20subscription%20you%20create%20a%20network%20interface%20in
upvoted 2 times
Question #76 Topic 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface
named NIC1.
You need to create a new network interface named NIC2 for VM1.
A. Yes
B. No
Correct Answer: A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Selected Answer: A
Correct Answer: A
Resource Group doesn't matter in this question, as long as the NIC is in the same location as the VNET & VM
upvoted 24 times
Selected Answer: A
A is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 3 times
Selected Answer: A
Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 1 times
VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.
Each NIC attached to a VM must exist in the same location and subscription as the VM.
Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.
Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 3 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Question #77 Topic 4
You develop the following Azure Resource Manager (ARM) template to create a resource group and deploy an Azure Storage account to the
resource group.
A. New-AzResource
B. New-AzResourceGroupDeployment
C. New-AzTenantDeployment
D. New-AzDeployment
Correct Answer: B
Deployment scope.
You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment,
Incorrect:
Not D: To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet.
Not A: The New-AzResource cmdlet creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a
resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell
Selected Answer: D
D is correct here.
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-8.3.0
upvoted 7 times
Selected Answer: D
New-AzResource -
creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a resource group.
Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresource
New-AzResourceGroupDeployment -
adds a deployment to an existing resource group.
Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment
New-AzDeployment -
The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment
requires.
Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment
Selected Answer: D
Correct answer is D.
The arm template is creating a resource group. So the scope of deployment must be subscription level
upvoted 1 times
Seems B is correct
upvoted 1 times
We are creating RG
Use New-AzDeployment for deploying resources at the subscription level.
Use New-AzResourceGroupDeployment for deploying resources within a specific resource group.
upvoted 1 times
Selected Answer: D
Answer is D: New-AzDeployment which is an alias to New-AzSubscriptionDeployment, the ARM template is creating a RG and a storage
account, so it should be at subscription level.
Take a look at this example & check the templateFile that's being used.
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-resource-manager/templates/deploy-to-subscription.md#powershell
To people who are saying it should be B: New-AzResourceGroup, this cmdlet takes a param -ResourceGroupName of the resource group,
what RG will you pass there? the one you are creating??? this one is for creating resources under that RG provided via the param
ResourceGroupName
upvoted 2 times
check links
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-10.4.1
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.4.1
upvoted 1 times
Selected Answer: D
To add resources to a resource group, use the New-AzResourceGroupDeployment which creates a deployment at a resource group. The
New-AzDeployment cmdlet creates a deployment at the current subscription scope, which deploys subscription level resources.
Selected Answer: B
New-AzResourceGroupDeployment
upvoted 1 times
Selected Answer: D
The question says "to create a resource group and deploy an Azure Storage account to the resource group"
You can create a resource group inside a Subscription, hence you need to use the cmdlet that deploys to a Subscription. The correct options
are:
use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment
upvoted 1 times
The example JSON at the bottom of this page creates a resource group and storage account.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-resource-group?tabs=azure-cli
upvoted 1 times
Incorrect:
Not C: To deploy to a tenant, use New-AzTenantDeployment.
Not D: To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet.
Not A: The New-AzResource cmdlet creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a
resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell
upvoted 1 times
To deploy an Azure Resource Manager (ARM) template, you can use the New-AzResourceGroupDeployment cmdlet in Azure PowerShell.
This cmdlet allows you to deploy a template to a resource group.
upvoted 2 times
Question #78 Topic 4
HOTSPOT -
You have an Azure App Service app named WebApp1 that contains two folders named Folder1 and Folder2.
You need to configure a daily backup of WebApp1. The solution must ensure that Folder2 is excluded from the backup.
What should you create first, and what should you use to exclude Folder2? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
App Service can back up the following information to an Azure storage account and container that you have configured your app to use.
App configuration -
File content -
Note: Choose your backup destination by selecting a Storage Account and Container. The storage account must belong to the same
subscription as the app you want to back up. If you wish, you can create a new storage account or a new container in the respective pages.
Box 2: A _backup.filter file -
Suppose you have an app that contains log files and static images that have been backed up once and are not going to change. In such cases, you
can exclude those folders and files from being stored in your future backups. To exclude files and folders from your backups, create a
_backup.filter file in the \wwwroot folder of your app. Specify the list of files and folders you want to exclude in this file.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-backup
You need a Backup vault if you want to backup Azure Disks, Azure Blobs or Azure Database for PostgreSQL Server.
The question asks about an App Service, this one backs up to a storage account.
upvoted 87 times
You need a Recovery service vault if you want to backup VMs, File Shares, SAP HANA in a VM or SQL Server in a VM.
The question asks about an App Service, this one backs up to a storage account.
upvoted 25 times
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#create-a-custom-backup
In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container.
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#configure-partial-backups
Partial backups are supported for custom backups (not for automatic backups). Sometimes you don't want to back up everything on your
app.
To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of
your app. Specify the list of files and folders you want to exclude in this file.
upvoted 17 times
1. In your app management page in the Azure portal, in the left menu, select Backups.
4. To back up the linked database(s), select Next: Advanced > Include database, and select the database(s) to back up.
Partial backups are supported for custom backups (not for automatic backups).
To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of
your app. Specify the list of files and folders you want to exclude in this file.
Reference:
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 10 times
https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#:~:text=Create%20a%20file,is%20(not%20deleted).
upvoted 3 times
https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#create-a-custom-backup
https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#configure-partial-backups
upvoted 2 times
"To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of
your app. Specify the list of files and folders you want to exclude in this file."
https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 5 times
Question #79 Topic 4
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: C
Use Azure Resource Manager templates to install applications into virtual machine scale sets with the Custom Script Extension.
Note: The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration,
To see the Custom Script Extension in action, create a scale set that installs the NGINX web server and outputs the hostname of the scale set
VM instance.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
There are several versions of this question in the exam. The question has two correct answers:
1. A Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 51 times
Azure VM extensions can be managed by using the Azure CLI, PowerShell, Azure Resource Manager (ARM) templates, and the Azure
portal.
From the Extensions + Applications for the VM, on the Extensions tab, select + Add.
Locate the Custom Script Extension option. Select the extension option, then select Next
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview
upvoted 2 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 3 times
Selected Answer: C
There are several versions of this question in the exam. The question has two correct answers:
1. A Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 3 times
Asymptote 1 year, 3 months ago
Selected Answer: C
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub
Reference:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
Selected Answer: C
Correct Answer
upvoted 1 times
Selected Answer: C
C for sure
upvoted 1 times
Selected Answer: C
Correct Answer: C
upvoted 2 times
Correct Answer: C
upvoted 2 times
Correct Answer: C
upvoted 1 times
Selected Answer: C
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#:~:text=This%20extension%20is%20useful%20for%20post%2Ddeployment%20configuration%2C%20software%20installation%2C%20or%20any%20other%20configuration%20or%20management%20task.
upvoted 2 times
Question #80 Topic 4
HOTSPOT -
You have an Azure subscription. The subscription contains a virtual machine that runs Windows 10.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: "Microsoft.Compute/VirtualMachines/extensions",
The following JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain join
extension.
Parameters are used that you specify at deployment time. When the extension is deployed, the VM is joined to the specified managed domain.
Box 2: "ProtectedSettings":{
Example:
{
  "apiVersion": "2015-06-15",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(parameters('dnsLabelPrefix'),'/joindomain')]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', parameters('dnsLabelPrefix'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "Name": "[parameters('domainToJoin')]",
      "OUPath": "[parameters('ouPath')]",
      "Restart": "true",
      "Options": "[parameters('domainJoinOptions')]"
    },
    "protectedSettings": {
      "Password": "[parameters('domainPassword')]"
    }
  }
}
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template
Answer is correct.
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template
upvoted 34 times
Correct Answer:
box1: Microsoft.Compute/virtualMachines/extensions
box2: protectedSettings
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
upvoted 13 times
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
The following JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain
join extension.
upvoted 4 times
box1: Microsoft.Compute/virtualMachines/extensions
box2: protectedSettings
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
upvoted 2 times
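Why Box 2 matters in practice: an extension's settings block is stored and returned in clear text, while protectedSettings is encrypted and only decrypted on the VM. The Python check below is an added example, not code from the original page or from Microsoft's documentation; it flags extension resources that place credential-like keys in settings or feed protectedSettings from a literal or a non-secure parameter. The key-name pattern, the finding labels and the sample templates are assumptions constructed for illustration.

```python
import copy
import re

# Assumed heuristic: key names that usually hold credentials.
SENSITIVE_KEY = re.compile(r"password|passphrase|secret|token|key$", re.I)
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)", re.I)
SECURE_TYPES = {"securestring", "secureobject"}
EXTENSION_TYPES = {"microsoft.compute/virtualmachines/extensions", "extensions"}


def _walk(node, path):
    """Yield (dotted_path, key, value) for every key in nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def _extensions(resources):
    """Yield extension resources, including ones nested under a VM resource."""
    for res in resources:
        if res.get("type", "").lower() in EXTENSION_TYPES:
            yield res
        yield from _extensions(res.get("resources", []))


def audit_extension_secrets(template):
    """Return (resource name, finding, location) tuples for one ARM template."""
    params = {k.lower(): v for k, v in template.get("parameters", {}).items()}
    findings = []
    for res in _extensions(template.get("resources", [])):
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        # settings is not encrypted: no credential-like key belongs there.
        for path, key, _ in _walk(props.get("settings", {}), "settings"):
            if SENSITIVE_KEY.search(key):
                findings.append((name, "secret-in-settings", path))
        # protectedSettings is encrypted, but the value is still exposed earlier
        # if it is hard-coded or passed through a plain (non-secure) parameter.
        protected = props.get("protectedSettings", {})
        for path, _, value in _walk(protected, "protectedSettings"):
            if not isinstance(value, str):
                continue
            if not value.startswith("["):
                findings.append((name, "literal-secret", path))
                continue
            for ref in PARAM_REF.findall(value):
                ptype = params.get(ref.lower(), {}).get("type", "").lower()
                if ptype not in SECURE_TYPES:
                    findings.append((name, "plain-parameter", f"{path} <- {ref}"))
    return findings


# Constructed sample, modelled on the domain-join extension quoted above.
HARDENED = {
    "parameters": {
        "domainToJoin": {"type": "string"},
        "domainPassword": {"type": "securestring"},
    },
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "vm1/joindomain",
        "properties": {
            "publisher": "Microsoft.Compute",
            "type": "JsonADDomainExtension",
            "settings": {"Name": "[parameters('domainToJoin')]", "Restart": "true"},
            "protectedSettings": {"Password": "[parameters('domainPassword')]"},
        },
    }],
}

# Weak variant 1 (constructed): the password sits in the unencrypted settings block.
WEAK_SETTINGS = copy.deepcopy(HARDENED)
_props = WEAK_SETTINGS["resources"][0]["properties"]
_props["settings"]["Password"] = _props.pop("protectedSettings")["Password"]

# Weak variant 2 (constructed): right block, but fed by a plain string parameter.
WEAK_PARAM = copy.deepcopy(HARDENED)
WEAK_PARAM["parameters"]["domainPassword"]["type"] = "string"

if __name__ == "__main__":
    samples = [("hardened", HARDENED), ("settings", WEAK_SETTINGS), ("param", WEAK_PARAM)]
    for label, tpl in samples:
        print(label, audit_extension_secrets(tpl))
```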
Question #82 Topic 4
HOTSPOT
You are creating an Azure Kubernetes Services (AKS) cluster as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Correct Answer:
Ref: https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli
https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli#create-an-aks-cluster
To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure
CNI (advanced) network plugin.
https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli
The AKS to ACR integration assigns the AcrPull role to the Azure Active Directory (Azure AD) managed identity associated with your AKS
cluster.
upvoted 17 times
"To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure
CNI (advanced) network plugin."
Above diagram uses Kubenet Network configuration - That needs to be modified to Azure CNI. Hence first box answer is "modify the
network configuration setting"
To use Windows Server node pools, you must use Azure CNI. The use of kubenet as the network model is not available for Windows Server
containers.
Also, Windows Containers need their own Node pool as default AKS configuration is for Linux containers. There is a possibility of "increase
the number of node pools" as well - as current node pool count is 1. However, first step would be to fix Network configuration.
upvoted 7 times
https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli
upvoted 7 times
Question #83 Topic 4
HOTSPOT
You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named Cluster1. Cluster1 hosts a node pool named
You need to perform a coordinated upgrade of Cluster1. The solution must meet the following requirements:
• Minimize costs.
How should you complete the command? To answer, select the appropriate options in the answer area.
Correct Answer:
Answer is WRONG.
https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest
We want to edit an existing node pool, so we cannot use "add":
"Add a node pool to the managed Kubernetes cluster."
We want to set it up to use more nodes during an update, so this one is right:
--max-surge
"Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%."
upvoted 46 times
Based on document, it is
Box 1: Update
Box 2: --max-surge
I'm very new here, and I could be wrong. Here is the link. Please verify and don't take my word for it.
https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli
upvoted 23 times
https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade
This is what I would use to deploy two new nodes in the cluster, which is the first requirement.
Then I would run az aks upgrade --resource-group RG1 --name cluster1 --kubernetes-version XX to actually upgrade the cluster.
I can't test this unfortunately but it makes the most sense to me.
upvoted 3 times
aks: This part of the command is specific to the Azure Kubernetes Service (AKS) features.
nodepool update: This is the action being performed, which is updating the properties of an AKS node pool.
-n pool1: Specifies the name of the node pool (pool1) that you want to update. Replace pool1 with the actual name of your node pool.
-g rg1: Specifies the resource group (rg1) where your AKS cluster is located. Replace rg1 with the actual name of your resource group.
--cluster-name cluster1: Specifies the name of the AKS cluster (cluster1) to which the node pool belongs. Replace cluster1 with the actual
name of your AKS cluster.
--max-surge=2: Specifies the maximum number of nodes that can be added to the node pool at the same time during an upgrade. In this
example, it sets the maximum surge to 2. Replace 2 with the desired value.
This command allows you to update various properties of an AKS node pool, and in this case, it specifically sets the maximum surge
during an upgrade. The "max surge" is relevant when you perform a node pool upgrade, allowing you to control the number of additional
nodes that can be added at once during the upgrade process.
upvoted 2 times
Box 2: --max-surge 2
Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%.
Incorrect:
* --max-count 2
Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [0, 1000]
for user nodepool, and [1,1000] for system nodepool.
* --max-pods -m
The maximum number of pods deployable to a node.
* --node-count -c
Number of nodes in the Kubernetes agent pool. After creating a cluster, you can change the size of its node pool with az aks scale.
default value: 3
Reference:
https://learn.microsoft.com/en-us/cli/azure/aks/nodepool
upvoted 1 times
I don't believe it's scale since this is referring to low resource as per below;
https://learn.microsoft.com/en-us/azure/aks/scale-cluster?tabs=azure-cli
And the question doesn't mention the need for a new pool, since we need to minimise costs and use existing pool to do so, I'd have to
presume to use existing so;
1: Update
2: Max surge
See:
https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli#upgrade-an-aks-cluster
upvoted 3 times
https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/aks/scale-cluster?tabs=azure-cli
upvoted 1 times
1.Scale
2.Node count
upvoted 3 times
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Y: The 4 resources created are the RG1 resource group + the 3 storage accounts
N: the location of the storage accounts is defined by the parameter "location" in the "resources" item that has the value of the Resource
Group (stated by the "resourceGroup().location" function that returns the location of the resource group RG1 which is in Central US)
Y: the names of the storages account have the prefix given by the copyIndex() function in "name": "
[concat(copyIndex(),'storage',uniqueString(resourceGroup().id))]", which starts at the position 0
upvoted 58 times
The commands will create four new resources - NO. A Resource Group is not a resource, so it will only create 3 storage accounts as
resources.
The commands will create storage accounts in the West US Azure region - NO. Note the "location": "[resourceGroup().location]". This will
set the location to the location of the resource group, which is Central US.
"The first storage account that is created will have a prefix of 0": YES. As the name is concatenated starting with the copyIndex(), that is true.
upvoted 6 times
resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual
networks are examples of resources. Resource groups, subscriptions, management groups, and tags are also examples of resources.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 1 times
Y,N,Y
upvoted 2 times
zellck 1 year ago
YNY is the answer.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources#resource-iteration
Notice that the name of each resource includes the copyIndex() function, which returns the current iteration in the loop. copyIndex() is
zero-based.
upvoted 3 times
Combining your answer with Alex's answer will give you the correct responses then :D
upvoted 1 times
Question #85 Topic 4
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: A
Selected Answer: A
A is the answer.
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 5 times
Selected Answer: A
Funny enough, in the first part of the set, the answer often was DSC for similar questions. Makes you wonder.
upvoted 1 times
Selected Answer: A
We can publish a DSC configuration with that one - but what is missing here is assigning the DSC configuration to the VMs. So I think A is
still the more complete solution.
upvoted 1 times
Selected Answer: A
A is correct, a Custom Script extension can be used to install custom resources after a deployment.
upvoted 2 times
Question #86 Topic 4
HOTSPOT
You have an Azure subscription that contains a resource group named RG1.
You plan to use an Azure Resource Manager (ARM) template named template1 to deploy resources. The solution must meet the following
requirements:
• Remove all the existing resources from RG1 before deploying the new resources.
How should you complete the command? To answer, select the appropriate options in the answer area.
Correct Answer:
correct answer
-Mode
Specifies the deployment mode. The acceptable values for this parameter are:
Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template.
Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified
in the template.
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.2.0
Passed today on 29Jan23 with a score of 970. This question was in the exam.
The provided answer is correct. "-ResourceGroupName" and "Complete".
upvoted 21 times
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.3.0#-resourcegroupname
Specifies the name of the resource group to deploy.
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.3.0#-mode
Specifies the deployment mode. The acceptable values for this parameter are:
- Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template.
- Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified
in the template.
upvoted 13 times
HOTSPOT
You configure the autoscale rule criteria as shown in the following exhibit.
Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.
2, 15
Initial instance is 1 as specified in first figure.
80% for 15 minutes reaches 10 minutes duration, but haven't reached second turn of scale out, so only one new instance is created.
Since cool down time is 5 minutes, which means after one scale happens, it will count 5 minutes before counting a new 10 minutes, so 15
minutes total.
upvoted 77 times
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings#autoscale-setting-schema
Cool down (minutes)
- The amount of time to wait after a scale operation before scaling again. For example, if cooldown = “PT10M”, autoscale doesn't
attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of
instances.
upvoted 4 times
I don't know why but it seems that the majority of people commenting here don't know exactly how autoscaling works. So let me explain a few
things. Duration value is only used for data range - how much data the autoscaling system has to aggregate to determine if the rule applies or
not. Cooldown - how much time has to pass before the next autoscale operation can trigger. So once you start your app the first autoscale may
happen not earlier than after the duration value (because you need a specific data range). Each next one will happen every cooldown value. So:
- first scale out will happen after 10 minutes (duration value)
- next scale out will happen after 15 minutes (+5 minutes of cooldown)
Therefore answer for first question is 3 instances
Second one is simpler. Scaling operation just happened. So next scaling may happen after cooldown time which is 5 minutes.
upvoted 43 times
First answer is 3 . After 10 mins, first scale out happens (+1), then after 5 mins of cooling the system checks if last 10 mins usage was
above threshold, then 2nd scale out (+1). So total, 3 instances after 15 mins.
2. 5 , cooling period is 5 mins, so after first scale out, wait for 5 mins and then check again the usage.
upvoted 1 times
"The cooldown period for each rule dictates how long after the previous scale action (whatever rule [..] was [triggered]), the rule can be
applied [again]."
Source: https://github.com/MicrosoftDocs/azure-docs/issues/17169
The first question is a bit theoretical: it makes it appear that the load stays constant at 80% for 15 minutes - which would mean that after
the second instance is created after 10 minutes, demand increases accordingly so that even then 80% load is maintained, with no load
decrease.
Anyway, were that to happen, then after another 5 minutes of cooling down, the rule would be allowed to be triggered again, after 15
minutes in total - to create a third instance.
upvoted 5 times
Question 1 - Some folks have done a good job of explaining but people still misunderstand cooldowns so I will try one more time, maybe a
little differently.
In our case the rule requires a straight 10 minutes of data aggregation above 70 to add another node.
This does NOT mean that its additive in increments 10, 20, 30, 40, 50 and it scales out at each 10 minute interval.
And it definitely does NOT mean 10+5 = 15.
The 10 minutes is a SLIDING window based on the interval and the Cooldown
Example
|____over_70______| 10 minutes went by over 70 -- Scale up 1
|____over_70______|__STill_Over_70____| Cooldown of 5 went by and it was STILL above 70 so it scaled again.
AKA in 15 minutes it scaled 2 times because it never dropped below 70 to reset the 10 minute aggregation need.
upvoted 2 times
cooldown: The amount of time to wait after a scale operation before scaling again. For example, if cooldown = "PT10M", autoscale doesn't
attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances.
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings
So, if cooldown = 5 min and Duration = 10 min, after one scale (say at 10:15 AM), it will wait 5 min (10:20 AM) but it will look back 10 min
which means it will look from 10:10 AM to 10:20 AM.
upvoted 4 times
cooldown: The amount of time to wait after a scale operation before scaling again. For example, if cooldown = "PT10M", autoscale doesn't
attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances.
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings
So, if cooldown = 5 min and Duration = 10 min, after one scale (say at 10:15 AM), it will wait 5 min (10:20 PM) but it will look back 10 min
which means it will look for 10:10 AM to 10:20 AM.
upvoted 2 times
Box1 : 2
Box2 : 5
Please correct me if I am wrong.
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started#cool-down-period-effects
upvoted 1 times
Duration. The amount of time to look back for metrics. For example, timeWindow = "PT10M" means that every time autoscale runs, it
queries metrics for the past 10 minutes. The time window allows your metrics to be normalized and avoids reacting to transient spikes.
Cool down (minutes). The amount of time to wait after a scale operation before scaling again. For example, if cooldown = "PT10M",
autoscale doesn't attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or
removal of instances.
Explanation:
Let's say that the process starts at 00:00
a) At 00:10 we have enough metrics so an evaluation is performed.
Average is above 70% so increase instance by 1. Now we have 2 instances
b) Cool down is 5 minutes, so next evaluation is AT 00:15 and it checks the metrics from 00:05-00:15. Average is above 70% so increase
instance by 1. Now we have 3 instances
c) Cool down is 5 minutes, so next evaluation is AT 00:20 and it checks the metrics from 00:10-00:20 and so on.....
I was very confused from all the comments so I checked this in my LAB. The only difference is that I used a cool down of 2 minutes. I
generated traffic using apache benchmark tool (https://www.apachelounge.com/download/). After the first scale out, every 2 minutes
another scale-out would happen.
What would happen if the condition is evaluated every 1 minute? it will wait for cooldown before scaling even if the condition is met
So if cooldown is 5 minutes and the evaluation is 10, when it's checking the condition the cooldown is over, so it will scale
I use a lot of AppServices with auto scaling and that's how it works, as a real example I could say that in one AppService it scales every 5
mins when there's load, the condition is checked every minute and the cooldown is 5 minutes, if people that thinks that is time + cooldown
it would be 6 mins, but it's not
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started?toc=%2Fazure%2Fapp-service%2Ftoc.json#cool-down-period-effects
upvoted 3 times
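The evaluation timeline described in the comment above (first evaluation once a full Duration window exists, later ones gated by Cool down), written as an added Python example. It is not part of the thread and not Azure's autoscale engine; the one-minute evaluation interval, the instance limit of 10 and the sample loads are assumptions.

```python
"""Timeline model of a scale-out rule as the comment above describes it.

Constructed illustration, not Azure's autoscale engine. Assumptions:
the rule is evaluated once per minute and the load samples are made up.
"""
from statistics import mean


def simulate_scale_out(load, duration, cooldown, threshold,
                       start_instances, max_instances, step=1):
    """Return [(minute, instance_count)] for every scale-out that fires.

    load      -- per-minute metric samples in percent; load[i] covers minute i..i+1
    duration  -- look-back window in minutes (the rule's "Duration")
    cooldown  -- minutes to wait after a scale action ("Cool down")
    threshold -- scale out when the window average is strictly above this
    """
    instances = start_instances
    last_scale = None                      # minute of the most recent scale action
    events = []
    for now in range(1, len(load) + 1):    # evaluate at the end of each minute
        if now < duration:
            continue                       # window not filled yet: no decision possible
        if last_scale is not None and now - last_scale < cooldown:
            continue                       # cooldown still running
        window = load[now - duration:now]  # sliding look-back, not a fresh count
        if mean(window) <= threshold:
            continue                       # average too low, e.g. a short spike
        if instances >= max_instances:
            continue                       # instance limit reached
        instances = min(instances + step, max_instances)
        last_scale = now
        events.append((now, instances))
    return events


# Constructed sample loads (percent per minute).
SUSTAINED_15 = [80] * 15                       # 80% for 15 minutes, as in the question
DROPS_AFTER_10 = [80] * 10 + [20] * 10         # load falls right after the first scale-out
SHORT_SPIKE = [20] * 8 + [100] * 2 + [20] * 5  # two-minute spike inside a quiet period


def question_timeline():
    """Duration 10, cooldown 5, threshold 70, one initial instance (limit 10 assumed)."""
    return simulate_scale_out(SUSTAINED_15, duration=10, cooldown=5,
                              threshold=70, start_instances=1, max_instances=10)


if __name__ == "__main__":
    for label, load in [("sustained", SUSTAINED_15),
                        ("drops after 10 min", DROPS_AFTER_10),
                        ("short spike", SHORT_SPIKE)]:
        events = simulate_scale_out(load, duration=10, cooldown=5, threshold=70,
                                    start_instances=1, max_instances=10)
        print(f"{label:>20}: {events}")
```

Under this model the second scale-out needs no new 10-minute wait because the look-back window at minute 15 overlaps the previous one; it only fires if the average over minutes 5 to 15 is still above the threshold.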
You plan to deploy the Azure container instances shown in the following table.
A. Instance1 only
B. Instance2 only
Correct Answer: C
Selected Answer: D
Answer is D.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance. While we are working to bring all features to Windows containers, you can find current
platform differences in the service
upvoted 42 times
Selected Answer: D
Read the question carefully. The instances you are about to deploy will be deployed "in a Container Group", making it a multi-instance
container group. As per the article referred below, it's only available for Linux Containers for now:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance.
upvoted 6 times
Answer is D
upvoted 1 times
"Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance. While we are working to bring all features to Windows containers, you can find current
platform differences in the service Overview."
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
upvoted 4 times
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview#linux-and-windows-containers
upvoted 3 times
Selected Answer: D
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance. While we are working to bring all features to Windows containers, you can find current
platform differences in the service
upvoted 3 times
Selected Answer: D
D is the answer.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups#what-is-a-container-group
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance.
upvoted 4 times
Selected Answer: D
Since the question states "... deploy to a container group?" I'd also go for D here
upvoted 2 times
Selected Answer: D
Correct answer: D
upvoted 3 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: A
Key word 'NGINX' always will be '...extension'. It was in all of these questions.
upvoted 8 times
Selected Answer: A
This question has come up probably 30 times so far. It better be on my exam now lol
upvoted 2 times
A is the answer.
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 3 times
Selected Answer: A
Selected Answer: A
As per previous questions, look for the extension key in the answer
upvoted 3 times
Question #90 Topic 4
You have an Azure subscription that has the public IP addresses shown in the following table.
A. IP2 only
Correct Answer: D
Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
Azure Firewall
- Dynamic IPv4: No
- Static IPv4: Yes
- Dynamic IPv6: No
- Static IPv6: No
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall requires at least
one public static IP address to be configured. This IP or set of IPs are used as the external connection point to the firewall. Azure Firewall
supports standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported.
upvoted 46 times
Selected Answer: A
Azure Firewall supports the Standard SKU and static IPv4, but it is restricted to the Regional tier only.
In the lab when setting up Azure Firewall with the Premium tier, it defaults to the Regional tier.
As of now, there isn't a direct choice to toggle between Regional and Global tiers during the Azure Firewall's initial configuration.
If you initiate the creation of a public IPv4 using the Global tier and later try to link it with Azure Firewall, the process will be unsuccessful.
This is attributed to Azure Firewall's exclusive compatibility with the Regional tier, excluding the Global tier.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
-Azure Firewall requires at least one public static IP address to be configured. This IP or set of IPs is the external connection point to the
firewall.
-Azure Firewall supports Standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
-Azure Firewall doesn't currently support IPv6. It can operate in a dual stack virtual network using only IPv4, but the firewall subnet must
be IPv4-only
upvoted 3 times
Selected Answer: B
"Azure Firewall supports Standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported."
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
upvoted 1 times
Azure Firewall doesn't currently support IPv6. It can operate in a dual stack VNet using only IPv4, but the firewall subnet must be IPv4-
only.
upvoted 4 times
The Standard SKU public IP address is assigned to a specific region and can be used for Azure Firewall instances deployed within that
region only.
The Global SKU public IP address, as the name suggests, is a globally unique IP address that can be used for Azure Firewall instances
deployed in any region around the world.
In general, if you plan to deploy Azure Firewall instances in multiple regions, it is recommended to use the Global SKU. However, if you
only plan to deploy Azure Firewall instances in a single region, the Standard SKU may be more cost-effective.
upvoted 2 times
B = C - IPv6
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
upvoted 2 times
Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
upvoted 3 times
Selected Answer: B
Just to change the most voted answer which now shows as C. r3nenge explains why B is the answer.
upvoted 4 times
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
upvoted 3 times
Question #91 Topic 4
HOTSPOT
You need to deploy a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the template? To answer, select the appropriate options in the answer area.
Correct Answer:
crymo99 Highly Voted 9 months, 2 weeks ago
- dependsOn: resourceId
- storageProfile: ImageReference
ref: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
upvoted 30 times
The dependsOn property specifies the resources that must be created before the virtual machine can be created. In this case, the virtual
machine must depend on the network interface. The storageProfile property specifies the storage configuration for the virtual machine. In
this case, the virtual machine will use an image from the Microsoft Windows Server image gallery.
upvoted 8 times
HOTSPOT
You need to configure a new Azure App Service app named WebApp1. The solution must meet the following requirements:
Which pricing plan should you choose, and which type of record should you use to verify the domain? To answer, select the appropriate options in
Correct Answer:
WebApp1 must be able to verify a custom domain name of app.contoso.com. All paid tiers (Basic, Standard, Premium, Isolated) allow for
custom domains.
WebApp1 must be able to automatically scale up to eight instances. Auto-scaling is a feature that is available in the Standard, Premium,
and Isolated tiers. It is not available in the Basic tier, which allows you to manually scale up to 3 instances.
Costs and administrative effort must be minimized.
Pricing Plan: Given these requirements, the best option is the "Standard" tier. It offers both auto-scaling and custom domains, while being
less expensive than the Premium or Isolated tiers. The Basic tier does not support auto-scaling, and the Free and Shared tiers do not
support custom domains or auto-scaling.
For verifying a custom domain, Azure uses a CNAME or TXT record. The A record cannot be used for domain verification.
exam on 31/Jul/2023
upvoted 8 times
Ref: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Ref: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage
upvoted 3 times
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following table.
You create an Azure Compute Gallery named ComputeGallery1 as shown in the Azure Compute Gallery exhibit. (Click the Azure Compute Gallery
tab.)
In ComputeGallery1, you create a virtual machine image definition named Image1 as shown in the image definition exhibit. (Click the Image
Definition tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
So many people here are making assumptions without actually testing or validating them.
The answer is YYY - Tested in Lab. Neither the region, vCPU count, nor the VM generation had any impact on my ability to select a
particular VM OS disk as a source for an image version.
upvoted 18 times
To me that sounds as if the item on VM generation is purely descriptive, what has been used, not normative, what can or should be
used.
upvoted 1 times
NYY
image definition needs V1 generation, but vCPU and memory are only recommendations.
Text from Azure Portal while creating image definition: "These recommendations are informational only, and do not constrain VM
specification"
upvoted 7 times
Box 1 - NO: VM gen 2 is not directly supported for image definition with v1. Image & VM source regions don't match
Box 2 - YES: VM generations matches, along with image & VM source region
Box 3 - NO: VM generations matches, but image & VM source region doesn't
https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli#how-do-i-specify-the-source-region-while-creating-the-image-version
upvoted 3 times
VM1 has a different generation than the compute gallery. Using VMs of a different generation than the gallery can lead to compatibility
issues and may not be supported, as the underlying hardware and virtualization technology can vary between different VM generations.
VM2 matches the region and vm generation. While it's not strictly required to match the CPU recommendation, it's a best practice to use
an image source with CPU settings that align well with your workload. If you anticipate using VM instances with varying CPU capabilities,
consider testing the image source in different VM sizes to ensure it functions as expected. So in short words this isn't a deal breaker.
VM3 is in a different region and compute galleries are associated with the specific region you create them in. Cross-region operations or
using a VM from one region as an image source for a Compute Gallery in another region may not be directly supported and can lead to
complications in terms of data transfer and latency.
so Y or N ?
upvoted 2 times
You plan to create the Azure web apps shown in the following table.
What is the minimum number of App Service plans you should create for the web apps?
A. 1
B. 2
C. 3
D. 4
Correct Answer: B
Selected Answer: B
Selected Answer: B
https://learn.microsoft.com/en-us/azure/app-service/overview
Selected Answer: B
To determine the minimum number of App Service plans needed for the web apps, you should consider the runtime stack and
compatibility. Here are the considerations for each web app:
So, you need at least two App Service plans: one for WebApp1 and WebApp2 (shared since they both use .NET), and another for WebApp3
and WebApp4 (separate since they use different runtime stacks).
Selected Answer: D
ChatGPT
An App Service plan defines a set of compute resources for a web app to run. These compute resources are analogous to the server farm
in conventional web hosting. One or more apps can be configured to run on the same computing resources (or in the same App Service
plan).
In your case, you plan to create four Azure Web Apps with different runtime stacks: .NET 6 (LTS), ASP.NET v4.8, PHP 8.1, and Python 3.11.
Since each of these web apps uses a different runtime stack, you should create a minimum of four App Service plans, one for each web
app. This will ensure that each web app can run on the appropriate runtime stack.
upvoted 1 times
Question #95 Topic 4
HOTSPOT
You have an Azure subscription that contains the resource groups shown in the following table.
You create the following Azure Resource Manager (ARM) template named deploy.json.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription?tabs=azure-cli#deployment-location-and-name
upvoted 42 times
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.3.0#parameters
upvoted 4 times
WRONG!
Correct Answers:
1. No. Because of location parameters RGs will be created in west us region
2. Yes. Copy 4 in arm template
3. Yes. name: [concat('RG', copyIndex())] with count 4 will produce four RG: RG0, RG1,RG2,RG3 in west us region
upvoted 24 times
"For subscription level deployments, you must provide a location for the deployment. The location of the deployment is separate from
the location of the resources you deploy. The deployment location specifies where to store deployment data."
upvoted 7 times
2) No. RG1 and RG2 already exist and you can't have duplicate names for Resource Groups.
3) No. Template dictates the location of where the RG are being created.
upvoted 4 times
You have an Azure App Service app named App1 that contains two running instances.
For the Instance limits scale condition setting, you set Maximum to 5.
What is the maximum number of instances for App1 during the 30-minute period?
A. 2
B. 3
C. 4
D. 5
Correct Answer: A
Selected Answer: D
Memory usage continues to exceed 70%, but the cooldown is still in effect.
No further scaling during this time.
upvoted 3 times
Answer A is correct
upvoted 4 times
Selected Answer: B
2 instances then after 15min : 3 instances. After 5min cooldown start counting.
So correct answer : 3 instances
upvoted 40 times
Imagine if this was a real app and you get hit by a huge traffic surge, like your company releasing a new product. What this would do in
your method is scale up one instance every 20 minutes, so it might mean multiple hours of degraded performance while it catches up
to demand, while in reality, and in my explanation, it would kick in after 15 minutes and then keep scaling every 5 minutes, which is a
much faster and more reasonable solution.
upvoted 5 times
"The cooldown period for each rule dictates how long after the previous scale action (whatever rule initiated was), the rule can be
applied."
Source: https://github.com/MicrosoftDocs/azure-docs/issues/17169
upvoted 1 times
Selected Answer: D
Correct answer is D , there will be 5 instances. During every scale out, it will check if previous 15 mins have sustained usage of above 70%.
After 15 mins, first scale out (+1), then 20 mins (+1), 25 mins (+1), 30 mins (+1).
upvoted 2 times
Selected Answer: D
Selected Answer: D
After 15 mins - 2
20 mins - 3
25 mins - 4
30 mins- 5
upvoted 1 times
Selected Answer: B
ANSWER is B, 3 instances
upvoted 3 times
Selected Answer: D
Selected Answer: B
Minute 0-15:
Memory usage continues to exceed 70%, but the cooldown is still in effect.
No further scaling during this time.
upvoted 2 times
Selected Answer: D
Check https://www.youtube.com/watch?app=desktop&v=EbiID16PDuk if you are confused. John demonstrates how this works, the answer
in this case will be D.
upvoted 4 times
Selected Answer: D
Answer is D
upvoted 2 times
Selected Answer: B
Answer is B
upvoted 2 times
Selected Answer: D
https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-environment-auto-scale
The document provides the calculation method
upvoted 2 times
Question #97 Topic 4
HOTSPOT
You have an Azure subscription that contains the container images shown in the following table.
In which services can you run the images? To answer, select the options in the answer area.
Correct Answer:
Faust777 Highly Voted 4 months, 1 week ago
How the fuck "Azure Container Apps" isn't supported on windows WTF?
upvoted 17 times
Correct
- Azure Container Instances can schedule both Windows and Linux containers with the same API. You can specify your OS type preference
when you create your container groups.
Some features are currently restricted to Linux containers.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview
- Azure Container Apps supports: Any Linux-based x86-64 (linux/amd64) container image with no required base image; containers from
any public or private container registry; sidecar and init containers.
https://learn.microsoft.com/en-us/azure/container-apps/containers
- Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your
favorite language, be it .NET, .NET Core, Java, Node.js, PHP, and Python. Applications run and scale with ease on both Windows and
Linux-based environments.
https://learn.microsoft.com/en-us/azure/app-service/overview
upvoted 6 times
https://learn.microsoft.com/en-us/azure/container-apps/containers#:~:text=Azure%20Container%20Apps%20supports%3A
upvoted 1 times
Any Linux-based x86-64 (linux/amd64) container image with no required base image
Containers from any public or private container registry
Sidecar and init containers
https://learn.microsoft.com/en-us/azure/container-apps/containers
upvoted 4 times
Question #98 Topic 4
You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a
You have a user named user1@contoso.com that is assigned the Owner role for App1 and KV1.
A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.
C. Configure KV1 to use the role-based access control (RBAC) authorization system.
D. Create an access policy for KV1 and assign the policy to User1.
Correct Answer: A
https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
upvoted 3 times
You say that "the only way to get one for a service is a managed identity (system or user generated)." - Can you elaborate on that?
I have found these sources that say that as soon as you register a web app with Entra ID as authorization provider, the app also
receives a service principal:
- https://learn.microsoft.com/en-us/purview/create-service-principal-azure
- https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service
In this scenario, you have an Azure App Service web app (App1) and an Azure Key Vault (KV1) containing a wildcard certificate for
contoso.com. You want to configure App1 to use the wildcard certificate from KV1. To achieve this, you need to grant the necessary
permissions to App1.
Access to Key Vault secrets and certificates is managed using Azure AD-based authentication and authorization. The Microsoft Azure App
Service principal represents the App Service web app in Azure AD.
The correct approach is to create an access policy in KV1 that grants the necessary permissions to the Microsoft Azure App Service
principal associated with App1. By doing so, you allow App1 to access the certificate stored in KV1.
Once you've granted the necessary access to the App Service principal, the web app (App1) will be able to use the wildcard certificate from
KV1 for its secure connections.
upvoted 12 times
Selected Answer: B
Access can be done either using RBAC or Access Policy. In both cases the first Action is to configure a Managed User (or System) Identity to
App1 because by default Identities are disabled.
upvoted 1 times
Selected Answer: A
When an app is registered in Azure, a service principal is created for the app. Create an access policy in KV1 that grants the necessary
permissions to the service principal.
upvoted 2 times
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#buy-and-configure-an-app-service-certificate
upvoted 1 times
Selected Answer: A
A is the correct answer. Currently, App Service certificates support only Key Vault access policies, not the RBAC model, so you first need to
create a Vault access policy.
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal
upvoted 1 times
I have created an app service and a key vault that supports access policies. I then attempted to create an access policy but when I got
to select a Principal, my app1 was not in the list. I first had to create a managed identity on the app service plan, and only then I was
able to create an access policy and choose app1 as a principal.
Therefore, without a managed identity you are not able to create an access policy for app1.
upvoted 1 times
Selected Answer: A
Selected Answer: B
https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app
upvoted 1 times
In order to read secrets from a key vault, you need to have a vault created and give your app permission to access it.
Create a key vault by following the Key Vault quickstart.
Create a managed identity for your application.
Key vault references use the app's system-assigned identity by default, but you can specify a user-assigned identity.
Authorize read access to secrets in your key vault for the managed identity you created earlier. How you do it depends on the permissions
model of your key vault:
Azure role-based access control: Assign the Key Vault Secrets User role to the managed identity. For instructions, see Provide access to Key
Vault keys, certificates, and secrets with an Azure role-based access control.
Vault access policy: Assign the Get secrets permission to the managed identity. For instructions, see Assign a Key Vault access policy.
https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli
upvoted 1 times
IMHO should be B
upvoted 3 times
ChatGPT
"To configure App1 to use the wildcard certificate from KV1, you should perform the following steps:
Create an access policy for KV1: You need to create an access policy in the Azure Key Vault (KV1) that allows the Azure App Service (App1)
to access the certificate. Access policies define who can perform certain operations on key vault secrets, keys, and certificates. In this case,
you want to grant access to App1.
Assign the policy to the Microsoft Azure App Service principal: After creating the access policy, you should assign it to the Azure App
Service principal, not User1. This allows App1 to use the certificate stored in KV1.
A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.
Assigning a managed user identity to App1 (Option B) and configuring KV1 to use RBAC (Option C) are not directly related to granting
access to the certificate for App1. Option D is incorrect because you should assign the policy to the Azure App Service principal, not
User1."
upvoted 1 times
Question #99 Topic 4
You need to create a single Azure Resource Manager (ARM) template that will be used to deploy the resources.
A. VNET1
B. NIC1
C. IP1
D. NSG1
Correct Answer: B
Selected Answer: B
Therefore, the most direct and crucial dependency for VM1 among the listed resources is NIC1 (Option B). The NIC acts as the bridge
between the VM and the other network resources like the virtual network, public IP, and network security group. Hence, it's essential to
ensure that NIC1 is deployed before VM1.
https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-arm-template
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-templates-with-dependent-resources?tabs=CLI
upvoted 10 times
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency
upvoted 1 times
Selected Answer: A
should be VNET
once you choose you can't go back or have to re-create the vm
I mean you can't switch VNETs only subnets/ip addresses etc.
upvoted 1 times
Selected Answer: B
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/media/template-tutorial-create-templates-with-dependent-resources/resource-manager-template-dependent-resources-diagram.png
upvoted 2 times
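The dependency argument in this thread, worked through in code. This is an added example, not part of the exam material or of any comment; the template fragment is constructed, and its dependsOn edges are an assumption about how VM1, NIC1, VNET1, IP1 and NSG1 would be wired.

```python
import re
from graphlib import TopologicalSorter

# Constructed template fragment. Resource names come from the question; the
# dependsOn edges are an assumption about how such a template is wired.
TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "name": "VM1",
         "dependsOn": [
             "[resourceId('Microsoft.Network/networkInterfaces', 'NIC1')]"]},
        {"type": "Microsoft.Network/networkInterfaces", "name": "NIC1",
         "dependsOn": [
             "[resourceId('Microsoft.Network/virtualNetworks', 'VNET1')]",
             "[resourceId('Microsoft.Network/publicIPAddresses', 'IP1')]",
             "[resourceId('Microsoft.Network/networkSecurityGroups', 'NSG1')]"]},
        {"type": "Microsoft.Network/virtualNetworks", "name": "VNET1"},
        {"type": "Microsoft.Network/publicIPAddresses", "name": "IP1"},
        {"type": "Microsoft.Network/networkSecurityGroups", "name": "NSG1"},
    ]
}

# Only the resourceId('<type>', '<name>') form is handled in this example.
_RESOURCE_ID = re.compile(r"resourceId\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)")


def _key(resource):
    return f"{resource['type']}/{resource['name']}"


def dependency_graph(template):
    """Map each resource to the set of resources named in its dependsOn."""
    declared = {_key(r) for r in template["resources"]}
    graph = {}
    for res in template["resources"]:
        deps = set()
        for expr in res.get("dependsOn", []):
            match = _RESOURCE_ID.search(expr)
            if not match:
                raise ValueError(f"unsupported dependsOn expression: {expr}")
            dep = f"{match.group(1)}/{match.group(2)}"
            if dep not in declared:
                raise ValueError(f"{_key(res)} depends on undeclared {dep}")
            deps.add(dep)
        graph[_key(res)] = deps
    return graph


def direct_dependencies(template, name):
    """Names of the resources that `name` lists in its own dependsOn."""
    for key, deps in dependency_graph(template).items():
        if key.rsplit("/", 1)[1] == name:
            return sorted(d.rsplit("/", 1)[1] for d in deps)
    raise KeyError(name)


def deployment_waves(template):
    """Group resources into waves; each wave needs only earlier waves."""
    sorter = TopologicalSorter(dependency_graph(template))
    sorter.prepare()  # raises graphlib.CycleError on circular dependsOn
    waves = []
    while sorter.is_active():
        ready = sorter.get_ready()
        waves.append(sorted(k.rsplit("/", 1)[1] for k in ready))
        sorter.done(*ready)
    return waves


if __name__ == "__main__":
    print("VM1 depends directly on:", direct_dependencies(TEMPLATE, "VM1"))
    for number, wave in enumerate(deployment_waves(TEMPLATE), start=1):
        print(f"wave {number}: {', '.join(wave)}")
```
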
Question #100 Topic 4
You create the following Azure Resource Manager (ARM) template named Template.json.
Which PowerShell cmdlet should you run from Azure Cloud Shell?
A. New-AzSubscriptionDeployment
B. New-AzManagementGroupDeployment
C. New-AzResourceGroupDeployment
D. New-AzTenantDeployment
Correct Answer: C
Selected Answer: A
Check question #102. That question uses the Subscription level deployment (as part of the question) to deploy RGs.
upvoted 1 times
Here's the PowerShell command to deploy an ARM template that creates a new resource group named "Marketing":
PowerShell
New-AzResourceGroupDeployment -Name <deployment-name> `
-ResourceGroupName Marketing `
-TemplateFile <path-to-template.json> `
-location <location>
upvoted 1 times
Reference:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-11.1.0
upvoted 2 times
Selected Answer: D
Selected Answer: A
New-AzSubscriptionDeployment is the correct answer, as the New-AzResourceDeployment is used to deploy in an existing resource group.
You can use New-AzSubscriptionDeployment (which is an alias for New-AzDeployment) to deploy resources at subscription level.
A is correct.
When you deploy a resource group, you deploy it to a subscription - that's why you need to use New-AzSubscriptionDeployment.
See https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell#deployment-scope
(The command was formerly called New-AzDeployment, see
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.4.1)
New-AzResourceGroupDeployment is used for ARM template resource deployments within a resource group.
(https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-10.4.1)
As you can't add a resource group to a resource group, C cannot be correct.
upvoted 1 times
Question #101 Topic 4
You have an Azure subscription that contains a resource group named RG1.
You need to modify File1 so that it can be used to automate the deployment of storage1 to RG1.
A. kind
B. scope
C. sku
D. location
Correct Answer: A
The answer is scope. We would use scope to target the resource group for storage account.
https://ochzhen.com/blog/create-resource-group-azure-bicep
upvoted 16 times
Selected Answer: B
Here's why:
scope property explicitly specifies the resource group where the storage account will be deployed. It's essential to align this with the
desired target resource group, RG1, in this case.
kind property already indicates the type of resource being deployed (a storage account), so it doesn't need alteration.
sku property defines the performance and pricing tier, but it's not directly related to deployment targeting.
location property specifies the Azure region for deployment, but it can be set as a variable or input parameter, not necessarily within the
scope property itself.
To ensure successful deployment of storage1 to RG1, modify the scope property in File1 to reference RG1
upvoted 2 times
To automate the deployment of a storage account using a Bicep file, you typically need to specify the necessary properties such as the
resource's name, location, SKU (performance and replication), and other relevant configurations.
In this scenario, if you need to modify File1 to be used for deploying storage1 to RG1, you should modify the "location" property. The
"location" property defines the Azure region where the resource will be created.
D. location
Note: you can't fully trust ChatGPT but at least it's an answer.
upvoted 1 times
Selected Answer: B
The answer is scope. We would use scope to target the resource group for storage account.
https://ochzhen.com/blog/create-resource-group-azure-bicep
upvoted 1 times
To automate the deployment of a storage account using a Bicep file, you typically need to specify properties such as sku, kind, and
location. However, the specific property related to the resource group and its deployment is the location property.
In this scenario, you should modify the location property in File1 to specify the Azure region where the storage account (storage1) should
be deployed. Therefore, the correct answer is D.
upvoted 1 times
So we are left with only 2: Location and Scope. Since only Location is a required property, it fits the answer
upvoted 2 times
Selected Answer: B
https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-bicep#storageaccounts
kind: Specify the type of script. Currently, Azure PowerShell and Azure CLI scripts are supported. The values are AzurePowerShell and
AzureCLI
https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep#sample-bicep-files
upvoted 4 times
Scope is RG1
upvoted 1 times
01111010 3 months, 1 week ago
Selected Answer: D
D (location) is the only logical answer. Here’s the rationale. Kind, sku and location are three required properties. Scope (function) is not.
Since we already 'have a Bicep file named File1' and need 'to automate the deployment of storage1 to RG1', the only variable requiring
an update is the location, as we can leave the other two (kind & sku) as-is. Location is a required property which must be modified.
upvoted 4 times
Bicep function scope: - When used to set the scope property, it returns a scope object. Scope is not a required parameter.
A is correct.
The scope keyword is targetScope - and its default is resourceGroup, so it's not necessary to be specified.
See the link that Ahkhan has shared: https://ochzhen.com/blog/create-resource-group-azure-bicep
upvoted 2 times
Question #102 Topic 4
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
YNY
The deployment creates 3 RGs called RG0, RG1, RG2 as the index is 0-based.
You can deploy to RG1 as the lock is delete.
You can't deploy to RG2 as the lock is read-only, hence it can't be modified.
upvoted 12 times
YNY is correct
upvoted 3 times
Pay attention to the different resource locks for RG1 (delete) and RG2 (read-only).
Also, as Ahkhan has stated, three resource groups are created by the template, RG0, RG1 and RG2. RG3 can be created manually
afterwards.
upvoted 2 times
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources
upvoted 3 times
You have an Azure subscription that contains the resources shown in the following table.
A. Proximity2 only
C. Proximity1 only
Correct Answer: C
Answer is correct, Proximity 1 only because they have the same location in West US.
upvoted 10 times
Selected Answer: C
To get VMs as close as possible, achieving the lowest possible latency, you should deploy them within a proximity placement group.
A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close to each
other. Proximity placement groups are useful for workloads where low latency is a requirement.
upvoted 3 times
as MS -> A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close
to each other.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/proximity-placement-groups-portal
upvoted 1 times
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
The subscription contains the Azure App Service web apps shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
YNN
Point 1: Yes: Using virtual network integration enables your app to access:
Resources in the virtual network you're integrated with.
Resources in virtual networks peered to the virtual network your app is integrated with including global peering connections.
Point 2: NO: Virtual network integration is used only to make outbound calls from your app into your virtual network
Point 3: NO: There are some limitations with using virtual network integration: The feature isn't available for Isolated plan apps in an App
Service Environment
Reference: https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 10 times
So I think it is NNN
upvoted 1 times
Explanation: webapp1 is integrated with vnet1 and vnet1 is peered with vnet2, which vm2 is connected to. So, webapp1 can communicate
with vm2.
Explanation: nsg1 is associated with subnet1, not directly with webapp1. It controls the inbound traffic to the subnet1, not to the
webapp1.
Explanation: webapp2 is deployed to subnet2 and subnet2 is in vnet2. vnet2 is peered with vnet1, which vm1 is connected to. So, webapp2
can communicate with vm1.
upvoted 2 times
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
You plan to use Vault1 for the backup of as many virtual machines as possible.
A. VM1 only
Correct Answer: D
You have an Azure subscription that contains an Azure container registry named ContReg1.
A. root
B. admin
C. administrator
D. ContReg1
Correct Answer: B
Selected Answer: D
tested in LAB
when you go to this Option in the Portal - next to the "Mark" is an Explanation Field and when you hover over it, it says -> the admin user is
identical to the Name of the Container Registry.
Selected Answer: D
Selected Answer: B
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account
upvoted 4 times
Topic 5 - Question Set 5
Question #1 Topic 5
HOTSPOT -
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.
✑ Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
✑ Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common
exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
Correct Answer:
Provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly
targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most
common attacks. A WAF solution can react to a security threat faster by centrally patching a known vulnerability, instead of securing each
individual web application. WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network
(CDN) service from Microsoft. WAF on Azure CDN is currently under public preview. WAF has features that are customized for each specific
service. For more information about WAF features for each service, see the overview for each service.
upvoted 5 times
Lazylinux 1 year, 7 months ago
Protects against malicious attacks such as:
*SQL Injection
*Cross-site scripting
*Broken Authentication
*Sensitive data exposure
*XML External entities
*Broken Access control
*Security misconfiguration
*Insecure deserialization
*Vulnerable components
*Insufficient logging
More info here:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
upvoted 4 times
Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 83 times
They're all wrong because the question says there are 2 Azure regions, and the below documentation says each region only has a single
hub... Should be 2 hubs and one WAN.
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
"Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or
even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. There can only be
one hub per Azure region."
upvoted 51 times
Reference - https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 16 times
Selected Answer: B
Explanation:
Virtual hubs in Azure Virtual WAN provide a central point of connectivity and management for your network resources. By deploying three
virtual hubs, one for each office, you establish a direct connection from each datacenter to the Azure Virtual WAN.
Azure Virtual WAN is designed to optimize connectivity across regions, helping to minimize network latency between the datacenters and
the Azure subscription.
By using a single virtual WAN, you can centrally manage and configure the network connections for all three datacenters, streamlining
administration and ensuring consistent network policies across the infrastructure.
Therefore, option B is the most appropriate choice for minimizing network latency while connecting the datacenters to the Azure
subscription.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 2 times
I am not sure I understand the debate. According to ms docs "Virtual WANs are isolated from each other and can't contain a common hub.
Virtual hubs in different virtual WANs don't communicate with each other". That would infer that multiple VWANs is not going to work to
connect all of these together.
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 3 times
Selected Answer: B
B: 1 WAN, 3 hubs
Virtual WAN: The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It
contains links to all your virtual hubs that you would like to have within the virtual WAN. Virtual WANs are isolated from each other and
can't contain a common hub. Virtual hubs in different virtual WANs don't communicate with each other.
Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or
even connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual
hubs can be created in the same region.
Reference: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 3 times
Selected Answer: B
Selected Answer: C
which genius thought you have multiple WANs in a single hub?
upvoted 1 times
Selected Answer: B
As of 20/08/2023:
The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region.
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#resources
Also, creating 3 Virtual WANs doesn't make any sense when the WAN is supposed to be this central management mechanism, where multiple
hubs connect to.
So 1 WAN with 3 hubs.
upvoted 3 times
Explanation:
A virtual WAN is a networking service in Azure that provides optimized and automated branch-to-branch connectivity. It allows you to
connect multiple on-premises sites and Azure virtual networks through a hub and spoke topology, providing centralized management and
routing.
In this scenario, you have three offices located in different cities: Miami, Los Angeles, and New York. Each office has a datacenter. To
minimize network latency, you can create a virtual WAN for each office (three virtual WANs in total) and then connect them all using a
single virtual hub.
By creating three virtual WANs and connecting them through a virtual hub, you can establish a hub and spoke network topology that
enables efficient and low-latency communication between the datacenters. This setup ensures that data traffic flows through the optimal
path, reducing latency and providing centralized management and routing.
Therefore, the correct answer is C. Three virtual WANs and one virtual hub.
upvoted 2 times
"The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region."
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#resources
upvoted 3 times
Selected Answer: B
Don't listen to the C's, because "There can be multiple hubs per Azure region."
Reference: https://learn.microsoft.com/en-us/azure/architecture/networking/hub-spoke-vwan-architecture
upvoted 3 times
Selected Answer: B
OpenAI
"The best solution to connect the three datacenters to the Azure subscription while minimizing network latency is to use a virtual WAN
with three virtual hubs, one for each datacenter. This would allow for centralized management of the network and optimized routing
between the virtual networks in the East and West Azure regions. Option B, "three virtual hubs and one virtual WAN," is the correct choice
for this scenario."
upvoted 2 times
The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links to all
your virtual hubs that you would like to have within the virtual WAN. Virtual WAN resources are isolated from each other and cannot
contain a common hub. Virtual hubs across Virtual WAN do not communicate with each other.
There are two regions in this question, so two virtual hubs and one virtual WAN.
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 1 times
Question #3 Topic 5
HOTSPOT -
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct Answer:
Box 1: 5 -
Box 2: 1 -
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same
network security group can be associated to as many subnets and network interfaces as you choose.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
Box 1: 5
A public and a private IP address can be assigned to a single network interface.
By default a NIC is associated to one IP address. Anyway, nothing prevents a NIC from having MORE THAN ONE IP address. So to the VM's NIC,
you can associate the public and the private IP at the same time. You are not forced to have one NIC for the public IP and one NIC for the
private IP.
Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
upvoted 104 times
https://youtu.be/ldpefLkTy44
upvoted 2 times
You have an Azure subscription that contains the resources shown in the following table.
You plan to create new inbound NAT rules that meet the following requirements:
✑ Provide Remote Desktop access to VM1 from the internet by using port 3389.
✑ Provide Remote Desktop access to VM2 from the internet by using port 3389.
What should you create on LB1 before you can create the new inbound NAT rules?
A. a frontend IP address
C. a health probe
D. a backend pool
Correct Answer: A
I think the answer is correct. Key is port 3389 from the internet for both VMs. If we want to connect to two different machines on the same
port we need to have two different frontend IPs for the port forwarding.
upvoted 66 times
possible
IP1:3389 -> vm1:3389
IP2:3389 -> vm2:3389
or
IP1:3389 -> vm1:3389
IP1:3388 -> vm2:3389
upvoted 7 times
Selected Answer: A
A is the correct answer. Before we can create an inbound NAT rule in the LB, we need to create a new IP address, after that we can create 2
single VM inbound NAT rules
upvoted 1 times
Selected Answer: A
Again... don't understand the debate. The question reads... "What should you create on LB1 BEFORE you can create the new inbound NAT
rules?" So I am not sure how people think the answer is B. Do they think that before they can create the rule they have to create the rule?
It can have multiple front end IPs.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
upvoted 2 times
Selected Answer: A
https://learn.microsoft.com/en-us/azure/load-balancer/manage-inbound-nat-rules?tabs=inbound-nat-rule-portal#add-a-single-vm-inbound-nat-rule
Given the need to establish a point of contact for inbound network connectivity, the correct answer is A. a frontend IP address. This is
essential as it serves as the entry point for traffic, which is then directed to the appropriate resources using NAT rules.
upvoted 1 times
Selected Answer: B
You can use the same IP address with different frontend ports
IP1:3800 -> vm1:3389
IP1:3801 -> vm2:3389
The frontend port doesn't have to be Port 3389. The Frontend and Backend Ports don't have to be the same.
upvoted 1 times
Selected Answer: A
Selected Answer: A
The whole point of NAT rules is that you can access a specific port on the VM using any random port number you define in NAT rules. You can
RDP to port 3389 using something like 132.25.32.125:9999 because NAT will translate the incoming port 9999 to 3389.
What you really need is a public IP Address, without which it is not possible to RDP in the VM from Internet.
upvoted 2 times
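The port mappings debated in this thread, checked in code. This is an added example, not part of any comment or of Azure's tooling; the NatRule type, the rule names and the 203.0.113.x addresses are constructed for illustration. It reports which rule sets collide on a frontend listener and which rules publish RDP to the internet regardless of the frontend port chosen.

```python
from collections import defaultdict
from dataclasses import dataclass

# Backend ports treated as management access in this example.
MGMT_PORTS = {3389: "RDP", 22: "SSH"}


@dataclass(frozen=True)
class NatRule:
    """Hypothetical model of one inbound NAT rule (not an Azure SDK type)."""
    name: str
    frontend_ip: str
    frontend_port: int
    backend_vm: str
    backend_port: int
    protocol: str = "Tcp"


# Constructed rule sets matching the three layouts discussed in the comments.
SAME_LISTENER = [  # IP1:3389 -> vm1 and IP1:3389 -> vm2
    NatRule("rdp-vm1", "203.0.113.10", 3389, "VM1", 3389),
    NatRule("rdp-vm2", "203.0.113.10", 3389, "VM2", 3389),
]
TWO_FRONTENDS = [  # IP1:3389 -> vm1, IP2:3389 -> vm2
    NatRule("rdp-vm1", "203.0.113.10", 3389, "VM1", 3389),
    NatRule("rdp-vm2", "203.0.113.11", 3389, "VM2", 3389),
]
ONE_FRONTEND_TWO_PORTS = [  # IP1:3389 -> vm1, IP1:3388 -> vm2
    NatRule("rdp-vm1", "203.0.113.10", 3389, "VM1", 3389),
    NatRule("rdp-vm2", "203.0.113.10", 3388, "VM2", 3389),
]


def frontend_conflicts(rules):
    """Return listeners (ip, protocol, port) claimed by more than one rule."""
    claimed = defaultdict(list)
    for rule in rules:
        listener = (rule.frontend_ip, rule.protocol.lower(), rule.frontend_port)
        claimed[listener].append(rule.name)
    return {k: names for k, names in claimed.items() if len(names) > 1}


def exposed_management(rules):
    """List rules whose backend port is a management port.

    A non-default frontend port changes where the service is reached,
    not whether it is reachable, so every such rule is reported.
    """
    return [
        (rule.name, f"{rule.frontend_ip}:{rule.frontend_port}",
         rule.backend_vm, MGMT_PORTS[rule.backend_port])
        for rule in rules
        if rule.backend_port in MGMT_PORTS
    ]


def frontend_ips_used(rules):
    """Distinct frontend IP addresses a rule set relies on."""
    return sorted({rule.frontend_ip for rule in rules})


if __name__ == "__main__":
    layouts = {
        "same listener": SAME_LISTENER,
        "two frontends": TWO_FRONTENDS,
        "one frontend, two ports": ONE_FRONTEND_TWO_PORTS,
    }
    for label, rules in layouts.items():
        print(label)
        print("  conflicts:", frontend_conflicts(rules) or "none")
        print("  frontend IPs:", frontend_ips_used(rules))
        for finding in exposed_management(rules):
            print("  exposed:", finding)
```
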
OpenAI
"Before creating the new inbound NAT rules, you need to create a frontend IP address on LB1. The frontend IP address will be used to
map the incoming traffic to the backend pool and backend VMs. Once you have created the frontend IP address, you can then create the
new inbound NAT rules for port 3389 to provide Remote Desktop access to VM1 and VM2 from the internet.
HOTSPOT -
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.
Which A records will be added to the adatum.com zone for each virtual machine? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
Correct Answer:
The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is linked under adatum.com domain (Private DNS Zone->Setting->virtual network
links).
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
upvoted 110 times
Correct,
OS DNS suffix has no effect on this.
Both prv ips will be listed on internal dns zone.
upvoted 1 times
See below:
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios#scenario-split-horizon-functionality
upvoted 2 times
For VM2, no A record will be added to the adatum.com zone, since the DNS suffix configured in Windows Server is Contoso.com and auto-
registration is not enabled in VNET1 for the Contoso.com DNS zone.
upvoted 2 times
Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is linked under adatum.com domain (Private DNS Zone->Setting->virtual network
links).
upvoted 2 times
You can link VNETs only to private DNS zones, and accordingly auto-register a VNET only to a private DNS zone. Private DNS zones
can be linked with VNETs (not public ones). And a VM can auto-register to any private DNS zone linked with the Vnet and with the
auto-registration option set.
upvoted 4 times
VM1 and VM2 belong to the same VNET. So upon VM1 and VM2 creation they will be auto registered on adatum Private DNS Zone having
A Record as their Private IPs. Cheers yo!
upvoted 8 times
HOTSPOT -
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one
subnet named Subnet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has
You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data
Box 2: ILB1 -
Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
Correct Answer:
Box 2: NSG1
NSG flow logs allow viewing information about ingress and egress IP traffic through a Network security group. Through this, the IP
addresses that connect to the ILB can be monitored when the diagnostics are enabled on a Network Security Group.
We cannot enable diagnostics on an internal load balancer to check for the IP addresses.
As for Internal LB, it is basic one. Basic can only connect to storage account. Also, Basic LB has only activity logs, which doesn't include the
connectivity workflow. So, we need to use NSG to meet the mentioned requirements.
upvoted 218 times
B&B is correct!
upvoted 1 times
Box 2: NSG1
NSG flow logs, which provide you information about ingress and egress IP traffic through a Network Security Group associated to
individual network interfaces, VMs, or subnets. By analyzing raw NSG flow logs, and inserting intelligence of security, topology, and
geography, traffic analytics can provide you with insights into traffic flow in your environment. Traffic Analytics provides information such
as most communicating hosts, most communicating application protocols, most conversing host pairs, allowed/blocked traffic,
inbound/outbound traffic, open internet ports, most blocking rules, traffic distribution per Azure datacenter, virtual network, subnets, or,
rogue networks.
upvoted 3 times
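What analysing raw NSG flow logs for ILB1's clients looks like, as an added example that is not part of the original answers: it parses version 2 flow tuples and counts distinct inbound flows per source IP. The log record, the backend addresses 10.0.1.4 and 10.0.1.5, port 80 and the rule names are constructed. Backend addresses are matched rather than the frontend address because, without Floating IP, the load balancer rewrites the destination to the backend VM; the health probe source 168.63.129.16 is excluded.

```python
import json
from collections import Counter

# Constructed sample in the NSG flow log version 2 layout (not real traffic).
# Assumed for this example: ILB1's backend VMs are 10.0.1.4 and 10.0.1.5, port 80.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_AllowOnPremHttp", "flows": [
            {"mac": "000D3A000001", "flowTuples": [
                "1704067200,192.168.10.21,10.0.1.4,50111,80,T,I,A,B,,,,",
                "1704067260,192.168.10.21,10.0.1.4,50111,80,T,I,A,E,12,3400,10,9100",
            ]},
            {"mac": "000D3A000002", "flowTuples": [
                "1704067205,192.168.10.22,10.0.1.5,50222,80,T,I,A,B,,,,",
                "1704067210,192.168.10.21,10.0.1.5,50333,80,T,I,A,B,,,,",
            ]},
        ]},
        {"rule": "DefaultRule_AllowAzureLoadBalancerInBound", "flows": [
            {"mac": "000D3A000001", "flowTuples": [
                "1704067212,168.63.129.16,10.0.1.4,61000,80,T,I,A,B,,,,",
            ]},
        ]},
        {"rule": "DefaultRule_AllowVnetOutBound", "flows": [
            {"mac": "000D3A000001", "flowTuples": [
                "1704067215,10.0.1.4,10.0.2.9,51000,1433,T,O,A,B,,,,",
            ]},
        ]},
        {"rule": "UserRule_DenyLabNetwork", "flows": [
            {"mac": "000D3A000001", "flowTuples": [
                "1704067220,192.168.50.7,10.0.1.4,50444,80,T,I,D,B,,,,",
            ]},
        ]},
    ]},
}]})

AZURE_PROBE_IP = "168.63.129.16"  # source address of Azure health probes

# Field order of a version 2 flow tuple; version 1 stops after "decision".
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state", "pkts_src_to_dst",
          "bytes_src_to_dst", "pkts_dst_to_src", "bytes_dst_to_src")


def parse_tuple(raw):
    """Split one comma-separated flow tuple into a dict keyed by FIELDS."""
    parts = raw.split(",")
    if len(parts) < 8:
        raise ValueError(f"not a flow tuple: {raw!r}")
    parts += [""] * (len(FIELDS) - len(parts))  # pad version 1 tuples
    return dict(zip(FIELDS, parts))


def iter_flows(log_text):
    """Yield every flow tuple in a flow log document, tagged with its rule."""
    for record in json.loads(log_text).get("records", []):
        for rule_group in record["properties"]["flows"]:
            for mac_group in rule_group["flows"]:
                for raw in mac_group["flowTuples"]:
                    flow = parse_tuple(raw)
                    flow["rule"] = rule_group["rule"]
                    yield flow


def clients_of_backend(log_text, backend_ips, backend_port):
    """Count inbound flows per source IP, split into allowed and denied."""
    allowed, denied = Counter(), Counter()
    for flow in iter_flows(log_text):
        if flow["direction"] != "I" or flow["dst_ip"] not in backend_ips:
            continue
        if int(flow["dst_port"]) != backend_port:
            continue
        if flow["src_ip"] == AZURE_PROBE_IP:
            continue  # health probe, not a client
        # Version 2 logs B(egin), C(ontinuing) and E(nd) tuples for one flow;
        # count the flow once, on B (or on a version 1 tuple with no state).
        if flow["state"] not in ("B", ""):
            continue
        target = allowed if flow["decision"] == "A" else denied
        target[flow["src_ip"]] += 1
    return allowed, denied


if __name__ == "__main__":
    ok, blocked = clients_of_backend(SAMPLE_LOG, {"10.0.1.4", "10.0.1.5"}, 80)
    print("allowed:", dict(ok))
    print("denied:", dict(blocked))
```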
You have the Azure virtual networks shown in the following table.
To which virtual networks can you establish a peering connection from VNet1?
B. VNet2 only
Correct Answer: C
Incorrect Answers:
A, B, D: The address space for VNet2 overlaps with VNet1. We therefore cannot establish a peering between VNet2 and VNet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#vnet-peering
Correct Answer: C
If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected.
upvoted 105 times
Tested, in this context answer is correct. Vnet 2 and Vnet 1 can not be peered and also Vnet 2 and vnet3 or vnet 4 can not be peered.
But tested more and discovered that Vnet1 can make a peering with Vnet 3 and Vnet4. Pay attention if there will be a modification in the
answer. The strange way of Microshit questions.
upvoted 33 times
Correct Answer:C
upvoted 1 times
Correct Answer:C
upvoted 1 times
Correct Answer: C
upvoted 1 times
Selected Answer: C
Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview)
upvoted 4 times
Given answer is correct... Peering should NOT have overlapping Address Space/subnets
upvoted 3 times
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and
Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the
Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
✑ The NVAs must run in an active-active configuration that uses automatic failover.
✑ The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
Two backend pools are needed as there are two services with different IP addresses.
Incorrect Answers:
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip#floating-ip
HA ports are recommended for NVAs.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview#why-use-ha-ports
For Floating IP…This configuration does not allow any other load-balancing rule configuration on the current load balancer resource. It
also allows no other internal load balancer resource configuration for the given set of back-end instances.
upvoted 3 times
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview#rule-type-2-backend-port-reuse-by-using-floating-ip
upvoted 1 times
Answer is correct
upvoted 1 times
Common examples of port reuse include clustering for high availability, network virtual appliances, and exposing multiple TLS endpoints
without re-encryption.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip
upvoted 1 times
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview
Multiple HA-ports configurations on an internal standard load balancer
To configure more than one HA port frontend for the same backend pool, use the following steps:
1- Configure more than one front-end private IP address for a single internal standard load balancer resource.
2- Configure multiple load-balancing rules, where each rule has a single unique front-end IP address selected.
3- Select the HA ports option, and then set Floating IP to Enabled for all the load-balancing rules.
upvoted 1 times
Ram9198 2 months, 2 weeks ago
Common examples of port reuse include clustering for high availability, network virtual appliances, and exposing multiple TLS endpoints
without re-encryption.
upvoted 2 times
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled: High Availability (HA) Ports are used to enable an
active-active configuration with automatic failover. Floating IP should be disabled for this scenario.
F. Add a frontend IP configuration, two backend pools, and a health probe: For the active-active configuration, you need to configure two
backend pools (one for each NVA), a frontend IP configuration, and a health probe to ensure proper load balancing and failover.
C: Add two load balancing rules that have HA Ports and Floating IP enabled
You need a floating ip for the active-active configuration to switch over quickly
Incorrect Answers:
E: HA Ports are not available for the basic load balancer.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
upvoted 1 times
ChatGPT: BDE
To implement an Azure load balancer for the NVAs that meet the requirements specified, you should perform the following three actions:
Add two load balancing rules that have HA Ports enabled and Floating IP disabled:
You need to add two load balancing rules that map the frontend IP address to the backend pool and health probe. Each rule should have
HA Ports enabled and Floating IP disabled to load balance traffic to the two services on the Production subnet that have different IP
addresses.
upvoted 2 times
"To implement an Azure load balancer for the NVAs that meet the requirements, you should perform the following three actions:
A. Deploy a basic load balancer. Basic load balancer is sufficient for this scenario, as it supports automatic failover for active-active
scenarios.
C. Add two load balancing rules that have HA Ports and Floating IP enabled. HA ports are required for active-active failover, and Floating IP
is required to maintain the same IP address during failover.
E. Add a frontend IP configuration, a backend pool, and a health probe. The frontend IP configuration is used to receive incoming traffic,
the backend pool is used to route traffic to the services in the Production subnet, and the health probe is used to monitor the health of the
NVAs and remove them from the load balancer if they are not responding.
Therefore, the correct options are A, C, and E. Option B is not necessary as a basic load balancer meets the requirements. Option D is
incorrect as Floating IP is required for maintaining the same IP address during failover. Option F is incorrect as only one backend pool is
required to route traffic to the services in the Production subnet."
upvoted 1 times
B. Deploy a standard load balancer: As per the requirements mentioned in the question, we need to implement an Azure load balancer for
the NVAs. A standard load balancer provides the option to use HA Ports and Floating IP, which is required to meet the active-active
configuration and automatic failover requirements.
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled: Since the two services on the Production subnet
have different IP addresses, we do not need to balance traffic to them. We only need to load balance traffic to the NVAs. Therefore, we
only need to create a load balancing rule for the NVAs, with HA Ports enabled for active-active configuration and Floating IP disabled.
E. Add a frontend IP configuration, a backend pool, and a health probe: This is required to set up the Azure load balancer. The frontend IP
configuration specifies the IP address that clients will use to access the load balancer. The backend pool contains the network interfaces of
the two NVAs. The health probe monitors the health of the NVAs and ensures that traffic is only sent to healthy NVAs.
upvoted 2 times
A. Deploy a basic load balancer: Basic load balancers support active-active configurations, which are required in this scenario.
E. Add a frontend IP configuration, a backend pool, and a health probe: This step is required to configure the load balancer with the IP
address for the frontend, the backend pool with the IP addresses of the services to load balance, and the health probe to monitor the
availability of the services.
C. Add two load balancing rules that have HA Ports and Floating IP enabled: The load balancing rules are required to specify how the
traffic is distributed among the services in the backend pool. In this scenario, the rules should have HA Ports enabled for high availability
and Floating IP enabled for faster failover.
Therefore, the correct actions are A, E, and C. Options B, D, and F are not required or do not meet the requirements of the scenario. "
upvoted 1 times
Standard Load Balancer is required for features like HA Ports and Floating IP.
Add a frontend IP configuration, a backend pool, and a health probe (E):
You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN
gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
"If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must
be downloaded and installed again"
I would go with `A` is the correct option as the S2S config has been changed AFTER the P2S client installation was performed. Installation
of the client software package needs installing again post S2S config changes.
upvoted 97 times
Correct Answer: A
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
upvoted 52 times
Explanation:
The issue here is that Client1 is not able to connect to VNet2. This is because VNet2 is not connected to the VPN gateway and doesn't
have a gateway of its own. To enable traffic from Client1 to VNet2, we need to enable gateway transit on VNet1.
Gateway transit allows a virtual network to use the VPN gateway in another virtual network to access resources in that network. In this
case, enabling gateway transit on VNet1 will allow Client1 to access resources in VNet2 using the VPN gateway in VNet1.
Enabling gateway transit on VNet2 (option C) is not needed in this scenario because VNet2 doesn't have a VPN gateway. Enabling BGP
on VPNGW1 (option D) is not required because the scenario mentions that static routing is being used.
Downloading and re-installing the VPN client configuration package (option A) is not required as the point-to-site VPN connection from
Client1 to VNet1 is already established and working. The issue is with accessing resources in VNet2, which can be resolved by enabling
gateway transit on VNet1.
upvoted 1 times
Selected Answer: C
The issue is that the point-to-site VPN connection from Client1 is not able to connect to VNet2. This is because virtual network peering in
Azure does not propagate gateway transit. Therefore, the VPN gateway (VPNGW1) in VNet1 cannot be used to reach VNet2. To allow
Client1 to connect to VNet2, we need to enable gateway transit on VNet2 so that the traffic from VNet1 can flow through VNet2 to reach
Client1.
Selected Answer: A
Correct Answer: A
upvoted 2 times
Selected Answer: A
A is correct
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again and also ensure you use the same certificate and if other scenario i.e. new workstation Pt - Site vpn then
download and install client and export certificate from other workstation that is already got working connection and import into new
workstation
upvoted 4 times
Correct
upvoted 2 times
HOTSPOT -
You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the
following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
You create a virtual network link for contoso.com as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
Correct Answer:
All three VMs are in VNET2. Auto registration is enabled for private Azure DNS zone named contoso.com, which is linked to VNET2. So,
VM1, VM2 and VM3 will auto-register their host records to contoso.com.
None of the VM will auto-register to the public Azure DNS zone named adatum.com. You cannot register private IPs on the internet
(adatum.com)
Box 1: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.
Box 2: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.
Box 3: No
None of the VM will auto-register to the public Azure DNS zone named adatum.com
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 135 times
ref: https://docs.microsoft.com/en-us/azure/dns/dns-faq-private#i-have-configured-a-preferred-dns-suffix-in-my-windows-virtual-machine--why-are-my-records-still-registered-in-the-zone-linked-to-the-virtual-network-
upvoted 1 times
Question #11 Topic 5
You have an Azure subscription that contains the resources in the following table.
Correct Answer: D
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
Correct Answer: D
You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 74 times
Selected Answer: D
its ok
upvoted 1 times
same region
upvoted 3 times
Selected Answer: D
Correct Answer: D
upvoted 1 times
Lazylinux 1 year, 8 months ago
Selected Answer: D
Selected Answer: D
Correct Answer: D
You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 2 times
Azure network security groups can't be moved between regions. You'll have to associate the new NSG to resources in the target region.
https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-nsg-portal
upvoted 3 times
DRAG DROP -
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table.
You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Correct Answer:
You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
upvoted 139 times
Once you peer a virtual network with another virtual network, you cannot add or delete address ranges in the address space.
Tip
Since September 2022 you can update the address space for peered virtual networks without removing the peering.
"Updating the address space for peered virtual networks now is now generally available. This feature allows you to update the address
space or resize for a peered virtual network without removing the peering."
Source:
https://azure.microsoft.com/en-us/updates/resizing-of-peered-virtual-networks-is-now-generally-available/
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#resize-the-address-space-of-azure-virtual-networks-that-are-peered
upvoted 25 times
This question is outdated. You can now add or remove address spaces without having to remove the peering first and re-establishing the
peering. You can simply add the address space in VNET1 and perform a resync using Powershell with Sync-AzVirtualNetworkPeering
https://learn.microsoft.com/en-us/powershell/module/az.network/sync-azvirtualnetworkpeering?view=azps-10.2.0
FROM: https://learn.microsoft.com/en-us/azure/architecture/networking/prefixes/add-ip-space-peered-vnet
** Note: This article has not yet been updated to reflect Azure networking's support for peering resync. Azure virtual networks support
adding and removing address space without the need to remove and restablish peerings; instead each remote peering needs a sync
operation performed after the network space has changed. The sync can be performed using the Sync-AzVirtualNetworkPeering
PowerShell command or from the Azure Portal.**
upvoted 3 times
"Updating the address space of a virtual network that has peers will cause the peered virtual networks to not be able to connect to this
new address space until you perform a sync operation on the peerings. You can sync the peered virtual networks in the peerings tab, but
requires you have contributor permissions on the peered virtual networks."
https://azure.microsoft.com/en-us/blog/how-to-resize-azure-virtual-networks-that-are-peered-now-in-preview/
HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.
VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.
RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: Yes -
Box 2: No -
You can't move to a new resource group a NIC that is attached to a virtual machine.
Box 3: No -
Azure Public IPs are region specific and can't be moved from one region to another.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-publicip-powershell
NickyDee Highly Voted 3 years, 1 month ago
1. YES. I was able to move the storage from RG1 to RG2, however it stayed in the West US region.
2. YES. I was able to move NIC1 from RG1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US
region.
3. NO. The location of IP2 did not change. However I was able to move IP2 from RG2 to RG1 as it isn't associated with any other resource,
however it stayed in the East US region.
All resources moved to the new resource groups, but the region did not change
upvoted 216 times
Box 1: Yes
You can move the Storage Account to RG2, however it stayed in the West US region. You cannot change the Region, you need to recreate
the Storage Account.
Box 2: Yes
You can move NIC1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region. You can
move a NIC to a different RG or Subscription by selecting (change) next to the RG or Subscription name. If you move the NIC to a new
Subscription, you must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example,
you must also move the virtual machine, and other virtual machine-related resources.
Box 3: No
You can move IP2 to RG1, as it isn't associated with any other resource, however it stayed in the East US region. The location will not
change.
upvoted 134 times
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 37 times
Yes
Yes
No
upvoted 1 times
When moving NIC to different RG, you only move NIC's meta-data location, not NIC itself. NIC remains in same location where VM is
located.
upvoted 1 times
My VM is up and running with the auto-created NIC attached, all in RG1. Validating....Taking awhile. This really does take awhile.
It moved to the US West located RG2 without turning off or decommissioning the VM. The location of the NIC is in US East still. The correct
answer is YYN.
upvoted 1 times
You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
Correct Answer: D
VM connecting to VNET and VM being inside a VNET is one and the same. Don't overthink, it induces wrong answers
upvoted 8 times
Answer D
You need to access the MySQL database, not to integrate webapp1 in VNET1.
upvoted 2 times
Selected Answer: C
You can simply create a new subnet within the same vNET and connect the webapp to it. There's no need to make the solution complex by
involving Application Gateway here.
upvoted 1 times
Note: If the VNet is in the same region, either create a new subnet or select an empty preexisting subnet.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
upvoted 1 times
Option A, deploying an internal load balancer, is not necessary in this scenario, as load balancing is not required.
Option B, peering VNET1 to another virtual network, is also not necessary for this scenario, as it does not address the requirement to
enable communication between the web app and the MySQL database hosted on VM1.
Option D, deploying an Azure Application Gateway, is not necessary for this scenario, as it is primarily used for load balancing and routing
of HTTP/HTTPS traffic. It does not address the requirement to enable communication between the web app and the MySQL database
hosted on VM1.
upvoted 7 times
Selected Answer: C
C
"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications."
upvoted 1 times
Selected Answer: C
By connecting webapp1 to VNET1 (answer C), the web app will be able to access the data hosted on VM1 through the virtual network. The
other options do not directly address the requirement to allow webapp1 access to the data hosted on VM1. An internal load balancer and
a peered virtual network may provide other benefits, but they would not by themselves ensure that webapp1 can access the data hosted
on VM1. An Azure Application Gateway is a reverse proxy that is often used for load balancing, SSL termination, and URL-based routing,
but it would not directly allow webapp1 to access the data hosted on VM1.
upvoted 2 times
Correct Answer: C
upvoted 2 times
Selected Answer: C
Selected Answer: C
You create an Azure VM named VM1 that runs Windows Server 2019.
A. Connect to VM1.
B. Start VM1.
Correct Answer: B
The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
Correct Answer: B
Status is Stopped (Deallocated). The DSC extension for Windows requires that the target Virtual Machine is able to communicate with
Azure. First you start the VM, because you need VM online to deploy DSC Extension.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
upvoted 79 times
Came in 01/09/21 exam. Passed exam with 906 marks. 98% of the questions are from this dump.
upvoted 66 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
Correct Answer: D
With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure
Load-Balancer For
Note:
✑ Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the
same virtual machine.
✑ Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/
from now on, you will see this question appears 10 times, good luck:)
upvoted 29 times
This is correct
upvoted 9 times
Selected Answer: D
Hey ET admins; Here's public service announcement - please cleanup 10 instances of this question. I think my dog knows how to configure
LB with persistent sessions by now.
upvoted 3 times
To ensure that visitors are serviced by the same web server for each request, you need to enable session persistence, which maps a
client's session to a specific server. In this case, you would want to use Client IP session persistence so that subsequent requests from the
same client are sent to the same web server.
Floating IP (direct server return) is an option that enables traffic to bypass the load balancer and go directly to the backend servers. This is
typically used for scenarios where the backend servers need to return traffic directly to the client, such as for media streaming or UDP-
based protocols. However, it is not relevant for ensuring session persistence.
upvoted 4 times
Selected Answer: D
Selected Answer: D
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to
Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389
and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
A. Yes
B. No
Correct Answer: B
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
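How two NSGs on one path are evaluated, as an added example that is not part of the original question or answers: inbound traffic must be allowed by the subnet NSG and then by the NIC NSG, and within each NSG the matching rule with the lowest priority number decides. It assumes NSG-Subnet1 starts with only the default rules; the rule names `Custom100` and `AllowRdpTcp`, the priority 200 and the reduction of a source to a single tag string are hypothetical simplifications.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    priority: int
    source: str      # "*" or a service tag such as "VirtualNetwork"
    dest_port: str   # "*" or a single port number
    protocol: str    # "*", "TCP" or "UDP"
    allow: bool


# Default inbound rules that every NSG carries.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", True),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", True),
    Rule("DenyAllInBound", 65500, "*", "*", "*", False),
]

# The custom rule on NSG-VM1 as given in the question (the name is hypothetical).
NSG_VM1 = [Rule("Custom100", 100, "*", "3389", "UDP", True)]

# Hypothetical rule that permits RDP over its actual transport, TCP.
ALLOW_RDP_TCP = Rule("AllowRdpTcp", 200, "*", "3389", "TCP", True)


def evaluate(custom_rules, source_tag, port, protocol):
    """Return (allowed, rule_name) for one NSG: first match by priority wins."""
    rules = sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in rules:
        if rule.source not in ("*", source_tag):
            continue
        if rule.dest_port not in ("*", str(port)):
            continue
        if rule.protocol not in ("*", protocol):
            continue
        return rule.allow, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def inbound(subnet_rules, nic_rules, source_tag, port, protocol):
    """Evaluate the subnet NSG, then the NIC NSG; a deny at either one stops."""
    path = []
    for label, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        allowed, name = evaluate(rules, source_tag, port, protocol)
        path.append(f"{label}:{name}")
        if not allowed:
            return False, path
    return True, path


if __name__ == "__main__":
    cases = {
        "starting state": ([], NSG_VM1),
        "TCP rule on subnet NSG only": ([ALLOW_RDP_TCP], NSG_VM1),
        "TCP rule on both NSGs": ([ALLOW_RDP_TCP], NSG_VM1 + [ALLOW_RDP_TCP]),
    }
    for label, (subnet, nic) in cases.items():
        print(label, inbound(subnet, nic, "Internet", 3389, "TCP"))
```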
My comments were incorrect, late night study :-). The answer is Yes. The main point I missed was that NSG-Subnet 1 is correctly modified
with TCP 3389 and NSG-VM1 is removed. In this case you should be able to connect.
- "Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port
range 3389
and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1."
upvoted 112 times
By adding the rule to NSG-Subnet1 you are allowing RDP on Subnet level. Then you delete NSG-VM1, so you are able to RDP.
Note: A rule to permit RDP traffic may not be created automatically when you create your VM.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 73 times
Selected Answer: B
The proposed solution does not meet the goal. Although the solution adds an inbound security rule to NSG-Subnet1 that allows
connections from Any source to the destination port range 3389 using the TCP protocol, it fails to remove NSG-VM1 from the network
interface of VM1.
To establish Remote Desktop connections from the internet to VM1, you would need to configure the network security groups (NSGs)
correctly. NSG-VM1 should have an inbound security rule allowing Remote Desktop Protocol (RDP) traffic (port 3389) using the TCP
protocol. Additionally, the NSG-Subnet1 should have an inbound security rule that allows the RDP traffic from the internet to the VM's
public IP address.
The correct solution would involve modifying NSG-VM1 to allow RDP traffic over TCP and ensuring that NSG-Subnet1 has an inbound
security rule allowing RDP traffic from the internet to the VM's public IP address.
upvoted 1 times
Selected Answer: A
Answer is A.
The question clearly states ‘You need to be able to establish Remote Desktop connections from the internet to VM1’.
It says nothing about restricting RDP traffic in the subnet.
The proposed solution is not the best possible solution, but it would work. You would be able to establish an RDP connection to VM1 and
the rest of the VMs in the subnet.
upvoted 2 times
Selected Answer: B
OpenAI
"B. No.
The solution provided is not correct as it adds an inbound security rule for TCP protocol to NSG-Subnet1 and removes NSG-VM1 from the
network interface of VM1. However, the custom inbound security rule in NSG-VM1 is for UDP protocol, not TCP, and removing NSG-VM1
from the network interface of VM1 would also remove the custom inbound security rule that allows Remote Desktop connections.
To meet the goal of establishing Remote Desktop connections from the internet to VM1, you should add a custom inbound security rule to
NSG-VM1 that allows connections from the internet to the public IP address of VM1 for port 3389 using the TCP protocol. The rule should
have a lower priority than the existing custom inbound security rule in NSG-VM1 to ensure that it is evaluated first."
upvoted 2 times
Selected Answer: A
Answer is Yes, albeit it's a really weird way to solve this. From applying the same NSG to an interface and a Vnet, to allowing RDP into a
whole network instead of scoping it to a single server.
upvoted 2 times
No, this does not meet the goal because the NSG-VM1 has a custom inbound security rule that allows connections on UDP protocol to
port 3389, which is required for Remote Desktop Protocol (RDP) on Windows. By removing NSG-VM1 from the network interface of VM1,
this rule would be deleted, and RDP connections would not be allowed. The correct solution would be to add an inbound security rule to
NSG-VM1 that allows connections from the Internet to the * destination for port range 3389 and uses the TCP protocol. This would allow
RDP connections to VM1 from the Internet while still maintaining the security of the subnet using NSG-Subnet1.
upvoted 2 times
Selected Answer: B
No
The custom inbound security rule in NSG-VM1 allows connections from Any source to the destination for port range 3389 using the UDP
protocol, which is required for Remote Desktop connections. Removing NSG-VM1 from the network interface of VM1 will remove this
security rule and prevent Remote Desktop connections to VM1. To allow Remote Desktop connections from the internet to VM1, you
should keep NSG-VM1 associated to the network interface of VM1 and add the necessary inbound security rule to NSG-Subnet1.
upvoted 1 times
It mentions that "You need to be able to establish Remote Desktop connections from the internet to VM1". If we choose A, that means allowing
connections from the Any source to the * destination for port range 3389 using the TCP protocol, which I do not agree with.
upvoted 1 times
Answer is A: Yes
upvoted 1 times
Definitely yes. Add a rule to subnet which allows the connection and remove the rule on VM-NIC level that denies the connection.
upvoted 2 times
CJWit 1 year, 3 months ago
the big clue is UDP..... lol
upvoted 1 times
Selected Answer: A
This is a poorly worded question. RDP protocol can work on both TCP and UDP. Microsoft recommends adding NSG groups at the subnet
level as adding NSG at the NIC level can be complex when it comes to troubleshooting and management. Therefore I lean towards answer
A. But technically having a NSG attached to a subnet and another attached to the NIC at the same time works as long as the NSG rules on
both subnet and NIC level allow the same kind of traffic (with ports, protocols etc.)
upvoted 4 times
Yes! the reason is because a SUBNET OR NIC that has no NSG will allow all traffic. The current NSG only applies to UDP 3389, which the
question states and also we know that RDP (3389) is actually TCP. So therefore by removing the NSG the traffic will flow.
upvoted 2 times
Selected Answer: A
Selected Answer: A
Correct Answer: A
upvoted 1 times
Question #18 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to
Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for
A. Yes
B. No
Correct Answer: B
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
Correct Answer: B - No
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 59 times
UDP will work as long as the client machine (the one you are connecting from) has its registry updated to use UDP by default :>
So the answer is "No", but you can actually make it work if you change settings outside of Azure.
upvoted 18 times
We need a rule for VM Nic to allow RDP on TCP at 3389. It is not present at the moment
upvoted 1 times
Just for the sake of precision: RDP can work over both TCP and UDP (google it!).
The answer to this question will still be "No" though, because we have two NSGs enforced (one on NIC, one on Subnet) - one opens
TCP, the other opens UDP - so either connection will be blocked.
And dudes, please stop crapping these comments with answers with OpenAI, they are just not reliable and often wrong.
upvoted 1 times
Selected Answer: B
OpenAI
"No, this solution will not meet the goal. The current inbound security rule in NSG-VM1 allows Remote Desktop connections using the TCP
protocol on port 3389. The proposed inbound security rule in NSG-Subnet1 allows connections using the UDP protocol, which is not used
for Remote Desktop connections. Therefore, you should add an inbound security rule to NSG-VM1 that allows connections from the
internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol."
upvoted 1 times
Selected Answer: B
No, this solution will not meet the goal as Remote Desktop Protocol (RDP) uses TCP, not UDP. The inbound security rule should be
configured to allow connections from the internet source to the VirtualNetwork destination for port range 3389 and use the TCP protocol,
not UDP. Additionally, the NSG-VM1 should remain associated with the network interface of VM1 as it allows the RDP traffic to reach the
virtual machine.
upvoted 1 times
Correct Answer: B
The default port for RDP is TCP port 3389
upvoted 1 times
Selected Answer: B
Selected Answer: B
Answer is B. Have also tested in lab, definitely can't connect to UDP 3389 alone (although it is cited on several sites that it improves the
experience in some cases).
upvoted 3 times
Selected Answer: B
Selected Answer: A
RDP default TCP not UDP. Traffic is denied by the DenyAllInbound default security rule.
upvoted 4 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to
Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork
destination for port range 3389 and uses the TCP protocol.
A. Yes
B. No
Correct Answer: A
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 42 times
Selected Answer: A
I tested in my lab and the correct answer is A. Not sure how others are getting B; I followed the same instructions as detailed in the
question.
upvoted 1 times
I don't believe A is correct and don't understand what exactly you guys have tested?
If VM1 has a public IP address, the incoming traffic from the internet would first hit the NSG associated with the network interface (NSG-
VM1). If there's no matching rule in NSG-VM1, the default behavior is to deny the traffic. The traffic won't reach the NSG associated with
the subnet (NSG-Subnet1) because the default rules of NSG-VM1 would prevent it from doing so.
Therefore, you would first have to remove NSG-VM1 in order for NSG-Subnet1 to be evaluated.
upvoted 1 times
Selected Answer: A
A - Yes
Allowed TCP 3389 over both NSG's
upvoted 1 times
Selected Answer: A
"To allow port x to the virtual machine, both NSG1 and NSG2 must have a rule that allows port x from the internet." Or, in this scenario the
port would be 3389, so the answer is YES.
upvoted 1 times
Selected Answer: A
Agree with existing comments, RDP doesn't explicitly require UDP, so TCP will work.
Selected Answer: B
OpenAI
The existing custom inbound security rule on NSG-VM1 is already allowing inbound traffic on port 3389 using the UDP protocol. However,
Remote Desktop Protocol (RDP) uses TCP protocol, not UDP.
To meet the goal of being able to establish Remote Desktop connections from the internet to VM1, you need to modify the existing
custom inbound security rule on NSG-VM1 to use the TCP protocol instead of UDP.
Adding an inbound security rule to NSG-Subnet1 is not necessary as it only affects inbound traffic to resources within the subnet and does
not have any impact on inbound traffic to VM1."
upvoted 1 times
Assuming the priority numbers are the same for both rules, the next evaluation will be based on the traffic direction. Inbound rules are
evaluated first, so both rules will be evaluated. Finally, the rules will be evaluated based on their rule type. In this case, both rules are Allow
rules, so the order of evaluation does not matter."
upvoted 1 times
B. No.
The proposed solution is not correct because it adds a new inbound security rule that allows TCP protocol on port 3389 to both NSG-
Subnet1 and NSG-VM1, but the existing inbound security rule on NSG-VM1 allows UDP protocol on port 3389, not TCP. Therefore, the
proposed solution does not meet the goal of allowing Remote Desktop connections to VM1 from the internet.
To meet the goal, a new inbound security rule should be added to NSG-VM1 that allows TCP protocol on port 3389, in addition to the
existing inbound security rule that allows UDP protocol on port 3389. The inbound security rule on NSG-Subnet1 can remain as the default
rule.
upvoted 4 times
The existing NSG rule that allows UDP over 3389 can be ignored. RDP uses TCP, so it needs to allow TCP over port 3389. Also allowing
UDP over port 3389 doesn't break anything, even though it's not helping.
upvoted 1 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
So both NSG's will have the TCP rule and hence it will be allowed.
upvoted 1 times
Selected Answer: B
Remember there are 2 NSGs, one is assigned on NIC of the VM which has a UDP protocol and another on the Subnet which now is added
with TCP 3389.
Both the NSG-VM1 and NSG-Subnet1 are evaluated one after the other and both the rules should allow this traffic.
The TCP rule allowing TCP 3389 (RDP) is created on BOTH NSGs.
Therefore the answer is yes.
upvoted 2 times
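The inbound evaluation that this series of questions turns on, as an added example that is not part of the original page: a small Python model of how traffic from the internet passes NSG-Subnet1 first and then NSG-VM1, each checked in priority order with the default rules last. Assumptions: NSG-Subnet1 starts with only the default rules, the rule names and priority 110 are constructed, and a level with no NSG associated does not filter while the other level still has one.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # "*" (Any) or a service tag such as "Internet"
    destination: str   # "*" or a service tag such as "VirtualNetwork"
    port: str          # "*" or a single destination port
    protocol: str      # "TCP", "UDP" or "*"
    action: str        # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    source: str
    destination: str
    port: int
    protocol: str


# Default inbound rules that every NSG carries.
DEFAULT_INBOUND = (
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInbound", 65500, "*", "*", "*", "*", "Deny"),
)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.source in ("*", pkt.source)
            and rule.destination in ("*", pkt.destination)
            and rule.port in ("*", str(pkt.port))
            and rule.protocol in ("*", pkt.protocol))


def first_match(custom_rules: Sequence[Rule], pkt: Packet) -> Rule:
    """Return the first matching rule; processing stops at that rule."""
    for rule in sorted((*custom_rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        if _matches(rule, pkt):
            return rule
    raise AssertionError("unreachable: DenyAllInbound matches every packet")


def inbound(subnet_nsg: Optional[Sequence[Rule]],
            nic_nsg: Optional[Sequence[Rule]],
            pkt: Packet) -> Tuple[bool, str]:
    """Inbound traffic is checked by the subnet NSG, then by the NIC NSG.

    Both levels must allow the packet. None means no NSG is associated at
    that level (assumption: the other level still has one).
    """
    for level, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            continue
        rule = first_match(nsg, pkt)
        if rule.action == "Deny":
            return False, f"{level}:{rule.name}"
    return True, "allowed"


# The custom rule from the question (name constructed).
UDP_3389 = Rule("Custom-UDP-3389", 100, "*", "*", "3389", "UDP", "Allow")
# The TCP rule the proposed solutions add (name and priority constructed).
TCP_3389 = Rule("Allow-RDP-TCP", 110, "Internet", "VirtualNetwork", "3389", "TCP", "Allow")
# An RDP connection attempt from the internet to VM1.
RDP = Packet("Internet", "VirtualNetwork", 3389, "TCP")


def scenarios():
    return {
        "starting state": inbound([], [UDP_3389], RDP),
        "TCP rule on subnet only": inbound([TCP_3389], [UDP_3389], RDP),
        "TCP rule on subnet and NIC": inbound([TCP_3389], [UDP_3389, TCP_3389], RDP),
        "TCP rule on subnet, NIC NSG removed": inbound([TCP_3389], None, RDP),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:38} {'ALLOW' if allowed else 'DENY':5} {reason}")
```
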
Question #20 Topic 5
HOTSPOT -
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you
specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.
Reference:
https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas
However, in the first question you have to _first_ add an address space. (and then a subnet)
In the second question you only have to add a subnet as 10.2.1.0/24 is within the vnet's address range 10.2.0.0/16
upvoted 11 times
Is correct!
upvoted 3 times
"Before a virtual machine on VNet1 can receive an IP address from 192.168.1.0/24, you must first add a subnet. This is because the current
address space of VNet1 is 10.2.0.0/16, which does not include the 192.168.1.0/24 address range.
Before a virtual machine on VNet1 can receive an IP address from 10.2.1.0/24, no further action is required as this address range falls
within the existing address space of VNet1 (10.2.0.0/16) and a subnet with the required address prefix can be created within this address
space."
upvoted 1 times
To allow a virtual machine on VNet1 to receive an IP address from 10.2.1.0/24, you must first add a subnet.
upvoted 2 times
You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.
You need to create network security groups (NSGs) to meet the following requirements:
✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?
A. 1
B. 3
C. 4
D. 12
Correct Answer: C
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual
Networks (VNet).
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
Correct Answer: A
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many
subnets and NICs as you choose.
So, you can create 1 NSG and associate it with all 3 Subnets.
- Allow web requests from internet to VM3, VM4, VM5 and VM 6: You need to add an inbound rule to allow Internet TCP 80 to VM3, VM4,
VM5 and VM6 static IP addresses.
- Allow all connections between VM1 & VM2: You do not need an NSG as communication in the same VNet is allowed by default, without
even configuring NSG.
- Allow remote desktop to VM1: You need to add an inbound rule to allow RDP 3389 in VM1’s static IP address.
- Prevent all other network traffic to VNET1: You do not need to configure any NSG as there is an explicit deny rule (DenyAllInbound) in
every NSG.
upvoted 338 times
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 2 times
I believe it's wrong. I would go with 1 NSG only. NSGs can associate to multiple subnets. There is no conflict in rules so all can be in 1 NSG.
My penny.
upvoted 103 times
In summary, you would need three NSGs, each associated with its respective subnet:
Answer A (1)
Job Done
upvoted 3 times
One NSG for the web requests from the internet to VM3, VM4, VM5, and VM6.
One NSG for the connections between VM1 and VM2.
One NSG for the Remote Desktop connections to VM1.
By configuring these NSGs, you can allow the required traffic and prevent all other network traffic to VNET1.
upvoted 3 times
There's nothing stopping you from putting all the rules into a single NSG and then attaching the one NSG to every subnet.
upvoted 2 times
You need to create at least three security groups (NSGs). These would include:
- One NSG assigned to Subnet(x) and Subnet(y) to allow connections from the internet and deny any other connections.
- One NSG assigned to Subnet(n) to allow connections between virtual machines (VMs) and deny any other connections.
- One NSG assigned to VM to Deny (or Allow for this scenario) Remote Desktop connections.
You can assign the same NSG to multiple subnets.
The recommended method to manage network security through NSGs is to use NSGs assigned at the subnet level whenever possible.
NSGs should be assigned directly to VMs only as necessary to handle exceptions.
upvoted 1 times
Explanation:
You can not associate multiple Subnet to 1 NSG (Subnet Level)
1. NSG1-Subnet2 (VM3 and VM4 Allow web request)
2. NSG2-Subnet3 (VM5 and VM6 Allow web request)
3. NSG3-Subnet1 (VM1 and VM2 Prevent all other network traffic to VNET1)
4. NSG4-NICVM1 (Allow Remote Desktop connections to VM1 not VM2 we must set on NIC)
upvoted 1 times
Selected Answer: A
You only need to create one NSG and you can associate it with all the three subnets
upvoted 1 times
Correct Answer: A
upvoted 1 times
Look at first condition, VM3,VM4 (1 NSG on subnet) & VM5, VM6 (1 NSG on subnet). there goes your A into trash.
One more is needed for RDP and block other traffic. 3 NSG it is!
upvoted 2 times
Question #22 Topic 5
You have an Azure subscription that contains the resources shown in the following table.
The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.
Correct Answer: A
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to
block.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types
Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A
upvoted 30 times
A is the answer.
https://learn.microsoft.com/en-us/azure/governance/policy/overview#azure-policy-objects
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
upvoted 3 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
check comment
upvoted 1 times
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server
that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
A. Azure CLI
B. Azure PowerShell
Correct Answer: B
Open an elevated PowerShell window (Administrative mode) and run the following command: install-script PrivateDnsMigrationScript
PrivateDnsMigrationScript.ps1 -
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide
PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.
upvoted 128 times
I think the point of this question is "The solution must minimize administrative effort." without proper scenario.
upvoted 2 times
A is correct
upvoted 1 times
It's important to disclaim that when we deal with DNS migrations (expo-impo) between DNS we must handle it with their DNS FILE.
So the only way to operate with these FILES is via Azure CLI.
"A DNS zone file is a text file containing information about every Domain Name System (DNS) record in the zone. It follows a standard
format, making it suitable for transferring DNS records between DNS systems. Using a zone file is a fast and convenient way to import
DNS zones into Azure DNS. You can also export a zone file from Azure DNS to use with other DNS systems."
https://learn.microsoft.com/en-us/azure/dns/dns-import-export#introduction-to-dns-zone-migration
upvoted 1 times
References: https://docs.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 4 times
B. Azure PowerShell
upvoted 1 times
Azure PowerShell provides a comprehensive set of cmdlets for managing Azure resources, including Azure DNS. With Azure PowerShell,
you can automate the process of creating a new Azure DNS zone, configuring the necessary DNS records, and migrating the adatum.com
zone from Server1 to the Azure DNS zone.
upvoted 1 times
Selected Answer: A
Azure CLI
https://learn.microsoft.com/en-us/azure/dns/dns-import-export#introduction-to-dns-zone-migration
upvoted 2 times
Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
supported via Azure PowerShell or the Azure portal.
PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-import-export https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide
upvoted 1 times
https://learn.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 1 times
Selected Answer: B
To move the adatum.com zone to an Azure DNS zone in Subscription1 while minimizing administrative effort, you should use Azure
PowerShell.
Azure PowerShell provides a comprehensive set of cmdlets specifically designed for managing Azure resources and services, including
Azure DNS. Using Azure PowerShell, you can easily automate the process of creating an Azure DNS zone, importing the existing DNS
records from Server1, and configuring the necessary settings.
upvoted 1 times
Question #24 Topic 5
You have a public load balancer that balances ports 80 and 443 across three virtual machines named VM1, VM2, and VM3.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
C. a frontend IP configuration
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal https://pixelrobots.co.uk/2017/08/azure-
load-balancer-for-rds/
The difference between inbound NAT rules and port mapping in load balancer rules is that inbound NAT rules apply to direct forwarding
to a VM, whereas load balancer rules forward traffic to a backend pool.
upvoted 33 times
A is correct
upvoted 2 times
Selected Answer: A
To direct all RDP connections to VM3 only, you need to create an inbound NAT rule that maps the RDP port (3389) to the RDP port of VM3.
You can do this by specifying the frontend IP configuration of the public load balancer, the protocol (TCP), the frontend port (3389), and
the backend port (3389) of VM3 in the inbound NAT rule. This will route all incoming RDP traffic to VM3 only, regardless of the load
balancing configuration.
upvoted 3 times
Selected Answer: A
Selected Answer: A
Correct Answer: A
upvoted 2 times
Selected Answer: A
https://docs.microsoft.com/en-us/azure/load-balancer/components
upvoted 9 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the virtual networks in the following table.
In Subscription1, you create a load balancer that has the following configurations:
✑ Name: LB1
✑ SKU: Basic
✑ Type: Internal
✑ Subnet: Subnet12
✑ Virtual network: VNET1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
Correct Answer:
Basic Load Balancer: Backend pool endpoints for Virtual machines in a single availability set or virtual machine scale set.
Subnet12 association will be used to assign an IP for the internal load balancer, not to load balance the VMs in the Subnet.
Box 1: Yes
VM1 and VM are in the Availability Set.
Box 2: No
Both VMs are not part of any Availability Set or Scale Set.
Box 3: No
Both VMs are not part of any Availability Set or Scale Set.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 173 times
You cannot use a basic load balancer to balance between single VMs. They have to be in a scale set or availability set.
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 61 times
"They are the machines or services that create a backend pool. The Basic Tier is quite limiting. It can only have a single availability set,
virtual machine scale set or a single machine. The Standard Tier can span any virtual machine in a single virtual network which includes
blends of scale sets, availability sets, and machines."
upvoted 12 times
YNN
and why is it necessary to know the restrictions of basic tier of get a architect?
upvoted 1 times
Note that it mentions *within the same virtual network*, not *within the same subnet*.
upvoted 2 times
Which identities can you assign the Report Reader role to?
A-User1 only
HOTSPOT -
You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:
✑ Name: VM1
✑ Location: West US
✑ Connected to: VNET1
✑ Private IP address: 10.1.0.4
✑ Public IP addresses: 52.186.85.63
✑ DNS suffix in Windows Server: Adatum.com
You create the Azure DNS zones shown in the following table.
You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.
Which zones should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
Correct Answer:
Box 1: Private
Box 2: Private
You can link VNETs to private DNS zones only, and accordingly auto-register a VNET only to a private DNS zone. Private DNS zones
can be linked with VNETs (not public ones). And VM can auto-register to any private DNS zone linked with the Vnet and with auto-
registration option set.
To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual
networks have full access and can resolve all DNS records published in the private zone.
upvoted 143 times
"A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however,
link multiple virtual networks to a single DNS zone."
You can link VNETs to private DNS zones only, and accordingly auto-register a VNET only to a private DNS zone.
upvoted 2 times
DRAG DROP -
You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1 that
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
NOTE: More than one order of answer choice is correct. You will receive credit for any of the correct orders you select.
Correct Answer:
Always work from the Azure side first, it's a dependency. Dependency is the key to all order obviously...
1 - Start with a Gateway subnet. You need the subnet in place first before you can associate a VPN gateway with it, which is what is created
next.
2 - Create a VPN gateway. Associate the VPN gateway with the gateway subnet you created (there are other steps but for the sake of what
is available for answers, the prem side is now configured)
3 - Create a local gateway. You need the local gateway in order to complete the tunnel, then you can create a VPN connection
upvoted 296 times
Correct Answer:
As per documentation:
1. Create a virtual network
2. Create a VPN gateway
3. Create a local network gateway
4. Create a VPN connection
5. Verify the connection
6. Connect to a virtual machine
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
upvoted 115 times
Create a local network gateway in Azure that represents the on-premises network, specify the public IP address of the VPN device, and
define the address space of the on-premises network.
Create a VPN gateway in Azure and configure the gateway type, VPN type, and SKU.
Create a gateway subnet in VNet1 to host the VPN gateway.
Create a VPN connection between the on-premises VPN device and the Azure VPN gateway, specify the shared key, and select the local
network gateway and the VPN gateway.
Note: Creating a custom DNS server is not necessary for creating a site-to-site VPN connection.
upvoted 1 times
Create a local network gateway in Azure that represents the on-premises network, specify the public IP address of the VPN device, and
define the address space of the on-premises network.
Create a VPN gateway in Azure and configure the gateway type, VPN type, and SKU.
Create a connection between the on-premises VPN device and the Azure VPN gateway, specify the shared key, and select the local network
gateway and the VPN gateway.
Configure the on-premises VPN device to connect to the Azure VPN gateway, specify the public IP address of the Azure VPN gateway, and
configure the necessary settings, such as the authentication method, encryption algorithm, and IKE version
upvoted 1 times
Create a VPN gateway, A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-
premises network to the VNet
Create a local network gateway ** The purpose for this GW is to have replica information about the on-prem VPN GW and provides it to
the Azure VPN GW*** such info is Public IP and the private IP address pool. An abstraction of the on-premises VPN appliance. Network
traffic from the cloud application to the on-premises network is routed through this gateway.
Create a VPN connection, The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises
VPN appliance to encrypt traffic
You have an Azure subscription that contains the resources in the following table.
VM1 and VM2 are deployed from the same template and host line-of-business applications.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)
You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.
Correct Answer: C
You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
Correct Answer: C
Outbound rule “DenyWebSites” is setup correctly to block outbound internet traffic over port 80. In the screenshot it states, "Associated
with: 0 subnets, 0 NIC's", so you need to associate the NSG to Subnet1. You can associate or dissociate a network security group from a NIC
or Subnet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
upvoted 110 times
Answer is correct - C. Outbound rule: DenyWebSites is setup correctly to block outbound internet traffic over port 80.
upvoted 20 times
Selected Answer: C
Correct Answer: C
upvoted 1 times
Selected Answer: C
check mlantonis
upvoted 5 times
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of
10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of
10.10.0.0/24.
Correct Answer: D
The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from
different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the
VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity
types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
Correct Answer: D
Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected.
You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from
different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the
same Active Directory tenant.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
upvoted 121 times
Answer is correct. "D". It is a VNET to VNET connection where no IP overlap exists. Also, no need to have the same Azure AD. They
just need to have a Virtual network gateway to communicate using Public IP where it is secured using SSTP or IKEv2
upvoted 68 times
They could have just peered the two vNets as we can peer vNets in 2 different subscriptions.
Can I enable virtual network peering if my virtual networks belong to subscriptions within different Microsoft Entra tenants?
Yes. It's possible to establish virtual network peering (whether local or global) if your subscriptions belong to different Microsoft Entra
tenants. You can do this via the Azure portal, PowerShell, or the Azure CLI.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
upvoted 2 times
Selected Answer: D
To connect VNet1 to VNet2, you need to create a site-to-site VPN connection between the two virtual networks. The first step to
accomplish this is to provision virtual network gateways in both subscriptions. Therefore, the correct answer is:
Once the virtual network gateways are provisioned, you can configure the VPN connection between them to enable traffic to flow between
VNet1 and VNet2. Moving VM1 to Subscription2 or modifying the IP address space of VNet2 is not required to establish the VPN
connection between the two virtual networks. Similarly, moving VNet1 to Subscription2 is not required, but you may need to create a
peering connection between the virtual networks after the VPN connection is established to enable communication between the virtual
machines.
upvoted 2 times
Correct Answer: D
upvoted 1 times
Selected Answer: D
D is correct
upvoted 1 times
Selected Answer: C
only after modifying address space, you can create Gw Subnet and then add gw for VNet-VNet
upvoted 2 times
Selected Answer: D
D is correct
Create a virtual network ***( That is the Gateway Subnet)***
Create a VPN gateway, A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-
premises network to the VNet
upvoted 3 times
Answer is correct. "D". It is a VNET to VNET connection where no IP overlap exists.
upvoted 1 times
Answer is correct
upvoted 1 times
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
The planned disk configurations for VM1 are shown in the following exhibit.
You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.
B. OS disk type
C. Availability options
D. Size
E. Image
Correct Answer: AC
A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.
C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone
dropdown.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.
C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability
zone dropdown.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones
upvoted 98 times
Explanation is correct but marked answer is wrong. should be Availability Zones and Managed Disks
upvoted 52 times
Selected Answer: AC
Selected Answer: AC
Selected Answer: AC
Explanation is correct but marked answer is wrong. should be Availability Zones and Managed Disks
upvoted 2 times
ScarfaceRecords 1 year, 7 months ago
AC is the correct one.
upvoted 1 times
Selected Answer: AC
AC is correct
upvoted 2 times
Should be A, C
upvoted 1 times
Selected Answer: AC
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1.
Which resource group and location should you use to deploy VM1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that
metadata is stored.
Note: Virtual machine scale sets will support 2 distinct orchestration modes:
ScaleSetVM - Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance
VM (virtual machines) - Virtual machines created outside of the scale set can be explicitly added to the scaleset.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 109 times
Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal
upvoted 12 times
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups
" Resources in a resource group can be in regions other than that of the resource group."
upvoted 1 times
Answer is correct. The location of the RG doesn't influence the choice of the location of VM. The location of the VM should be the same like
the VM Scale set (single zone or zone redundant )
upvoted 63 times
You can only attach new VMs (non identical) to a Virtual Machine Scale Set in Flexible orchestration mode.
NOTES:
-The VM must be in the same resource group as the scale set.
-If the scale set is regional (no availability zones specified), the virtual machine must also be regional. <and both VM and VMSS must be in
same region>
-If the scale set is zonal or spans multiple zones (one or more availability zones specified), the virtual machine must be created in one of
the zones spanned by the scale set. For example, you can't create a virtual machine in Zone 1, and place it in a scale set that spans Zones 2
and 3.
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal-1%2Cportal-2%2Cportal-3#exceptions-to-attaching-a-new-vm-to-a-virtual-machine-scale-set
upvoted 2 times
You can only attach VMs to a Virtual Machine Scale Set in Flexible orchestration mode.
The VM must be in the same resource group as the scale set.
If the scale set is regional (no availability zones specified), the virtual machine must also be regional.
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal
upvoted 11 times
So the answer is
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
So for Box 1;
It can be R1, RG2, RG3, but should be RG1.
For Box 2;
When you are going to create the vm1 you can read this:
You can add your virtual machine to a virtual machine scale set to design highly available and scalable application architecture. Virtual
machines inside a scale set can be deployed into fault domains or Availability zones. The scale set must be set to flexible orchestration
mode, and in the same region and resource group.
upvoted 5 times
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3.
How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 2: VNET1 -
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 111 times
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 20 times
Gateway transit only applies when there is a VPN gateway created and Gateway transit is a peering property that lets one virtual network
use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity hence really allows for reduced cost
and administrative effort since only one VPN GW to manage and pay for
So in summary the Gateway transit option that you enable allows you to use the VPN GW for routing. Now assuming the VPN GW has all
necessary routes then yes communication between VNET2 and VNET3 is possible but if for argument's sake the VPN GW doesn't have
routes of VNET2 and VNET3 then both VNETs will NOT be able to communicate
upvoted 8 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
A. Yes
B. No
Correct Answer: B
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from
the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Correct Answer: B
Instead export the client certificate from Computer1 and install the certificate on Computer2.
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client
computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to
connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S
VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.
upvoted 92 times
B is correct:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication
fails.
upvoted 21 times
margotfrpp Most Recent 9 months, 4 weeks ago
Selected Answer: B
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
upvoted 2 times
Selected Answer: B
Correct Answer: B
upvoted 2 times
Selected Answer: B
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
A. Yes
B. No
Correct Answer: B
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Correct Answer: B
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed. Instead export the client certificate
from Computer1 and install the certificate on Computer2.
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client
computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to
connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S
VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.
upvoted 40 times
Answer is correct No
upvoted 13 times
There are several versions of this question. The following are the correct and incorrect answers that can be presented.
-Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
upvoted 6 times
Correct Answer: B
upvoted 2 times
Selected Answer: B
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
A. Yes
B. No
Correct Answer: B
Correct Answer: B - No
You need to use a custom policy definition, because there is not a built-in policy and Resource Lock is an irrelevant solution.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 86 times
Selected Answer: B
To achieve this goal, you can create an Azure Policy that enforces the required network security rule across all the virtual networks in the
subscription. The policy should specify the rule that blocks TCP port 8080 traffic between the virtual networks. When a new NSG is created,
it will automatically be associated with the policy, and the required network security rule will be enforced.
Resource locks are used to prevent accidental deletion or modification of Azure resources. They do not affect the behavior or
configuration of resources such as NSGs.
upvoted 4 times
Selected Answer: B
Correct Answer: B
upvoted 2 times
Selected Answer: A
correct
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
Tricky One
upvoted 1 times
Question #36 Topic 5
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.
You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
D. Start VM1
Correct Answer: D
Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Once traffic matches a rule, processing stops. RDP already has the lowest number and thus the highest priority.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Any resource with a dynamically assigned public IP address will display the 'name' you gave it when the resource it is assigned to is offline.
A static address will be shown regardless of the resource state. This means that we need to start the VM1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 147 times
to put it simply, the denyall rule at the end is put in so you wouldn't have to type out a couple of hundred different ports that you want
to block and instead would need to allow just a couple of ports that you do actually need
upvoted 1 times
Selected Answer: D
"Computer1 is connected to the Internet." - that threw me off a bit. So it is configured to connect to internet but at this point is not actually
connected to internet because it is not running? Never mind. Only D seems to be the best option compared to other options.
upvoted 1 times
Selected Answer: D
A. Change the priority of the RDP rule --> Priority is already lowest so no need
B. Attach a network interface --> Question states its already attached so no need
C. Delete the DenyAllInBound rule --> Obviously never do that, but it would also not solve this because it has lowest priority by default
D. Start VM1 --> Remains as the only viable option
upvoted 5 times
Selected Answer: D
Correct Answer: D
You need to stop the VM before attaching a network interface, so starting the VM is the first you should do after attaching it:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm
Selected Answer: D
Correct Answer: D
upvoted 1 times
Selected Answer: D
D is correct
upvoted 1 times
You have the Azure virtual machines shown in the following table.
You configure the DNS servers settings for each virtual network as shown in the following exhibit.
You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.
Correct Answer: D
Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.
Incorrect Answers:
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network.
Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP
addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Correct Answer: D
Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs. Virtual network peering
enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The
traffic between virtual machines uses the Microsoft backbone infrastructure.
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the
Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service
Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the
VNet.
upvoted 88 times
Selected Answer: D
Correct Answer: D
upvoted 2 times
Selected Answer: D
Selected Answer: D
[D]- it's saying local DNS on VM1, conditional forwarder is external DNS not local so answer is D.
upvoted 2 times
Selected Answer: D
Answer is correct. D.
a: A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as contoso.com, to forward
queries to.
b-c no
upvoted 3 times
Answer is correct
upvoted 3 times
HOTSPOT -
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.
Hot Area:
Correct Answer:
Box 1: No -
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Correct Answer:
Box 1: No
NSG1 limits the traffic that is flowing into 172.16.2.0/24 (Subnet2), which host VM2.
Box 2: Yes
Since Network Watcher is showing that traffic from VM1 to VM2 is not reaching on the TCP port, that means that NSG1 is applied to VM2.
We can understand for sure, that it is not applied to VM1.
Box 3: Yes
In Network Watcher, you can see that the next hop is the destination VM2. This means that they are part of the same virtual network.
upvoted 199 times
N-Y-Y
upvoted 43 times
tested in LAB
upvoted 2 times
As per first Network Watcher test, TCP connection from VM1 to VM2 did not succeed. NSG1 specifically allows VM1 subnet to connect to
VM2 subnet on TCP.
As per second Network Watcher test is working but NSG1 blocks ICMP
So NSG1 was NOT applied to VM2 or its subnet.
1) NSG1 if applied to VM1 or its subnet will limit VM1 traffic. It will allow TCP traffic only to VM2 subnet, rest is denied.(ICMP also)
2) NSG1 was not applied to VM2 as per second Network Watcher test, ICMP connection from VM1 to VM2 did succeed.
3) Next hop is VM2 IP which implies they are part of the same vnet.
upvoted 8 times
box1: Yes
NSG1 limits the traffic to only TCP that's why network watcher status is UNREACHABLE.
ICMP is not a TCP traffic. It is also not UDP.
Thus, protocol should be set to ANY.
ANY basically means allowing ALL traffic.
box2: Yes
box3: Yes
upvoted 1 times
Box 1: No
Neither of the Inbound rules in the NSG limit traffic to 172.16.1.0/24 subnet where VM1 lives.
Box 2: No*
Actually not enough information to know either way. Both tests are from Subnet 172.16.1.0/24 to 172.16.2.0/24. Nothing in the NSG1
blocks traffic between the two subnets (given the Allow has a higher priority to the Deny and they are both scoped for the same
Ports/Protocol), which is also the same result as if they were in the same VNET with no NSG applied to anything anyway.
*I would say No though because the rule is defined to the Subnet, not the IP of the VM, which implies it's designed to apply at the Subnet
level. It is grasping at straws but that's all we have. There is no other way to answer this question.
Box 3: Yes
I don't think anyone disagrees on this.
upvoted 3 times
Box 2: Yes
Box 3: Yes, I gotta agree with mlantonis. In Network Watcher you can see that the next hop from VM1 is VM2, so…….
upvoted 2 times
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises
network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises
network. The solution must ensure that all the applications can still be accessed by the Internet users.
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
Correct Answer: B
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by
SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Correct Answer: B
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network
connect by using the RDP or SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
upvoted 89 times
None of these answers make any sense. The subnet is a private IP range. You would have to associate the NSG with each NIC for the rules
to affect the public IP address assigned to each NIC on each VM. Also, you'd probably use a Firewall if you weren't retarded.
upvoted 1 times
exp: removing Public IPs will prevent the applications access on port 443 to users on the internet which is a requirement. Deny rule is a
more appropriate solution
upvoted 1 times
Selected Answer: B
But these MS answers re: NSGs are seriously leading newer folks into dangerous territory: you DO NOT create Deny rules for specific
ports. Instead, DENY everything - and only open what you NEED.
Anything else is a disaster waiting to happen - especially in this scenario with machines directly facing the internet...
TL/DR: answer B for the test but do the right thing in a real environment
upvoted 5 times
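The rule-ordering behaviour this question and the comment above rely on (lowest priority number evaluated first, first match wins, default DenyAllInBound at the end), as an added example that is not part of the original thread. It is a simplified Python model of inbound NSG evaluation; the address ranges, rule names and priorities are constructed for illustration, and the Internet tag is approximated as "anything outside the VirtualNetwork tag".

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not taken from the exam exhibit).
VNET = ipaddress.ip_network("10.1.0.0/16")
ON_PREM = ipaddress.ip_network("192.168.0.0/16")  # reached over the site-to-site VPN
TAGS = {
    # The VirtualNetwork tag covers the VNet and connected on-premises space.
    "VirtualNetwork": [VNET, ON_PREM],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}


def source_matches(source, ip):
    """Match a rule source: '*', a service tag name, or a CIDR string."""
    addr = ipaddress.ip_address(ip)
    if source == "*":
        return True
    if source == "Internet":
        # Simplification: everything outside the VirtualNetwork tag.
        return not any(addr in net for net in TAGS["VirtualNetwork"])
    nets = TAGS.get(source) or [ipaddress.ip_network(source)]
    return any(addr in net for net in nets)


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    source: str
    dest_port: str  # a port number as a string, or "*"

    def matches(self, protocol, src_ip, dest_port):
        return (self.protocol in ("*", protocol)
                and source_matches(self.source, src_ip)
                and self.dest_port in ("*", str(dest_port)))


# Default inbound rules that every NSG carries.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
]


def evaluate(custom_rules, protocol, src_ip, dest_port):
    """Return (access, rule_name) of the first rule that matches, by priority."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.matches(protocol, src_ip, dest_port):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def internet_exposed_ports(custom_rules, ports=(22, 443, 3389), probe_ip="203.0.113.7"):
    """Ports a constructed Internet address can reach over TCP under these rules."""
    return [p for p in ports if evaluate(custom_rules, "Tcp", probe_ip, p)[0] == "Allow"]


# Starting state in the question: RDP reachable from everywhere (hypothetical rules).
EXPOSED = [
    Rule(100, "AllowHttps", "Allow", "Tcp", "*", "443"),
    Rule(300, "AllowRdpAny", "Allow", "Tcp", "*", "3389"),
]
# Answer B: a deny rule for Internet RDP, placed ahead of the broad allow.
EXAM_FIX = EXPOSED + [Rule(200, "DenyRdpFromInternet", "Deny", "Tcp", "Internet", "3389")]
# Same deny rule with a higher number than the allow: never reached.
MISORDERED = EXPOSED + [Rule(400, "DenyRdpFromInternet", "Deny", "Tcp", "Internet", "3389")]
# The commenter's approach: allow only what is needed, let DenyAllInBound do the rest.
DEFAULT_DENY = [
    Rule(100, "AllowHttps", "Allow", "Tcp", "*", "443"),
    Rule(110, "AllowRdpFromOnPrem", "Allow", "Tcp", "192.168.0.0/16", "3389"),
]

if __name__ == "__main__":
    for label, rules in [("exposed", EXPOSED), ("exam fix", EXAM_FIX),
                         ("misordered", MISORDERED), ("default deny", DEFAULT_DENY)]:
        print(f"{label:13} Internet-reachable ports: {internet_exposed_ports(rules)}")
        print(f"{'':13} on-prem RDP: {evaluate(rules, 'Tcp', '192.168.10.5', 3389)}")
```

The misordered set shows why the deny rule's priority number must be lower than that of the broad allow it is meant to override.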
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
Selected Answer: B
Selected Answer: B
Correct answer is: Deny direct RDP or SSH access through an NSG.
You do need public IPs for the VMs mainly because internet users need to be able to reach the VM via TCP 443. If LB is in place/mentioned,
the VM won't necessarily need public IP.
upvoted 3 times
You have an Azure subscription that contains the resources in the following table.
Correct Answer: A
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups
Full explanation:
Correct Answer is A:
The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the
virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups
that this NIC should join, and then click Save to commit the change.
https://petri.com/understanding-application-security-groups-in-the-azure-portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 118 times
Correct Answer: A
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to
group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without
manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing
you to focus on your business logic.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group
upvoted 77 times
Selected Answer: A
You can use the Networking blade of virtual machine to add a machine to one or more ASGs
upvoted 1 times
Correct Answer: A
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 3 times
Lazylinux 1 year, 7 months ago
Selected Answer: A
A is correct
An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group,
and then use the application security group as a source or destination in NSG rules.
upvoted 3 times
The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the
virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups
that this NIC should join, and then click Save to commit the change.
https://petri.com/understanding-application-security-groups-in-the-azure-portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 5 times
Refer https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group/
upvoted 5 times
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises
network by using Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Create a connection
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
However, the question states that VNet1 connects to your on-premises network by using Azure ExpressRoute. For an ExpressRoute
connection, VNET1 must already be configured with a gateway subnet so we don't need another one.
Note: BasicSKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN
gateway.
upvoted 177 times
Vnet1 is already connected by ExpressRoute, which we presume means that the subnet gateway was already created.
SKU needs to be VpnGw1 because Basic does not coexist with ExpressRoute.
Azure allows for the coexistence of VPN gateways and ExpressRoute connections within the same virtual network. This configuration is
known as "VPN coexistence" or "VPN ExpressRoute coexistence." It enables you to have both VPN-based connectivity and ExpressRoute
connectivity to your Azure resources, providing flexibility and redundancy.
upvoted 1 times
BasicSKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN
gateway.
upvoted 1 times
OpenAI
"To connect VNet1 to the on-premises network using a site-to-site VPN while minimizing cost, you should perform the following three
actions:
B. Create a local site VPN gateway: A local site VPN gateway represents the on-premises VPN device. By creating a local site VPN gateway,
you can establish a connection between your on-premises network and Azure.
D. Create a gateway subnet: The gateway subnet is a subnet dedicated to hosting the VPN gateway. You need to create a gateway subnet
within VNet1 to deploy the VPN gateway.
E. Create a VPN gateway that uses the Basic SKU: The Basic SKU is the most cost-effective option for a VPN gateway. It provides the
necessary functionality for site-to-site connectivity between your on-premises network and Azure.
ChatGPT
I apologize for the confusion in my previous response. The Basic SKU does not support ExpressRoute connectivity. It only supports
site-to-site VPN connectivity.
If you want to prepare the environment for automatic failover in case of ExpressRoute failure, you would need to use the High
Performance or Ultra Performance SKU for the VPN gateway.
A. Create a connection: This refers to creating a connection object that represents the link between your virtual network and the
on-premises network.
C. Create a VPN gateway that uses the VpnGw1 SKU: This SKU supports ExpressRoute connectivity and provides the necessary
performance and capabilities for automatic failover in case of ExpressRoute failure.
D. Create a gateway subnet: A gateway subnet is required to host the VPN gateway.
It can't be D or E. Since ExpressRoute exists already, it must have a gateway subnet. Basic SKUs can't co-exist with an ExpressRoute gateway.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 2 times
Vnet1 is already connected by ExpressRoute, which we presume means that the subnet gateway was already created.
SKU needs to be VpnGw1 because Basic does not coexist with ExpressRoute.
Co-exists with ExpressRoute so must use VpnGw1. The rest is just standard VPN gateway setup steps.
upvoted 1 times
ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased.
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 3 times
ABC is correct
Subnet GW already exist (catchy one)
Basic GW will not work with expressroute
upvoted 2 times
Question #42 Topic 5
HOTSPOT -
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.
Reference:
https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 104 times
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains the resources in the following table.
You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1.
LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)
Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.
Box 2: Yes -
When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend
endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive new flows.
You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health
probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop
sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound connectivity is impacted.
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
Correct Answer:
Box 1: Yes
A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.
Box 2: Yes
When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the
backend endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive
new flows. You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom
response to a health probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails,
Load Balancer will stop sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound
connectivity is impacted.
Box 3: No
There will be no loadbalancing between the VMs.
Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set.
Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network.
upvoted 143 times
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
upvoted 14 times
y-y-y; deleting the rule does not mean that the LB will not balance the requests that are coming; more than that, it will allow all connections coming
to the frontend IP and balance to the backend
upvoted 1 times
If it's an internal load balancer, with no rules it will now allow any traffic.
But for a public load balancer allows traffic on all ports by default.
Any suggestions?
upvoted 2 times
HOTSPOT -
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1.
Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are
accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to
your VMs.
NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
Correct Answer:
Tested in lab. If the VM has a dynamic (hence basic) public IP it cannot be chosen to the B-E pool with the following error msg:
"The SKU of the resource's IP address is different from the SKU of the load balancer."
upvoted 5 times
Guys!! It's simple! Don't get confused with complicated textbook explanations in the comment section.
1) Remove Public IP address from VM1 --> Reason being when you create a LB and add VM to backend pool make sure VM doesn't have a
Public IP assigned to it.
2) Create and configure an NSG. --> Key thing to notice in question is "STANDARD LB". Backend pool VM in standard LB should
compulsorily have NSG associated to it and configured with required port to be allowed.
Example:
With basic SKU LB I was able to connect VM via RDP without any NSG.
Now when I tested with standard LB I had to configure an NSG for the VM NIC and allow port 3389 to RDP to it. Without NSG it won't allow to
connect
upvoted 38 times
I am a bit confused. Just tested the scenario and I was able to SSH access the VM1 over LB1's FrontEnd IP. No NSG exists, VM1 has its Public
IP and even then no problem to SSH from home PC.
upvoted 1 times
Justification:
NEXT
I created a new load balancing rule for TCP22 on the LB to the backend pool with the VM in it. Succeeded no problem
Attempted Connection to FrontEnd PIP of LB on TCP22 in Putty and got the certificate pop up you would accept. Accepted the certificate
and got the login prompt
- Standard load balancer is built on the zero trust network security model.
- Standard Load Balancer is secure by default and part of your virtual network. The virtual network is a private and isolated network.
- Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security
Groups. NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual machine resource,
traffic isn't allowed to reach this resource. To learn about NSGs and how to apply them to your scenario, see Network Security Groups.
https://docs.microsoft.com/en-us/azure/load-balancer/skus#skus
upvoted 3 times
Box 1: Remove the public IP address from VM1 - You can only attach virtual machines in the backend pool that have a standard SKU public
IP configuration or no public IP configuration. Since the Public IP of VM is dynamic, the IP must be a Basic SKU IP. You cannot add such a
VM (with Basic SKU IP) to a standard SKU load balancer. The VM does not even show up in the backend pool portal for selection unless you
remove the public IP or convert it to a Standard SKU IP.
Box 2: Create and configure an NSG - Standard load balancer is built on the zero trust network security model. Standard load balancers
and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. NSGs are used to
explicitly permit allowed traffic.
upvoted 12 times
Before you connect as many people have called out - "Basic SKU Load Balancers use Basic SKU IP Addresses, which aren't compatible with
Standard SKU Load Balancers as they require Standard SKU IP Addresses" The IP Addresses are Dynamically assigned, therefore making
them, "Basic SKU.". So remove the public IP address.
You have an Azure subscription that contains the resources shown in the following table.
B. East US only
Correct Answer: B
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Correct Answer: B
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in.
If you try to create a NIC on a location that does not have any Vnets you will get the following error: "The currently selected subscription
and location lack any existing virtual networks. Create a virtual network first."
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
upvoted 101 times
But it doesn't say what the plan is for the NIC, so wouldn't that mean we can put it anywhere?
upvoted 2 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 3 times
Selected Answer: B
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For contoso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)
You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
Correct Answer: A
If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you must
Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Correct Answer: B
Adatum.com is a public DNS zone. The Internet top level domain DNS servers need to know which DNS servers to direct DNS queries for
adatum.com to. You configure this by configuring the name servers for adatum.com at the domain registrar.
upvoted 200 times
Answer A because "VM1 can resolve other hosts on the Internet" yet it's not registered
upvoted 1 times
When you use Azure Provided DNS, Azure automatically assigns DNS server IP addresses to your virtual network. However, it does not
automatically apply the DNS suffix to your virtual machines.
upvoted 1 times
Correct Answer: B
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
Selected Answer: B
Selected Answer: B
Selected Answer: B
Correct Answer: B
upvoted 3 times
Selected Answer: B
HOTSPOT -
You plan to use Azure Network Watcher to perform the following tasks:
✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables
you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify
then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.
Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and
URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at
a point in time, rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using
connection-troubleshoot.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Correct Answer:
Box 1: IP flow verify
At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability
enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP
flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you
which.
IP Flow Verify
"You might override Azure's default rules, or create additional rules. At some point, a VM may become unable to communicate with other
resources, because of a security rule. IP flow verify then tests the communication and informs you if the connection succeeds or fails."
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#diagnose-network-traffic-filtering-problems-to-or-from-a-vm
Connection Troubleshoot
"The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4
address"
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#connection-troubleshoot
upvoted 19 times
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP,
remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is
returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from
or to the internet and from or to the on-premises environment.
upvoted 3 times
IP Flow Verify: This can used to check if packet is allowed or denied to or from a virtual machine. If a packet is being denied by security
group, you can see which rule is denying the packet
Connection Troubleshoot: Check the connection from a virtual machine to virtual machine, fully qualified domain name, URI or IPv4
address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in
time, rather than monitoring it over time.
upvoted 2 times
NSG flow logs is to show the actual traffic that happens from/to VM.
For IP flow verify is more on testing. You can validate and see if the connection between each resources. If the connection fails, IP flow
verify tells you which security rule allowed or denied the communication
upvoted 3 times
HOTSPOT -
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You configure the network interfaces of the virtual machines to use the settings shown in the following table.
From the settings of VNET1 you configure the DNS servers shown in the following exhibit.
The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP
address of 193.77.134.10.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: Yes -
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
Box 2: No -
You can set DNS servers per VM or cloud service to override the default network settings.
Box 3: Yes -
You can set DNS servers per VM or cloud service to override the default network settings.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#name-resolution-dns
Correct Answer:
NIC configured DNS servers takes precedence over VNET configured DNS servers.
Box 1: Yes
VM1 uses the VNET configured DNS 193.77.134.10.
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
The DNS is set on the VNET level.
Box 2: No
VM2 uses the NIC configured DNS 192.168.10.15.
You can set DNS servers per VM or cloud service to override the default network settings.
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.
Box 3: Yes
VM3 uses the NIC configured DNS 192.168.10.15
You can set DNS servers per VM or cloud service to override the default network settings.
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.
upvoted 141 times
Appeared in exam 7 January 2024..Came here assure ppl that these questions are still valid..90% questions are from dumps
upvoted 2 times
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#can-i-override-my-dns-settings-on-a-per-vm-or-cloud-service-basis
upvoted 1 times
vbohr899 11 months, 3 weeks ago
Cleared Exam today 26 Feb, This question was there in exam.
upvoted 2 times
It is either set to "Inherit from virtual network" or "Custom", in which case you must provide a DNS Server address.
I think they wanted to test your knowledge on default DNS assignments for a NIC but couldn't bring themselves to basically put the
answer to part of the question in the question as that is the way the option is worded in the portal, so they throw a "None" in. VERY POOR,
it should be "Default Setting" or "Unchanged".
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#can-i-override-my-dns-settings-on-a-per-vm-or-cloud-service-basis
upvoted 1 times
most of you are confusing on the NIC and DNS, the dns ip of vm2 192.168.10.15 overrules custom ip.
YNY
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.
You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1.
Which resources should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 2: None -
Note: When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
Correct Answer:
Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything
in the resource.
upvoted 187 times
VNETs can be moved as well. Only limitation is VNET Peering needs to be disabled first. But it is not the case for this question.
Correct Answer:
As far as I know, having a lock of any type on a resource won't stop you from moving the resource to another RG.
Now, if the lock is not on the resource, but on the target RG, then you would only be able to move the resource if the lock type is
Delete. A Delete lock on the RG doesn't restrict the addition of new resources to the RG, it only restricts the deletion of the resources
already present in the RG.
On the other hand, you won't be able to move the resource if the target RG has a Read-only lock.
upvoted 1 times
Refer: https://learn.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#locking-modes-and-states
upvoted 2 times
Don't see a table with IP1, storage1 and VNET1. To test anyway, I created storage2, VNET2 and IP2 in RG1. Then I applied the locks as
stated in the tables. I was able to move all resources from RG1 to RG2. After that I could also move all resources from RG2 back to RG1.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 1 times
A read-only lock on a resource group prevents users from moving any new resource into that resource group.
This implies that if the read-only lock is set up at RG level, the RG becomes read-only and no resources can be moved in or out.
The question is a mess, because it says RG1, then gives a table with <...>2 resources. and misses the table completely with <..>1 resources.
(1/2)
upvoted 1 times
If RG has Read-Only lock on it - resources CAN'T be moved out or in to it and none of those resources can be deleted.
If RG has Delete Lock on it - the resources CAN be moved in or out from the RG.
If only a resource has a Read-only lock - that resource CAN be moved to other RG.
If only a resource has a Delete Lock - that resource CAN be moved to other RG.
Going by the first table that says RG1 has no locks and RG2 has delete lock, I conclude that because of the table, ALL resources can be
moved both ways.
2/2
upvoted 1 times
This question is missing some information but I'll try to give some pointers.
1) I created a new RG test1 and test2. Added Read only lock to RG test1 and Delete lock to test2.
I tried to move the SG1, from RG1 to RG2 => Operation Failed
Then tried to move SG2, from RG2 to RG1 => Operation Failed.
Please forgive me for venting. I feel like some of these questions contradict each other at times.
upvoted 3 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
A. Yes
B. No
Correct Answer: B
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
Correct Answer: B - No
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.
Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 72 times
Tested this and as you are creating the back end it says:
"You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines
must have a standard SKU public IP or no public IP."
-The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network.
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
-When they don't have a public IP they are assigned an ephemeral IP.
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-load-balancer-standard#create-virtual-machines
upvoted 26 times
B is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU
resources.
upvoted 1 times
Selected Answer: B
Correct Answer: B - No
upvoted 1 times
Read here (under the Important section at the bottom of the SKU section):
(https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku)
upvoted 2 times
The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs. Vms
can only be from a single network.
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
When they don't have a public IP they are assigned an ephemeral IP.
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-load-balancer-standard#create-virtual-machines
upvoted 1 times
Question #51 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
A. Yes
B. No
Correct Answer: B
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
Correct Answer: B - No
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.
Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 37 times
There are several versions of this question. The following are the correct and incorrect answers that can be presented.
-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 12 times
Selected Answer: B
Correct Answer: B - No
upvoted 1 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each
virtual machine.
A. Yes
B. No
Correct Answer: A
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs, but if
they do have them, they have to be standard SKU. VMs can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter what state the VMs are in.
Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 69 times
-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 5 times
Is a valid answer if you disassociate the public IP address from the network interface of VM2
upvoted 1 times
Selected Answer: A
mlatonis is right
upvoted 2 times
Selected Answer: A
Answer correct.
You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines
must have a standard SKU public IP or no public IP.
upvoted 1 times
Selected Answer: A
A is correct
upvoted 1 times
Selected Answer: A
Tested in Lab:
Correct: A. Yes
You can only attach virtual machines in same location that have a standard SKU public IP configuration or no public IP configuration. All IP
configurations must be on the same virtual network.
upvoted 3 times
Question #53 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
A. Yes
B. No
Correct Answer: A
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from
the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Export the client certificate from Computer1 and install the certificate on Computer2.
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication
fails.
upvoted 74 times
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
upvoted 2 times
Selected Answer: A
mlatonis is right
upvoted 3 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server
only.
You need to ensure that users can connect to the website from the Internet.
B. Delete Rule1
C. For Rule5, change the Action to Allow and change the priority to 401
D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.
Correct Answer: C
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers,
because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities
(higher numbers) that have the same attributes as rules with higher priorities are not processed.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Correct Answer: C
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher
numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with
lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
upvoted 92 times
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 40 times
Answer C is correct
Although not the best solution (opening range 50-5000, when you only want to allow https/443)
upvoted 38 times
Selected Answer: D
No, it is not a good practice to open a range of ports from 400 to 500 for security reasons. In general, it is recommended to only open the
specific ports that are required for a particular service to function, and to limit access to only the minimum set of IP addresses that need it.
For example, in the scenario described, you only need to open port 443 to allow incoming HTTPS traffic to the web server. Opening a
wider range of ports could expose the system to unnecessary security risks, as it increases the attack surface of the system.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal
upvoted 2 times
Selected Answer: C
mlantonis is right
upvoted 1 times
Selected Answer: C
Correct Answer: C
upvoted 1 times
blasdelezo 1 year, 6 months ago
Selected Answer: C
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
A. Yes
B. No
Correct Answer: B
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
Correct Answer: B - No
You need to use a custom policy definition, because there is not a built-in policy.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing
when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your
resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 59 times
Answer is correct
upvoted 13 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
HOTSPOT -
✑ Name: VNETA
✑ Address space: 10.10.128.0/17
✑ Location: Canada Central
VNETA contains the following subnets:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: Yes -
With VNet-to-VNet you can connect Virtual Networks in Azure across different regions.
Box 2: Yes -
✑ Virtual network peering: Connect virtual networks within the same Azure region.
✑ Global virtual network peering: Connecting virtual networks across Azure regions.
Box 3: No -
The virtual networks you peer must have non-overlapping IP address spaces.
Reference:
https://azure.microsoft.com/en-us/blog/vnet-to-vnet-connecting-virtual-networks-in-azure-across-different-regions/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
Correct Answer:
Box 1: No
To create a VNet to VNet VPN you need to have a special Gateway Subnet. Here, the VNet has no sufficient address space to create a
Gateway Subnet and thus to establish a VNet to VNet VPN connection.
Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.
Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 207 times
Three ways can be used for VNET to VNET2 connection in different RGs as well as different Subscriptions:
i. VNET-to-VNET - similar to Site-to-Site (IPSec) but differs in the way Local Network Gateway is configured. VPN-GW on both sides
ii. Site-to-Site (IPSec) - similar to VNET-to-VNET but differs in the way Local Network Gateway is configured. VPN-GW on one side & Local
GW on the other side
iii. VNET Peering - doesn't use a VPN gateway
upvoted 1 times
Ref:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
upvoted 1 times
The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions,
both subscriptions can be associated to the same or different Microsoft Entra tenant. If you don't already have an AD tenant, you
can create one.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
upvoted 1 times
No Yes Yes...
Totally agree with Mlantonis...
Box 1 no; they purposely eliminated the possibility of other subnets to make sure you understand that Site to Site requires Gateway
Subnet.
Box 2 and 3 Yes; They do not overlap so you're good to go.
upvoted 1 times
"If you see an error that specifies that the address space overlaps with a subnet, or that the subnet isn't contained within the address
space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you
created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left
to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an
additional address range and create the gateway subnet there."
upvoted 2 times
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#about-the-gateway-subnet
The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address
range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and
services use.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses
needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others.
We recommend that you create a gateway subnet that uses a /27 or /28.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
The virtual networks you peer must have non-overlapping IP address spaces.
upvoted 2 times
Reference:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
upvoted 3 times
Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.
Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 1 times
VNET1 10.10.10.0/24
Subnet11 10.10.10.0/24
Box2: Yes
Box3: Yes
upvoted 2 times
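The two address checks the comments above rely on, as an added example that is not part of the original page: whether two address spaces overlap (the peering requirement) and whether a VNet has an unallocated block left for a gateway subnet. VNET1, Subnet11 and VNETA use the values quoted on this page; the /25 and /26 cases and the function names are constructed for illustration, and /27 is the size from the quoted recommendation.

```python
import ipaddress


def overlaps(space_a, space_b):
    """True if two VNet address spaces share any address (peering is refused)."""
    return ipaddress.ip_network(space_a).overlaps(ipaddress.ip_network(space_b))


def free_blocks(address_space, subnets):
    """Return the CIDR blocks of a VNet that no existing subnet covers."""
    free = [ipaddress.ip_network(address_space)]
    for subnet in map(ipaddress.ip_network, subnets):
        remaining = []
        for block in free:
            if not block.overlaps(subnet):
                remaining.append(block)      # untouched by this subnet
            elif block.subnet_of(subnet):
                continue                     # fully consumed by this subnet
            else:
                # The subnet sits strictly inside the block: keep what is
                # left around it.
                remaining.extend(block.address_exclude(subnet))
        free = remaining
    return sorted(free)


def gateway_subnet_fits(address_space, subnets, prefix=27):
    """True if a free block of at least /prefix remains for a gateway subnet."""
    return any(b.prefixlen <= prefix
               for b in free_blocks(address_space, subnets))


# Values quoted on this page.
VNET1 = "10.10.10.0/24"
SUBNET11 = "10.10.10.0/24"
VNETA = "10.10.128.0/17"

if __name__ == "__main__":
    print("VNET1 overlaps VNETA:", overlaps(VNET1, VNETA))
    print("Free blocks in VNET1:", free_blocks(VNET1, [SUBNET11]))
    print("Room for a /27 gateway subnet in VNET1:",
          gateway_subnet_fits(VNET1, [SUBNET11]))
    # Constructed contrast: the same VNet with only half of it allocated.
    print("Room if Subnet11 were 10.10.10.0/25:",
          gateway_subnet_fits(VNET1, ["10.10.10.0/25"]))
```
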
Question #57 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using
an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
A. Yes
B. No
Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
"Attach network interface" Button is enabled! That means, VM is Stopped and deallocated!
upvoted 81 times
You want to establish a successful connection from 131.107.100.50 over TCP port 43, and the solution suggests to create a deny inbound
rule with low priority. It doesn’t make any sense.
Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load
balancer. The destination port and address range are for the destination computer, not the load balancer.
AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16 where
the Azure health probe originates. Actual traffic does not travel through here, and if you don’t use Azure Load Balancing, this rule can be
overridden.
upvoted 53 times
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
upvoted 9 times
Note: Check whether a Deny All network security group rule on the NIC of the VM or the subnet has a higher priority than the default
rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 12 times
a cost of 64999???????
upvoted 2 times
this is to ensure connections to App1 can be established successfully from 131.107.100.50 over TCP port 443, not denying.
upvoted 1 times
B is the Answer..!
upvoted 1 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
After considering the issue a bit more I've realized that AllowAzureLoadBalancerInBound security rule only applies to the traffic originated
by the Load Balancer - health probes, etc.
So rule 200 is blocking the LB probe traffic, which in turn lets the LB know that VM2 (or pool members) is alive/working, and hence deleting
this rule will solve the issue.
upvoted 1 times
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-existing-vm
upvoted 4 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using
an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
A. Yes
B. No
Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
Correct Answer: B - No
Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther441 (200) and it allows inbound traffic over TCP 443 from source
131.107.100.50. App1 (VM1 and VM2) is in a VNet, so this rule applies. Unfortunately, we still cannot access App1, so the issue is
somewhere else, maybe the VMs are off, or the firewall is blocking it.
upvoted 74 times
The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.
Note: Check whether a Deny All network security group rule on the NIC of the VM or the subnet has a higher priority than the default
rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 28 times
alexandrud 2 months, 1 week ago
This question was in my exam today, and I specifically looked at the "Attach network interface" button and it was grayed out (not
enabled like in this screenshot). Creating the Allow inbound from the LB may fix the issue. This was my answer for that question
today and I scored 909. Not sure if it was the correct answer though, but here I think it is still NO.
upvoted 3 times
Answer should be A (yes) I think. Because deleting rule BlockAllOther441, would cause default rule 65001 to allow the traffic from the
loadbalancer reach VM1/VM2
upvoted 45 times
Selected Answer: A
From the exhibit we can see that the NSG is applied only to the subnet (it's not applied to any of the network interfaces of VM1 or VM2).
Standard SKU must be used, Basic SKU is typically for testing ONLY, see Ref1
1. the first rule is required for standard LB as they are closed by default in order to allow traffic to flow to the backend pool resources,
unless you have NSG on the VM NIC or subnet. (basic SKU is open by default.) Ref1
2. The security rule we remove will allow the LoadBalancer to check the health of the VMs, the LB is marking them as unhealthy, though
not sending traffic to them, that's why it's failing. Ref2
Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline
Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 1 times
Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is
only used for testing since the basic type is open to connections from the internet by default and doesn't require network security
groups for operation."
upvoted 1 times
Selected Answer: A
Flow 131.107.100.50 -> LB -> servers. Deleting the rule will allow second half of the flow. So, it solves the problem.
upvoted 1 times
Selected Answer: A
There is a rule 65001 that allows the LB to access VMs, and the rule 200 blocks it for port 443.
Most probably the NSG2 is shared between Vm1 and Vm2.
The active button "Attach Network Interface" indicates VM2 is stopped, but nothing is known about VM1 which is supposed to be able to
accept connections.
upvoted 1 times
Ok, let's dig in :) Rule with prio 100 allows required traffic from required IP but the App1 still is not working. Why? Because of the rule with
prio 200. Why? Because as we can see from the rules - App1 is on 443 port. So most likely health probes are also configured against this
port and these health probes are blocked with rule with prio 200. LB thinks that VMs are not active and does not send the traffic to these
VMs. When we'll delete this rule, health probes will start to work because of rule with prio 65001 and everything will start to work again:)
And one more thing, maybe not so important in this case. "Attach Network Interface" button is active, so VM2 is probably powered off. But
we still have VM1 left in any case :)
upvoted 3 times
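A small model of the NSG evaluation the comments in this thread argue about, added here as an illustration and not taken from the exam or from Azure: rules are checked in ascending priority number and the first match decides, which is also the behaviour the priority note on the earlier Rule5 question describes. The exhibit is not on this page, so the rule table is constructed from what the comments state (rule names, priorities 100, 200 and 65001, probe source 168.63.129.16); the port on rule 200, the `AllowLBProbe` rule at 150 and the 203.0.113.7 client are assumptions. It models NSG evaluation only, not VM power state or the load balancer itself.

```python
import ipaddress
from dataclasses import dataclass

# Service tag resolution. The page gives 168.63.129.16 as the address behind
# the AzureLoadBalancer tag (the health probe source).
SERVICE_TAGS = {"AzureLoadBalancer": "168.63.129.16/32", "*": "0.0.0.0/0"}


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    source: str     # single IP, CIDR, "*" or a service tag
    port: str       # "443", "400-500" or "*"
    access: str     # "Allow" or "Deny"

    def matches(self, src_ip, dst_port):
        net = ipaddress.ip_network(SERVICE_TAGS.get(self.source, self.source))
        if ipaddress.ip_address(src_ip) not in net:
            return False
        if self.port == "*":
            return True
        low, _, high = self.port.partition("-")
        return int(low) <= dst_port <= int(high or low)


def evaluate(rules, src_ip, dst_port):
    """Return (access, rule name) of the first rule that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_port):
            return rule.access, rule.name
    return "Deny", "no matching rule"


def without(rules, name):
    """Copy of the rule set with one rule removed."""
    return [r for r in rules if r.name != name]


# Constructed inbound rule set (see the assumptions in the lead-in).
INBOUND = [
    Rule(100, "Allow_131.107.100.50", "131.107.100.50", "443", "Allow"),
    Rule(200, "BlockAllOther441", "*", "443", "Deny"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

CLIENT = "131.107.100.50"   # from the question
PROBE = "168.63.129.16"     # from the page
OTHER = "203.0.113.7"       # constructed, unrelated client

# Narrow alternative to deleting rule 200: allow only the probe source,
# ahead of the deny. Rule name and priority are hypothetical.
WITH_PROBE_ALLOW = INBOUND + [
    Rule(150, "AllowLBProbe", "AzureLoadBalancer", "*", "Allow"),
]

if __name__ == "__main__":
    cases = [("as described", INBOUND),
             ("rule 200 deleted", without(INBOUND, "BlockAllOther441")),
             ("probe allowed at 150", WITH_PROBE_ALLOW)]
    for label, rules in cases:
        for who, ip in (("client", CLIENT), ("probe", PROBE), ("other", OTHER)):
            print(f"{label:22} {who:7} -> {evaluate(rules, ip, 443)}")
```

In this model the client is allowed by rule 100 in every case; what changes between the three rule sets is which rule decides the probe's traffic and whether unrelated sources stay blocked on 443.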
so First is Yes!!
upvoted 1 times
Selected Answer: B
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using
an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
A. Yes
B. No
Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
Correct Answer: B - No
Allow_131.107.100.50 rule has a higher priority (100). The issue is not related with the priority of the rule.
upvoted 40 times
Answer is correct.
Current rule is already at the highest priority. I hope such questions appear in the exams to take away some of the stress.
upvoted 18 times
Selected Answer: B
create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
upvoted 2 times
Selected Answer: B
Just checked in Azure. The Attach Network Interface icon is lit, this means the VM is powered off.
upvoted 5 times
Correct Answer: B
upvoted 1 times
So rule 200 is blocking the LB probe traffic, which in turn lets the LB know that VM2 (or pool members) is alive/working, and hence deleting
this rule will solve the issue.
upvoted 1 times
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-existing-vm
upvoted 4 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
A. Yes
B. No
Correct Answer: B
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
there is no such built-in policy (yet), that is why we need a custom one
upvoted 82 times
I'd say ans: B, too - as a custom policy would be required for specific ports.
upvoted 5 times
Correct Answer: B - No
You need to use a custom policy definition, because there is not a built-in policy.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing
when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your
resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 54 times
Today in exam, is B
upvoted 6 times
there is no such built-in policy (yet), that is why we need a custom one
upvoted 2 times
Selected Answer: B
We need to use a custom policy definition, because there is no such a built-in policy.
upvoted 1 times
I think you are not right. This default rule will allow Vnet to communicate by default
upvoted 1 times
You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the
For the AKS cluster, you need to choose a network type that will support App1.
A. kubenet
Correct Answer: B
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your
network space.
Incorrect Answers:
A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure
virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes.
Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
C, D: AKS only supports Kubenet networking and Azure Container Networking Interface (CNI) networking
Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-network
Answer is correct "B". To have previously reserved IP address for a certain Pod, you should use Azure Container Networking Interface (CNI)
upvoted 70 times
Correct Answer: B
upvoted 49 times
Selected Answer: B
Correct Answer: B
Nodes = Kubenet
Pods = CNI
upvoted 18 times
If using Kubnetes Networking then receive an IP address from logically different address space to Azure Virtual Network Subnet and NAT
is then used to translate IPs from the PODs to the Azure virtual Network and vice versa
If using Azure Container Networking Interface (ACNI): then All PODs get IP from the subnet and can be accessed directly, the ONLY
problem with such method is that it could lead to IP address exhaustion
upvoted 9 times
Kubenet networking - The network resources are typically created and configured as the AKS cluster is deployed.
Azure Container Networking Interface (CNI) networking - The AKS cluster is connected to existing virtual network resources and
configurations.
upvoted 12 times
Question #62 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You disassociate the public IP address from the network interface of VM2.
A. Yes
B. No
Correct Answer: B
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs, but if
they do have them, they have to be standard SKU. VMs can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter what state the VMs are in.
Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 94 times
You can only attach virtual machines that have a standard SKU public IP configuration or no public IP configuration. All IP configurations
must be on the same virtual network.
Also, VMs do not have to be powered on when adding them to a backend pool.
Can someone explain why ET has answer B. How is this answer selected on ET platform?
upvoted 2 times
-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 3 times
Selected Answer: A
Correct Answer: A
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.
upvoted 1 times
Selected Answer: A
Selected Answer: A
Selected Answer: A
A for sure
As the Basic Public IP SKU had been removed and the LB is STD which means can support single VMs to be added and don't need be in AV
set or VM scale set and all are in same region
upvoted 2 times
Selected Answer: A
To add VM1 and VM2 as LB back-end pools - you can either remove the public IP of VM2 or assign standard SKU public IP to both the VMs.
upvoted 1 times
Selected Answer: A
I have chosen also the A, but it shows me that B is the correct answer.
Does anybody know why?
upvoted 1 times
Selected Answer: A
Answer: A
You can only attach virtual machines that have a standard SKU public IP configuration or no public IP configuration. All IP configurations
must be on the same virtual network.
upvoted 1 times
Selected Answer: A
My ans
upvoted 1 times
Selected Answer: A
Correct answer is A. VM2 is using a Basic SKU public IP address which is not compatible with a Standard ILB. Therefore you must remove
the public IP.
upvoted 1 times
Selected Answer: A
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
A. Yes
B. No
Correct Answer: A
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
You need to use a custom policy definition, because there is not a built-in policy.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing
when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your
resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 53 times
There are several versions of this question. The following are the correct and incorrect answers that can be presented.
-Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider
Correct Answer: A
You need to use a custom policy definition, because there is not a built-in policy
upvoted 2 times
You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.
A. IP flow verify
B. Connection troubleshoot
C. Connection monitor
Correct Answer: C
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology
Incorrect Answers:
A: The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction
(inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails,
IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.
B: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address.
The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather
D: The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied
by an NSG.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Correct Answer: C
Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the
connection every 60 seconds, so you can monitor latency over time.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 85 times
I was really not sure, but found this about connection monitor:
"Lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every 60 seconds,
so you can monitor latency over time."
Selected Answer: C
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network
topology changes between the VM and the endpoint.
Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a
connection, you may find that you can decrease the latency by moving your Azure resources to different Azure regions.
upvoted 1 times
Selected Answer: C
The key is the word “average” which needs to run for a period of time which is what connection monitor does. If it is a one time only then it
would be connection troubleshoot
upvoted 4 times
Selected Answer: C
Correct Answer: C
upvoted 1 times
Selected Answer: C
Actually B is a correct answer too; the only reason I chose C is because of this statement:
You need to view the ***average round-trip time (RTT)*** of the packets from VM1 to VM2
Average RTT means over time and NOT a one-time result, which is what Connection troubleshoot does, so because it said average it had to
be connection monitor.
Just note: Connection Monitor is new, replacing the Network Performance Monitor
upvoted 2 times
Selected Answer: C
Correct Answer: C
Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the
connection every 60 seconds, so you can monitor latency over time.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 2 times
The monitoring data includes the percentage of checks that failed and the round-trip time (RTT).
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains the public load balancers shown in the following table.
You plan to create six virtual machines and to load balance requests to the virtual machines. Each load balancer will load balance three virtual
machines.
You need to create the virtual machines for the planned solution.
How should you create the virtual machines? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: be created in the same availability set or virtual machine scale set.
The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine.
The Standard tier can span any virtual machine in a single virtual network, including blends of scale sets, availability sets, and machines.
Reference:
https://www.petri.com/comparing-basic-standard-azure-load-balancers
Correct:
Standard SKU: any virtual machines or virtual machine scale sets in a single virtual network.
Basic SKU: Virtual machines in a single availability set or virtual machine scale set.
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 38 times
• LB1 – Basic: Be created in the same availability set or virtual machine scale set
• LB2 – Standard: Be connected to the same virtual network
At Standard LB - Backend pool endpoints column: "Any virtual machines or virtual machine scale sets in a single virtual network"
https://learn.microsoft.com/en-us/azure/load-balancer/skus
upvoted 2 times
I really hate how the words "basic" and "standard" are pretty close to synonyms. It'd be like a restaurant having two sizes of drink: Regular
or Medium.
upvoted 22 times
HOTSPOT -
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure
You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises
VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select
Hot Area:
Correct Answer:
Box 1: 4 -
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.
The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.
Box 2: 2 -
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption
that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet
connections.
Box 3: 2 -
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
2
2
2
Appear in the Microsoft Exam Test Prep
upvoted 109 times
And if you try to create a VPN Gateway Standard in Active-Active mode you will see that only one VNet is required. The A-A
config takes care of the rest.
"For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For unplanned issues, the connection
recovery will be longer, about 1 to 3 minutes in the worst case."
So, with active/passive the connection recovery can take up to 3 minutes. We need an active/active scenario.
· 2 Public IPs
· 2 Virtual Gateways
· 2 Local Gateways
upvoted 7 times
But the questions state failure of a single azure or local gateway. So we need to use "Dual-redundancy: active-active VPN gateways for
both Azure and on-premises networks". As best I can tell (because it is not explicit), we only need two public IPs on the premises
gateways. The reason for this being Azure will "dial out" or "connect" to the premises gateways, thus Azure not needing public IPs to
create the circuit. This should also be OK for the other requirements too.
upvoted 2 times
All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously,
upvoted 1 times
Correct Answer:
The question asks how many are required in Azure, so the on-premise ones should not be counted.
Box 1: 2
2 public IP addresses in the on-premises data center, and 2 public IP addresses in the VNET for the active-active. The most reliable option
is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.
Box 2: 1
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned
disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or
VNet-to-VNet connections.
Box 3: 1
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
upvoted 105 times
2= two on-premise VPN devices are mentioned, and single local network gateway can only be set up with a SINGLE ip for on-premise
VPN device, two local network gateways are needed for redundancy.
upvoted 29 times
And if you try to create a VPN Gateway Standard in Active-Active mode you will see that only one VNet is required. The A-A config
takes care of the rest.
You can have Azure GW config in A-A (requiring 1 GW Vnet and 2 PIPs), and the on-prem VPN Devices in Active-Passive (requiring
only one public ip and thus 1 Local Network Gateway)
Active-Passive for on-prem could have explained why Mlantonis answers 1 on box 3. But it doesn't rhyme with his own motivation
"active-active VPN gateways for both Azure and on-premises network"
upvoted 2 times
"A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway"
You can only have ONE VNG (which will need to be in active-standby mode)
1 - Azure IP for the VNG
2 - LGs with non-azure ip addresses.
upvoted 1 times
Explanation: You need two public IP addresses in Azure, one for each VPN gateway instance.
Explanation: You only need one virtual network gateway in Azure. This gateway will have two instances for redundancy.
Explanation: You need two local network gateways in Azure, one for each on-premises VPN device.
upvoted 1 times
"Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two
connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec tunnels between
your Azure virtual network and your on-premises network."
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 1 times
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 1 times
The question is asking about resources to create in "Azure". The public IP for On-prem VPN devices is not an azure resource.
So 2 Public IPs in Azure, 1 Virtual Network Gateway (You are only allowed 2 total per vNET: 1 VPN, 1 ExpressRoute. You cannot have 2 of
same type), 2 Local Gateways in Azure to represent both VPN devices on-prem.
upvoted 5 times
Explanation
Using two public IP addresses ensures that you have two separate endpoints for your VPN tunnels, allowing for redundancy and failover.
Having two virtual network gateways in Azure (each associated with a different public IP address) provides redundancy in case one of the
gateways or its associated resources fails. This minimizes the potential for downtime.
A single local network gateway represents your on-premises VPN devices and doesn't need redundancy in this scenario.
Public IP Addresses: 2
Virtual Network Gateways: 2
Local Network Gateway: 1
upvoted 1 times
Public IP Addresses - You would need a minimum of one public IP address for the Azure VPN Gateway to be reachable over the internet.
Azure VPN Gateway instances are deployed in an active-passive configuration to provide high availability without needing additional
public IPs. Azure automatically handles the failover.
Virtual Network Gateways: You need a single Azure VPN Gateway deployed into your Gateway subnet in VNet1. Azure VPN Gateways
are already set up for high availability. In Azure, the VPN Gateway is deployed in pairs, with each instance having its own public IP
address. Azure takes care of automatic failover, so you don't need to provision multiple VPN Gateways yourself for high availability.
Local Network Gateways: Azure Local Network Gateway objects define the settings for your on-premises VPN devices. Given that you
have two VPN devices, you would need two Local Network Gateway objects, each one pointing to one of the on-premises VPN devices.
upvoted 1 times
since the question is about the minimum number of ... required in Azure: Virtual network gateways and Local network gateways required
just 1, 1.
Public IP addresses: 2
Virtual network gateways: 1
Local network gateways: 2
upvoted 1 times
Public IP addresses: 2
Virtual network gateways: 1
Local network gateways: 1
upvoted 1 times
You have an Azure subscription that contains two virtual machines as shown in the following table.
A. vm1.core.windows.net
B. vm1.azure.com
C. vm1.westeurope.cloudapp.azure.com
D. vm1.internal.cloudapp.net
Correct Answer: B
Answer D
Tested in lab, and got vm1.internal.cloudapp.net.
upvoted 100 times
Selected Answer: D
D vm1.internal.cloudapp.net
how determinate this i pass how solutions architect ?
upvoted 1 times
Selected Answer: D
Selected Answer: D
Answer is D:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#reverse-dns-considerations
upvoted 1 times
Selected Answer: D
D 100% is correct
upvoted 1 times
Selected Answer: D
Selected Answer: D
d correct
upvoted 1 times
Correct Answer: D
upvoted 1 times
internal.cloudapp.net is default DNS suffix for Azure provisioned DNS if no specific DNS is configured in the network
upvoted 9 times
D for Sure..
Reverse DNS is supported in all ARM based virtual networks. You can issue reverse DNS queries (PTR queries) to map IP addresses of
virtual machines to FQDNs of virtual machines.
All PTR queries for IP addresses of virtual machines will return FQDNs of form [vmname].internal.cloudapp.net
Forward lookup on FQDNs of form [vmname].internal.cloudapp.net will resolve to IP address assigned to the virtual machine.
If the virtual network is linked to an Azure DNS private zones as a registration virtual network, the reverse DNS queries will return two
records. One record will be of the form [vmname].[privatednszonename] and the other will be of the form
[vmname].internal.cloudapp.net
upvoted 11 times
Correct answer is D
upvoted 1 times
Selected Answer: D
Correct extension
upvoted 1 times
Selected Answer: D
Correct Answer: D
internal.cloudapp.net is correct extension.
upvoted 1 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using
an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
A. Yes
B. No
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
The rule with priority 200 blocks all inbound traffic. That involves the Azure Load Balancer health probe directed to the VM. That results in
VM2 being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows
the AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.
upvoted 155 times
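The priority logic discussed above, as an added example that is not part of the original page or of any comment: a small model of NSG inbound evaluation (lowest priority number first, first match wins). The exhibit is not reproduced on this page, so the rule set is constructed from the names and priorities mentioned in the discussion; the rule names `Allow-Client-443` and `Allow-LB-150`, the probe port 443 and the address 203.0.113.7 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tag -> prefixes. Load balancer health probes originate from
# 168.63.129.16; other tags (VirtualNetwork, Internet) are left out of this model.
SERVICE_TAGS = {"AzureLoadBalancer": ["168.63.129.16/32"]}

CLIENT = "131.107.100.50"   # client address from the question
PROBE = "168.63.129.16"     # health probe source address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # "*", an IP/CIDR, or a service tag name
    dest_port: str  # "*" or a single port
    access: str     # "Allow" or "Deny"


def _source_matches(rule_source, src_ip):
    """True if src_ip falls inside the rule's source (wildcard, tag or prefix)."""
    if rule_source == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    return any(ip_address(src_ip) in ip_network(p, strict=False) for p in prefixes)


def evaluate(rules, src_ip, dest_port):
    """Return (access, rule name) of the first matching inbound rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        port_ok = rule.dest_port == "*" or int(rule.dest_port) == dest_port
        if port_ok and _source_matches(rule.source, src_ip):
            return rule.access, rule.name
    return "Deny", "implicit"


# Constructed rule set (assumption: mirrors what the comments describe).
BEFORE = [
    Rule("Allow-Client-443", 100, CLIENT, "443", "Allow"),  # hypothetical name
    Rule("BlockAllOther443", 200, "*", "443", "Deny"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# The proposed fix: an allow rule for the AzureLoadBalancer tag at priority 150.
AFTER = BEFORE + [Rule("Allow-LB-150", 150, "AzureLoadBalancer", "*", "Allow")]


def backend_reachable(rules, client_ip, port, probe_port):
    """A client reaches the VM only if the health probe is allowed (so the
    load balancer keeps the VM in rotation) and the client packet is allowed."""
    probe_ok = evaluate(rules, PROBE, probe_port)[0] == "Allow"
    client_ok = evaluate(rules, client_ip, port)[0] == "Allow"
    return probe_ok and client_ok


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "probe :", evaluate(rules, PROBE, 443))
        print(label, "client:", evaluate(rules, CLIENT, 443))
        print(label, "other :", evaluate(rules, "203.0.113.7", 443))
        print(label, "reachable:", backend_reachable(rules, CLIENT, 443, 443))
```

The priority-150 rule only changes the outcome for the probe source; any other address on port 443 is still stopped by the priority-200 deny.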
See: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#required-security-rules
YES is correct!
upvoted 1 times
Yea, and that specific IP is failing to connect to App1, even though the highest priority rule is supposed to be specifically
allowing it. So it seems like the issue is with something else besides the rules since the highest priority rule is specifically
allowing a connection that is failing.
What am I missing?
upvoted 5 times
the "attach network interface" button is available. I have tested this in lab and this button only appears clickable when the vm is stopped.
Should this be the problem in the whole series of questions?
upvoted 35 times
Selected Answer: A
funniest part is default rule 65001 AllowAzureLoadBalancerInBound does the same job, however you cannot change the priority or delete
it, so it renders it useless...
so described proposal should work technically
also deleting the rule with 200 priority should also work [this answer come in earlier in question set]
upvoted 1 times
Selected Answer: A
From the exhibit we can see that the NSG is applied only to the subnet (it's not applied to any of the network interfaces of VM1 or VM2).
1. the first rule is required for standard LB as they are closed by default in order to allow traffic to flow to the backend pool resources,
unless you have NSG on the VM NIC or subnet. (basic SKU is open by default.) See Ref1
Standard SKU should be used, as Basic SKU is typically for testing ONLY, see Ref1.
2. The security rule we add is to allow the LoadBalancer to check the health of the VMs, the LB is marking them as unhealthy, though not
sending traffic to them, that's why it's failing. See Ref2
Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline
Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 1 times
Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is
only used for testing since the basic type is open to connections from the internet by default and doesn't require network security
groups for operation."
upvoted 1 times
traffic flow => IP 131.107.100.50 -> LB (whatever IPs) -> Servers IPs. Rule 1 takes care of the first half of the flow. Rule 2 denies the second half of
the flow. This is why one rule is required between 1 and 2, as an exception if you want, that will allow the second half of the flow = one rule to
allow access from LB to server/s.
upvoted 1 times
I think the answer here must be No, certainly creating a rule that allows all Traffic makes no sense, when Rule 100 appears to do what you
need....
upvoted 1 times
Selected Answer: B
Not able to find any concept of setting up the cost to set the priority. If the statement is replaced with the priority of 150 then it can be
yes but in the current scenario it is no.
upvoted 2 times
Answer is no
'Allows any traffic FROM the AzureLoadBalancer'. Wrong way.
You need traffic TO the loadbalancer
BlockAllOther443 blocks traffic to the loadbalancer
upvoted 1 times
Selected Answer: B
Guys, wake up. The network interface is detached (see top left options of the page).
this is why the VM isn't reachable
upvoted 7 times
So NO!!
upvoted 1 times
Adding the rule of priority of 150 just removes the effectiveness of the "BlockAllOther443" rule.
There is some other issue causing the problem - maybe the "attach network interface" option being available, as mentioned by others.
upvoted 2 times
Question #69 Topic 5
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
Which two actions should you perform? Each correct answer presents part of the solution.
B. Reset GW1
E. Delete GW1
Correct Answer: CE
C: A VPN gateway is used when creating a VPN connection to your on-premises network.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It
is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec
tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet
Incorrect Answers:
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
If you want to use a PolicyBased VPN type, you must use the Basic SKU. PolicyBased VPNs (previously called Static Routing) are not
supported on any other SKU. PolicyBased Basic VPN Gateway does not support Point-to-Site connectivity.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy
upvoted 14 times
The policy type VNG does not support Point to Site VPN.
You can't have 2 VNG in the same VNET.
So the existing policy-based VNG must be deleted so you can create a route based VPN
upvoted 2 times
Policy-based virtual network gateways are typically used with certain firewall devices and support a specific type of VPN configuration.
They do not support point-to-site connections.
Wouldn't we need a point-to-site connection from an on-premises computer to VNet1, and so we will need to use a route-based virtual
network gateway instead.
So C and D
upvoted 1 times
OpenAI
"To configure a point-to-site connection from an on-premises computer to VNet1, you need to perform the following two actions:
D. Add a connection to GW1: You need to add a point-to-site connection to GW1. This will allow the on-premises computer to connect to
VNet1 via GW1.
C. Create a route-based virtual network gateway: You need to create a route-based virtual network gateway to ensure that the point-to-
site connection can be established from the on-premises computer to VNet1.
The other options are not required for setting up a point-to-site connection from an on-premises computer to VNet1.
A. Adding a service endpoint to VNet1 is used for enabling the traffic from the subnet to use the service provided by Azure services
privately.
E. Deleting GW1 would remove the virtual network gateway, which is not required.
F. Adding a public IP address space to VNet1 would not be required for a point-to-site connection."
upvoted 2 times
--VPN types--
When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you
choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type.
upvoted 3 times
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#vpntype
upvoted 4 times
Selected Answer: CE
For establishing point-to-site connectivity, you need a route-based VPN type
upvoted 3 times
Selected Answer: C
Selected Answer: CE
When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you
choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type. A
VPN type can also depend on the hardware that you're using. S2S configurations require a VPN device. Some VPN devices only support a
certain VPN type
PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with other gateway SKUs.
upvoted 11 times
You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN Gateway configurations require
a RouteBased VPN.
RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment model. RouteBased VPNs
use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces
then encrypt or decrypt the packets in and out of the tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as
any-to-any (or wild cards). The value for a RouteBased VPN type is RouteBased.
upvoted 3 times
C and E is correct
upvoted 2 times
HOTSPOT -
You have an Azure subscription that contains the resources in the following table:
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: No -
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration
virtual network. VM5 does not belong to the registration virtual network though.
Box 2: No -
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does
Box 3: Yes -
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
Correct Answer:
So here we go:
NNY
upvoted 12 times
Box 2: No -
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does
belong to a resolution virtual network.
Box 3: Yes -
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works
from any of the virtual machines within the registration virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
upvoted 7 times
After a debate of 14 comments, is the final answer to the question the same or not?
My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should
be responsible for changing the submitted template.
I think the debate is healthy, but a better organization is needed following an established pattern because in some issues they get very
confused and generate more doubts than clarifications.
upvoted 5 times
So here we go:
HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the private DNS zones shown in the following table.
You add virtual network links to the private DNS zones as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
A virtual network can be linked to private DNS zone as a registration or as a resolution virtual network.
2. Yes
A virtual network can have multiple resolution zones associated to it.
3. Yes
No registration zone for VNET2.
upvoted 145 times
2. Yes
A new Link for VNET1 to Zone3.com can be added by associating it as resolution zone with Zone3. Remember, a virtual network can
have one registration and multiple resolution zones associated to it. So, VNET1 will have Zone1 as registration and Zone3 as resolution
zone.
3. Yes
A new Link for VNET2 to Zone1.com with auto-registration enabled is possible as currently VNET2 doesn't have any zone associated to it
as registration zone. Zone2 is associated to VNET2 as resolution zone.
upvoted 1 times
"You can add a virtual network link for VNET1 to Zone3.com": Yes
One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones
associated to it.
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
"You can add a virtual network link for VNET2 to Zone1.com and enable auto registration": Yes
The current link(s) for VNET2 does not have auto registration, so a new link with auto. reg. can be added.
upvoted 13 times
Yes - zone can have 1 reg network and multiple resolution networks (auto-reg not enabled)
1. Yes
2. Yes. You can link VNET1 to Zone3.com A private DNS zone can have multiple registration virtual networks. However, every virtual
network can only have one registration zone associated with it.
3. No. Auto registration is already enabled on Zone 1. When you add a link from VNET2 to Zone
upvoted 66 times
A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it.
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 4 times
ppp131176 2 years, 7 months ago
For 2. are you sure? shouldn't this be no? Wouldn't zone3 be the second registration zone?
upvoted 8 times
So answer must be Y Y Y
upvoted 13 times
I had to waste 30 min to set up the resources to try this one out... and here is what I got:
1. Yes - We can enable auto register provided there is no conflict
2. Yes - There is no impact of location on setting up Vnet link but in case v-net is already registered with another private zone then auto
registration can't be enabled.
3. No, above reason.
upvoted 1 times
1. Y. You can click the checkbox to Enable Auto-Reg. Note: You can do this to any VNET as long as that VNET is not linked to another Zone
with Auto-reg ON. So if VNET is in another zone but Auto-reg is OFF, then you can enable Auto-Reg in Only One Zone
2. Y. You can add Vnet1 to Zone3 but make sure Auto Reg is OFF. You cannot add Vnet1 to Zone3 with Auto Reg is ON.
3. Y. You can add Vnet2 to Zone1 and set to Auto Reg ON because VNET2 has no link yet to any zone with Auto Reg ON.
to summarize:
Zones can have multiple VNETs. Each VNET can be set to Auto Reg ON
VNETs can be linked to multiple Zones but they can only Auto Reg to one Zone
upvoted 4 times
Yes.
You can create a link between VNET1 and Zone3.com. However, because VNET1 is already a registration virtual network for Zone1.com,
you cannot enable auto-registration for this new link. This is because "every virtual network can only have one registration zone associated
with it."
No.
You cannot enable auto-registration for this potential new link between VNET2 and Zone1.com because, as per the provided explanation,
"every virtual network can only have one registration zone associated with it." Since VNET2 has already been linked to Zone2.com with
auto-registration enabled (as per answer 1), it cannot become the registration virtual network for Zone1.com as well.
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links#registration-virtual-network
upvoted 3 times
Q1: Y. Looks like it needs to be done when the link is created, and doesn't specify if it can be retroactively enabled, but yes can be done.
https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 4 times
https://www.youtube.com/watch?v=Hiohn35DIqA
Great explanation of Azure DNS, zones, registrations and links.
upvoted 1 times
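The two link rules quoted in the comments above (a zone can have many registration virtual networks, a virtual network can auto-register into only one zone and resolve against many) can be checked mechanically before a link is created. The following is an added example, not part of the original page or of any Azure tooling; the zone and VNet names and the inventory are constructed, and the checker models only those two rules.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    zone: str
    vnet: str
    registration: bool  # True = auto-registration enabled on this link


def summarize(links):
    """Per VNet: zones it auto-registers into and zones it only resolves."""
    out = defaultdict(lambda: {"registration": [], "resolution": []})
    for link in links:
        kind = "registration" if link.registration else "resolution"
        out[link.vnet][kind].append(link.zone)
    return dict(out)


def audit(links):
    """Return VNets that break 'one registration zone per virtual network'."""
    return {vnet: s["registration"]
            for vnet, s in summarize(links).items()
            if len(s["registration"]) > 1}


def can_add(links, new):
    """Return (ok, reason) for a proposed link, given the existing links."""
    if not new.registration:
        # Resolution-only links are not limited per virtual network.
        return True, "resolution link"
    current = [l.zone for l in links if l.vnet == new.vnet and l.registration]
    if current:
        return False, f"{new.vnet} already auto-registers into {current[0]}"
    return True, f"{new.vnet} has no registration zone yet"


# Constructed inventory (hypothetical names, not the exam's table).
INVENTORY = [
    Link("zone-a.example", "vnet-a", registration=True),
    Link("zone-b.example", "vnet-b", registration=False),
]

if __name__ == "__main__":
    proposals = [
        Link("zone-c.example", "vnet-a", registration=False),
        Link("zone-c.example", "vnet-a", registration=True),
        Link("zone-a.example", "vnet-b", registration=True),
    ]
    for p in proposals:
        print(p, "->", can_add(INVENTORY, p))
    print("violations:", audit(INVENTORY))
```
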
Question #72 Topic 5
HOTSPOT -
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
How should you complete the template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://medium.com/charot/deploy-azure-bastion-preview-using-an-arm-template-15e3010767d6
answer is correct
+ Subnet Name AzureBastionSubnet
AzureBastionSubnet addresses A subnet within your VNet address space with a /27 subnet mask. For example, 10.1.1.0/27.
https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
upvoted 52 times
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24,
etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to
work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of
host scaling in the future.
upvoted 22 times
I passed on September 3, 2023. The options for this exam were updated to 10.0.0.0/26, not 27
upvoted 22 times
1. AzureBastionSubnet
2. 10.10.10.0/27
upvoted 13 times
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#subnet
Azure Bastion requires a dedicated subnet: AzureBastionSubnet. You must create this subnet in the same virtual network that you want to
deploy Azure Bastion to.
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.).
All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but
we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling
in the future.
upvoted 3 times
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
upvoted 2 times
https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
upvoted 1 times
anantasthana2002 1 year, 6 months ago
Answer is correct
upvoted 1 times
Bastion provides secure RDP and SSH connections to all virtual machines in the virtual network where the service is deployed. Using Azure
Bastion prevents your virtual machines from making RDP and SSH ports publicly available. At the same time, we continue to enable secure
access via RDP/SSH.
Azure Bastion requires a subnet called AzureBastionSubnet within your virtual network. The subnet must have at least the subnet mask
/27, or be larger.
The following Microsoft Docs articles contain more information on the topic:
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
upvoted 1 times
Question #73 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
A. Yes
B. No
Correct Answer: A
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet
capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
If you initiated a packet capture from VM1 to VM2 and ran a capture for three hours, wouldn't you have file which contained all traffic
between VM1 and VM2?
upvoted 23 times
Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve
network problems and determine whether network security policies are being followed.
upvoted 3 times
No
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 3 times
- Connection troubleshoot enables a one-time connectivity and latency check between a virtual machine and Bastion host, application
gateway, or another virtual machine.
Yes - https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions
upvoted 1 times
Creating a packet capture using Azure Network Watcher is a valid solution to inspect network traffic between VM1 and VM2. Network
Watcher provides network monitoring and diagnostic capabilities in Azure, including the ability to capture packets flowing between
resources within a virtual network.
upvoted 1 times
-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 12 times
Selected Answer: A
A is the answer.
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics,
gaining information on network intrusions, to debug client-server communications and much more.
upvoted 3 times
It specifically says from VM1 to VM2. The nature of packet capture is to run the capture in a VM/machine; it does not matter where the traffic is
sent to. You use a filter if you want to see certain packets, including where they go, type of traffic, etc. Yes, you can use this tool for VM to
VM, but it is not the best tool to use. For this purpose, I'd go with Connection Monitor.
upvoted 2 times
Selected Answer: A
Answer is YES
upvoted 1 times
The Packet Capture tool allows you to capture network packets entering or leaving your virtual machines. It is a powerful tool for deep
network diagnostics. You can capture all packets, or a filtered subset based on the protocol and local and remote IP addresses and ports.
You can also specify the maximum packet and overall capture size, and a time limit (captures start almost immediately once configured).
Packet captures are stored as a file on the VM or in an Azure storage account, in which case NSGs must allow access from the VM to Azure
storage. These captures are in a standard format and can be analyzed off-line using common tools such as WireShark or Microsoft
Message Analyzer.
**Also, if you go into Network Watcher, you will see under diagnostic tools - Packet Capture.
upvoted 7 times
Selected Answer: A
I will go A
upvoted 1 times
Selected Answer: B
Answer B - No
• **Packet Capture**: Is run on a VM to monitor the in and out flows of IP traffic. It is not used to monitor traffic BETWEEN two VMs.
MS Docs: ("Packet Capture enables you to capture all traffic on a VM in your virtual network.")
• **Connection Monitor**: Is used to monitor connectivity and latency between VMs over a period of time.
MS Docs: ("Connection Monitor allows you to monitor connectivity and latency between a VM and another network resource.")
Read Here:
https://docs.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 3 times
You will need Packet Capture, as it has an option to specify ALL protocols
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Selected Answer: A
Connection monitor doesn't capture packets, Network Watcher does therefore A is correct
upvoted 1 times
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 1 times
Selected Answer: A
Packet capture is correct similar to wireshark, it allows for Sources/Des IP, Ports and times allocation and can be triggered automatically
via VMs alert
upvoted 3 times
Selected Answer: A
It should be the packet capture as we've got in the configuration 'Time limit' field - the duration of the capture session to the file.
Connection monitor has got the 'Test frequency' setting - how frequently sources will ping destinations, we're not collecting the traffic for
the future inspection. The idea in the Connection monitor is to pass a test.
upvoted 2 times
Packet capture can be set to specified interval and connection monitor is for end-to-end monitoring specific connections. Here you have to
capture all network traffic.
upvoted 2 times
Question #74 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
A. Yes
B. No
Correct Answer: A
Reference:
https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/
No.
We need to inspect all the network traffic "from" VM1 "to" VM2 and not between the 2 VMs.
Even if we were using Connection monitor, this one would inspect only network traffic over a specific port.
And for a period of 3 hours, packet capture session time limit default value is 18000 seconds or 5 hours.
upvoted 48 times
-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 12 times
Creating a connection monitor in Azure Network Watcher will not meet the goal of inspecting all the network traffic from VM1 to VM2 for a
period of three hours. Connection monitors in Azure Network Watcher are used to monitor the connectivity between two points in a
network, but they do not capture and inspect the actual network traffic.
To inspect network traffic between VM1 and VM2, you would need to use a network capture tool or software that can capture and analyze
network packets. Azure Network Watcher itself does not have the capability to capture network traffic.
upvoted 1 times
Selected Answer: B
No.
Connection monitor won't provide the same level of detail as packet capture will;
"Connection Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature
supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related
metrics for your Azure deployments."
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 1 times
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
Connection Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature
supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related
metrics for your Azure deployments.
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics,
gaining information on network intrusions, to debug client-server communications and much more.
upvoted 5 times
Yes
Here are some points to consider when deciding between creating a connection monitor or a packet capture:
Connection monitors:
"Packet Capture enables you to capture all traffic on a VM in your virtual network."
https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 1 times
Selected Answer: B
B. No - With Packet capture, You can Set a time constraint on the packet capture session. The default value is 18000 seconds or 5 hours.
upvoted 2 times
• **Packet Capture**: Is run on a VM to monitor the in and out flows of IP traffic. It is not used to monitor traffic BETWEEN two VMs.
MS Docs: ("Packet Capture enables you to capture all traffic on a VM in your virtual network.")
• **Connection Monitor**: Is used to monitor connectivity and latency between VMs over a period of time.
MS Docs: ("Connection Monitor allows you to monitor connectivity and latency between a VM and another network resource.")
Read Here:
https://docs.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 3 times
You will need Packet Capture, as it has an option to specify ALL protocols
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network
topology changes between the VM and the endpoint.
Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a
connection, you may find that you're able to decrease the latency by moving your Azure resources to different Azure regions.
No
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network
topology changes between the VM and the endpoint.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 1 times
Question #75 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
There are several versions of this question. The following are the possible Correct and Incorrect solutions.
-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 14 times
No, there is no such thing as "Data Collector Set (DCS)" in the Network Watcher
upvoted 1 times
EmnCours 1 year, 5 months ago
Selected Answer: B
DRAG DROP -
You have an Azure subscription that contains the resources shown in the following table.
You need to load balance HTTPS connections to vm1 and vm2 by using lb1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-public-zone-redundant-portal
Answer is correct:
1) Remove the Public IP addresses. They are basic Public IPs and we're using a Standard Load Balancer which aren't compatible.
2) Create a backend pool and health probes.
3) Create a load balancer rule.
upvoted 77 times
Answer is correct:
1) Remove the Public IP addresses. They are basic Public IPs and we're using a Standard Load Balancer which aren't compatible.
2) Create a backend pool and health probes.
3) Create a load balancer rule.
https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal
Frontend IP address
Backend pool
Inbound load-balancing rules
Health probe
upvoted 3 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Monitor, you create a metric on Network In and Network Out.
A. Yes
B. No
Correct Answer: B
Reference:
https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/
God bless all you people putting the wrong answers on these so we can have people confidently correct you.
upvoted 18 times
Selected Answer: B
You use the Packet Capture, not Connection Monitor nor Network watcher
upvoted 13 times
Selected Answer: B
Correct Answer: B
upvoted 2 times
Answer is B: No
You use the Packet Capture, not Connection Monitor nor Network watcher
upvoted 3 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using
an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.
A. Yes
B. No
Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/
Selected Answer: B
Answer B (No)
When an Azure Load Balancer gets created, it will probe the backend to detect whether the backend service is healthy or not. The probe packet is sent
from source address "AzureLoadBalancer"; the IP address of "AzureLoadBalancer" is always 168.63.129.16.
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules/
What is happening here is the LB Health Probe of TCP 443 to VM1 & VM2 are getting blocked by Rule 200 so it thinks both VM1 and VM2
are down. Hence App1 is failing as the LB won't direct any 443 traffic anywhere as it considers all Hosts are down.
Make a new rule above 200 or move rule 65001 up to <200, so the Health Probe will start working again, it will find a healthy host and start
to direct 443 traffic from 131.107.100.50 to it.
App1 is alive!
upvoted 20 times
Thank you!
upvoted 3 times
Selected Answer: B
"Attach Network Interface" is not greyed out which means the VM is powered off. That is the reason it's not working.
upvoted 2 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
DRAG DROP -
You have an Azure subscription that contains two on-premises locations named site1 and site2.
You need to connect site1 and site2 by using an Azure Virtual WAN.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
But the last step in their sequence is Connect a VN to the Virtual Hub. So I assume you leave that one out.
upvoted 2 times
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
upvoted 5 times
2 options are about creating virtual wan+hub resources and 3 of them are about connecting.
There has to only be one way to connect in the answer (virtual network or VPN site) (so both wan+hub are needed either way to get to 4)
but we have two apparent processes
Either you
-"Connect the virtual networks to the hub"
or
-"Create VPN Sites" &
-"Connect VPN site to the hub" (what VPN sites, you have to create them, bingo, above option)
HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
You have the virtual network interfaces shown in the following table.
Server1 is a DNS server that contains the resources shown in the following table.
You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
No: Server2 uses Server1 for DNS. Server1 has no host2.contoso.com record for 131.107.50.50. It would work if VNET1 had a virtual
network link to the private zone contoso.com.
Yes: Server2 uses Server1 for DNS. Server1 has a host1.contoso.com record for 131.107.10.15
No: Server3 uses 10.10.0.4 as DNS (inherited from VNET2). 10.10.0.4 (Server1) has no record for host2.contoso.com. The virtual network
link for the private zone contoso.com on VNET2 won't be used since the DNS from VNET1 is set on VNET2. VNET1 DNS is not aware of the
private zone contoso.com. It would work if VNET1 had a virtual network link to the private zone contoso.com.
upvoted 108 times
przema86 1 year, 2 months ago
I agree with these answers: N/Y/N
I hate such questions; such scenarios don't exist in real life. If I saw such a thing in production I would shout at the engineers.
upvoted 23 times
Resolution Across Peered VNets: Resources in peered VNets can resolve DNS names as per their respective VNet’s DNS settings. If a
resource in VNet A needs to resolve a name managed by a DNS server in VNet B, it can do so if the DNS server in VNet B is accessible and
if the necessary DNS forwarding or conditional forwarding is set up.
Custom DNS Scenarios: In scenarios where you have custom DNS servers, you might need to configure DNS forwarding or conditional
forwarding to ensure proper name resolution across peered VNets.
Azure-Provided DNS: If you are using Azure-provided DNS, the resolution of names for resources in Azure (like VMs) works across peered
VNets without additional configuration.
upvoted 2 times
So resolved
upvoted 2 times
"After you create a private DNS zone in Azure, you'll need to link a virtual network to it. Once linked, VMs hosted in that virtual network can
access the private DNS zone. Every private DNS zone has a collection of virtual network link child resources. Each one of these resources
represents a connection to a virtual network. A virtual network can be linked to private DNS zone as a registration or as a resolution virtual
network."
upvoted 2 times
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16.
Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of
10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
Correct. Modify the address space of VNET1, since it'd be overlapping with the one of VNET2 if you don't.
upvoted 33 times
Selected Answer: A
A is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
The virtual networks you peer must have non-overlapping IP address spaces.
upvoted 4 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
Correct. Modify the address space of VNET1, since it'd be overlapping with the one of VNET2 if you don't.
upvoted 1 times
Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
upvoted 4 times
You have the Azure virtual machines shown in the following table.
VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table.
C. comp2.contoso.com only
Correct Answer: B
Reference:
https://medium.com/azure-architects/exploring-azure-private-dns-be65de08f780
https://simpledns.plus/help/dns-record-types
Tested this, I say it is C - comp2.contoso.com ONLY. I created each of the records in my Azure DNS zone: a TXT record is not resolvable, an A
record is resolvable, the CNAME is pointing to comp1 which again is not resolvable, and the PTR record should be an IP to a name. When I
created the PTR record it wanted me to enter a domain name, e.g. contoso.com, not an IP address, but I put the IP address in anyway, and it
did not resolve. So I say it is C - comp2 ONLY
upvoted 38 times
Selected Answer: C
A record resolves IP address 10.0.0.5 to comp2.contoso.com. The only other name we could find is an alias name (CNAME) record. But there
are no CNAME entries listed for comp2, so C is the answer
upvoted 1 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/dns/dns-zones-records#record-types
Each DNS record has a name and a type. Records are organized into various types according to the data they contain. The most common
type is an 'A' record, which maps a name to an IPv4 address.
upvoted 6 times
Basically you can only ping an A record or a CNAME pointing to an A record (ignoring IP6)
upvoted 3 times
Selected Answer: C
So many people saying B? The question clearly states what you can -ping- VM2 with.
Answer is C.
upvoted 1 times
Selected Answer: C
Correct Answer: C
upvoted 1 times
HOTSPOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)
NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.
You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://www.thomasmaurer.ch/2019/09/how-to-enable-ping-icmp-echo-on-an-azure-vm/
Answer is wrong. We need to undo the DENY_PING rule with the principle of least privilege.
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 379 times
Having an outbound rule with priority 110 overrides the existing Deny rule.
upvoted 18 times
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 3 times
Ping consists of an ICMP echo request VM1---->VM2 and an ICMP echo response VM2---->VM1, so it's bidirectional. The given answer makes more
sense...
upvoted 2 times
it works!
upvoted 3 times
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
Please note that the rule won't block outbound response from VM2.
NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without
obstruction. NSGs will not end active TCP connections either.
upvoted 3 times
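Both NSG discussions above (the load balancer health probe blocked by rule 200, and the priority-110 outbound ICMP rule from VM1 to VM2) come down to first-match evaluation by ascending priority. The following is an added example, not part of the original page; the exhibits are not reproduced on the page, so the custom rule sets, the backend address, the VirtualNetwork range, the DENY_PING priority and VM3 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags as modelled here. 168.63.129.16 is the probe source quoted in
# the discussion; the VirtualNetwork range is an assumption.
SERVICE_TAGS = {
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "VirtualNetwork": ["10.1.0.0/16"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # service tag, address/CIDR or "*"
    destination: str  # service tag, address/CIDR or "*"
    port: str = "*"   # destination port, or "*" for any


def matches(addr, spec):
    """True if addr falls inside a service tag or an address/CIDR."""
    nets = SERVICE_TAGS.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n) for n in nets)


def evaluate(rules, direction, protocol, src, dst, port=None):
    """Return (access, rule_name) of the first matching rule by priority."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if r.port != "*" and r.port != str(port):
            continue
        if matches(src, r.source) and matches(dst, r.destination):
            return r.access, r.name
    return "Deny", "no-match"


# Subset of Azure's default rules that matters for these two cases.
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*"),
    Rule(65000, "AllowVnetOutBound", "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule(65500, "DenyAllOutBound", "Outbound", "Deny", "*", "*", "*"),
]

CLIENT, PROBE, BACKEND = "131.107.100.50", "168.63.129.16", "10.1.0.5"
VM1, VM2, VM3 = "10.1.0.10", "10.1.0.11", "10.1.0.12"  # VM3 is hypothetical

# Candidate rules discussed on the page.
PROPOSED = [Rule(64999, "Deny_Client", "Inbound", "Deny", "*", CLIENT, "*")]
PROBE_FIX = [Rule(150, "Allow_LB_Probe", "Inbound", "Allow", "Tcp", "AzureLoadBalancer", "*", "443")]
PING_ALLOW = [Rule(110, "Allow_VM1_Ping_VM2", "Outbound", "Allow", "Icmp", VM1, VM2)]


def lb_case(extra):
    """Inbound verdicts for the health probe and the client on TCP 443."""
    # Constructed stand-in for the exhibit: client allowed, other 443 denied.
    custom = [
        Rule(100, "Allow_Client_443", "Inbound", "Allow", "Tcp", CLIENT, "*", "443"),
        Rule(200, "Block_443_200", "Inbound", "Deny", "Tcp", "*", "*", "443"),
    ]
    rules = DEFAULTS + custom + extra
    return {
        "probe": evaluate(rules, "Inbound", "Tcp", PROBE, BACKEND, 443),
        "client": evaluate(rules, "Inbound", "Tcp", CLIENT, BACKEND, 443),
    }


def ping_case(extra):
    """Outbound ICMP verdicts from VM1 to VM2 and to an unrelated VM3."""
    # Constructed: the page names DENY_PING but not its priority or scope.
    custom = [Rule(200, "DENY_PING", "Outbound", "Deny", "Icmp", "*", "*")]
    rules = DEFAULTS + custom + extra
    return {
        "vm1_to_vm2": evaluate(rules, "Outbound", "Icmp", VM1, VM2),
        "vm1_to_vm3": evaluate(rules, "Outbound", "Icmp", VM1, VM3),
    }


if __name__ == "__main__":
    for label, extra in [("as-is", []), ("deny@64999", PROPOSED), ("probe allow@150", PROBE_FIX)]:
        print("LB  ", label, lb_case(extra))
    for label, extra in [("as-is", []), ("allow@110", PING_ALLOW)]:
        print("PING", label, ping_case(extra))
```

In this model the probe is denied by the priority-200 rule long before default rule 65001 is reached, a deny at 64999 changes no verdict, and the narrow priority-110 rule opens ICMP only for the VM1 to VM2 pair.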
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
A. Yes
B. No
Correct Answer: B
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from
the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Correct Answer: B
The certificate needs to be installed on the machine you are connecting from.
upvoted 32 times
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#clientcert
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate isn't installed, authentication
fails.
upvoted 2 times
Selected Answer: B
Correct Answer: B
upvoted 2 times
Selected Answer: B
Answer is B
upvoted 1 times
Selected Answer: B
Correct Answer: B
You need to install the certificate on the machine you are connecting from.
upvoted 1 times
Selected Answer: B
Correct approach would be to export Cert from Computer1 and install it on Computer2
upvoted 1 times
Answer is B
upvoted 1 times
Question #85 Topic 5
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
B. Protocol to UDP
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal
None (hash-based) - Specifies that successive requests from the same client may be handled by any virtual machine.
Client IP (source IP affinity two-tuple) - Specifies that successive requests from the same client IP address will be handled by the same
virtual machine.
Client IP and protocol (source IP affinity three-tuple) - Specifies that successive requests from the same client IP address and protocol
combination will be handled by the same virtual machine.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal
The answer is A
upvoted 11 times
Get ready!!! This question will now appear a million times in the next pages
upvoted 4 times
A is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP and protocol
- Traffic from the same client IP and protocol is routed to the same backend instance
upvoted 2 times
Selected Answer: A
Selected Answer: A
Correct Answer: A
upvoted 1 times
Selected Answer: A
Selected Answer: A
Answer is correct: A
Session persistence!
upvoted 2 times
You have an Azure subscription that uses the public IP addresses shown in the following table.
B. IP2 only
C. IP3 only
Correct Answer: C
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU
resources.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses
Answer is correct: C
upvoted 14 times
Selected Answer: C
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#why-use-azure-load-balancer
upvoted 6 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU
resources.
upvoted 2 times
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU
resources.
upvoted 1 times
Correct Answer: C
upvoted 1 times
Answer is correct: C
Basic SKU IP can not be combined with standard LB.
upvoted 2 times
Selected Answer: C
Selected Answer: C
Answer is correct: C
upvoted 2 times
C is correct
upvoted 2 times
Question #87 Topic 5
You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
Selected Answer: B
To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).
Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and
kubenet (Linux).
Reference
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
upvoted 39 times
On exam 01.02.22
Answer: B
upvoted 18 times
Selected Answer: B
Azure network policy provides a built-in network security solution for AKS clusters. It allows you to define network traffic rules at the
Kubernetes namespace level using standard Kubernetes NetworkPolicy objects. With Azure network policy, you can control ingress
(incoming) and egress (outgoing) network traffic between pods based on IP addresses, ports, and protocols.
upvoted 1 times
Selected Answer: B
Selected Answer: A
To restrict network traffic between pods in an Azure Kubernetes Service (AKS) cluster, you should configure the Azure network policy.
upvoted 2 times
B is the answer.
https://learn.microsoft.com/en-us/azure/aks/use-network-policies#differences-between-azure-network-policy-manager-and-calico-network-policy-and-their-capabilities
upvoted 3 times
Selected Answer: B
To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).
Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and
kubenet (Linux).
Reference
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
upvoted 3 times
HOTSPOT -
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the
You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Correct Answer:
Box 1: 10.0.0.0/16
Address prefix
destination-> Vnet 1 (Address space of Vnet1)
Box1: 10.0.0.0/16
Box2: Virtual appliance
Box3: GatewaySubnet
upvoted 17 times
Answer is correct.
https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
upvoted 4 times
- Source: 10.0.254.0
- Next Hop: NVA
- Assigned to 10.0.0.0/16. This covers 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
upvoted 2 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
C. a health probe
Correct Answer: D
With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure
Load-Balancer For
Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
2. Protocol to UDP
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/
Correct Answer: D
With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure
Load-Balancer for Sticky Sessions set Session persistence to Client IP.
upvoted 53 times
Selected Answer: D
D is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP and protocol
- Traffic from the same client IP and protocol is routed to the same backend instance
upvoted 1 times
Selected Answer: D
Correct Answer: D
upvoted 1 times
D is correct and is called Sticky Sessions like Microsoft ones sticks never let go!!
upvoted 3 times
Selected Answer: D
Selected Answer: D
Correct answer.
upvoted 1 times
Selected Answer: D
HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table:
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
✑ Priority: 100
✑ Name: Rule1
✑ Port: 3389
✑ Protocol: TCP
✑ Source: Any
✑ Destination: Any
✑ Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Correct Answer:
Box 1: No
NSG1 has default rules, which denies any port open for inbound rules
Box 2: Yes
NSG2 has custom Rule1, allowing RDP port 3389 with TCP.
Box 3: Yes
VM1 and VM2 are in the same Vnet. By default, communication is allowed.
upvoted 140 times
The VMs are on azure. The only ways I can think of that will allow you to RDP into the other server are through RDP or bastion which
will require the use of RDP on the first server. Nested RDP is not supported.
"Only one level of nested Remote Desktop connection is supported. Establishing a Remote Desktop connection from inside a nested
Remote Desktop connection isn't supported."
https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/run-remote-desktop-connection-session
upvoted 2 times
AllowVNetInBound:
Priority: 65000
Allows all inbound traffic from resources in the same Virtual Network (VNet).
Source: VirtualNetwork
Destination: VirtualNetwork
Source and Destination Port Ranges: Any
Protocol: Any
Action: Allow
upvoted 1 times
- VM1 is in subnet 1 and it doesn't have a NIC associated NSG, so subnet NSG1 applies which denies Inbound Internet traffic by default.
Answer No.
- VM2 is in subnet 2, which doesn't have an associated subnet NSG and has NSG2 applied to the VM. NSG2 allows traffic RDP traffic from
anywhere, so RDP connection is possible. Answer Yes.
- Same policy as before (Source=Any), then VM1 can RDP to VM2. Answer Yes.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules
upvoted 1 times
1. VM1 is in subnet 1 which has default Inbound rules. So traffic is blocked from the internet.
2. As VM2 is in Subnet 2 and NSG 2 with Custom RDP port allow rule on NSG2 is attached to VM2's NIC level and as Subnet 2 doesn't have
any NSG attached, so any traffic from internet will reach the NSG2 from VNET -> Subnet2 -> NSG2. And on NSG2, due to custom allowed
rule of 3389, RDP will work from the internet over VM's public IP.
3. Azure routes traffic within a VNET automatically. As NSG2 has RDP port allowed from any source, so VM1 can connect to VM2 over its
private IP.
upvoted 2 times
NSG1 is attached to Subnet1 which is with the default rule. In the Default rule, there's no allowance of RDP from Internet. Hence, RDP
won't work on VM1 from the internet.
For second box, the VM2 has NSG2 attached on it’s NIC and VM2 is attached to Subnet 2, which doesn’t seem to have any Security rule /
separate custom NSG attached (at least didn’t see in the question), so I presume that Subnet 2 has Default NSG rule whereas VM2’s NIC
has allowance for RDP. But since the Vm2 inbound traffic on port 3389 is blocked at Subnet 2 level due to default rule, so Internet to VM2
is ‘No’.
Since within VNET / Subnet all traffic allowed, so RDP is allowed by default. Hence, it’s ‘Yes’.
upvoted 1 times
You have an Azure subscription that contains two virtual machines named VM1 and VM2.
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.
Which two additional load balancer resources should you create before you can create the load balancing rule? Each correct answer presents part
of the solution.
A. a frontend IP address
C. a virtual network
D. a backend pool
E. a health probe
Correct Answer: DE
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/components
Selected Answer: DE
D and E.
You can't create a LB without FrontEnd IP, so if we have a LB we also have a FrontEnd IP already. You can however create a LB without a
backend pool and without any rules. If you want to add a rule to your LB later you have to create a backend pool and health probe first.
Those are mandatory properties for a rule. I also tested it in my lab to be sure.
upvoted 65 times
Selected Answer: AD
Answer ; A and D
Select; Frontend IP
When done with configuration steps.
Selected Answer: AD
whenever you create a LB, At least 1 frontend IP needs to be added for creating a Load Balancer
it's an error/warning so you cannot skip it unlike the rest parameters.
frontend ip & backend pool
upvoted 1 times
Selected Answer: DE
The question is: Which two additional load balancer resources should you create before you can create the load balancing rule?
The procedure is:
Frontend IP configuration
Backend pool
Health probes
Load Balancer rules
The 2 additional resources before the rules are:
Backend pool
Health probes
upvoted 1 times
And on step (4)Inbound rules -> Add load balancing rule, it requests mandatory resources which are "Frontend IP address" and "Backend
pool".
Regarding "Health probe", you can create a new one on this step itself. This means not BEFORE you can create the load balancing rule but
in parallel.
upvoted 3 times
Azure Load Balancer is NOT created. You are creating that, so the answer is AD.
upvoted 3 times
A. A frontend IP address: This IP address is used to receive incoming traffic and distribute it to the backend resources. It acts as the entry
point for the load balancer.
D. A backend pool: This defines the backend resources (in this case, VM1 and VM2) that will receive the load-balanced traffic. The load
balancer distributes incoming traffic across the resources in the backend pool based on the configured load balancing rule.
Selected Answer: DE
DE is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/components
upvoted 1 times
this makes sense, you would need a frontendip but the LB has been created so to have a rule for the LB you would need the backend pool
and health probe
upvoted 2 times
Selected Answer: DE
Correct Answer: DE
upvoted 1 times
Selected Answer: DE
D & E. I have just double checked this in the portal, mandatory fields are Health Probe and Backend Pool.
upvoted 2 times
Selected Answer: DE
DE seems correct - I might be wrong but if you have an LB, it follows that you already have a Frontend IP?
Selected Answer: AB
Should be A,B
Get a Frontend IP
Get a Backend Pool
A. Get a Frontend IP
D. Get a Backend Pool
E. Health Probe
Since D. Get a Backend Pool - This is mentioned and we know it's VM1 and VM2 but never saying a pool has been created
So it left us A D and E
But D Option got mentioned and test asks for 2 answers, I would choose A and E, but Assume that all combinations btw those 3
might be considered as correct.
upvoted 2 times
Question #92 Topic 5
You have an on-premises network that contains a database server named dbserver1.
You plan to deploy three Azure virtual machines. Each virtual machine will be deployed to a separate availability zone.
You need to configure an Azure VPN gateway for a site-to-site VPN. The solution must ensure that the virtual machines can connect to dbserver1.
Which type of public IP address SKU and assignment should you use for the gateway?
Correct Answer: C
Note: VPN gateway requires a public IP address for its configuration. A public IP address is used as the external connection point of the VPN.
Specify in the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The
public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Selected Answer: B
Ok this one is new but let's talk about it: So this would be a "Zonal Gateway" at least, right? There's no talk about the gateway being
zone-redundant but for it to be even Zonal it needs to be an AZ-SKU Tier right? And those always come with a Standard Public IP SKU which
is Static? So B? Here's my source https://docs.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways The
explanation given here is definitely rubbish
upvoted 25 times
"Assignment: The assignment is typically autoselected and can be either Dynamic or Static."
upvoted 1 times
Selected Answer: B
Focus on this part of the question: " Each virtual machine will be deployed to a separate availability zone."
ALWAYS REMEMBER THAT:
- Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set.
- Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network.
So in this case it's Standard
upvoted 20 times
Selected Answer: B
Answer is B, When availability zones are involved always Standard SKU is needed. When you select "Standard SKU" in public ip, by default
assignment is set to static and you cannot change that.
See the image for public ip creation in this article => https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times
I am not sure where some of you guys get C saying that VPN Gateway supports only dynamic PiP. When you are creating it you are actually
choice locked into a Standard PiP as far as the Public IP Address SKU goes:
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-create-gateway-portal
upvoted 1 times
"Assignment: The assignment is typically autoselected and can be either Dynamic or Static."
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times
Azure VPN gateways support both dynamic and static IP address assignment options.
By using a Standard SKU public IP address with a static IP address assignment, you can ensure a reliable and consistent VPN gateway
configuration for your site-to-site VPN. This will allow the virtual machines deployed across different availability zones in Azure to connect
securely to dbserver1 in your on-premises network.
upvoted 6 times
Selected Answer: B
Selected Answer: B
Both Bing AI and ChatGPT chose B. a standard SKU and a static IP address assignment
upvoted 4 times
B is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Standard IPs can be non-zonal, zonal, or zone-redundant. Zone redundant IPs can only be created in regions where 3 availability zones are
live. IPs created before zones are live won't be zone redundant.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses
upvoted 7 times
Selected Answer: B
B
"Zone-redundant gateways and zonal gateways both rely on the Azure public IP resource Standard SKU. The configuration of the Azure
public IP resource determines whether the gateway that you deploy is zone-redundant, or zonal. If you create a public IP resource with a
Basic SKU, the gateway will not have any zone redundancy, and the gateway resources will be regional."
https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways
upvoted 1 times
Selected Answer: C
"Zone-redundant and zonal gateways (gateway SKUs that have AZ in the name) both rely on a Standard SKU Azure public IP resource.
Azure Standard SKU public IP resources must use a static allocation method."
upvoted 2 times
HOTSPOT -
You have the Azure virtual machines shown in the following table.
VNET1 and VNET2 are linked to an Azure private DNS zone named contoso.com that contains the records shown in the following table.
The virtual networks are configured to use the DNS servers shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: Yes -
Box 3: Yes
Hi Admin,
This looks like incomplete question or something is missing. Could you please correct this and add more discussion?
upvoted 70 times
CORRECT ANSWER
YES
NO
YES
VM1 is connected to VNET1 which has Default(Azure-Provided) DNS Server and linked to Azure Private DNS Server contoso.com
(131.107.3.3 and 131.107.3.4 DNS Servers). That means VM1 has these 2 DNS servers for resolving.
DNS Servers for VNET1
server1.contoso.com = 131.107.3.3
server2.contoso.com = 131.107.3.4
VM2 belongs to VNET2 has Custom DNS:192.168.0.5 IP of VM4 ( not takes from default Azure: the server1.contoso.com = 131.107.3.4 and
server2.contoso.com = 131.107.3.4) -NO
VM2 will resolve from VM4 (DNS Server1.contoso.com=131.107.2.3 and Server2.contoso.com=131.107.2.4)
VM3 belongs to VNET3 has Custom DNS:192.168.0.5 IP of VM4 ( not takes from default Azure: the server1.contoso.com = 131.107.3.4 and
server2.contoso.com = 131.107.3.4)
VM3 will resolve from VM4 (DNS Server1.contoso.com=131.107.2.3 and Server2.contoso.com=131.107.2.4)
upvoted 44 times
So 1 Y and 2 is Y
3 is No cuz VNet 3 not linked to private zone only 1 and 2.
See;
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
"If you choose to link your virtual network with the private DNS zone without autoregistration, the virtual network is treated as a
resolution virtual network only. DNS records for virtual machines deployed this virtual network won't be created automatically in the
private zone. However, virtual machines deployed in the virtual network can successfully query for DNS records in the private zone. These
records include manually created and auto registered records from other virtual networks linked to the private DNS zone.
One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated
to it."
upvoted 3 times
Why - because both VM1 and VM2 are linked to the private DNS zone, where we have the record for server1.contoso.com -> 131.107.3.3
Also, assuming that the missing explanation of the second table says "VM4 is DNS server and it has the following records", and VM3 points
to this DNS server, it will see and resolve the server2.contoso.com -> 131.107.2.4. Note that VNET3 (where VM3 is) is not linked to the
private DNS zone.
upvoted 15 times
One thing is certain, your take on this is wrong, custom defined DNS servers do take priority over VNET zone links:
"Private DNS zones linked to a VNet are queried first when using the default DNS settings of a VNet. Azure provided DNS servers are
queried next. However, if a custom DNS server is defined in a VNet, then private DNS zones linked to that VNet are not automatically
queried, because the custom settings override the name resolution order."
(https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone#private-dns-zone-resolution)
upvoted 3 times
Server 1 , A , 131.107.2.3
Server 2 , A, 131.107.2.3
upvoted 4 times
https://learn.microsoft.com/en-us/answers/questions/1150496/private-dns-vs-custom-dns-for-one-vnet
upvoted 4 times
Y = VM1 > VNET1 > Azure priv DNS > server1 is 131.107.3.3
Y = VM2 > VNET2 > Azure priv DNS and Custom DNS > I'm gonna say Azure priv will resolve this because of contoso.com,192.168.0.5 does
not have contoso.com zone > server1 is 131.107.3.3
N = VM3 > VNET3 > Custom DNS > server2 is 131.107.3.4 for the same reason as above.
upvoted 6 times
SandCloud 10 months ago
this is the right answer, custom dns override
upvoted 1 times
VNET1 has linked private DNS zone contoso.com and it uses Default (Azure-provided) DNS
(VM1 is on VNET1)
VNET2 has linked private DNS zone contoso.com, but it uses 192.168.0.5 DNS
(VM2 is on VNET2)
HOTSPOT -
You have two Azure virtual machines as shown in the following table.
You create the Azure DNS zones shown in the following table.
✑ For fabrikam.com, you add a virtual network link to vnet1 and enable auto registration.
✑ For contoso.com, you assign vm1 and vm2 the Owner role.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: Yes -
Box 2: Yes -
Note: The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you
link a virtual network with a private DNS zone with this setting enabled, a DNS record gets created for each virtual machine deployed in the
virtual network.
For each virtual machine, an A record and a PTR record are created. DNS records for newly deployed virtual machines are also automatically
Note: If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you
Fully Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
N Y Y? Only private AZ DNS Zones can use auto registration. The set DNS search suffix in the client changes nothing about that
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 64 times
N = none of the actions in question added the VM1 record to contoso.com dns
Y = vnet1 is linked and auto-rego is enabled, records get added automatically.
Y = vnet1 is linked and auto-rego is enabled, records get added automatically.
upvoted 19 times
https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 5 times
You need to deploy an ExpressRoute gateway. The solution must meet the following requirements:
A. ERGw1AZ
B. ERGw2
C. ErGw3
D. ErGw3AZ
Correct Answer: D
The following table shows the features supported across each gateway type.
Note: ExpressRoute virtual network gateways can use the following SKUs:
Standard -
HighPerformance -
UltraPerformance -
ErGw1Az -
ErGw2Az -
ErGw3Az -
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
As if anyone really knows these things by heart. When you need to deploy something like this, you search for the right documentation
anyways, so why tf is this even a question?
upvoted 2 times
Selected Answer: D
Quote “ErGw3AZ, ErGw2AZ, ErGw1AZ equivalent to Ultra Performance SKU. The only difference in this SKU is that you can pin instance to
Zone or use Zonal redundant.”
at https://github.com/MicrosoftDocs/azure-docs/issues/27933#issuecomment-476258007
https://learn.microsoft.com/en-us/answers/questions/885158/whats-the-difference-between-ergw3az-vs-ultraperfo
upvoted 2 times
They ask super specific questions that you have to learn by heart, when you shouldn't, and nobody in real life does.
Also, they don't allow brain dumps. Instead, they want you to rely on their terrible documentation and only use tests officially supported
by Microsoft.
Try passing the exam using only that. Yes, you can do it, but seriously, good luck...
Perhaps the reason people resort to brain dumps has to do with all that nonsense?
I understand they ask complex questions to test your knowledge, but questions like this one are not complex, they are just pure evil.
upvoted 14 times
Selected Answer: D
D is the answer.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 2 times
Selected Answer: D
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 7 times
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 1 times
Selected Answer: D
HOTSPOT -
You have a virtual network named VNET1 that contains the subnets shown in the following table:
You have Azure virtual machines that have the network configurations shown in the following table:
For NSG1, you create the inbound security rule shown in the following table:
For NSG2, you create the inbound security rule shown in the following table:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: Yes -
The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or
Subnet1 where
VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the
NSG1 rule has a higher priority (or lower value) than the NSG2 rule.
Box 2: Yes -
No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.
Box 3: Yes -
No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are
thus applied.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
I believe it should be No, Yes, Yes. The NSG2 on the NIC of VM1 blocks the request that passes through NSG1 which is attached on the
subnet. There is no priority bypass between NSGs. Traffic is filtered independently between NSGs.
upvoted 285 times
So in this case we are not talking about priority, we just have rules evaluated BEFORE or AFTER. That means, if the rules were
inverted and traffic was blocked from NSG1, then what was written in the rules of NSG2 wouldn't even matter because the traffic
wouldn't have reached the NIC.
upvoted 1 times
2. YES - For VM2 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.
3. YES - For VM3 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.
upvoted 174 times
Like the answer is literally in the question, first Q1 can't be a YES. It has to be NO.
upvoted 1 times
2. VM1 to VM2. VM2 is in subnet2 that has no subnet NSG associated, and no VM NSG. VM1 and VM2 are in different subnets in the same
VNET, or same address space. Then traffic is allowed. Answer Yes.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
3. VM2 to VM3. VM2 and VM3 are in the same subnet AND no defined NSGs that deny traffic. Answer Yes.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
In our example, it's explicit in the NSG NIC rule that VM2 cannot connect to VM1 in the said port
upvoted 1 times
Network Security Groups have default rules that you can't remove: DenyAllOutBound and DenyAllInBound. "You can't remove the default
rules, but you can override them by creating rules with higher priorities."
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#denyallinbound
While the rules of NSG1 and NSG2 don't explicitly block traffic from VM1 to VM2, they do not allow it either. They would still have the
default deny all rules at the bottom that can't be removed. Correct me if I'm wrong.
upvoted 3 times
VM2 has no NSG - so all the traffic inbound and outbound is allowed inside the VNET;
VM1 inbound traffic is restricted by NSG1 and NSG2. Outbound rules are not specified, so I assume there are the default ones that
ALLOW all traffic.
on VM2 from VM1 - incoming at Port 1433 (VM2) - Subnet 2 - Default NSG , VM2 (default NSG) - which blocks Port 1433 - ) default Rule
65000 (Port - any , Source : Virtual Network , Destination : Virtual Network , ALLOW) ---- answer is YES
Incoming on VM3 is same as VM2 , on same Subnet 10.10.2.0 - default rules - same as above - YES
upvoted 2 times
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic
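Added example, not part of the original thread: a small Python model of the inbound evaluation discussed above (subnet NSG first, then NIC NSG, each with Azure's three default inbound rules). The addresses and the two custom rules are constructed for illustration and are not the rules from the exam question; the VirtualNetwork tag is simplified to the VNet address space and protocol matching is omitted.

```python
import ipaddress
from dataclasses import dataclass

AZURE_LB_IP = "168.63.129.16"  # address behind the AzureLoadBalancer service tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int  # lower number is evaluated first
    source: str    # CIDR, "*", "VirtualNetwork" or "AzureLoadBalancer"
    dest: str      # same forms as source
    port: str      # "*", "1433" or a range such as "8000-8080"
    access: str    # "Allow" or "Deny"


# Default inbound rules present in every NSG; they cannot be removed,
# only overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]


def _addr_matches(spec, ip, vnet):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":  # simplification: only the VNet address space
        return ip in ipaddress.ip_network(vnet)
    if spec == "AzureLoadBalancer":
        return ip == ipaddress.ip_address(AZURE_LB_IP)
    return ip in ipaddress.ip_network(spec)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_nsg(custom_rules, src, dst, port, vnet):
    """Return (access, rule_name) of the first matching rule in one NSG."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_addr_matches(rule.source, src, vnet)
                and _addr_matches(rule.dest, dst, vnet)
                and _port_matches(rule.port, port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def inbound_allowed(subnet_nsg, nic_nsg, src, dst, port, vnet):
    """Inbound order is subnet NSG, then NIC NSG. None means no NSG is
    associated at that level, so that level does not filter at all."""
    trace = []
    for layer, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, src, dst, port, vnet)
        trace.append((layer, name, access))
        if access == "Deny":
            return False, trace  # a deny at the subnet level never reaches the NIC NSG
    return True, trace


# Constructed sample topology and rules (assumptions, not the exam's tables).
VNET = "10.10.0.0/16"
VM1, VM2 = "10.10.1.4", "10.10.2.4"
NSG1_SUBNET = [Rule("AllowSql", 100, "10.10.2.0/24", "*", "1433", "Allow")]
NSG2_NIC = [Rule("DenySql", 100, "10.10.2.0/24", "*", "1433", "Deny")]

if __name__ == "__main__":
    print(inbound_allowed(NSG1_SUBNET, NSG2_NIC, VM2, VM1, 1433, VNET))
    print(inbound_allowed(None, None, VM1, VM2, 1433, VNET))
    print(inbound_allowed([], None, "203.0.113.7", VM1, 1433, VNET))
```

An NSG with no custom rules still admits VNet-to-VNet traffic through AllowVnetInBound at priority 65000, which is evaluated before DenyAllInBound at 65500.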
HOTSPOT -
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routes in the following table:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine
needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Box 1: Yes -
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No -
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes -
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
https://www.quora.com/What-is-IP-forwarding
Y = RT is not applied to VM3. VM3 will have the default route between subnets in a vnet.
N = VM2 > Subnet2 has RT applied to it. VM3 is the next hop which is turned off.
Y = VM3 has IP forwarding enabled which can fwd traffic from VM1 to VM2.
upvoted 48 times
YNY
if UDR was not set, connectivity between three VMs would work by default.
1) With UDR, it still works, but return traffic from VM1 and VM2 to VM3 goes straight to VM3 instead of subnet gateway (which is one of
reserved subnet IPs)
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#enable-or-disable-ip-forwarding
upvoted 6 times
VM3 subnet does not have a route for VM1 subnet. The default route drops packets that belong to 10.0.0.0/8 -> No
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
VM2 cannot connect to VM1 because the router (VM3) is offline -> No
Correct Answer: C
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1
This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to
it.
Incorrect Answers:
B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
Correct Answer: C
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE
(IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally
facing public IP address assigned to it.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
upvoted 108 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual
network and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure
virtual networks over the Microsoft network. Multiple connections can be created to the same VPN gateway. When you create multiple
connections, all VPN tunnels share the available gateway bandwidth.
upvoted 4 times
Correct answer: C
upvoted 1 times
Selected Answer: C
Correct Answer: C
upvoted 1 times
Selected Answer: C
Selected Answer: C
C is correct.
To achieve the goal, the web app needs to integrate with Vnet so that web app can get an IP from vnet.
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 1 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: C
Note:
There are several versions of this question in the exam. The question has two correct answers:
The question can have other incorrect answer options, including the following:
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration
Correct Answer: C
Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 85 times
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
https://docs.microsoft.com/en-us/samples/mspnp/samples/azure-well-architected-framework-sample-state-configuration
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration
upvoted 14 times
Old friend
upvoted 5 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 2 times
Selected Answer: C
Correct Answer: C
upvoted 1 times
C is correct..see below
A Desired State Configuration (DSC) extension
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx
webserver.
az vm extension set \
--resource-group myResourceGroup \
--publisher Microsoft.Azure.Extensions \
Selected Answer: C
The Publish-DscConfiguration cmdlet publishes a Windows PowerShell Desired State Configuration (DSC) configuration document on a set
of computers. This cmdlet does not apply the configuration. Configurations are applied by either the Start-DscConfiguration cmdlet when
it is used with the UseExisting parameter or when the DSC engine runs its consistency cycle.
https://docs.microsoft.com/en-us/powershell/module/psdesiredstateconfiguration/publish-dscconfiguration?view=dsc-1.1
upvoted 3 times
Selected Answer: C
Correct Answer: C
Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 1 times
Selected Answer: A
Publish-AzVMDscConfiguration cmdlet
upvoted 1 times
I thought that the correct answer was A, but it is not, because of this:
"The Publish-AzVMDscConfiguration cmdlet uploads a Desired State Configuration (DSC) script to Azure blob storage, which later can be
applied to Azure virtual machines using the Set-AzVMDscExtension cmdlet."
upvoted 1 times
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.
B. service endpoints
D. Azure Firewall
Correct Answer: A
Selected Answer: B
I believe it should be B
"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. "
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 41 times
Selected Answer: B
Service Endpoints allow you to extend the Azure virtual network's private address space to Azure services, such as Azure Storage. By
enabling Service Endpoints, the traffic between VM1 and storage1 remains within the Azure network fabric, utilizing the Microsoft
backbone network.
upvoted 3 times
Selected Answer: B
It is not A
NSG is a set of rules that "Allow" or "Block"
Why are community and admin responses totally different in many questions?
upvoted 2 times
B is the answer
upvoted 1 times
B service endpoint
upvoted 1 times
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints
enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
upvoted 4 times
Selected Answer: B
service endpoints to ensure traffic uses ms backbone network, it does not go out to the internet.
upvoted 2 times
Service endpoints and Private endpoints are the services that allow you to use MSFT backbone to communicate with Azure services
upvoted 2 times
Correct Answer is B
upvoted 1 times
Correct Answer: B
upvoted 4 times
You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network.
A. IKEv1
B. PPTP
C. IKEv2
D. L2TP
Correct Answer: C
A Site-to-Site (S2S) VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
C. IKEv2 IPsec
keyword is "Route-Based" coz "Policy-based" only supports IKEv1.
upvoted 24 times
IKEv2 is correct
upvoted 1 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps#azure-support-for-policy-based-vpn
upvoted 4 times
Correct Answer: C
upvoted 2 times
Selected Answer: C
Correct Answer: C
upvoted 2 times
Selected Answer: C
Answer: C
upvoted 2 times
Question #102 Topic 5
You have an Azure subscription that contains the resources shown in the following table.
You configure Azure Site Recovery to replicate VM1 between the US East and West US regions.
You perform a test failover of VM1 and specify VNET2 as the target virtual network.
When the test version of VM1 is created, to which subnet will the virtual machine be connected?
A. TestSubnet1
B. DemoSubnet1
C. RecoverySubnetA
D. RecoverySubnetB
Correct Answer: A
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.
upvoted 53 times
Selected Answer: B
in exam 26/12/2023
upvoted 2 times
B) Apparently if the target subnet doesn't have the same name, then it picks it via alphabetical order.
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#specify-a-subnet
upvoted 2 times
Selected Answer: B
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
upvoted 1 times
Selected Answer: A
logically when you failover same subnet CIDR means less work to do.
upvoted 1 times
A. TestSubnet1
https://learn.microsoft.com/en-us/azure/site-recovery/concepts-network-security-group-with-site-recovery
upvoted 5 times
If no specific subnet is specified, VM1's test version would be deployed to the same subnet in VNET2, same subnet refers to the same
address.
upvoted 5 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
A. Protocol to UDP
Correct Answer: D
Selected Answer: D
D is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP
- Traffic from the same client IP is routed to the same backend instance
upvoted 6 times
Correct answer: C
Reference: https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
upvoted 1 times
Selected Answer: D
Correct Answer
D. Session persistence to Client IP
upvoted 1 times
Selected Answer: D
To ensure that visitors are serviced by the same web server for each request, you should configure session persistence to "Client IP" on
the Azure load balancer.
upvoted 2 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: D
Selected Answer: D
Correct Answer
D. a Desired State Configuration (DSC) extension
upvoted 5 times
These questions are like filler question to relax the people, appearing regularly after some questions so that people do not feel
overwhelmed.
upvoted 1 times
Selected Answer: D
Selected Answer: D
correct answer D
upvoted 3 times
Question #105 Topic 5
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
C. Protocol to UDP
Correct Answer: B
I hope I get this question on the exam half as often as it appears here.
upvoted 22 times
I feel like I've seen this same question about 10 times already
upvoted 1 times
Selected Answer: B
B is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP
- Traffic from the same client IP is routed to the same backend instance
upvoted 2 times
Selected Answer: B
Correct answer: B
Session persistence to Client IP
Reference: https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
upvoted 1 times
Selected Answer: B
Correct Answer
B. Session persistence to Client IP
upvoted 1 times
correct
B. Session persistence to Client IP
upvoted 2 times
Question #106 Topic 5
You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named
You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1.
You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1.
Which port should you configure for the inbound security rule?
A. 22
B. 443
C. 389
D. 8080
Correct Answer: B
Correct answer A....As Bastion connects to VM via port 22/3389..Azure portal connects to Bastion via port 443..as the question is to
inbound rule for vm from Bastion...Correct answer is PORT 22...option A
upvoted 20 times
"Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other
target VM subnets for port 3389 and 22."
I think the correct answer is A, and we have to assume that these are Linux VMs Bastion is connecting to over SSH.
upvoted 3 times
Selected Answer: B
Correct Answer
B. 443
If you say port 22 then what about windows VM as it is not mentioned that the VM is windows or Linux? You will have to allow port 443 in
NSG.
upvoted 19 times
Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress
traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet.
Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target
VM subnets for port 3389 and 22.
https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
upvoted 1 times
Selected Answer: A
https://learn.microsoft.com/nl-nl/azure/bastion/bastion-overview
see drawing
upvoted 1 times
Selected Answer: B
Azure Bastion's Communication: Azure Bastion, regardless of SKU, uses HTTPS (port 443) to establish secure connections to virtual
machines within a virtual network. It doesn't interact directly with ports like 22 (SSH), 389 (LDAP), or 8080 (HTTP).
NSG Configuration: To enable inbound access to the virtual machines via Bastion1, you need to create an inbound security rule in NSG1
that allows traffic on port 443 from Bastion1's IP address or subnet.
Port 22 (SSH): This is typically used for direct SSH connections, but Bastion doesn't use it for its own communication.
Port 389 (LDAP): This is used for LDAP directory services, not Bastion's functionality.
Port 8080 (HTTP): This is sometimes used for web services, but Bastion uses HTTPS (port 443) for secure connections.
upvoted 2 times
Azure Bastion provides access to a private network from an external network, such as the Internet. So we need port 443, in case it has to
travel over the Internet.
upvoted 1 times
Selected Answer: B
Haven't tested this but read the convo and thought I would add my 2 cents...
Since bastion resides in the same VNET as the VMs and connects over private IP, you don't have to do anything for bastion to connect to
the VMs. You would need to ensure that traffic from outside the VNET can reach the Bastion Subnet (port 443).
upvoted 2 times
burns25 3 months, 3 weeks ago
Selected Answer: A
https://www.youtube.com/watch?v=lZ_u57gJBNo&t=943s
upvoted 2 times
It clearly says about the traffic between the bastion host and the VMs it's servicing: "Egress Traffic to target VMs: Azure Bastion will
reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM subnets for port 3389 and 22."
https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 3 times
Selected Answer: B
To allow inbound access to the virtual machines via the Azure Bastion Basic SKU host named Bastion1, you should configure the inbound
security rule on NSG1 for TCP port 443 - as per Bing AI
upvoted 1 times
In order to connect to the Linux VM via SSH, you must open inbound port 22 for SSH.
https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh-linux
upvoted 1 times
HOTSPOT
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the servers
You create an Azure virtual network named VNET1 that has the following settings:
• Subnet:
o Name: Subnet1
o IPv4: 10.0.1.0/24
You need to move DC1 to VNET1. The solution must ensure that the member servers in contoso.com can resolve AD DS DNS names.
How should you configure DC1? To answer, select the appropriate options in the answer area.
Another dumb correct response. The only correct responses appear to be to use a dynamic IP address and custom DNS. But, in the real
world, you would never configure a DC to use a dynamic IP address. Imagine the chaos if it is rebooted and acquires a different IP address
and the SRV records are possibly not updated, not to mention the fact that now the client DNS configurations are pointing to an incorrect
DNS address and won't be able to resolve A and SRV records for the domain. Madness.
upvoted 22 times
Correcting: it's 443, because azure/bastion takes care of the vm network side. As in, if you don't block it with a specific rule it works.
upvoted 2 times
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
2. Best approach will be to use a Private DNS zone, but the question is about moving the DC, which is already a DNS server. Then the
answer is to configure the VNET to use a custom DNS server (the DC in this case).
upvoted 1 times
ref: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-resources
"If you need to use existing DNS infrastructure (for example, Active Directory integrated DNS), ensure that the DNS server role is deployed
onto at least two VMs and configure DNS settings in virtual networks to use those custom DNS servers."
ref: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
If you need to use existing DNS infrastructure (for example, Active Directory integrated DNS), ensure that the DNS server role is deployed
onto at least two VMs and configure DNS settings in virtual networks to use those custom DNS servers."
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-resources
upvoted 1 times
1: As soon as you move DC1 to VNET1, irrespective of the DNS/IP config, Server1 cannot resolve AD DS DNS names as there is ZERO
mention of a P2P VPN between onsite where Server1 still is and the VNET...
however
2: Let's assume the question means if Server 2 is also moved as well, or if there is a VPN\Express Route:
You don't want to give a DC a DHCP IP but you are going to have to!:
-10.0.2.1 and 192.168.2.1 are not in any defined subnet in the vNET.
-10.0.1.3 is a reserved IP in a /24 network and can not be assigned
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
You need to point DNS for any domain members to the DC for AD DNS resolution so it has to be a Custom IP (of whatever gets assigned to
DC1). (Private DNS zones don't support Active Directory DNS Zone Integration).
Just pray no one shuts down DC1 and it gets a different IP when it starts up.
Who decides the answers to these questions? This one couldn't be more wrong.
upvoted 4 times
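Added example, not part of the original thread: a Python check of the static-address reasoning in the comment above, using Azure's reservation of the first four addresses and the last address of every subnet. The function names are hypothetical; the subnet and the candidate addresses are the ones quoted in the thread, plus one constructed usable address (10.0.1.4).

```python
import ipaddress


def reserved_addresses(subnet_cidr):
    """Map each Azure-reserved address in a subnet to the reason it is reserved."""
    net = ipaddress.ip_network(subnet_cidr)
    first = int(net.network_address)
    return {
        ipaddress.ip_address(first): "network address",
        ipaddress.ip_address(first + 1): "default gateway",
        ipaddress.ip_address(first + 2): "Azure DNS mapping",
        ipaddress.ip_address(first + 3): "Azure DNS mapping",
        net.broadcast_address: "broadcast address",
    }


def check_static_ip(candidate, subnet_cidrs):
    """Return (assignable, reason) for a static private IP against a VNet's subnets."""
    ip = ipaddress.ip_address(candidate)
    for cidr in subnet_cidrs:
        if ip in ipaddress.ip_network(cidr):
            reason = reserved_addresses(cidr).get(ip)
            if reason:
                return False, f"reserved in {cidr}: {reason}"
            return True, f"assignable in {cidr}"
    return False, "not in any subnet of the virtual network"


VNET1_SUBNETS = ["10.0.1.0/24"]  # Subnet1 from the question

if __name__ == "__main__":
    for candidate in ("10.0.2.1", "192.168.2.1", "10.0.1.3", "10.0.1.4"):
        print(candidate, check_static_ip(candidate, VNET1_SUBNETS))
```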
https://learn.microsoft.com/en-us/azure/dns/private-dns-overview
Azure Private DNS provides a reliable and secure DNS service for your virtual network. Azure Private DNS manages and resolves domain
names in the virtual network without the need to configure a custom DNS solution. By using private DNS zones, you can use your own
custom domain name instead of the Azure-provided names during deployment. Using a custom domain name helps you tailor your virtual
network architecture to best suit your organization's needs. It provides a naming resolution for virtual machines (VMs) within a virtual
network and connected virtual networks.
upvoted 4 times
As to the custom DNS, yes, point the VNET at the custom DNS server (the DC). Bonus points if you point the DNS settings on the DC's VM
to Azure's DNS servers in the VM's properties (saves you a lot of work in resolving private DNS zones of e.g. Private Endpoints ;-) )
upvoted 4 times
For example, the IP address range of 192.168.1.0/24 has the following reserved addresses:
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
B. a health probe
Correct Answer: C
I hope I get this question on the exam half as often as it appears here.
upvoted 10 times
Quote "Client IP (2-tuple) - Specifies that successive requests from the same client IP address are handled by the same backend instance."
at https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence .
upvoted 1 times
C is correct.
upvoted 1 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP
- Traffic from the same client IP is routed to the same backend instance
upvoted 2 times
Selected Answer: C
Selected Answer: C
Correct Answer
C. Session persistence to Client IP
upvoted 4 times
You have an Azure subscription that contains the virtual networks shown in the following table.
You need to deploy an Azure firewall named AF1 to RG1 in the West US Azure region.
C. VNET1 only
Correct Answer: C
Selected Answer: C
C. VNET1 only
No idea why people are saying option E as the question clearly states that "You need to deploy an Azure firewall named AF1 to RG1 in the
West US", so RG1 in the West US region means the correct answer is C(VNET1).
upvoted 44 times
"Are there any firewall resource group restrictions? Yes. The firewall, VNet, and the public IP address all must be in the same resource
group."
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 11 times
Selected Answer: E
As all resources, the resource group is just a logical grouping and the real limitations do come from the region. An Azure Firewall can be
used with peered networks, but as the question does not mention peering the firewall cannot be applied to networks in another region.
"You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual
networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central
firewall virtual network. Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues
across regions. For best performance, deploy one firewall per region."
I also just tried it out, I cannot connect an Azure Firewall to a VNET which is in another region.
upvoted 15 times
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 5 times
No, the Azure Firewall itself cannot belong to a different resource group than the resource group it protects. Azure Firewall requires tight
integration with the resources it secures, including virtual networks and subnets. This integration isn't possible if the firewall resides in a
separate resource group.
Azure Firewall needs to be deployed in the same resource group as the resources it protects for several reasons:
Policy enforcement: Azure Firewall applies its network security policies to resources within the same resource group. Placing it in a
different group weakens its ability to effectively secure those resources.
Resource association: Certain features of Azure Firewall, like IP Groups and Application Rules, require direct association with resources
within the same resource group.
Management and access control: Managing and controlling access to Azure Firewall is easier when it's within the same resource group as
the resources it protects.
upvoted 1 times
E is not correct, I have tested this in my LAB. When you try to create an Azure Firewall in RG1, you cannot select the VNET in RG2. It will
actually tell you "Azure Firewall cannot be used with a VNET from a different resource group".
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 3 times
C: seems most relevant here as per comments here and the links provided confirming restrictions implementing Azure Firewall
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 1 times
Selected Answer: C
C is correct.
upvoted 1 times
Selected Answer: C
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions:~:text=Yes.%20The%20firewall%2C%20VNet%2C%20and%20the%20public%20IP%20address%20all%20must%20be%20in%20the%20same%20resource%20group.
upvoted 2 times
Firewall must be in the same RG with other needed resources. MS allows you to allocate resources in different RG/location/VNet but many
of them just don't work. Additionally, moving resources will also cause undesirable system errors as well. TBH, that is not understandable
Source:
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 2 times
Selected Answer: C
C: Is correct
upvoted 1 times
Selected Answer: C
It states you need to deploy to RG1 and West US, based on this there is only one solution and it's VNET1
upvoted 1 times
Selected Answer: C
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 2 times
You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3. The virtual networks are peered and
connected to the on-premises network. The subscription contains the virtual machines shown in the following table.
You need to monitor connectivity between the virtual machines and the on-premises network by using Connection Monitor.
A. 1
B. 2
C. 3
D. 4
Correct Answer: B
Selected Answer: B
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#before-you-begin
upvoted 23 times
That creature has posted the same message on 34 questions. I have used the power of Google to track it! It's a marketing bot, or a very
strange being
upvoted 5 times
Selected Answer: B
This was on my exam. I think the suggested answer to the question is correct.
upvoted 1 times
Selected Answer: B
Select a region for your connection monitor. You can select only the source VMs that are created in this region.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#create-a-connection-monitor
upvoted 5 times
Network Watcher can monitor cross-region traffic, but it is enabled on a regional basis.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
All subscriptions that have a virtual network are enabled with Network Watcher. When you create a virtual network in your subscription,
Network Watcher is automatically enabled in the virtual network's region and subscription. This automatic enabling doesn't affect your
resources or incur a charge. Ensure that Network Watcher isn't explicitly disabled on your subscription.
upvoted 6 times
Question #111 Topic 5
HOTSPOT
You plan to deploy the following Azure Resource Manager (ARM) template.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:
It's NO - YES - NO
Box 1: NO - the value of 'netname' is 'App1', so it's created in the App1 subnet (not netname)
Box 2: YES - There's no OTHER resource groups specified so it assumes it needs to find the resource in the one you're deploying to.
reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#remarks-3
Box 3: NO - 'sku' is a variable, not a parameter - so you can't use it as a parameter.
upvoted 20 times
I get so tired of these "yes or no" questions. It's basically 3 questions in 1. Disgusting material.
upvoted 3 times
This link (the error described in it and the cause for it described in the answer) suggests that the load balancer and the VNET must be in the
same RG:
https://learn.microsoft.com/en-us/answers/questions/203973/problem-creating-an-azure-internal-load-balancer-w
https://learn.microsoft.com/en-us/azure/load-balancer/move-across-regions-internal-load-balancer-portal
'Resource group to choose the resource group where the target load balancer will be deployed. You can select Create new to create a new
resource group for the target internal load balancer or choose the existing resource group that was created above for the virtual network.
Ensure the name isn't the same as the source resource group of the existing source internal load balancer.'
upvoted 1 times
Yes, Azure Load Balancer must be in the same resource group as the virtual network (vnet) it is being used with. This is because Load
Balancer is a resource that is used to distribute incoming network traffic across multiple virtual machines (VMs) in a backend pool. The
VMs in the backend pool must also be in the same resource group as the Load Balancer and vnet.
When you create a Load Balancer, you must specify the vnet it will be used with, and the resource group that both the Load Balancer and
vnet belong to. If you try to create a Load Balancer in a different resource group than the vnet, you will receive an error message.
It's important to note that while the Load Balancer and vnet must be in the same resource group, they can be in different regions.
However, for optimal performance, it's recommended to keep them in the same region to minimize latency.
upvoted 4 times
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/variables
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/parameters
upvoted 4 times
You have an Azure subscription that contains a storage account. The account stores website data.
You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location.
A. private endpoints
C. Routing preference
D. load balancing
Correct Answer: C
Selected Answer: C
C is correct.
https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing
upvoted 18 times
Selected Answer: C
The correct option to configure for ensuring inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location
is option C, Routing preference.
Routing preference in Azure Traffic Manager allows you to specify how to route traffic to your Azure service endpoints based on various
criteria, such as the geographic location of the client or the endpoint, the performance of the endpoint, or the priority of the endpoint.
By configuring routing preference, you can direct incoming user traffic to the Microsoft point-of-presence (POP) closest to the user's
location, ensuring the best possible user experience. This can be achieved by selecting the "Performance" routing method in Azure Traffic
Manager, which uses DNS-based traffic routing to direct users to the endpoint that offers the best performance from the user's location.
upvoted 8 times
You can choose between the Microsoft global network and internet routing as the default routing preference for the public endpoint of
your storage account.
By default, clients outside of the Azure environment access your storage account over the Microsoft global network. The Microsoft
global network is optimized for low-latency path selection to deliver premium network performance with high reliability. Both inbound
and outbound traffic are routed through the point of presence (POP) that is closest to the client.
upvoted 1 times
Selected Answer: C
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing
By default, clients outside of the Azure environment access your storage account over the Microsoft global network. The Microsoft global
network is optimized for low-latency path selection to deliver premium network performance with high reliability. Both inbound and
outbound traffic are routed through the point of presence (POP) that is closest to the client. This default routing configuration ensures
that traffic to and from your storage account traverses over the Microsoft global network for the bulk of its path, maximizing network
performance.
upvoted 2 times
To ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location, you should configure load
balancing. Azure Traffic Manager provides global load balancing for the endpoint for the storage account, routing traffic to the closest
Microsoft POP based on the lowest latency.
upvoted 1 times
Selected Answer: C
A. Private endpoints
https://intellipaat.com/blog/how-to-use-azure-cdn/#no5
upvoted 1 times
Selected Answer: A
A. private endpoints
To ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location, you should configure Azure
Traffic Manager for your storage account
Routing preference is not a valid option for ensuring that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the
user's location.
upvoted 1 times
You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1.
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network
interface of VM1.
C. Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.
D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
Correct Answer: A
Answer is correct. However, it will prevent VM1 from connecting to any machine using 3389, not just VM2
upvoted 13 times
A: The rule works, although it will prevent VM1 from connecting to anything on 3389 the way it is described in the question (no limit to the
destination IP detailed).
Configuring a Bastion will do nothing to prevent VM1 from accessing VM2 in any way.
C & D are wrong as they are SOURCE port Deny not destination port Deny.
A connection to remote port of 3389 is not going to be from a source port of 3389 (especially if RDP is already listening on these VMs as
that port will be unavailable as a source port), it could be any port in 1024-65535.
upvoted 7 times
Selected Answer: D
D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
upvoted 1 times
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui
upvoted 1 times
zellck 1 year ago
Selected Answer: A
A is the answer.
upvoted 1 times
Selected Answer: A
Correct Answer: A
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the
network interface of VM1.
By creating an outbound security rule in a network security group (NSG) to deny destination port 3389, you can prevent VM1 from
accessing port 3389 on VM2. By applying the NSG to the network interface of VM1, you can enforce the security rule specifically for VM1.
This solution provides a centralized way to manage and enforce network security for VM1, and it helps to prevent unwanted access to port
3389 on VM2 from VM1.
***If it was D. "Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to
Subnet1" you could prevent access to port 3389 on VM2 from ANY SOURCE (including VM1). By applying the NSG to Subnet1, you can
apply the security rule to both VM1 and VM2.
The question asked "to prevent VM1 from accessing VM2 on port 3389", not from any source.
upvoted 2 times
To prevent VM1 from accessing VM2 on port 3389, you need to create an NSG with an inbound security rule that denies traffic from the
source port 3389. Then you need to apply the NSG to Subnet1, which will block the traffic to all the virtual machines in the subnet.
upvoted 1 times
Selected Answer: A
A is correct. It will prevent connections from VM1 on port 3389 to any destination, including the other VM. Question does not say that VM1
should be able to access other VMs on this port so it's fine to block all outgoing connections.
upvoted 4 times
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the
network interface of VM1.
upvoted 1 times
You have an Azure subscription that contains the resources shown in the following table.
Correct Answer: C
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall#3-route-all-traffic-to-the-firewall
When you create a virtual network, Azure automatically creates a default route table for each of its subnets and adds system default
routes to the table. In this step, you create a user-defined route table that routes all traffic to the firewall, and then associate it with the
App Service subnet in the integrated virtual network.
upvoted 6 times
Before you can manage outbound traffic from VNET1 using Firewall1, you need to have the Hybrid Connection Manager configured. The
Hybrid Connection Manager is required for Firewall1 to function as an outbound-only firewall. Once the Hybrid Connection Manager is
configured, you can manage outbound traffic from VNET1 using Firewall1.
upvoted 1 times
Selected Answer: C
https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall
upvoted 1 times
Selected Answer: C
Selected Answer: C
Outbound traffic management using Azure Firewall is only available for App Service apps or function apps that are hosted on an App
Service plan in the Premium SKU
upvoted 1 times
You have an Azure subscription that contains the resources shown in the following table.
A. VM1 only
B. contoso.com only
Correct Answer: A
Be aware when checking CyberKelev comments - I think he is a troll as most of the time he posts wrong answers. Always verify with other
comments
upvoted 76 times
Selected Answer: A
A is the answer.
https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native
SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you
provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the
Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client
software.
upvoted 25 times
Using the word "protected" here is odd to me, but Bastion is a form of RDP, it's only going to reach the VM. Answer is A.
upvoted 1 times
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned.
Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access
using RDP/SSH.
"Protection against port scanning : Your VMs are protected against port scanning by rogue and malicious users because you don't need to
expose the VMs to the internet."
https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 2 times
Selected Answer: A
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion
protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
upvoted 3 times
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP/SSH connectivity to the virtual machines within a
virtual network. By deploying Bastion1 to VNet1, you can protect the access to all the resources connected to the virtual network,
including VM1, App1, and contoso.com. Bastion1 provides a secure and streamlined way to access the virtual machines within VNet1
without the need to configure a public IP address or a VPN.
upvoted 1 times
Bastions protect VMs by allowing you to connect to them to manage them in a more secure way (i.e. RDP to Windows and SSH to Linux)
upvoted 4 times
Selected Answer: A
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
B. a health probe
Correct Answer: C
Selected Answer: C
i hope i get this question on the exam half as often as it appears here.
upvoted 15 times
at first i was angry about repeating questions, but now that i have gone through almost 500 of them, i am thankful to see this one like an
old friend. It just means i don't have to play connect the dots with another question that has 7 resource tables in it...
upvoted 2 times
at
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence
upvoted 1 times
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP and protocol
- Traffic from the same client IP and protocol is routed to the same backend instance
upvoted 3 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
A. a health probe
D. Protocol to UDP
Correct Answer: C
lol, everyone is so fed up seeing this question again and again that no one commented on this one. This is the comment no one will read,
hopefully, 😂
upvoted 38 times
I love seeing this one, one less question to learn out of the 43,356 questions we have to get through
upvoted 16 times
Whoever said that the definition of insanity is doing the same thing over and over again and expecting different results has obviously
never had to go through AZ-104 questions
upvoted 4 times
Selected Answer: C
Quote "https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence"
at
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence
upvoted 2 times
You have an Azure subscription that contains 10 virtual machines and the resources shown in the following table.
You need to ensure that Bastion1 can support 100 concurrent SSH users. The solution must minimize administrative effort.
Correct Answer: D
Selected Answer: D
D is the answer.
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#instance
When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the
number of instances. This is called host scaling.
Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. Once the
concurrent sessions are exceeded, an additional scale unit (instance) is required.
upvoted 13 times
Just one piece of advice here: read, think, and ONLY afterwards post. The Standard SKU for Bastion supports up to 50 instances. A /26 has 64 IPs, with 59
usable. That means the IPs are ENOUGH to deploy the maximum supported number of Bastion instances. The relation between the number of
sessions and required IPs in the Bastion subnet is not 1 to 1; it is 25 to 1. That means one IP is used for one instance that can support up to
25 concurrent sessions. For 100 sessions, you need 4 instances that will need 4 IPs. I hope I bring some clarity here.
upvoted 3 times
Selected Answer: D
Agree with D:
In the first instance, Bastion should be updated from Basic to Standard as per comments here.
This is due to Bastion having only 2 max instances with 40 SSH connections each.
With Standard this can be up to 50 instances to meet the request, with 40 SSH sessions per instance.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-bastion-limits
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#instance
upvoted 2 times
Selected Answer: A
Selected Answer: D
To support 100 concurrent SSH users, you need to upgrade the Basic SKU Azure Bastion to the Standard SKU. The Basic SKU only supports
10 concurrent SSH users, while the Standard SKU supports up to 100 concurrent SSH users.
Resizing the subnet of Bastion1 or creating an NSG would not directly address the need to support more concurrent SSH users, and host
scaling is not applicable in this scenario.
upvoted 4 times
And the Basic tier does not support 100 concurrent users, so that needs to be taken care of FIRST...
upvoted 1 times
Selected Answer: D
In general, when you deploy the Azure Bastion Basic SKU, Microsoft deploys two instances which support 20-24 concurrent sessions, which
means each instance supports 10-12 sessions.
https://reimling.eu/2021/07/azure-bastion-supports-scalability-for-ssh-rdp-connections-with-the-new-standard-sku/
upvoted 3 times
Question #119 Topic 5
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
B. Protocol to UDP
Correct Answer: A
DRAG DROP
You have a Windows 11 device named Device1 and an Azure subscription that contains the resources shown in the following table.
Device1 has Azure PowerShell and Azure Command-Line Interface (CLI) installed.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Correct Answer:
Explanation:
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native
SSH or RDP client already installed on your local computer.
The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local
SSH key pair and Azure Active Directory (Azure AD).
Using the native client requires the Standard SKU tier for Azure Bastion. First, we need to upgrade the SKU of our Azure Bastion instance.
Second, we need to enable the native client support from the configuration settings of Bastion1 in the Azure Portal.
Third, we need to sign in to our Azure account and select the subscription containing the Bastion resource as shown below:
upvoted 16 times
Lastly, we run the following command to connect via RDP. You’ll then be prompted to input your credentials. You can use either a local
username and password, or your Azure AD credentials.
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
upvoted 7 times
Correct Answer!
Nobrainer :)
Just learn from ET, no need for another study material. I passed the exam yesterday with 930 out of 1000. Best of luck guys
upvoted 15 times
https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
Select the box for Native Client Support, then apply your changes.
To connect via RDP, use the following command (az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>")
https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
upvoted 10 times
pramodk78 11 months, 1 week ago
Answer seems ok as per link https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
upvoted 6 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
C. Protocol to UDP
Correct Answer: B
If I continue to see this question, I'm pretty sure I will have a nightmare in which someone kills me while continuously screaming "Session
persistence to Client IP!"
upvoted 14 times
You have an Azure subscription that has the public IP addresses shown in the following table.
You plan to deploy an Azure Bastion Basic SKU host named Bastion1.
A. IP1 only
Correct Answer: B
Selected Answer: A
Tested in sandbox
- IPv4 - Static - Standard - Global:
Error during the selection in the interface - A Global Tier PublicIPAddress cannot be attached to Bastions.
- IPv4 - Static - Standard - Regional:
OK
- IPv4 - Static - Basic - Regional
Error during the selection in the interface - Static public IP addresses cannot be associated.
- IPv4 - Dynamic - Basic - Regional
Error during the selection in the interface - The SKU type for the public IP address does not match the SKU type of the load balancer (?? I
don't know why this message).
- IPv6 - Static - Standard - Regional:
Error during deployment (The selected IPv6 public IP address is not supported for Azure Bastion. To fix this, please recreate your Azure
Bastion with an IPv4 public IP address. (Code: PublicIpAddressVersionNotSupported))
upvoted 21 times
Azure Bastion Basic SKU does NOT support Global Tier IPs.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
upvoted 1 times
Selected Answer: A
I tested in my lab and you cannot use dynamic IP addresses, basic SKU, or the Global. If you try to associate a Bastion with a Global Public
IP you will get "Cannot be associated with this Bastion."
Correct answer: A
upvoted 1 times
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
upvoted 1 times
Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
upvoted 1 times
Nutmeg756 3 months, 2 weeks ago
Selected Answer: B
Azure Bastion deployments require a Public IP address, except Developer SKU deployments. The Public IP must have the following
configuration:
Selected Answer: A
Azure Bastion requires a Public IP address. The Public IP must have the following configuration:
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
upvoted 4 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
C. a health probe
Correct Answer: D
I bet this is not the last time I see this question before I reach the end :)
upvoted 7 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
C. a health probe
Correct Answer: D
Selected Answer: D
Sub1 contains a virtual machine named VM1 and a storage account named storage1.
Correct Answer: D
Selected Answer: D
When you move a virtual machine from one subscription to another, you need to ensure that all the dependent resources are also moved
along with it.
In the given scenario, VM1 is associated with the resources Disk1 (OS Disk), NetInt1 (Network Interface), and VNet1 (Virtual Network), and
the storage account named storage1 is not associated with VM1.
Therefore, to move VM1 to Sub2, you need to move the following resources:
VM1: This is the virtual machine that you want to move to Sub2.
Disk1: This is the OS disk for VM1, and it contains the operating system and boot files.
NetInt1: This is the network interface that is attached to VM1 and provides connectivity to the virtual network.
VNet1: This is the virtual network that is associated with VM1, and it provides the network connectivity to the virtual machine.
upvoted 23 times
Selected Answer: A
Should be A.
Selected Answer: D
Given answer looks correct; all resources in this list can be moved as per the article:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
upvoted 2 times
Selected Answer: D
D is correct.
upvoted 3 times
Question #126 Topic 5
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
Correct Answer: A
This is one of those questions, that in the exam I'm going to have to pretend to be reading it before answering, just so it wouldn't be
suspicious.
upvoted 13 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
C. a health probe
Correct Answer: D
i mean their pro sale had 1.5 hours remaining 12 hours ago and now it has 15 hours remaining and their contributor access sale has
been "expiring tonight!" for the past 3 years, so they are not bound by mortal concepts like time or integrity.
upvoted 1 times
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
D. Protocol to UDP
Correct Answer: A
i'm running out of (barely) funny or (barely) insightful things to write at this point... i just want it all to end.... :(
upvoted 1 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: D
Please, clean this dump. Remove duplicate, triplicate questions. This is not a new question. Update with real new questions. Thank you!
upvoted 13 times
Selected Answer: A
Selected Answer: D
DSC extension
upvoted 3 times
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
The Publish-AzVMDscConfiguration cmdlet takes in a configuration file, scans it for dependent DSC resources, and then creates a .zip file.
The .zip file contains the configuration and DSC resources that are needed to enact the configuration. The cmdlet can also create the
package locally by using the -OutputArchivePath parameter. Otherwise, the cmdlet publishes the .zip file to Blob Storage, and then
secures it with an SAS token.
upvoted 1 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: A
You have an Azure subscription that contains a Recovery Services vault named Vault1.
A. an administrative unit
B. a managed identity
C. a resource guard
Correct Answer: C
Selected Answer: C
https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault
Selected Answer: C
https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault
upvoted 3 times
Selected Answer: C
https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault#before-you-start
Before you start
Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.
Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in
another subscription of the same directory or in another directory to ensure maximum isolation.
Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants)
are registered to use the providers - Microsoft.RecoveryServices and Microsoft.DataProtection . For more information, see Azure
upvoted 3 times
Question #132 Topic 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.
A. Yes
B. No
Correct Answer: A
Answer is 'NO' B, there is a rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100. Adding a new rule of priority
of 150 will not make any difference.
upvoted 24 times
Selected Answer: A
Presuming it's the health probe on 443 which is at fault and is required to ensure LB is processing as intended, the given answer is correct.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
"Azure Load Balancer rules require a health probe to detect the endpoint status. The configuration of the health probe and probe
responses determines which backend pool instances receive new connections. Use health probes to detect the failure of an application.
Generate a custom response to a health probe. Use the health probe for flow control to manage load or planned downtime. When a
health probe fails, the load balancer stops sending new connections to the respective unhealthy instance. Outbound connectivity isn't
affected, only inbound."
upvoted 14 times
Selected Answer: A
The existing rule with priority 100 has the source IP of the client (131.107.100.50). But App1 is behind an LB, so the source IP should be that of
the LB and not the client. So adding a rule with priority 150 will overrule the rule with priority 200, which is currently blocking the requests from the LB to
App1.
upvoted 1 times
Selected Answer: A
This has already been a previous question, and from that discussion, A is the right answer.
upvoted 2 times
The LB traffic is behind the 200 443 deny. That's why it can't get through. The IP allow @100 is a red herring. It's testing to see if you know that
the traffic will appear as if it's coming from the LB and not the client IPs.
upvoted 1 times
The VM2 is certainly turned off (because the "Attach network interface" option is available / If the VM2 was turned on, the option would be
grayed out), therefore the VM2 is not reachable.
The NSG is attached to the Subnet, so another rule that allows any traffic from the AzureLoadBalancer with the priority 150 will not be
evaluated. There is something else that makes the App1 not to be accessible from the 131.107.100.50 IP (It could be that the VM1 is also
turned off, or something else).
Note that the Load Balancer rules are configured correctly ("You verify that the Load Balancer rules are configured correctly.").
upvoted 3 times
Tested. Without the rule, the LB is unable to complete health probes and access to the web page is cutoff. Azure even provides a nice
warning message if it detects a rule that will get in the way of Load Balancing but still lets you do it. This was tested using an NSG
connected to the subnet. Having NSGs connected to each VM that permitted the Load Balancer traffic did not take precedence over the
Subnet NSG which still blocked the health probes. Answer is YES.
upvoted 2 times
Selected Answer: B
Answer is No.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
For Load Balancer's health probe to mark up your instance, you must allow 168.63.129.16 IP address in any Azure network security groups
and local firewall policies. The AzureLoadBalancer service tag identifies this source IP address in your network security groups and permits
health probe traffic by default.
upvoted 1 times
When you create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150 you are
allowing anything from the LoadBalancer not just from the frontendIP.
If you look at it, doing this actually makes the rule that has priority 65001 have a higher priority, or 150.
upvoted 3 times
Solution will meet the goal. The 100 rule allows the traffic from the required IP, but we still can't access port 443. This is most probably because of the
200 rule, which is blocking the health probe from the LB itself. When health probe traffic is blocked, the LB will not pass traffic to the nodes which are
not responding to health probes. The 65001 rule allows everything from the LB, but if the client still can't access port 443, it is not reached because of
the 200 rule match (health probe on port 443). If we create a 150 rule which allows any traffic from the LB, everything will work :) Simple.
upvoted 10 times
The LB needs to be able to talk to the backend pool, which is currently not allowed.
exam passed.
upvoted 4 times
There is already a rule with a higher priority that allows the traffic.
upvoted 3 times
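The priority argument running through this discussion can be checked with a small model of NSG inbound evaluation. This is an added example, not part of the original question or of any comment: the rule names are constructed, the deny rule at priority 200 is reconstructed from the comments (the rule table itself is not reproduced on this page), and the model assumes the health probe targets TCP 443 and that backend VMs see the client's own source address.

```python
"""Simplified model of NSG inbound evaluation: lowest priority number that matches wins."""
import ipaddress
from dataclasses import dataclass

PROBE_IP = "168.63.129.16"    # health probe source address quoted in the thread
CLIENT_IP = "131.107.100.50"  # client address from the question


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str    # constructed names, for readability only
    source: str  # "*", the service tag "AzureLoadBalancer", or an IP/CIDR
    port: str    # "*" or one destination port
    action: str  # "Allow" or "Deny"

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.port != "*" and int(self.port) != dst_port:
            return False
        if self.source == "*":
            return True
        if self.source == "AzureLoadBalancer":
            # The service tag stands for the probe source address.
            return src_ip == PROBE_IP
        network = ipaddress.ip_network(self.source, strict=False)
        return ipaddress.ip_address(src_ip) in network


# Rule set as described by the commenters (reconstructed, not the exhibit).
# The default AllowVnetInBound rule (65000) is left out because the model
# does not resolve the VirtualNetwork tag and it plays no part here.
BASE_RULES = [
    Rule(100, "AllowClient443", CLIENT_IP, "443", "Allow"),
    Rule(200, "Deny443", "*", "443", "Deny"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

# The rule proposed in the solution.
PROPOSED = Rule(150, "AllowLB", "AzureLoadBalancer", "*", "Allow")


def evaluate(rules, src_ip, dst_port):
    """Return (action, rule name) for the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.name
    return "Deny", "implicit"


def client_can_connect(rules, probe_port=443):
    """The client reaches App1 only if its own packets are allowed AND the
    health probe is allowed, because the load balancer stops sending new
    connections to backends whose probes fail."""
    probe_action, _ = evaluate(rules, PROBE_IP, probe_port)
    client_action, _ = evaluate(rules, CLIENT_IP, 443)
    return probe_action == "Allow" and client_action == "Allow"


if __name__ == "__main__":
    for label, rules in (("before", BASE_RULES), ("after", BASE_RULES + [PROPOSED])):
        print(label,
              "| probe:", evaluate(rules, PROBE_IP, 443),
              "| client:", evaluate(rules, CLIENT_IP, 443),
              "| reachable:", client_can_connect(rules))
```

In the model, the client's own packets are already allowed by the priority 100 rule; what changes with the priority 150 rule is that the probe is matched before the priority 200 deny instead of never reaching the default rule at 65001.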
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.
B. service endpoints
Correct Answer: B
Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints
enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet."
upvoted 9 times
You create an Azure VM named VM1 that runs Windows Server 2019.
A. Connect to VM1.
B. Start VM1.
Correct Answer: B
All these are repeated questions, and if you are at this point then you have contributor access and paid subscription.. so we miss Mlantos
comments here..
upvoted 15 times
Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
"The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure and the location of the
configuration package (.zip file) if it is stored in a location outside of Azure."
upvoted 5 times
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
The subnets have the IP address spaces shown in the following table.
You plan to create a container app named contapp1 in the East US Azure region.
You need to create a container app environment named con-env1 that meets the following requirements:
To which virtual networks can you connect con-env1, and which subnet mask should you use? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:
I am a total newbie with this so I tried to find out what the possible IP ranges are:
- VNET 1
10.1.128.0/23 = 10.1.128.0 - 10.1.129.255 (512 IPs)
- Sub 1
10.1.128.0/24 = 10.1.128.0 - 10.1.128.255 (256)
-> Not enough IPs available
- VNET 2
192.168.0.0/16 = 192.168.0.0-192.168.255.255
- Sub21
192.168.0.0 /17 = 192.168.0.0 - 192.168.127.255
- Sub22
192.168.128.0/17 = 192.168.128.0 - 192.168.255.255
-> The subnets take out the whole range of VNET 2
- VNET 3
172.16.0.0/16 = 172.16.0.0 - 172.16.255.255
- Sub3
172.16.1.0/24 = 172.16.1.0 - 172.16.1.255
-> VNET 3 still has most of the range for a /23 available. For example we could make the following /23 subnet: 172.16.2.0/23 = 172.16.2.0 -
172.16.3.255
Why? According to Microsoft - Consumption only environment - Container Apps. It needs a subnet with IPs in Range 512.
-/23 is the minimum subnet size required for virtual network integration.
-The Container Apps runtime reserves a minimum of 60 IPs for infrastructure in your VNet. The reserved amount may increase up to
256 addresses as apps in your environment scale.
Reference:
https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=azure-cli#consumption-only-environment
upvoted 6 times
Hence all three VNets can be used because those are bigger than /27. To keep the subnet smallest we should use /26 prefix.
upvoted 2 times
Container Apps has two different environment types, which share many of the same networking characteristics with some key differences.
1. Workload profiles environment: /27 is the minimum subnet size required for virtual network integration.
2. Consumption only environment: /23 is the minimum subnet size required for virtual network integration.
upvoted 3 times
Answer is 23
https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=azure-cli
upvoted 1 times
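The range arithmetic worked through by hand in the discussion above can be reproduced with Python's standard `ipaddress` module. This is an added example, not part of the original question or of any comment; the address spaces and subnet names are the ones listed in the first comment, and the helper names `free_blocks` and `first_fit` are made up for this illustration.

```python
"""Find room for a new subnet of a given size in a VNet that already has subnets."""
import ipaddress

# Address spaces and existing subnets as listed by the commenter above.
VNETS = {
    "VNet1": ("10.1.128.0/23", ["10.1.128.0/24"]),                      # Sub1
    "VNet2": ("192.168.0.0/16", ["192.168.0.0/17", "192.168.128.0/17"]),  # Sub21, Sub22
    "VNet3": ("172.16.0.0/16", ["172.16.1.0/24"]),                      # Sub3
}


def free_blocks(vnet_cidr, subnet_cidrs):
    """Return the unallocated part of the VNet as a sorted list of CIDR blocks."""
    free = [ipaddress.ip_network(vnet_cidr)]
    for used in map(ipaddress.ip_network, subnet_cidrs):
        remaining = []
        for block in free:
            if not block.overlaps(used):
                remaining.append(block)       # untouched by this subnet
            elif block.subnet_of(used):
                continue                      # entirely consumed
            else:
                # CIDR blocks either nest or are disjoint, so here the
                # subnet lies inside the block and can be carved out.
                remaining.extend(block.address_exclude(used))
        free = remaining
    return sorted(free)


def first_fit(vnet_cidr, subnet_cidrs, prefix):
    """Return the first free block of exactly /prefix size, or None if none fits."""
    for block in free_blocks(vnet_cidr, subnet_cidrs):
        if block.prefixlen <= prefix:
            return next(block.subnets(new_prefix=prefix))
    return None


def candidates(prefix):
    """Map each VNet name to a usable /prefix subnet (as a string) or None."""
    result = {}
    for name, (space, subnets) in VNETS.items():
        fit = first_fit(space, subnets, prefix)
        result[name] = str(fit) if fit else None
    return result


if __name__ == "__main__":
    # /23 is the Consumption only minimum and /27 the workload profiles
    # minimum, both as quoted in the comments.
    for prefix in (23, 27):
        print(f"/{prefix}:", candidates(prefix))
```

A free block is only a candidate by size; the region requirement from the question still has to be checked separately, since the table with the regions is not reproduced here.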
You have an Azure subscription that contains the virtual networks shown in the following table.
All the virtual networks are peered. Each virtual network contains nine virtual machines.
You need to configure secure RDP connections to the virtual machines by using Azure Bastion.
A. 1
B. 3
C. 9
D. 10
Correct Answer: B
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each
peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs
deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual
network peering.
Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.
Answer is A
upvoted 19 times
Answer is A.
We required only one Bastion.
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.
upvoted 8 times
MatAlves Most Recent 1 week ago
Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions."
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 1 times
Selected Answer: A
Azure Bastion is available in any of these regions via the Azure portal:
West US
East US
West Europe
South Central US
Australia East
Japan East
upvoted 2 times
When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is
per virtual network, not per subscription/account or virtual machine.
As it's a full mesh connection. And there are 10 VNets. It should have 10.
upvoted 1 times
Reference: https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 1 times
Explanation:
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each
peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs
deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual
network peering.
Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.
The question states that VNET peering is enabled, NOT Global VNET peering, thus you need a bastion host in each region.
upvoted 4 times
Selected Answer: B
Each bastion consists of two VMs that allow 20 RDP connections each; in total there are 90 VMs to connect to, so 3 x 2 x
20 = 120 are needed to reach the 90
upvoted 2 times
Selected Answer: A
Answer A
upvoted 2 times
Selected Answer: A
As per https://learn.microsoft.com/en-us/azure/bastion/vnet-peering, with global peering a single Bastion host will suffice.
upvoted 5 times
Question #137 Topic 5
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
You create an Azure bastion for VNet1 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
hidefo6963 Highly Voted 5 months, 1 week ago
I would say
NO
YES
NO
https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 16 times
NYN
https://learn.microsoft.com/en-us/azure/bastion/vm-upload-download-native
"This feature requires the Standard SKU. The Basic SKU doesn't support using the native client."
upvoted 1 times
Basic plan for bastion does not support native client. The RDP support is not the same as native client, this is separate, do not get
confused.
https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows
https://learn.microsoft.com/en-us/azure/bastion/native-client
upvoted 2 times
"Once you sign in to your target VM, the native client on your computer opens up with your VM session via MSTSC."
https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows
upvoted 1 times
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the storage accounts shown in the following table.
You create a service endpoint policy named Policy1 in the South Central US Azure region to allow connectivity to all the storage accounts in the
subscription.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
I would go for
YNN
1) YES
Virtual networks must be in the same region as the service endpoint policy.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations
2) NO -
By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service
as VNET2 is in a different region, this policy is definitely not applied to subnet 2
3) NO -
Policy allows all storage accounts + IMHO it's not full vnet3 to be considered.
upvoted 16 times
Answer is correct
Box 1: Y
Virtual networks must be in the same region as the service endpoint policy
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations
Box 2: N
VNet2 is in SEA Region, so it can only connect to the stoacc in SEA Region through Service Endpoint, which is storage3
Box 3: Y
VNet3 is in the South Central US region, and so is the storage2
upvoted 12 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: D
Selected Answer: D
You have an Azure subscription that contains a resource group named RG1 and a virtual network named VNet1.
You need to be able to configure DNS name label scope reuse for container1.
D. a confidential SKU
Correct Answer: B
Selected Answer: B
Answer is correct:
Public networking type allows you to assign a DNS name label to the container instance that is globally unique within Azure, and it's
accessible from the internet. This is typically used when you want to expose a service hosted in a container to the public.
Private networking type would not allow you to configure DNS name label scope reuse because it doesn't expose the container instance to
the public internet, and it typically operates within a virtual network (VNet) for private communication.
Creating a new subnet on VNet1 (Option C) is related to configuring the network settings of the virtual network and isn't directly related to
configuring DNS name label scope reuse for the container instance.
A confidential SKU (Option D) is not related to DNS name label scope reuse or networking configurations. It is used for specific security
and confidentiality requirements.
upvoted 22 times
Checked that in a lab: DNS name reuse is available only when the public networking type is selected.
upvoted 10 times
Selected Answer: B
For Azure portal users, you can set the DNS name reuse policy on the Networking tab during the container instance creation process
using the DNS name label scope reuse field.
Available after choosing public network type
https://learn.microsoft.com/en-us/azure/container-instances/how-to-reuse-dns-names#create-a-container-instance
upvoted 2 times
HOTSPOT
You have the Azure virtual machines shown in the following table.
VM4 has a DNS server that is authoritative for a zone named contoso.com and contains the records shown in the following table.
The virtual networks are configured to use the DNS servers shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
it's NNN
If you want VMs in VNET1 to use the authoritative DNS server in VNET2, you would need to configure custom DNS settings on those VMs
to point to the IP address of the authoritative DNS server in VNET2. This would override the default Azure-Provided DNS settings and
direct DNS queries to the specific DNS server you've configured.
upvoted 3 times
DRAG DROP
You have an Azure subscription that contains a resource group named RG1.
You plan to create an Azure Resource Manager (ARM) template to deploy a new virtual machine named VM1. VM1 must support the capture of
performance data.
In which order should you deploy the resources? To answer, move all resources from the list of resources to the answer area and arrange them in
Correct Answer:
Correct order
First, create a network
2nd, create an interface
3rd, create VM
4th, install an extension.
upvoted 35 times
The virtual network needs to exist before the network interface can be created.
The network interface needs to be prepared with the Azure Monitor extension before the virtual machine uses it to capture performance
data.
The virtual machine can only be deployed once all the required resources are in place.
So
1. Network
2. NIC
3. Monitor Extension
4. VM
upvoted 1 times
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: A
correct
upvoted 2 times
correct
upvoted 1 times
Selected Answer: A
Answer correct
upvoted 3 times
Question #144 Topic 5
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
A. VM1 only
Correct Answer: B
Selected Answer: B
Selected Answer: B
Correct answer is B (VM1 and VM2) because Bastion is deployed to VNEt1, which is peered with VNet2.
D would be correct answer if Bastion was deployed in VNet2, which is not the case.
upvoted 3 times
Selected Answer: B
VNet1 and VNet are peered and VNet2 and VNet3 are also peered. However VNet1 and VNet3 are not peered with each other. If gateway
transit is not allowed - and it is not stated -, then there is no connection between VNet1 and VNet3. Bastion is deployed in VNet1.
upvoted 3 times
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each
peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs
deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual
network peering.
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 1 times
Selected Answer: D
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
Correct Answer: D
Selected Answer: B
Simply incredible
upvoted 1 times
Selected Answer: B
B is correct
upvoted 3 times
Selected Answer: B
If you still have to check this question's answer then it's time to take some rest XD.
upvoted 4 times
Selected Answer: B
Selected Answer: B
Selected Answer: B
100% it's B
upvoted 1 times
You plan to migrate 50 virtual machines from VMware vSphere to the subscription.
Correct Answer: D
Selected Answer: D
Correct Answer (D) - In order to migrate 50 VMs to Azure using Azure Site Recovery, one needs:
- Recovery Service Vault (which is created)
- Configure virtual network
- configure extended network (next step after)
upvoted 5 times
Selected Answer: D
Correct answer is D, the migration approach in the question is by using ASR and not Azure migrate. So, OVA template is not needed,
configure Vnet is the next step
upvoted 1 times
Configuring an extended network is not required for migration. You only need to set up a virtual network that Azure VMs will join after
migration.
Creating a recovery plan is not necessary for migration. A recovery plan is used to orchestrate failover and recovery of replicated machines
in Azure Site Recovery.
Configuring a virtual network is not the next step after creating a Recovery Services vault. You need to set up the Azure Migrate appliance
first, and then configure the replication settings, which include the virtual network.
https://learn.microsoft.com/en-us/azure/migrate/tutorial-migrate-vmware
upvoted 2 times
This step involves deploying the Azure Site Recovery Configuration Server as an OVA template on the vSphere environment. The
configuration server is a key component of the Site Recovery process, and it facilitates the discovery of VMs, manages replication, and
coordinates recovery operations. Once this is deployed and configured, you can then proceed to set up replication, and after that, create
and configure recovery plans.
upvoted 4 times
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
You need to implement Azure Bastion. The solution must meet the following requirements:
How should you configure Azure Bastion? To answer, select the options in the answer area.
Correct Answer:
References:
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
https://learn.microsoft.com/en-us/azure/bastion/bastion-faq
upvoted 7 times
When the documentation talks about /26 as the minimum recommended subnet size, it assumes average requirements for
concurrent sessions. (Smaller subnets would not be able to accommodate these.) But as the question states the need for 100
concurrent sessions, /26 is too small a subnet, just as you initially stated.
upvoted 1 times
/26
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
You have an Azure subscription that contains the virtual networks shown in the following table.
You need to ensure that all the traffic between VNet1 and VNet2 traverses the Microsoft backbone network.
A. a private endpoint
B. peering
C. Express Route
D. a route table
Correct Answer: C
Selected Answer: B
The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
ExpressRoute private peering supports connectivity between multiple virtual networks. Although this behavior happens by default when
linking virtual networks to the same ExpressRoute circuit, Microsoft doesn't recommend this solution. To establish connectivity between
virtual networks, VNet peering should be implemented instead for the best performance possible.
https://learn.microsoft.com/en-us/azure/expressroute/virtual-network-connectivity-guidance
upvoted 6 times
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#connectivity
upvoted 1 times
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like
traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.
upvoted 1 times
You have the Azure virtual networks shown in the following table.
B. VNet2 only
Correct Answer: B
Selected Answer: C
Vnet1 and Vnet2 overlap, therefore Vnet3 & Vnet4 is correct and should be able to peer together
| Name | Address space | Subnet | Resource group | Azure region |
| VNet1 | 10.11.0.0/16 | 10.11.0.0/17 | | West US |
| VNet2 | 10.11.0.0/17 | 10.11.0.0/25 | | West US |
| VNet3 | 10.10.0.0/22 | 10.10.1.0/24 | | East US |
| VNet4 | 192.168.16.0/22 | 192.168.16.0/24 | | North Europe |
upvoted 6 times
Selected Answer: C
You are creating a new Azure container instance that will have the following settings:
• SKU: Standard
• OS type: Windows
You discover that the Private setting for Networking type is unavailable.
You need to ensure that cont1 can be configured to use private networking.
A. Memory (GiB)
B. Networking type
D. OS type
E. SKU
Correct Answer: B
Selected Answer: D
D, OS type
https://learn.microsoft.com/en-us/azure/container-instances/media/container-instances-quickstart-portal/qs-portal-04.png
upvoted 1 times
D OS TYPE
Currently
https://learn.microsoft.com/en-us/azure/container-instances/media/container-instances-quickstart-portal/qs-portal-04.png
upvoted 4 times
Answer: D
Question #1 Topic 6
You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the
following table:
D. VM1 only
Correct Answer: B
Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros
Correct Answer: B
Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
Azure Backup supports backup of VM that are shutdown or offline.
The Backup service installs the backup extension whether or not the VM is running.
upvoted 120 times
Answer is Correct. "B". Backup is supported for the whole VM for all the OS types mentioned. Also, backup operation can be done while
VM is offline or shutdown
upvoted 68 times
Windows Server
Windows client operating systems (Windows 7 and later)
Linux
Based on this, you can back up VM1, VM2, and VM4 using Azure Backup, as they are running Windows Server 2012 R2, Windows Server
2016, and Windows 10 (a Windows client operating system) respectively. VM3 cannot be backed up using Azure Backup as it is running
Ubuntu Server.
Selected Answer: B
According to Microsoft's official documentation on Azure Backup, the supported operating systems for VM backup using Azure Backup
are:
Selected Answer: B
B.
All OSs are supported.
Shutdown or not, VMs can still be backed up.
You don’t have to stop your virtual machines (VMs) in order to back them up in Azure. You can back up your VMs while they are running or
while they are in a deallocated state.
However, No, you cannot delete a virtual machine (VM) while it is being backed up. The backup process requires the virtual machine to be
available and running so that the backup data can be captured. If you try to delete a VM while it is being backed up, the deletion process
will be blocked until the backup is complete.
upvoted 1 times
Azure Backup can be used to back up Windows and Linux virtual machines that are running in Azure. All four virtual machines in the table,
VM1, VM2, VM3, and VM4, are Azure virtual machines, which means they can be backed up by using Azure Backup. You can schedule
backups to occur at a specific time every day, including 23:00, by using the Recovery Services vault, Vault1.
upvoted 1 times
Selected Answer: B
Correct B
upvoted 1 times
Selected Answer: B
**Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
**Azure Backup supports backup of 64-bit Debian operating system from Debian 7.9+.
Selected Answer: B
You can back up all types of OSes and even those that are shut down.
upvoted 2 times
Selected Answer: B
Correct B
upvoted 1 times
Selected Answer: B
I agree, all of them
upvoted 1 times
You have an Azure subscription that contains a virtual machine named VM1.
You plan to deploy an Azure Monitor alert rule that will trigger an alert when CPU usage on VM1 exceeds 80 percent.
You need to ensure that the alert rule sends an email message to two users named User1 and User2.
A. an action group
C. a distribution group
Correct Answer: A
Selected Answer: A
Correct.
Selected Answer: A
Selected Answer: A
A is correct
upvoted 2 times
Question #3 Topic 6
You have the Azure virtual machines shown in the following table:
You have a Recovery Services vault that protects VM1 and VM2.
Correct Answer: A
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for
virtual machines
(VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replicatio
Correct Answer: A
VM3 and VM4 are in a different region from VM1 and VM2. So, we need to create a new Recovery Services Vault in the same region with
VM3 and VM4.
For storage account, it is created automatically by Azure.
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for
virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure
services.
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication
upvoted 100 times
Answer is correct. "A" Create a new Recovery Services Vault. As the VM3 and VM4 are in a different region. then we need to create a new
one in the same region of VM3 and VM4 (data source). For storage account, it is created automatically by Azure.
For more details check https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault#create-a-recovery-services-vault
upvoted 77 times
in exam 26/12/2023
upvoted 1 times
Ref: https://youtu.be/K1NFwu5PNrU?si=fAx3EGXbYhO9_bOa
upvoted 1 times
Correct Answer: A
upvoted 1 times
Selected Answer: A
Correct Answer: A
VM3 and VM4 are in a different region from VM1 and VM2. So, we need to create a new Recovery Services Vault in the same region with
VM3 and VM4.
For storage account, it is created automatically by Azure.
upvoted 3 times
Selected Answer: A
VM3 and VM4 need their own ARSV as are in different region to VM1 and VM2
upvoted 3 times
HOTSPOT -
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.
You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.
You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Correct Answer:
You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.
Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).
Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
upvoted 212 times
Box 2: 2
You need 2 Additional Action Groups (1xUser1 and User3, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
Check the question again..... it is asking how many new alerts and groups.
upvoted 1 times
Box1: 4
Box2: 3
upvoted 12 times
You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.
Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).
Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3).
upvoted 2 times
You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.
Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).
Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
upvoted 1 times
'Activity Log' for restored required two action groups - one for Delete x 1 and Restore x1.Otherwise, when the storage account is restored
User2 will get notified, we don't want that based on the table.
upvoted 1 times
You have an Azure subscription that contains the identities shown in the following table.
User1, Principal1, and Group1 are assigned the Monitoring Reader role.
An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role.
You need to identify who will receive an email notification when Alert1 is triggered.
C. User1 only
Correct Answer: C
Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
Correct Answer: C
Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service
principals.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 150 times
So members of a role can receive emails, user 2 has inherited the role from the group.
So both User 1 and User 2 receive the email.
upvoted 5 times
I am waiting out the 24hr lag period before testing. Alert group scoped to email on VM creation or deletion, one user assigned role
directly and one via group. Will report back.
upvoted 13 times
Tested in lab, correct answer is D. User2 inherits the role from Group1, hence he will also receive an email besides User1.
upvoted 2 times
Selected Answer: D
User1 received an email because he is directly assigned to the Monitoring Reader role (which is in Action group).
User2 received alert because he has the same role as a User1, because he inherited this role from the Group1 assignment. It means, that
notification was received not because Group1 was selected as a target of notifications in AG1 (1. Cuz it's not; 2. Group can't be assigned as
an email receiver, because groups physically have no emails. Service Principals also can't have email address), but because of AG1
condition is set for Monitoring Reader role. Email was sent to User2, because User2 has the same role as a User1. Even if User1 is assigned
directly and User2 inherit this role from his Group in AAD.
upvoted 6 times
Selected Answer: C
Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service
principals.
upvoted 2 times
That is exactly what everyone who puts C forward as the right answer needs to understand: User2 has Monitoring Reader role and
WILL receive that email...
upvoted 1 times
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 1 times
Selected Answer: C
Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service
principals.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 1 times
See;
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
Selected Answer: C
User1: User1 is assigned the Monitoring Reader role, so they will receive the email notification when Alert1 is triggered.
User2: Although User2 is a user and a member of Group1, which is assigned the Monitoring Reader role, individual users take precedence
over groups for email notifications. Therefore, User2 will not receive the email notification.
Principal1: Principal1 is a Managed Identity and is not a member of any group. Therefore, Principal1 will not receive the email notification.
Principal2: Principal2 is a Managed Identity and a member of Group1, which is assigned the Monitoring Reader role. However, individual
users take precedence over groups for email notifications. Therefore, Principal2 will not receive the email notification.
To summarize, only User1 will receive the email notification when Alert1 is triggered because they have the Monitoring Reader role
assigned directly.
upvoted 1 times
Selected Answer: D
Selected Answer: D
In this scenario, User2 is a member of Group1, which is assigned the Monitoring Reader role. As a result, User2 will inherit the Monitoring
Reader role from the group and will be able to receive email notifications when the alert rule named Alert1 is triggered.
upvoted 2 times
Mail enabled groups exist, so they definitely wouldn't get any notification email from the above, but what about the members of the
group, they inherit the assignment that would qualify them for the email?
I think I have to assume it means both, the Group and its members leaving C the answer.
upvoted 2 times
HOTSPOT -
You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)
You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM.
You need to identify the number of available recovery points for VM1.
How many recovery points are available on January 8 and January 15? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: 6 -
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
Box 2: 8 -
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
Reference:
https://social.technet.microsoft.com/Forums/en-US/854ab6ae-79aa-4bad-ac65-471c4d422e94/daily-monthly-yearly-recovery-points-and-storage-used?forum=windowsazureonlinebackup
Correct Answer:
Box 1: 6
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
8th January = 5 daily backups (1 weekly backup included) + 1 Monthly = 6 backups
Box 2: 8
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
15th January is a Friday = 5 daily backups (Monday - Friday) + 2 Weekly (2 Sundays) + 1 Monthly = 8 backups
upvoted 82 times
Box 2: 8.
upvoted 29 times
Box 1:
5 Daily RP (4, 5, 6, 7, 8 Jan)
0 Weekly RP (4 Jan is already present in Daily RP, so no new RP is added)
1 Monthly RP (2 Jan)
TOTAL: 6 RP
Box 2:
5 Daily RP (11, 12, 13, 14, 15 Jan)
1 Weekly RP (4 Jan; 11 Jan is already present in Daily RP)
1 Monthly RP (2 Jan)
1 Yearly RP (9 Jan)
TOTAL: 8 RP
upvoted 2 times
Box 1:
5 Daily RP (4, 5, 6, 7, 8 Jan)
0 Weekly RP (4 Jan is already present in Daily RP, so no new RP is added)
1 Monthly RP (2 Jan)
TOTAL: 6 RP
Box 2:
5 Daily RP (11, 12, 13, 14, 15 Jan)
1 Weekly RP (4 Jan; 11 Jan is already present in Daily RP)
1 Monthly RP (2 Jan)
1 Yearly RP (9 Jan)
TOTAL: 8 RP
upvoted 8 times
A-B-C-D-E-F 6 copies.
Daily backup and weekly backup on Jan-4 is the same copy (B)
upvoted 3 times
on 8 Jan (Thrs) at 2.00 AM - we see , daily backup of [ Wed (7), Tues (6) , Mon (5),Sun(4)(weekly) , Sat (3) = 5 ] and Monthly Friday(2) === so a
total 6 [ Fri(2) , Thrs (1) are not retained and Fri(9) yearly did not happen yet ]
on 15 Jan (Thrs) --we See Dailys for [14(Wed)+13(Tue)+12(Mon)+11(Sun)+10(Sat) = 5 ] + Weekly on Sundays [4 (Sun) = 1] + [Monthly on
2(Friday) =1 ] + [yearly on 9 (Fri) =1] = 8
upvoted 3 times
Box 2: 8
5 daily backups (11th Sunday weekly backup included) + 1 weekly backup (4th Sunday) + 1 Monthly + 1 Yearly = 8 backups
upvoted 1 times
5 daily
1 weekly
and the monthly update happens on the 2nd day of every month. so why wouldn't we have also 1 monthly if the policy is applied on
January 1st?
upvoted 1 times
HOTSPOT -
You need to monitor the performance and usage of the apps by using Azure Application Insights. The solution must minimize modifications to the
application code.
What should you do on each app? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps
Correct.
Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the PowerShell Gallery. It replaces
Status Monitor.
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-detailed-instructions
upvoted 27 times
Correct
There are two ways to enable application monitoring for on-premises, VM or App Services web apps:
- Auto-instrumentation by using Application Insights Agent
- Manual instrumentation by installing the Application Insights SDK through code
So as it's mentioned that the solution must minimize the modifications, then it's Application Insights Agent
upvoted 21 times
Answer is in the question. You need to monitor the performance and usage of the apps by using 'Azure Application Insights.' - Ans:
Application Insights Agent.
upvoted 6 times
Manually instrumenting the application through code by installing the Application Insights SDK.
upvoted 5 times
Note:
The module currently supports codeless instrumentation of .NET and .NET Core web apps hosted with IIS. Use an SDK to instrument Java
and Node.js applications.
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
upvoted 8 times
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps
upvoted 1 times
This method is the easiest to enable, and no code change or advanced configurations are required. It is often referred to as "runtime"
monitoring. For Azure App Services we recommend at a minimum enabling this level of monitoring, and then based on your specific
scenario you can evaluate whether more advanced monitoring through manual instrumentation is needed.
.NET Core
.NET
Java
Nodejs
upvoted 6 times
Question #8 Topic 6
You need to ensure that all the changes to VM1 are restored.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore
If it's a single selection, I would select D. However, the test result reveals it should be two (C and D).
Conclusion, VM size and password will not be overridden by the restore process.
You will need to perform the changes again:
1. Add a data disk
2. Copy the file.
upvoted 64 times
Selected Answer: D
Selected Answer: A
You need to ensure that all the changes to VM1 are restored.
Am I the only one saying A? All changes are reverted by restoring the backup, but the VM size you need to revert manually!
upvoted 1 times
Selected Answer: D
Agree with D;
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options
A-C are all retained if replace existing is used as far as I can tell.
upvoted 1 times
SIAMIANJI 8 months, 4 weeks ago
Selected Answer: D
When you use the "Replace existing" option to restore a virtual machine from an Azure Backup, the entire virtual machine is replaced with
the backup data, including the operating system disk and all data disks that were attached to the virtual machine at the time the backup
was taken.
upvoted 1 times
Selected Answer: C
The disk newly added in the meantime does not exist in the backup. We should add this disk again.
upvoted 1 times
Selected Answer: D
D is the answer.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options
upvoted 2 times
This change should be performed again because restoring a virtual machine from a backup using the "Replace existing" option will restore
the virtual machine to its state at the time the backup was created. Any changes made after the backup was created will be lost and will
need to be performed again. In this case, resetting the password for the built-in administrator account is a change that was made after
the backup was created, so it will need to be performed again after restoring the virtual machine from the backup.
upvoted 3 times
Selected Answer: D
The only thing that changes is a copy of the file to 'Data' folder. Given that 'Data' folder is located in the same disk, the copied file will
disappear upon restore. Hence, D. Copy Budget.xls to Data.
"If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM
configuration."
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 6 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.
You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)
You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods
tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: No -
Box 2: No -
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: Yes -
As a User Administrator, User3 can add security questions to the reset process.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq
Correct Answer:
Box 1: No
Two methods are required (Mobile phone and Security questions).
Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: No
To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot
add security questions to the reset process. User Administrator doesn’t have MFA permissions.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 120 times
- NO: User2 must provide two authentication methods before they can reset their password
- NO: User 1 is not enabled for SSPR
- NO: A User must have the role of global Administrator or Authentication Policy Administrator to change SSPR
(https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr).
upvoted 3 times
Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: No
User3 is User Administrator. With a two-gate policy, administrators don't have the ability to use security questions.
Admin users cannot do the following:
- Cannot manage MFA.
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 1 times
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 2 times
User1 is a member of group1. Self-service password reset is enabled only for group2.
As a user administrator, user3 cannot add security questions to the reset process.
The following Technet articles contain more information about the topic
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
upvoted 1 times
Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: No
To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot
add security questions to the reset process. User Administrator doesn’t have MFA permissions.
upvoted 2 times
Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
B. From the Device settings blade, modify the Maximum number of devices per user setting.
D. From the Device settings blade, modify the Users may join devices to Azure AD setting.
Correct Answer: B
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user
reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.
Incorrect Answers:
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.
D: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
http://techgenix.com/pros-and-cons-azure-ad-join/
Correct Answer: B
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user
reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed. By default, the
maximum number of devices per user is 50.
https://learn.microsoft.com/zh-tw/troubleshoot/azure/active-directory/maximum-number-of-devices-joined-workplace
upvoted 1 times
For those who choose D, please read the question carefully, "You verify that User1 was able to join devices to Azure AD in the past." So the
join device setting should be ok, but he has already reached the maximum number of devices per user. Answer B is correct.
upvoted 68 times
The reason for this is that if the "Users may join devices to Azure AD" setting is set to "No", then even if a user has the necessary
permissions to join a device to Azure AD, they will be unable to do so. By modifying this setting to "Yes", you are allowing User1 to join
their personal device to Azure AD from their home network. The other options, such as assigning the User administrator role to User1 or
modifying the maximum number of devices per user setting, would not necessarily resolve the issue with User1's ability to join their
device to Azure AD. A point-to-site VPN from the home network of User1 to Azure may or may not be necessary, depending on the specific
network configuration and security requirements.
upvoted 1 times
Selected Answer: B
user1 was able in the past and is no longer, so he maxed out the number of devices he's allowed to join.
upvoted 2 times
Selected Answer: B
Correct Answer: B
upvoted 1 times
Selected Answer: B
Selected Answer: B
Correct Answer: B
HOTSPOT -
You have two Azure App Service apps named App1 and App2. Each app has a production deployment slot and a test deployment slot.
The Backup Configuration settings for the production slots are shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
NNY
On January 15th you will have 9 backups as 0 day retention is defined as indefinite.
[How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.]
https://docs.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest
The DevOps / Web apps backup in the questions only includes the production slot. One cannot restore a test slot from a production slot
backup.
[If a slot is not specified, the API will create a backup for the production slot.]
https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/backup-slot
January 6th backup will still be within the 30 days retention as of January 15th.
upvoted 71 times
Citmerian 1 year, 3 months ago
App1 doesn't have a retention configured, but the option "keep at least one backup" is Yes. On the 15th it will have one backup.
Y,N,Y
upvoted 7 times
App1 backs up every day and keeps at least one backup. However, the retention period for App1 is 0 days, meaning that any backup older
than the most recent one is immediately deleted. Since App1 backs up every day, on January 15, App1 will indeed have only the backup
from January 15 in storage.
Answer: Yes
2) On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021.
App2 backs up every day with a retention period of 30 days. Thus, the backup from January 15, 2021, would be retained until February 14,
2021. So, on February 6, you can still access the backup from January 15.
Answer: Yes
3) On January 15, 2021, you can restore the backup of the App2 production slot from January 6, 2021.
For App2, the backup from January 6, 2021, will be retained until February 5, 2021 (because of the 30-day retention period). So, you can
indeed restore from this backup on January 15.
Answer: Yes
upvoted 4 times
On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021: No. The backup configuration settings
provided are for the production slots of App1 and App2. Unless the test slots have the same settings, we cannot assume that a backup
from January 15, 2021 for the App2 test slot will be accessible on February 6, 2021.
On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot: Yes. The backups for App2 are
retained for 30 days. So a backup from January 6 would still be available on January 15 and could be restored to any slot including the test
slot.
upvoted 4 times
In a nutshell, depending on how you interpret the question, the answers can be right or wrong.
See;
https://petri.com/backing-azure-app-service/
See;
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#back-up--restore-vs-disaster-recovery
"Specify the restore destination in Choose a destination. To restore to a new app, select Create new under the App Service box. To restore
to a new deployment slot, select Create new under the Deployment slot box.
If you choose an existing slot, all existing data in its file system is erased and overwritten. The production slot has the same name as the
app name."
upvoted 2 times
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
Answer is YNY
upvoted 2 times
https://learn.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest#az-webapp-config-backup-update-optional-parameters
--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.
upvoted 4 times
Backup and restore are supported in Basic, Standard, Premium, and Isolated tiers. For Basic tier, only the production slot can be backed
up and restored.
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 1 times
N - If you go to Azure Portal -> App Service -> Backups then Set Schedule -> Retention you have information "Keep your backup files for up
to 30 days, or enter 0 to keep them indefinitely", so there will be 9 backups
N - Test slot doesn't have any backups configured
Y - From Azure Portal -> Backups -> Select backup and click 'Restore' -> You have "Choose destination" where you can choose App Service
and Deployment slot (new or existing)
upvoted 13 times
HOTSPOT -
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.
You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
Hot Area:
Correct Answer:
Box 1: No -
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing
passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through Self-service password reset (SSPR). They
can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.
Box 2: Yes -
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to
contact IT staff.
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is
enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always
test password reset functionality as a user without any Azure administrator roles assigned.
With a two-gate policy, administrators don't have the ability to use security questions.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-password-policy-differences
With a two-gate policy, administrators don't have the ability to use security questions.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.
upvoted 16 times
The old SSPR-A implementation is used when an Azure AD account has an admin role, such as Global Administrator or Billing
Administrator. However, the SSPR management on the Azure portal is for SSPR-U only. Therefore, SSPR-A might not be enabled on the
tenant.
https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/password-writeback-error-code-sspr-009
upvoted 4 times
So after some research it does look like "Security questions aren't used as an authentication method during a sign-in event. Instead,
security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't
use security questions as verification method with SSPR."
so it means the administrator cannot use security questions as verification method for SSPR. so it would be N N Y . check the link the first
line of the link. PLEASE LIKE THIS COMMENT
Ref https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 45 times
No
No
Yes
upvoted 1 times
Application administrator
Application proxy service administrator
Authentication administrator
Billing administrator
......
Security administrator
upvoted 2 times
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
NYY
upvoted 1 times
NNY
upvoted 3 times
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is
enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always
test password reset functionality as a user without any Azure administrator roles assigned.
With a two-gate policy, administrators don't have the ability to use security questions.
"Administrator accounts can't use security questions as verification method with SSPR."
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 3 times
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
This link shows the list of administrators that are not able to use security questions.
upvoted 3 times
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 1 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:
A. Yes
B. No
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad
Selected Answer: A
SO IF USER 1 has created the new tenant then obv it can create users within it as well and it is GA.
upvoted 128 times
https://learn.microsoft.com/en-us/entra/fundamentals/add-users
Since User 1 created new tenant 'external.contoso.onmicrosoft.com', User 1 is its Global Admin by default and has the right to create
user accounts.
https://learn.microsoft.com/en-us/answers/questions/1163804/need-clear-understanding-on-the-permissions-global
upvoted 1 times
Selected Answer: B
B:No, when you create a new tenant, the creator is the only global admin and owner, he must first give access to others to allow anything.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant#your-user-account-in-the-new-tenant
upvoted 16 times
Selected Answer: A
Selected Answer: A
A
User 1 created the tenant, thus it's the global admin of that tenant and able to create users
upvoted 1 times
Selected Answer: A
Since User1 created the new tenant he automatically became the global admin of this tenant.
upvoted 1 times
A is correct
upvoted 1 times
raj24051961 7 months, 2 weeks ago
Selected Answer: B
Answer should be B:
If we check the following link, there is no indication that a Global Administrator can create a user account
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Global Administrator
- Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory
- Assign administrator roles to others
- Reset the password for any user and all other administrators
User Administrator
- Create and manage all aspects of users and groups
- Manage support tickets
- Monitor service health
- Change passwords for users, Helpdesk administrators, and other User Administrators
upvoted 2 times
Selected Answer: A
In the given scenario, User1, who is a Global Administrator, creates a new Azure Active Directory tenant named
external.contoso.onmicrosoft.com. As a Global Administrator, User1 has the necessary permissions to create new user accounts in the
Azure AD tenant.
Therefore, instructing User1 to create the user accounts in the new external.contoso.onmicrosoft.com tenant is a valid and appropriate
solution. User1 has the required privileges and can perform the necessary administrative actions to create new user accounts within the
newly created Azure AD tenant.
upvoted 1 times
Therefore, instructing User1 to create the user accounts in the new external.contoso.onmicrosoft.com tenant is a valid and appropriate
solution. User1 has the required privileges and can perform the necessary administrative actions to create new user accounts within the
newly created Azure AD tenant.
upvoted 1 times
Think this is the first time I've seen a Yes to this question, all the others were no.
upvoted 2 times
A is correct.
upvoted 1 times
Chosen Answer is A
upvoted 1 times
Selected Answer: A
It is A not because User1 is GA but because User1 is owner of the account (implicitly granted because User1 created the AD tenant). As an
owner, User1 can create user accounts.
upvoted 2 times
Let's get votes up for Answer A. The only answer possible without a question.
upvoted 1 times
Question #14 Topic 6
You need to monitor the latency between your on-premises network and the virtual machines.
A. Service Map
B. Connection troubleshoot
D. Effective routes
Correct Answer: C
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between
various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor
You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and
mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 184 times
Correct Answer: C
Network Watcher is a Suite of tools offering but not limited to the following:
- Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
- Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
- IP Flow - latency and network issues at the VM LEVEL
- Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 81 times
C. Network Performance Monitor is the correct option in this scenario. It provides monitoring and diagnostics tools to help you optimize
the performance and availability of your network infrastructure. It can be used to monitor the network connectivity and latency between
your on-premises network and Azure resources, including virtual machines. Service Map provides a visual representation of your
application and server dependencies, Connection troubleshoot is used for identifying and resolving connection issues, and Effective
routes is used to verify the effective routes of a virtual machine's network interface.
upvoted 1 times
zellck 1 year ago
Selected Answer: C
C is the answer.
https://learn.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance
between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints
and monitor the performance of Azure ExpressRoute.
upvoted 3 times
Selected Answer: C
Monitoring latency between on-prem and VMs - NPM is your friend. But NPM has been retired.
upvoted 1 times
Selected Answer: C
Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 1 times
Selected Answer: C
Network Performance Monitor is correct; however, it has been replaced with Connection Monitor, which is part of the Network Watcher tool set.
upvoted 2 times
Selected Answer: C
Selected Answer: C
Open your Log Analytics workspace, and select the Overview tile.
Select the Network Performance Monitor tile with the message Solution requires additional configuration.
upvoted 2 times